Feature Focus: SBOM Import

Learn in this article how to import SBOMs (Software Bill of Materials) into CAST Highlight.

Managing software supply chain risk can be likened to keeping a house safe from intruders. As the guardian of your organization’s software deliveries, you are responsible for ensuring that every component is secure and free from legal, licensing, and vulnerability risks. However, with the vast array of software components involved, it can be challenging to maintain an overview of all potential vulnerabilities and ensure that every software delivery is as safe and secure as possible.

That’s why a Software Bill of Materials (SBOM) is so important and why SBOM formats like CycloneDX are emerging as standards for sharing SBOMs between, for instance, a company and its software suppliers. An SBOM is like a cooking recipe listing ingredients (software components), telling you exactly what’s inside the package. But reviewing these SBOMs manually can be a real headache. Trying to centralize and keep control of this information is even more complex at the portfolio level.

9531
Manual review of SBOMs can be particularly challenging when you don’t have access to the corresponding application’s source code. Without access to the source code, it can be challenging to identify potential vulnerabilities or outdated components that could be present in the software delivery. Manually reviewing each component listed in the SBOM can be a time-consuming process, especially if you’re not an expert in the technology or programming language used. Additionally, manual review can be error-prone and prone to missing potential risks, making it challenging to ensure that the software delivery is as safe and secure as possible. An automated SBOM review process can provide a more efficient and reliable way to analyze the SBOM and identify potential risks, even without access to the source code.

And that’s exactly what a Software Composition Analysis product like CAST Highlight can do. By importing SBOMs in CycloneDX format, CAST Highlight can instantly analyze every component, check for known vulnerabilities, identify any licensing issues, and highlight any outdated components. It’s like having a super-powered microscope that can instantly see all the tiny details that you might miss, without even having to scan the source code or binaries. And that’s the interesting part of this SBOM importing capability. Let’s see how it works.

How to import a CycloneDX SBOM in CAST Highlight

If you’re familiar with CAST Highlight, you know that an application result is made of scan results and/or survey results for a given application snapshot. As an SBOM is neither a scan nor a survey, the first step will consist of creating an “empty” application result (a new snapshot if you will) which will be the placeholder for the SBOM import.

9532

  1. Go to APPLICATION SCANS and click on “Start new SBOM import”.
  2. A modal opens where you can define the snapshot label for the result you’re creating, select the applications and choose the import date.
  3. Once you click on ‘Save’, a new result is created for the corresponding applications with the defined closing date. You can now start the SBOM file import by clicking on ‘Import SBOM file’.
  4. A modal opens to upload the SBOM file (the currently supported format is CycloneDX 1.4), define a reference name for this uploaded document (by default, the reference will be the file name) and a generate date (by default, it will be current date). Note that the same SBOM file cannot be imported more than once for the same application, although the same SBOM file can be uploaded for different applications.

9533

  1. Select the SBOM corresponding to the application snapshot and click on ‘Save’.

9534

  1. Finally click on ‘Submit’ to run the SCA result processing for this SBOM import.

Once the SBOM import has been processed by CAST Highlight, application results are available under the Software Composition tab for the given application, exactly as if it were scanned directly. Vulnerabilities, license issues, obsolescence, list of detected components and versions, and other SCA features are available.

You will notice that the ‘Origin’ icon is slightly different from a regular scan as components are not detected through a dependency file (pom.xml, package.json, etc.) nor a scan fingerprint, but through a SBOM file import.

9535
With this new feature, we extend more and more CAST Highlight capabilities to act as a ‘control tower’ for your application portfolio, even for those applications you can’t scan.

 

Note: we released this SBOM importing feature in beta as, although the CycloneDX format is becoming a de facto standard, the SBOM structure can be different from one SCA product to another as the CycloneDX format is very flexible. For instance, one of the key requirements for current version of SBOM import is the “purl” (package url) attribute.

CAST Highlight supports the import of CAST Highlight-generated SBOMs, but don’t hesitate to reach out to support (help@castsoftware.com) for any issue with SBOMs from other products.

This feature is available on demand, contact us to enable it for your CAST Highlight instance (help@castsoftware.com).

Supported CycloneDX versions and SBOM tools

CycloneDX: 1.5

Tools:

  • CAST Highlight
  • Maven
  • NodeJS
  • Anchore Syft