Skip to content

BMW-lab-MSU/msusel-pique-sbom-supplychain-sec_custom

 
 

Repository files navigation

MSUSEL-PIQUE-SBOM-SUPPLYCHAIN-SEC

Introduction

This project is an operationalized PIQUE model for the assessment of security quality in software supply chains utilizing SBOM technology.

Because of the various development environment challenges when dealing with numerous 3rd party applications, this project is also provided as a packaged standalone docker image. That image is available here.


Tools

These will be automatically installed when the docker image is built.


Run Environment

Docker

docker engine 20.10.24 (not tested with versions 21+)

The image for this project is hosted on dockerhub here. Instructions to download and run are supplied below

not Docker

It is not suggested to run PIQUE-SBOM-SUPPLYCHAIN-SEC without the pre-built docker image, but all files and configs are supplied on this repository.


API Key Requirments

A API key from the National Vulnerability Database and a Github personal access token are needed. See running for details.


Running

  1. Download and install Docker engine
  2. With Docker engine installed, pull the latest version of this project:
docker pull msusel/pique-sbom-supply-chain-sec:latest
  1. Navigate to a working directory for this project
  2. Create two directories, "input" and "out". Inside the "input directory", create two directories "keys" and "projects"
  3. Generate an NVD API key here and save the text of the key to a file 'nvd-api-key.txt'
  4. Generate a Github API token and save the text of the key to a file 'github-token.txt'
  5. Move the files 'nvd-api-key.txt' and 'github-token.txt' to the 'input/keys' directory.
  6. There are two options for input projects. If you have already generated SBOMs place any number of SBOMs to be analyzed in input/projects/SBOM. If you wish to assess the software supply chain security quality of a project but you haven't built an SBOM simply place the root folder of the project in input/projects/sourceCode. The resulting SBOMs will be placed in input/projects/SBOM and the model will continue as normal.
  7. The resulting directory structure should look like this:
├── $WORKDIR
│   ├── input
│   │   ├── keys
│   │   │   ├── github-token.txt
│   │   │   ├── nvd-api-key.txt
│   │   ├── projects
│   │   │   ├── SBOM
│   │   │   │   ├── place SBOMs to analyze here (SPDX or CycloneDX in json format)
│   │   │   ├── sourceCode
│   │   │   │   ├── place source code file systems to generate SBOMs for here 
│   ├── out
  1. Run the command (replace /path/to/working/directory to absolute path of $WORKDIR)
docker run -it --rm -v "/var/run/docker.sock:/var/run/docker.sock:rw" -v /path/to/working/directory/input:/input -v /path/to/working/directory/output:/output msusel/pique-sbom-supply-chain-sec:latest
  1. Results will be generated in the 'out' directory

Funding Agency:

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Java 87.9%
  • Python 7.4%
  • Shell 4.7%