sbom as files as config option #51

Open
sparrell opened this issue Oct 24, 2020 · 0 comments

Comments

sparrell commented Oct 24, 2020

TwinklyMaHa responds to the openc2 query-sbom command with a hardcoded response of a previously created sbom.
The response is a base64-encoded cyclonedx xml sbom.
The code which does this is around line 93 of https://github.com/sparrell/TwinklyMaHa/blob/main/lib/Oc2/do_query_sbom.ex.

There are several issues that need correcting:

  1. instead of responding with base64-encoded xml, respond with json.
  2. the command right now only allows for one type of cyclonedx. Proposal is to allow for two types, xml and json. Use "cyclonedx" for xml and "cyclonedj" for json. The cyclonedj option should replace the cyclonedx option as the only one responded to. Adding xml as a second choice could be a subsequent task
  3. the sbom should not be hardcoded. It should be retrieved from a file. Initially the file could be 'hardcoded' into the src (requiring developers to remember to update) but eventually ideally it should be in a known location and retrieved as part of build process

Step 1 - leaving control structure alone (i.e. still "cyclonedx", not "cyclonedj") replace line 93 with something that retrieves a json file and inserts the sbom json "inside" the response json. To begin with the file can be anywhere convenient and for now can just be any old json sbom file

Step 2 - once #63 is complete and creating json sboms is part of the build process, modify what was done in step 1 to retrieve the actual sbom for this repo

Step 3 - once step 2 works, look to modifying control flow to operate correctly. Openc2 query-sbom command has a parameter which lists the priority order of formats (e.g. ["spdx", "cyclonedj", "cyclonedx", "swid"] means return spdx if you have it, and if you don't return cyclonedj, and if you don't then return cyclonedx, and if you don't then return swid). Right now it only looks for "cyclonedx". Change it so it looks wherever the previous bullet implemented for what formats it has (e.g. it might have cyclonedj and cyclonedx) and returns the best choice based on what was requested (in this example cyclonedj). Allow for a developer manually putting spdx or swid formatted files in that directory. cyclonedx and cyclonedj should be created by build tools in the previous bullet. For cyclonedj - return sbom json embedded in response json. For spdx, cyclonedx, swid the response needs to be base64 encoded
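The step 3 selection logic (pick the first requested format that exists on disk, embed cyclonedj as JSON, base64 the rest), as an added Elixir example that is not TwinklyMaHa's own code. It assumes the SBOM files are stored as `sbom.<format>` in one directory, that the Jason library is available for JSON decoding, and the response map shape is illustrative rather than the OpenC2 spec's.

```elixir
defmodule QuerySbomExample do
  @moduledoc """
  Added example, not the TwinklyMaHa implementation. Chooses the best SBOM
  format from an OpenC2 query-sbom preference list and builds the reply body.
  Assumption: SBOM files live in one directory, named sbom.<format>.
  """

  # Formats the responder knows how to serve; "cyclonedj" is the JSON
  # CycloneDX variant proposed in the issue.
  @known_formats ["spdx", "cyclonedj", "cyclonedx", "swid"]

  @doc "Return the first format in `requested` that is also in `available`, or nil."
  def choose_format(requested, available) do
    Enum.find(requested, fn fmt -> fmt in available end)
  end

  @doc "List the known formats for which an sbom.<fmt> file exists in `dir`."
  def available_formats(dir) do
    Enum.filter(@known_formats, fn fmt ->
      File.exists?(Path.join(dir, "sbom." <> fmt))
    end)
  end

  @doc """
  Build the query-sbom reply (illustrative map shape, not the OpenC2 schema).
  cyclonedj is decoded so the SBOM sits inside the response JSON; every other
  format is returned as a base64 string. Unknown or unreadable files fall
  through as {:error, reason} tuples.
  """
  def build_response(requested, dir) do
    case choose_format(requested, available_formats(dir)) do
      nil ->
        {:error, "no requested sbom format available"}

      "cyclonedj" = fmt ->
        # Assumes the Jason library (common in Phoenix apps) for decoding.
        with {:ok, raw} <- File.read(Path.join(dir, "sbom." <> fmt)),
             {:ok, sbom} <- Jason.decode(raw) do
          {:ok, %{"sbom" => %{fmt => sbom}}}
        end

      fmt ->
        with {:ok, raw} <- File.read(Path.join(dir, "sbom." <> fmt)) do
          {:ok, %{"sbom" => %{fmt => Base.encode64(raw)}}}
        end
    end
  end
end
```

With `sbom.cyclonedj` and `sbom.cyclonedx` present, `build_response(["spdx", "cyclonedj", "cyclonedx", "swid"], dir)` returns the decoded cyclonedj document, matching the priority example in step 3.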

@sparrell sparrell created this issue from a note in CybersecurityAutomationWorkshop (In Progress - Duncan) Oct 24, 2020
@sparrell sparrell self-assigned this Oct 24, 2020
@sparrell sparrell moved this from In Progress - Duncan to Next up - Sigu in CybersecurityAutomationWorkshop Nov 17, 2020
@sparrell sparrell added the -Maha label Nov 17, 2020
@sparrell sparrell assigned sigu and unassigned sparrell Nov 17, 2020