Software supply chain security is critical for enterprises, and Software Bills of Materials (SBOMs) are an essential element of every organization's security framework.

In this blog, we'll explore how to generate SBOMs for wasmCloud projects using common open source tools syft and grype.

What are SBOMs?​

Software supply chain attacks exploit the way modern software is built by utilizing vulnerabilities in libraries and utilities that are widely depended upon by other software projects.

The Log4Shell attack is one of the best-known examples of this strategy—by targeting the Log4j Java logging framework (a common dependency in one of the most common languages in the world), the attackers had a foothold in countless projects that relied on Log4j.

One of the most challenging facets of the Log4Shell attack was that many teams didn't know whether their projects depended on Log4j or not—even if they didn't depend on it directly, sometimes their dependencies did. The software supply chain was opaque.

For many, remediating the vulnerability required time-consuming research, and wasted time meant extended vulnerability. The challenge underscored the need for ubiquitous documentation of dependencies—a record of the software supply chain.

This is the role of the SBOM: to provide an authoritative, easy-to-reference record of all the software dependencies for a given project, making it easy to assess and remediate vulnerabilities when they are discovered. Today, the U.S. National Institute of Science and Technology (NIST) recommends that organizations adopt SBOMs as part of their security frameworks for precisely this reason.

Generating SBOMs for wasmCloud projects​

In order to run through this example, you'll need:

• wasmCloud Shell (wash)
• The language toolchain of your choice (Go, Rust, or TypeScript)
• syft, an open source utility for SBOM generation
• grype, an open source utility for vulnerability-scanning SBOMs

Start by creating a new component:

wash new component hello

wash will present you with a choice of templates for your project. Select the "Hello world" template in your chosen language:

? Select a project template: ›
  hello-world-rust: a hello-world component (in Rust) that responds over an HTTP connection
  hello-world-tinygo: a hello-world component (in TinyGo) that responds over an HTTP connection
  hello-world-typescript: a hello-world component (in TypeScript) that responds over an HTTP connection

Afterwash generates your project files, navigate to the new hello project directory:

cd hello

We'll go ahead and run wash build—this will update our local dependencies and compile a component:

wash build

Now it's time to generate an SBOM for the project using syft. Run the following command:

syft scan dir:. --output spdx-json=sbom.spdx.json

Using the --output argument means that our command will generate a file called sbom.spdx.json in the working directory.

Now that we have some nice structured data enumerating our dependencies, we can scan the SBOM for vulnerabilities using grype:

grype sbom.spdx.json

Grype will compare the dependencies listed in your SBOM against the tool's vulnerability database. The output should look like this:

 ✔ Vulnerability DB                [updated]  
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored 
No vulnerabilities found

Get involved​

If you'd like to learn more about security and wasmCloud, read our security assessment from OSTIF or check out the documentation on wasmCloud's policy service and secrets backends.

Want to talk security instead? Join us on the wasmCloud Slack or in the weekly (virtual) wasmCloud community meeting.