Slsa: accelerator for successful SBOM

author ：Brandon Lum, Isaac Hepworth, Meder Kydyraliev

translate ： Wang Feng

proofreading ： Sun Wenlong

SBOM  The full name is  Software Bill of Materials, Software BOM , It is not a specific file format .SBOM There are different formats , But the essence is for components 、 rely on 、 Loophole 、 license 、 Display of copyright and other information .

SLSA

 

The full name is  Supply-chain Levels for Software Artifacts,  Supply chain level software products , It's a creation “ Security software supply chain ” Framework .

SBOM  and  SLSA  They can complement each other , Follow relevant  SLSA  Principles can be generated more easily  SBOM. because  SBOM  Depends on accuracy 、 Integrity and credibility , Therefore, those who own software products  SLSA  Source data can improve  SBOM  Quality and integrity of .

If you are trying to build and run secure software , You may have heard of SBOM, Or software BOM . As software “ composition ” label ,SBOM  It is a document that provides a nested list of software packages and components contained in the software .SBOM  As part of a secure software supply chain , Got the White House release “ About improving network information security 2021 Executive order of ” Support for .

 

SBOM  It can help consumers better manage the （ potential ） risk , And can deal with vulnerabilities more easily . In order to make SBOM（ In various organizations ） Be adopted more widely , At present, it needs to be in  SBOM  A lot of work has been put into the relevant fields of . however , Just like other industry changes of the same scale , There are many problems to be solved . for example ：SBOM  There is currently no information included or required to help users respond to build tampering and attacks , for example  Solarwinds  and  Codecov; Distribution and validation  SBOM  The documentation ecosystem is not yet complete ; Generate  SBOM  The most common way is to use the code audit tool to scan after writing the code , But this can lead to  SBOM  The accuracy of .

We believe that ,

SLSA（ Supply chain level software products ） As a framework for creating a secure software supply chain , When it comes to  SBOM  When used in combination , Can solve these potential problems .

This article explains SBOM  and  SLSA  And the fundamental differences between them , And shows  SLSA  How principles can support the generation of high-quality  SBOM  It can also help consumers cope with supply chain attacks .

 

SLSA vs. SBOM

If  SBOM  It's like a food ingredient list , that  SLSA  It can be considered as a food safety handling guide to make the ingredient list credible . From the standard of clean factory environment , Ensure that contaminants do not enter the packaging plant , A sealing strip for food packaging on supermarket shelves to prevent contents from being swapped , This framework for ensuring food safety ensures that consumers can be sure that the food they buy is consistent with the food ingredient list on the packaging .

Again ,

By providing guidance and basis for each step of the software production process ,SLSA  The framework ensures its credibility , The goal is to make the final software package  SBOM  It's believable .

As a framework ,SLSA Some specific practices and guidelines are given , To help you build software safely and verify its integrity . These guidelines help reduce the following risks ：

SBOM  and  SLSA In different cases （ For building a secure software supply chain ） It helps a lot . Just like if there is a product recall , The ingredient list is very useful , So that the affected goods can be removed from the supermarket shelves . alike ,SBOM  Can help answer this question ：“ Whether I have been  Log4j（ Or the next major flaw ） Influence ？”

 

On the other hand ,SLSA  Answers a broader question ：“ Can I trust that this software uses security development best practices at every step of the production process ？”  more importantly ,SLSA  You can also answer the following questions ：“ Does my software meet the requirements of the secure software development framework ？”

 

SLSA and SBOM

SBOM  and  SLSA  They can complement each other , Follow relevant  SLSA  Principles can be generated more easily  SBOM.

especially ,SLSA  One of the main principles of is the need to generate tamper proof source data , That is, who has performed the release process of the software product 、 Whether the materials used in the production process and the software products are protected against tampering . because  SBOM  Depends on accuracy 、 Integrity and credibility , Therefore, those who own software products  SLSA  Source data can improve SBOM  Quality and integrity of .

Accuracy and completeness

At present , Many tools create  SBOM  The method of depends on speculation , Or use the information from the final software product to generate a list of ingredients . however , This method has its disadvantages , Because if you try to generate by scanning compiled software artifacts  SBOM, Information such as statically linked binaries that do not contain their dependent metadata may be missed . Again , By generating... Based on file hashes  SBOM  Some vulnerabilities that are not actually affected may be falsely reported , So as to reduce the trust in the whole vulnerability response process .

 

On the other hand , stay  SLSA  With the help of authentication information, more accurate SBOM. By using  SLSA  Source information and metadata , You can get high fidelity information about the content of software artifacts , Include more accurate dependency information , So you don't have to guess later .

Green shows traditional  SBOM  Source of information ; Use  SLSA  Can be in  SBOM  Contains build information .（ The red triangle marks  SLSA Threats to the software supply chain that can be solved .）

SLSA  Accurate build metadata also helps provide tangible information about how software is built ： The construction metadata will specify the factory information of the entered materials and production products . If the defective product is caused by poor quality control or machinery （ For example, errors in tools such as damaged build systems or compilers ） Caused by the , So the... That contains this extra data  SBOM  Will be more complete , And help users deal with the problem of supply chain damage .

credibility

from  SLSA  Generated from source data  SBOM  Enhanced user awareness of  SBOM  Confidence in accuracy , Because users know that it is created based on high fidelity construction metadata ： The ingredient list is generated by observing the contents added during product manufacturing .SLSA  The source data also tells the user that the metadata comes from a verifiable build , And the source data itself has been captured and signed in a secure way . stay  SBOM  Reference to these source data documents in provides additional assurance for the safety process of production software .

SLSA  The experience of the community in creating this integrity is important to  SPDX（ Software package data exchange ） The format is very useful ,SPDX It's a sign of SBOM  Open standards for .SPDX SBOM  The community is currently working together to identify  SBOM  Data integrity and signature process . besides , It also launched its standardization committee , by SPDX 3.0  Data writing standardized serialization format , This is important to clarify how to validate a signed document .CycloneDX Is another  SBOM  Standards for , It is also solving this problem through its authenticity and the characteristics of source related use cases . We believe that SBOM  The community will benefit from the use of  SLSA  Tools and practices from the same source ：Sigstore（ Used based on  OIDC  Temporary signature and transparency log ） and  in-toto（ Used for metadata format ）. These tools help solve the problem of storing and distributing metadata documents that need to accompany artifacts , It is also helpful to establish users' understanding of SBOM  The trust of the .

Conciseness

use  SLSA  Ideas can also simplify generation  SBOM  Required tool updates . Enable... For all software under development  SBOM  Is a problem , Because it needs to be integrated with all the tools for developing software , For example, compiler 、 Packers and builders . Many of these tools are maintained by volunteers in the open source community , They need to update the tools , Not only in  SBOM  The whole process is described in , Also retrieve and pass all of their input materials  SBOM.

 

However , Use  SLSA  The way to track building metadata means that the tool only needs to generate parts  SBOM  To describe its own software development process . For any particular software , have access to  SLSA  Build metadata as “ adhesive ”, Put the appropriate part of SBOM（“ Can be combined ”SBOM） Assemble into complete and accurate  SBOM. This will relieve the heavy burden on the implementer of the build tool , Drive faster adoption SBOM.

join forces

With  SLSA  and  SBOM  Be adopted more widely , They face many of the same challenges ： Extensibility 、 Tools that can be widely adopted across multiple ecosystems , And how to comply with the requirements of the executive order .SLSA and SBOM  Communities should work together to address these common challenges , Save repetitive energy and time . Only by sharing these resources and ideas can we bring better solutions to the two communities .

 

SLSA  and  SBOM—— Whether it's the concept of community or safety , Compared to using either treatment alone or through a single community , Collaboration will be even stronger .

We look forward to seeing these two communities work together , For better vulnerability management , Provide a more secure software supply chain for all software users .

Link to the original text ：

https://slsa.dev/blog/2022/05/slsa-sbom