[feature] SBOM Dashboard for GUAC
Is your feature request related to a problem? Please describe.
With the new experimental REST interfaces being proposed, and following discussion about getting value out of GUAC while waiting for ingestion to complete (either because users have little data yet, or because ingesting large amounts of data takes a while), we want to enable use cases that provide instant value as soon as GUAC is set up and that iteratively get better as more data is ingested.
We discussed several options including:
- Do I have an SBOM? If so, where does that SBOM live?
- What is my most widely used dependency
- Top level package “Scorecard” (for ossf scorecards, licenses, etc.)
This issue describes the first option.
Describe the solution you'd like
- Do I have an SBOM? If so, where does that SBOM live?
In the case of the White House Executive Order (EO) 14028, organizations are required to be able to provide SBOMs to federal agencies upon request. The feature would provide a convenient UX for responding to such requests and, similarly, the ability to make SBOMs available via self-service request.
A user should be able to:
- Identify if a piece of software has an SBOM
- Identify if a certain class of software has an SBOM
- Retrieve the SBOM of identified software by downloading it
Lessons learned from implementing SBOM responses to the EO:
- Sometimes it is difficult to find SBOMs: people refer to software by product names or other names that often do not match the name used in the software itself. In some cases it is uncertain which PURL to query, so some sort of search functionality is required.
- Another useful concept is labeling functionality. If it is possible to link an SBOM to a product
- Sometimes an SBOM may not be attached to the top level package (e.g. a JAR is packaged into a container or VM image), so we need to include the associated binary SBOMs as well.
- Being able to note which SBOMs are available for public access or ready for federal access may be required (e.g. because of privacy requirements, or because artifacts may be dev or staging builds).
Some ideas:
- Could use things like the findSoftware GraphQL query interface to search for SBOMs
- Could add labels as annotations in SBOMs, which may then be attached as HasMetadata, and allow filtering based on those labels
- Add annotations of whether things are BINARY or APPLICATION within an SBOM to make more sense when traversing dependencies transitively (e.g. to prevent issues such as #1357)
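As an added illustration (not GUAC project code) of the dashboard logic sketched above: take the packages a findSoftware search returned, join them with HasSBOM evidence (where the SBOM lives) and HasMetadata labels, and answer "do I have an SBOM, and may it be shared?". The response shapes are simplified and assumed, and all sample data is constructed.

```python
# Added example, not part of GUAC. Simplified, assumed shapes of GUAC
# GraphQL results; all PURLs, URLs and digests below are constructed.
SEARCH_HITS = [  # PURLs returned by a findSoftware search for "billing"
    "pkg:maven/org.example/billing@2.1.0",
    "pkg:oci/billing-service@sha256:deadbeef",  # image embedding the JAR
    "pkg:npm/example-ui@1.4.2",                 # no SBOM ingested for this
]

HAS_SBOM = [  # HasSBOM evidence: subject PURL and where the SBOM lives
    {"subject": "pkg:maven/org.example/billing@2.1.0",
     "uri": "https://sboms.example.internal/billing-2.1.0.spdx.json",
     "downloadLocation": "https://sboms.example.internal/billing-2.1.0.spdx.json"},
    {"subject": "pkg:oci/billing-service@sha256:deadbeef",
     "uri": "oci://registry.example.internal/billing-service@sha256:deadbeef",
     "downloadLocation": ""},
]

HAS_METADATA = [  # HasMetadata labels attached to subjects (assumed keys)
    {"subject": "pkg:maven/org.example/billing@2.1.0", "key": "product", "value": "Billing Suite"},
    {"subject": "pkg:maven/org.example/billing@2.1.0", "key": "sbom-access", "value": "federal"},
    {"subject": "pkg:oci/billing-service@sha256:deadbeef", "key": "product", "value": "Billing Suite"},
    {"subject": "pkg:oci/billing-service@sha256:deadbeef", "key": "sbom-access", "value": "internal"},
]


def labels_for(purl, metadata):
    """Collect the key/value labels attached to one subject."""
    return {m["key"]: m["value"] for m in metadata if m["subject"] == purl}


def sbom_dashboard(hits, has_sbom, metadata, product=None, access=None):
    """One row per search hit: has an SBOM?, where it lives, and its labels.
    The optional product/access filters use the labels, as the issue suggests,
    so a 'federal' view never lists internal-only or staging SBOMs."""
    rows = []
    for purl in hits:
        labels = labels_for(purl, metadata)
        if product and labels.get("product") != product:
            continue
        if access and labels.get("sbom-access") != access:
            continue
        evidence = [e for e in has_sbom if e["subject"] == purl]
        rows.append({
            "purl": purl,
            "has_sbom": bool(evidence),
            # prefer a direct download location, fall back to the SBOM URI
            "locations": [e["downloadLocation"] or e["uri"] for e in evidence],
            "labels": labels,
        })
    return rows


if __name__ == "__main__":
    for row in sbom_dashboard(SEARCH_HITS, HAS_SBOM, HAS_METADATA, product="Billing Suite"):
        print(row)
```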
Describe alternatives you've considered
Other alternatives, each tracked in its own issue:
- What is my most widely used dependency (https://github.com/guacsec/guac/issues/1505)
- Top level package “Scorecard” (for ossf scorecards, licenses, etc.) (https://github.com/guacsec/guac/issues/1508)