Software Bill of Materials (SBOM) #15604

Open
rjpowers10 opened this issue Mar 27, 2024 · 9 comments

Comments

@rjpowers10 (Contributor)

rjpowers10 commented Mar 27, 2024

I'll preface this by saying I'm by no means an expert on this topic. But SBOM is becoming a hot topic these days in the software world and I'm curious what, if anything, that means for Orchard Core.

Is your feature request related to a problem? Please describe.

My company has been on the receiving end of increased pressure to provide a complete SBOM to our customers. There are various tools to produce an SBOM but one such tool is sbom-tool provided by Microsoft. Using sbom-tool on my code is fairly straightforward and gets me most of the way there, at least as far as .NET packages go. The blind spot I'm struggling with is on the client-side technologies. Many client-side technologies are used by Orchard Core, most prominently in the OrchardCore.Resources module. So take the basic client-side stuff like jQuery and Bootstrap for example. Those probably should be in my SBOM but since the tool is looking for npm files (package.json and package-lock.json) it doesn't have a way to know about those dependencies.

The ultimate goal is this: my customers want to know if a particular security vulnerability affects them. I know that my application uses jQuery, so my customers should be watchful for new jQuery vulnerabilities. But right now, it's hard for me to include jQuery in my SBOM using sbom-tool. jQuery is just one example.

Describe the solution you'd like

I'm specifically trying to produce an SBOM in the SPDX format, which has a way to link other SBOMs. I think that, ideally, I could pull an Orchard Core SBOM from somewhere (also in SPDX) and link it from my SBOM.

One complicating factor for Orchard Core is there might be a need for separate SBOMs per module, since applications may not be pulling in all of Orchard Core.

Describe alternatives you've considered

Reverse engineering a package.json file based on ResourceManagementOptions and feeding that into sbom-tool.
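As an added illustration of the two ideas in this issue (turning a module-local npm manifest into SPDX packages, and linking a separately produced Orchard Core SBOM via SPDX `externalDocumentRefs`), here is a small script that is not part of Orchard Core, sbom-tool or this thread. The package.json content, the document namespace and the checksum of the linked SBOM are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of what a module-local package.json might list; not Orchard Core's real file.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "orchardcore-resources-sample",
    "dependencies": {"jquery": "3.7.1", "bootstrap": "^5.3.3"},
    "devDependencies": {"gulp": "4.0.2"},
})
# Placeholder checksum for the linked SBOM; a real link carries the SHA1 of the actual SPDX file.
PLACEHOLDER_SHA1 = hashlib.sha1(b"constructed placeholder").hexdigest()


def npm_deps_to_spdx(package_json_text, doc_name, linked_sbom=None, include_dev=False):
    """Build an SPDX 2.3 JSON document describing the runtime npm dependencies.

    linked_sbom: optional (document_ref_id, spdx_document_uri, sha1) for an external SBOM
    (e.g. one produced from the Orchard Core source) referenced via externalDocumentRefs.
    Elements inside it can then be cited as "<document_ref_id>:<SPDXID>" in relationships.
    """
    pkg = json.loads(package_json_text)
    deps = dict(pkg.get("dependencies", {}))
    if include_dev:  # devDependencies are build-time only, so they are excluded by default
        deps.update(pkg.get("devDependencies", {}))
    packages, relationships = [], []
    for name, spec in sorted(deps.items()):
        version = spec.lstrip("^~>=<")  # crude: strip a range prefix to get the base version
        spdx_id = "SPDXRef-Package-" + name.replace("@", "").replace("/", "-")
        packages.append({
            "SPDXID": spdx_id, "name": name, "versionInfo": version,
            "downloadLocation": "NOASSERTION",
            # The purl is what vulnerability scanners match against, so it matters most.
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": f"pkg:npm/{name}@{version}"}],
        })
        relationships.append({"spdxElementId": "SPDXRef-DOCUMENT",
                              "relationshipType": "DESCRIBES", "relatedSpdxElement": spdx_id})
    doc = {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": doc_name,
        "documentNamespace": f"https://example.invalid/spdx/{doc_name}",  # placeholder namespace
        "creationInfo": {"created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                         "creators": ["Tool: npm_deps_to_spdx-example"]},
        "packages": packages, "relationships": relationships,
    }
    if linked_sbom:
        ref_id, spdx_document, sha1 = linked_sbom
        doc["externalDocumentRefs"] = [{"externalDocumentId": ref_id, "spdxDocument": spdx_document,
                                        "checksum": {"algorithm": "SHA1", "checksumValue": sha1}}]
    return doc
```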

@sebastienros (Member)

Please help, this is required by law actually to generate a BOM with every shipping product.

> One complicating factor for Orchard Core is there might be a need for separate SBOMs per module, since applications may not be pulling in all of Orchard Core.

I don't think this would be practical, but maybe it has to be. We should check on MS packages whether each package contains a different SBOM; I wouldn't imagine that. Check with aspnet or dotnet extensions packages maybe.

@Piedone (Member)

Piedone commented Apr 3, 2024

Why is the tool that you use for NPM packages not working with the package.json file of OrchardCore.Resources? Granted, you'd need to run it for the OC source, not your app, but then it should work.

@rjpowers10 (Contributor, Author)

I completely missed the fact that OrchardCore.Resources has its own package.json file. I now see that several modules have a local package.json. I was looking at the top-level one for the solution, which only lists devDependencies. So I thought the scripts were all being manually added to the solution and then wired up with ResourceManagementOptions.

@Piedone (Member)

Piedone commented Apr 3, 2024

Perhaps what we need here is some documentation on how to create an SBOM for your app, then? It won't be the same for every app, since it depends on your flavor of OC (and your app's own dependencies, of course), so maintaining one for OC doesn't seem too useful.

@rjpowers10 (Contributor, Author)

Yeah, part of why I raised this issue is because I wasn't sure what the "right" solution was, and that perhaps there is not a one-size-fits-all solution in the first place.

I'm not sure what other products are doing in terms of producing and delivering an SBOM. It seems to me like this is still a relatively new topic for the software industry so I don't know if there is a standard practice. For example, is it something that should be produced in the OC build and hosted at https://orchardcore.net/ or https://docs.orchardcore.net/ for consumers to download? Or like you said, maybe just some advice on how to produce the SBOM myself is enough.

@Piedone (Member)

Piedone commented Apr 3, 2024

I don't think having a central one for OC would be useful, since it'd both overreport for your app (it'd contain dependencies that your app doesn't use) and underreport (it won't contain custom dependencies that your app includes). This can be useful for enterprises to check a box when selecting a system (which can actually be quite useful for adoption and marketing) but not in practic

@rjpowers10 (Contributor, Author)

I'll take another look at self-producing the SBOM I need. As you said, it probably means downloading the OC source and running the tool against that.

If nothing else I can report back with my findings and the steps I took.

@Piedone (Member)

Piedone commented Apr 26, 2024

BTW here is this list too: https://docs.orchardcore.net/en/latest/docs/resources/libraries/

@Piedone (Member)

Piedone commented Jul 22, 2024
