Software Vulnerability Analysis using SBOMs, Amazon Neptune, and Nodestream
Software vulnerabilities are a significant concern for companies and individuals. In this post, I'll discuss some of the recent work I have been doing to provide a unified graph model for ingesting and analyzing Software Bills of Materials (SBOMs). SBOMs can be loaded from three sources:

- Local SPDX or CycloneDX files
- From Amazon Inspector
- Directly from GitHub
2. They provide security personnel with the necessary information to examine and assess potential vulnerabilities within the software environment.
3. They equip legal personnel with the data required to ensure compliance with licensing requirements.
- Dependency Graphs: These graphical representations illustrate how different components within the software depend on and relate to one another, making complex relationships more comprehensible.
- Vulnerability Graphs: By mapping vulnerabilities to the corresponding components, vulnerability graphs enable organizations to assess associated risks and prioritize the mitigation of known issues.
- Supply Chain Graphs: SBOMs trace the flow of components and dependencies up the software supply chain.
Install the required packages:

```shell
pip install -q pyyaml nodestream-plugin-neptune nodestream_plugin_sbom
```

Then configure the `nodestream.yaml` file as shown below. In this example, we are going to load the SBOM files for Nodestream, the Nodestream Neptune Plugin, and the Nodestream SBOM plugin into our database directly from GitHub, and run the pipeline with:

```shell
nodestream run sbom_github --target my-neptune
```
The graph model consists of the following node types:

- `Document`: Represents the SBOM document as well as the metadata associated with that SBOM.
- `Component`: Represents a specific component of a software system.
- `Reference`: Represents a reference to any external system which the system wanted to include as a reference. This can range from package managers to URLs of external websites.
- `Vulnerability`: Represents a specific known vulnerability for a component.
- `License`: The license for the component or package.
The relationship types between these nodes are:

- `DESCRIBES` / `DEPENDS_ON` / `DEPENDENCY_OF` / `DESCRIBED_BY` / `CONTAINS`: Represents the type of relationship between a `Document` and a `Component` in the system.
- `REFERS_TO`: Represents a reference between a `Component` and a `Reference`.
- `AFFECTS`: Represents that a particular `Component` is affected by the connected `Vulnerability`.
With the data loaded, the graph answers questions such as:

- Components that are shared across all the projects.
- `lgpl-2.1-or-later` licensed components.
- `lgpl-2.1-or-later` components that are connected to components with the `unlicense`.
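The model and the three questions above, worked through as an added example in plain Python (this is not code from the post or from the Nodestream project). It builds the node and relationship types described above from three constructed CycloneDX-style SBOMs held in memory, then answers the shared-component and license questions with set operations, and adds the `AFFECTS` lookup for vulnerable components. Assumptions: the edge joining a `Component` to its `License` is named `LICENSED_UNDER` (the post does not name that relationship), `AFFECTS` points from `Vulnerability` to `Component`, and all package names, URLs and the vulnerability id are made up. In Neptune the same questions would be openCypher queries over the loaded graph.

```python
import json
from collections import defaultdict

# Three constructed CycloneDX-style SBOMs, one per project. Package names, URLs
# and the vulnerability id are made up for this example.
SBOMS_JSON = r'''[
 {"serialNumber": "urn:uuid:doc-1", "metadata": {"component": {"name": "app-a"}},
  "components": [
   {"purl": "pkg:pypi/requests@2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}],
    "externalReferences": [{"type": "website", "url": "https://example.invalid/requests"}]},
   {"purl": "pkg:pypi/pyyaml@6.0", "licenses": [{"license": {"id": "MIT"}}]},
   {"purl": "pkg:pypi/libfoo@1.0", "licenses": [{"license": {"id": "lgpl-2.1-or-later"}}]},
   {"purl": "pkg:pypi/tinyutil@0.1", "licenses": [{"license": {"id": "unlicense"}}]}],
  "dependencies": [{"ref": "pkg:pypi/libfoo@1.0", "dependsOn": ["pkg:pypi/tinyutil@0.1"]}],
  "vulnerabilities": [{"id": "EXAMPLE-2024-0001", "affects": [{"ref": "pkg:pypi/pyyaml@6.0"}]}]},
 {"serialNumber": "urn:uuid:doc-2", "metadata": {"component": {"name": "app-b"}},
  "components": [
   {"purl": "pkg:pypi/requests@2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
   {"purl": "pkg:pypi/pyyaml@6.0", "licenses": [{"license": {"id": "MIT"}}]}]},
 {"serialNumber": "urn:uuid:doc-3", "metadata": {"component": {"name": "app-c"}},
  "components": [
   {"purl": "pkg:pypi/pyyaml@6.0", "licenses": [{"license": {"id": "MIT"}}]},
   {"purl": "pkg:pypi/libfoo@1.0", "licenses": [{"license": {"id": "lgpl-2.1-or-later"}}]}]}
]'''


class Graph:
    """Minimal labelled property graph: nodes keyed by (label, id), edges as triples."""

    def __init__(self):
        self.nodes = {}      # (label, id) -> properties
        self.edges = set()   # (src, rel, dst) with src/dst being (label, id)

    def add_node(self, label, node_id, **props):
        self.nodes.setdefault((label, node_id), {}).update(props)
        return (label, node_id)

    def add_edge(self, src, rel, dst):
        self.edges.add((src, rel, dst))

    def out(self, src, rel):
        return {d for s, r, d in self.edges if s == src and r == rel}

    def inbound(self, dst, rel):
        return {s for s, r, d in self.edges if d == dst and r == rel}

    def by_label(self, label):
        return [n for n in self.nodes if n[0] == label]


def load_sbom(graph, bom):
    """Map one CycloneDX-style document onto the post's node and edge types."""
    doc = graph.add_node("Document", bom["serialNumber"], name=bom["metadata"]["component"]["name"])
    for c in bom.get("components", []):
        comp = graph.add_node("Component", c["purl"])
        graph.add_edge(doc, "DESCRIBES", comp)
        for lic in c.get("licenses", []):          # LICENSED_UNDER is an assumed edge name
            graph.add_edge(comp, "LICENSED_UNDER", graph.add_node("License", lic["license"]["id"]))
        for ref in c.get("externalReferences", []):
            graph.add_edge(comp, "REFERS_TO", graph.add_node("Reference", ref["url"], type=ref["type"]))
    for dep in bom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            graph.add_edge(("Component", dep["ref"]), "DEPENDS_ON", ("Component", target))
    for vuln in bom.get("vulnerabilities", []):     # assumed direction: Vulnerability -AFFECTS-> Component
        v = graph.add_node("Vulnerability", vuln["id"])
        for a in vuln.get("affects", []):
            graph.add_edge(v, "AFFECTS", ("Component", a["ref"]))
    return doc


def build_graph():
    g = Graph()
    for bom in json.loads(SBOMS_JSON):
        load_sbom(g, bom)
    return g


def shared_components(graph):
    """Components DESCRIBED by every Document, i.e. shared across all projects."""
    docs = set(graph.by_label("Document"))
    return sorted(c[1] for c in graph.by_label("Component") if graph.inbound(c, "DESCRIBES") == docs)


def components_with_license(graph, license_id):
    return sorted(c[1] for c in graph.inbound(("License", license_id), "LICENSED_UNDER"))


def license_links(graph, license_a, license_b):
    """(a, b) pairs where a component under license_a DEPENDS_ON a component under license_b."""
    pairs = []
    for comp in graph.inbound(("License", license_a), "LICENSED_UNDER"):
        for dep in graph.out(comp, "DEPENDS_ON"):
            if ("License", license_b) in graph.out(dep, "LICENSED_UNDER"):
                pairs.append((comp[1], dep[1]))
    return sorted(pairs)


def vulnerable_components(graph):
    """Component purl -> sorted ids of the Vulnerability nodes that AFFECT it."""
    hits = defaultdict(list)
    for v in graph.by_label("Vulnerability"):
        for comp in graph.out(v, "AFFECTS"):
            hits[comp[1]].append(v[1])
    return {k: sorted(ids) for k, ids in hits.items()}


if __name__ == "__main__":
    g = build_graph()
    print("shared across all projects:", shared_components(g))
    print("lgpl-2.1-or-later:", components_with_license(g, "lgpl-2.1-or-later"))
    print("lgpl -> unlicense links:", license_links(g, "lgpl-2.1-or-later", "unlicense"))
    print("vulnerable:", vulnerable_components(g))
```

The shared-component check compares the set of `Document` nodes that `DESCRIBES` each component with the set of all documents, which is the same intersection a graph database computes; the license-link check walks `LICENSED_UNDER` backwards, `DEPENDS_ON` forwards and `LICENSED_UNDER` forwards again, so the path shape is the one you would write as a Cypher pattern.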
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.