Increasingly, software imposes security requirements on developers. Because software is built from many libraries and utilities, developers introduce a lot of dependencies into the final product that they do not fully control. Ensuring product security means maintaining high security standards both during software development and at the CI/CD (Continuous Integration & Deployment) level. With artifacts accompanying software packages such as an SBOM (Software Bill Of Materials), developers have full insight into the dependencies and libraries included in a software release.
By running a security scan within the CI/CD procedure and producing an SBOM, it is easier to spot components with known vulnerabilities before the product is released, or, if a vulnerability is identified post-release, to determine just by reviewing the SBOM whether a security patch is necessary.
An SBOM is a list of all components present in a codebase. A fully-fledged SBOM should include the versions, origin and license names of components in the final software release. It may also include patch status and other valuable information about the component.
President Joe Biden issued a security executive order in May 2021 outlining recommendations for agencies and vendors involved in business with the US government. Guidelines stated that companies/agencies must safeguard software in response to supply chain cyberattacks. One suggestion was to include a mandate for SBOMs to guarantee the security of software used by the federal government.
SBOM use cases vary. The set of SBOM users includes developers, security and compliance teams, incident response teams, procurement, investors and more. Software engineers, for example, want an up-to-date SBOM to understand which libraries sit behind their software's dependencies. An SBOM is also an ideal tool for security teams, who require insight into third-party software risks: which version is in use, the licensing implications, and other dependencies that may be adding to security debt. An SBOM helps incident response teams identify where a vulnerable component sits and assess whether it has been exploited, so that customers and software vendors can be notified.
Travis CI can generate an SBOM based on your repository and the programming languages used. CycloneDX was chosen as the default standard for scanning and generating the SBOM. CycloneDX plugins can generate an SBOM for many popular programming languages supported by Travis CI. Results are generated as JSON or XML. An additional advantage is the ability to generate the SBOM as an SPDX file; SPDX is another SBOM format. See our documentation for more information.
Developers should be aware that, because of the open Travis CI structure, it is possible to use any scanner or SBOM generator. Travis CI offers an out-of-the-box basic option for ease of use and standardization of build recipes.
Travis CI users can enjoy the benefits of SBOM generation in their CI/CD automation using the integrated SBOM functionality, as shown in the example below (a .travis.yml, followed by the two files it references):
os: linux
dist: focal
language: python
addons:
  sbom:
    on:
      branch: master
      pr: true
      condition: $OS = linux
    run_phase: before_script
    output_format: spdx-xml
  mariadb: '10.0'
script:
  - python hello.py
  - pip install -r requirements.txt

<hello.py>
print("hello world")

<requirements.txt>
flask
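As an added example (not part of the original post and not Travis CI's own tooling), here is a gate that a later `script` step could run over the generated SBOM: it reads a CycloneDX JSON document, extracts each component's name, version and license, and fails the build when a component is below a known fixed version or carries a license the project has denied. It assumes `output_format` is set to CycloneDX JSON rather than spdx-xml; the SBOM content, the advisory entry and the denied-license set are constructed for illustration.

```python
"""Gate a CI build on a CycloneDX JSON SBOM (added example, not Travis CI code)."""
import json

# Constructed sample SBOM laid out like CycloneDX 1.4 JSON (not real scan output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "flask", "version": "2.0.1",
         "purl": "pkg:pypi/flask@2.0.1",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "name": "werkzeug", "version": "2.0.1",
         "purl": "pkg:pypi/werkzeug@2.0.1",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "name": "somelib", "version": "1.4.0",
         "purl": "pkg:pypi/somelib@1.4.0",
         "licenses": [{"license": {"name": "GPL-3.0-only"}}]},
    ],
})

# Constructed advisory feed: name -> (first fixed version, advisory id placeholder).
# In a real pipeline this would come from a vulnerability database keyed by purl.
ADVISORIES = {"werkzeug": ("2.0.2", "ADVISORY-ID-PLACEHOLDER")}
DENIED_LICENSES = {"GPL-3.0-only"}   # constructed policy for this example

def parse_version(v):
    """Turn '2.0.1' into (2, 0, 1) for numeric comparison; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def components(sbom_text):
    """Yield (name, version, [licenses]) for every component in a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    for comp in doc.get("components", []):
        entries = [entry.get("license", {}) for entry in comp.get("licenses", [])]
        names = [e.get("id") or e.get("name", "unknown") for e in entries]
        yield comp["name"].lower(), comp.get("version", ""), names

def findings(sbom_text):
    """Return human-readable policy violations; an empty list means the gate passes."""
    out = []
    for name, version, licenses in components(sbom_text):
        if name in ADVISORIES:
            fixed, advisory = ADVISORIES[name]
            if parse_version(version) < parse_version(fixed):
                out.append(f"{name}@{version}: {advisory} (fixed in {fixed})")
        out += [f"{name}@{version}: denied license {lic}"
                for lic in licenses if lic in DENIED_LICENSES]
    return out

if __name__ == "__main__":
    problems = findings(SAMPLE_SBOM)
    print("\n".join(problems) or "SBOM gate passed")
    raise SystemExit(1 if problems else 0)   # non-zero exit fails the CI job
```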
Finally, SBOM generation is only one of many pieces of a secure software supply chain. Remember that the CI/CD tooling automating the build, test and deployment processes is a wide attack surface for threat actors. Other measures that help secure your software testing and release process are described in our documentation and blog:
Active log scanning to detect and hide secrets, combined with log access restrictions
Sign your software with Travis
Improved CI/CD Build Job Log Security
Summary of best practices when using Travis CI