
Support for Infrastructure as Code (terraform, etc...)

Open DarthHater opened this issue 4 years ago • 7 comments

So it dawned on me that, say you wanted to represent not just your application, but the external dependencies for it (so, the miraculous things that happen in AWS, GCP, etc...), I wasn't entirely sure how to represent this! I'm opening this issue more so as a collection of ideas, with no concrete feeling that I'll come out of it with YES THIS IS HOW, but more so to see how people think about it?

This could be slightly duplicative of the intent of something like terraform, too! Terraform is meant to manage your IaC, and it creates files that describe what it plans to do, or state (terraform plans, terraform state, etc...).

Mostly curious as to others' thoughts around this. How would YOU describe them?

DarthHater avatar May 20 '21 21:05 DarthHater

I would document them as services. Or is there some required information for your use case missing from that type?

coderpatros avatar May 24 '21 11:05 coderpatros

I can think of e.g. the google_container_clusters resource from the google terraform package, which describes the Kubernetes version being used, which can then be linked to CVEs. Same for Cloud SQL (postgresql) etc.

hazcod avatar May 27 '21 05:05 hazcod

@hazcod I don't use terraform myself, so I might be misunderstanding your example.

But, if it's an external service I would document it as a service. Ideally you would additionally add an external reference to the BOM of that service, which is a supported external reference type.

coderpatros avatar Jun 01 '21 08:06 coderpatros

Yes, I can see many use cases for this, as vulnerabilities etc. could live in the underlying infra, such as an Ansible play, Terraform, CloudFormation etc., and also in the specific underlying OS instances, packages, and configuration.

tonykay avatar Dec 24 '21 00:12 tonykay

Checkov supports CycloneDX and obviously IaC, but I haven't seen how they output CycloneDX. Does anyone have an example of infrastructure represented in CycloneDX from checkov?

stevespringett avatar Dec 24 '21 04:12 stevespringett

Let me join this discussion. I deeply respect this community.

IaC only defines the infrastructure of the product. Probably, if it is created as a BOM specification, it is necessary to abstract the product.

A product is:
・Service {Operating-system {Applications {Libraries}}}
・Devices (L2, L3 switch, e.g. load balancer, machine)
・Network (IP address, domain, port, firewall)

If it is possible to define the SaaSBOM specification and how these Services or Applications are connected to each other, it should be possible to create a BOM from the IaC.

Thanks.

masahiro331 avatar May 31 '22 07:05 masahiro331

v1.5 will introduce a new external reference called codified-infrastructure which will allow a CDX BOM to reference terraform or other IaC spec.

stevespringett avatar Mar 13 '23 14:03 stevespringett
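As an added illustration of the two suggestions in this thread (model the cloud resource as a CycloneDX service with a `bom` external reference to its own BOM, and use the 1.5 `codified-infrastructure` external reference type to point at the Terraform that creates it), here is a small Python example that is not part of the CycloneDX project or this issue. The BOM content, the `example.invalid` URLs, the Kubernetes version and the property name are constructed placeholders; the script extracts the IaC references per service and flags `codified-infrastructure` when it is used in a BOM whose `specVersion` is older than 1.5.

```python
import json

# Constructed example BOM (not from the issue): one GKE cluster modelled as a
# CycloneDX service, with the Kubernetes version recorded as the service version,
# a link to the cluster's own BOM, and a 1.5 codified-infrastructure reference
# to the Terraform module that creates it. All URLs and names are placeholders.
EXAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "services": [{
        "bom-ref": "service-gke-prod",
        "name": "google_container_cluster.prod",
        "version": "1.27",  # example Kubernetes version, constructed
        "properties": [{"name": "cloud:provider", "value": "gcp"}],
        "externalReferences": [
            {"type": "bom", "url": "https://example.invalid/bom/gke-prod.cdx.json"},
            {"type": "codified-infrastructure",
             "url": "https://example.invalid/infra.git#clusters/prod/main.tf"},
        ],
    }],
}

# External reference types that exist only from CycloneDX 1.5 onwards.
TYPES_SINCE_1_5 = {"codified-infrastructure"}

def spec_version(bom):
    """Return specVersion as a comparable tuple, e.g. "1.5" -> (1, 5)."""
    return tuple(int(p) for p in bom["specVersion"].split("."))

def iac_references(bom):
    """Map each service (by bom-ref) to its codified-infrastructure URLs."""
    out = {}
    for svc in bom.get("services", []):
        urls = [r["url"] for r in svc.get("externalReferences", [])
                if r.get("type") == "codified-infrastructure"]
        if urls:
            out[svc.get("bom-ref", svc["name"])] = urls
    return out

def check_reference_types(bom):
    """List reference types that are not valid for this BOM's specVersion."""
    problems = []
    too_old = spec_version(bom) < (1, 5)
    for svc in bom.get("services", []):
        for ref in svc.get("externalReferences", []):
            if too_old and ref.get("type") in TYPES_SINCE_1_5:
                problems.append(f"{svc['name']}: '{ref['type']}' needs specVersion >= 1.5")
    return problems

if __name__ == "__main__":
    print(json.dumps(iac_references(EXAMPLE_BOM), indent=2))
    print(check_reference_types(EXAMPLE_BOM))
```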