Software Bill of Materials Generation (SBOM) for IAC Security with Software Composition Analysis
Table of Contents
Software Bill of Materials Generation (SBOM) for IAC Security with Software Composition Analysis
A Software Bill of Materials (SBOM) is a contextualized inventory of a software or an application which lists components, libraries, and versions of all open source packages and third-party components used to build it. Insight into the component version enables you to ensure the component is updated to the latest version while parallelly listing vulnerabilities. Using the SBOM, you can also identify the software supply chain in your organization and the cascading risk effect on your infrastructure if the vulnerability is not addressed timely. Open source licensing is an additional insight SBOM generates to ensure you are legally compliant during the version updates as vulnerability remediation.
Prisma Cloud scans your integrated repositories for open source packages through the package manager files found in the repository and IaC resources to generate an SBOM report. You can choose to generate the SBOM report either through a CI/CD pipeline or the console. In addition, you can also choose the SBOM generation format to be either a CSV or a CycloneDX.
Types of SBOM Reports
Prisma Cloud currently supports the export of SBOM reports in two standardized formats, CSV and CyclondeDX.
- CSVCSV is a comma-separated format that displays a line per vulnerability or misconfiguration. This format includes a line per resource or a package without vulnerabilities with categories across open source packages, container images, IaC components, and cloud infrastructure components.
- CycloneDX output follows the scheme outlined for XML version 1.4.CycloneDX format displays all application components including vulnerabilities and misconfigurations as a scheme outlined for CycloneDX XML version 1.4.
Generate SBOM as a CSV
Generating an SBOM in a CSV format from the CI/CD pipeline will generate three files:
- YYYYMMDD-HHMMSS_iac.csv
- YYYYMMDD-HHMMSS_container_images.csv
- YYYYMMDD-HHMMSS_oss_packages
Here YYYYMMDD-HHMMSS is the timestamp of the CSV generation.
Generate SBOM as a CycloneDX
Generating an SBOM in a CycloneDX format will generate a single file with following sections:
- Metadata
- Components
- Dependencies
- Vulnerabilities
Generate SBOM on Prisma Cloud console
You can generate an SBOM report on the Prisma Cloud console in two ways.
- Supply ChainOnApplication Security > Supply Chaingenerate an SBOM report to get insights into the relationship between the software and supply chain.
- Code ReviewsOnApplication Security > Code Reviewsgenerate SBOM to get insights into the open source packages used during the build, and the cascading risk affects that may be on runtime packages.
- Select a repository to generate a report.
- SelectOutput.You can choose between CSV or CycloneDX.
- SelectMaterials.You can choose the type of resources to include in the SBOM.
- All: This generates three different files for each resource type. If there are no resource types available then a blank file is generated.
- Open-source packages: This includes the scan results from scans of open source dependencies.
- Infrastructure as Code: This includes scan results from IaC repositories.
- Images: This includes packages in images built or referenced in the repository.
- SelectDownload.
Generate an SBOM from CI/CD Pipeline
Generate an SBOM report from your CI/CD pipeline by adding a CLI command.
- Access your terminal.
- Access the checkov command line in a specific directory or file. For example, checkov -d . --bc-api-key PRISMA_ACCESS_KEY::PRISMA_SECRET_KEY
- Add the format output syntax to the checkov line.For example, add -o cyclonedx to generate a CycloneDX XML SBOM, -o cyclonedx_json to generate a CycloneDX JSON SBOM, -o spdx --output-file-path results.spdx, to generate a SPDX SBOM and add -o csv to generate a CSV SBOM.The command to generate a CycloneDX SBOM is for example: