Generating Software Bill of Materials

Objective

The aim of this section is to generate a Software Bill of Materials for DVNA and provide a solution to the 2nd point of the problem statement under Task 3.

Software Bill of Materials

A Bill of Materials is a list of the components used to assemble or create a product, together with a specification of how each component was used in making the end product.

A Software Bill of Materials (SBoM) is a list of all the software components, open-source or commercial, that were used to build a software solution. A more detailed description of software bills of materials can be found here.

CycloneDX

DVNA, like most other applications, is built on top of dependencies. To generate the SBoM for DVNA, I found a tool called CycloneDX. According to its documentation, it creates an SBoM that aggregates all of the project's dependencies.

CycloneDX is available as an NPM package that generates SBoMs for Node.js applications, and it also comes in a variety of implementations for projects using other stacks such as Python, Maven, .NET, etc. For my use case, I stuck with the NPM package as DVNA only uses Node.js.

Generating SBoM for DVNA

To start off, I installed CycloneDX's Node module with NPM by following the official documentation, using the command:

npm install -g @cyclonedx/bom

Then I ran CycloneDX with the command below in the root directory of the project to inspect the output and figure out the structure of the generated SBoM:

cyclonedx-bom

Note: I initially ran the scan before installing the modules, as I reused the project directory from the Lint Analysis pipeline, which did not require me to build DVNA. So I had to run npm install before running CycloneDX again, as it needs the node_modules directory to look through and identify the dependencies.

Lastly, I added a stage in the pipeline to run CycloneDX and store the SBoM (sbom.xml) in the local reports folder that I have been using through the entirety of the tasks:

stage('Generating Software Bill of Materials') {
    steps {
        // Install the dependencies so CycloneDX has a node_modules directory to scan
        sh 'npm install'
        // Write the SBoM to the shared reports folder used by the earlier tasks
        sh 'cyclonedx-bom -o /{JENKINS HOME DIRECTORY}/reports/sbom.xml'
    }
}

Software Bill of Material for DVNA

CycloneDX generated a comprehensive SBoM for DVNA in XML format. For each dependency, CycloneDX reported the module name, the version in use, its description, its hash checksum, the license the module uses, its package URL (purl) and any external references.
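
An SBoM is only useful if something reads it. The script below is an added example, not part of this write-up or of CycloneDX itself: it parses a CycloneDX XML document with Python's standard library, pulls out the fields listed above for each component, and flags the components a reviewer would want to look at (no hash, so the installed package cannot be integrity-checked; no license recorded; a purl that disagrees with the name and version). The embedded SBoM is a constructed two-component sample in the shape the npm module emits; the schema version (1.2), the hash digest and the package example-util are assumptions made for the demo, not DVNA's real output.

```python
"""Parse a CycloneDX XML SBoM and flag components with missing or inconsistent
metadata. Added example; the sample document below is constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample in CycloneDX 1.2 XML shape (assumed version). The digest is
# a fake placeholder and "example-util" is a made-up package with deliberate gaps.
SAMPLE_SBOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <name>express</name>
      <version>4.16.4</version>
      <description>Fast, unopinionated, minimalist web framework</description>
      <hashes>
        <hash alg="SHA-256">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</hash>
      </hashes>
      <licenses>
        <license><id>MIT</id></license>
      </licenses>
      <purl>pkg:npm/express@4.16.4</purl>
      <externalReferences>
        <reference type="website"><url>http://expressjs.com/</url></reference>
      </externalReferences>
    </component>
    <component type="library">
      <name>example-util</name>
      <version>1.3.0</version>
      <purl>pkg:npm/example-util@1.2.0</purl>
    </component>
  </components>
</bom>
"""

# npm purl: pkg:npm/<name>@<version>; scoped names are percent-encoded (%40scope/name)
PURL_RE = re.compile(r"^pkg:npm/(?P<name>[^@]+)@(?P<version>.+)$")


def _namespace(root):
    """Return an ElementTree namespace map for the document's default namespace."""
    m = re.match(r"\{(.*)\}", root.tag)
    return {"c": m.group(1)} if m else {}


def _find_text(el, path, ns):
    """Text of the first descendant at a slash-separated path of local tag names."""
    full = "/".join(f"c:{p}" if ns else p for p in path.split("/"))
    child = el.find(full, ns)
    return child.text.strip() if child is not None and child.text else None


def parse_sbom(xml_text):
    """Return a list of dicts, one per <component>, with the fields CycloneDX reports."""
    root = ET.fromstring(xml_text)  # use defusedxml for SBoMs from untrusted sources
    ns = _namespace(root)
    p = "c:" if ns else ""
    components = []
    for comp in root.findall(f"{p}components/{p}component", ns):
        hashes = {h.get("alg"): (h.text or "").strip()
                  for h in comp.findall(f"{p}hashes/{p}hash", ns)}
        licenses = [_find_text(lic, "id", ns) or _find_text(lic, "name", ns)
                    for lic in comp.findall(f"{p}licenses/{p}license", ns)]
        refs = [(r.get("type"), _find_text(r, "url", ns))
                for r in comp.findall(f"{p}externalReferences/{p}reference", ns)]
        components.append({
            "type": comp.get("type"),
            "name": _find_text(comp, "name", ns),
            "version": _find_text(comp, "version", ns),
            "description": _find_text(comp, "description", ns),
            "hashes": hashes,
            "licenses": [lic for lic in licenses if lic],
            "purl": _find_text(comp, "purl", ns),
            "external_references": refs,
        })
    return components


def find_gaps(components):
    """Map component name -> list of problems a reviewer should follow up on."""
    gaps = {}
    for c in components:
        problems = []
        if not c["hashes"]:
            problems.append("no hash: installed package cannot be integrity-checked")
        if not c["licenses"]:
            problems.append("no license recorded")
        m = PURL_RE.match(c["purl"] or "")
        if not m:
            problems.append("missing or non-npm purl")
        elif (unquote(m.group("name")), m.group("version")) != (c["name"], c["version"]):
            problems.append(f"purl {c['purl']} does not match {c['name']}@{c['version']}")
        if problems:
            gaps[c["name"]] = problems
    return gaps


if __name__ == "__main__":
    comps = parse_sbom(SAMPLE_SBOM)
    for c in comps:
        print(f"{c['name']}@{c['version']}  purl={c['purl']}  licenses={c['licenses']}")
    for name, problems in find_gaps(comps).items():
        for problem in problems:
            print(f"  [{name}] {problem}")
```

To run it against the pipeline's output, replace SAMPLE_SBOM with the contents of reports/sbom.xml; the namespace is read from the root element, so the script does not depend on the exact schema version CycloneDX wrote.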

The full Software Bill of Material generated by CycloneDX can be found here.