SBOM Basics For Your AI Application

By F5 DevCentral Community


Software Bill of Materials (SBOM) Lab with Dependency Track & Trivy

Key Concepts:

  • SBOM (Software Bill of Materials): A nested inventory of software components used to build an application, providing transparency into the supply chain.
  • Dependency Track: An open-source platform by OWASP for analyzing SBOMs and identifying vulnerabilities.
  • Trivy: An open-source vulnerability scanner used to generate SBOMs in various formats.
  • CVE (Common Vulnerabilities and Exposures): A dictionary of publicly known information security vulnerabilities and exposures.
  • CycloneDX: An OWASP standard format for SBOMs, and the format used in this lab; it can also describe AI/ML components alongside conventional software packages.
  • UDF (Unified Demo Framework): F5’s lab environment used in the demonstration.
  • API (Application Programming Interface): A set of rules and specifications that software programs can follow to communicate with each other.

1. Introduction & Lab Overview

Aubrey from F5 DevCentral presents a step-by-step lab on creating an SBOM for a containerized application and analyzing it with Dependency Track. The lab uses two open-source tools: Trivy to generate the SBOM and Dependency Track to analyze it for vulnerabilities. The goal is to show how SBOMs make potential threats in a project visible. The lab runs inside the UDF environment but can be replicated locally. The steps are: bring up Dependency Track in a container, install Trivy on the lab system, and use a Python script to upload the Trivy-generated SBOM to Dependency Track for analysis. As Aubrey states, “it’s very, very easy to break down your visualization for these potential threats by project quite easily.”

2. Environment Setup & Ollama Container

The lab begins by setting up the environment. Specifically, the NVIDIA runtime is configured in Docker so containers can access GPU resources, and Docker is restarted to apply the change. An Ollama container is then deployed with Docker Compose; Ollama is the target application for SBOM generation. The docker-compose.yaml file defines the container’s port mappings, environment variables, and network access. The running Ollama container is verified with a curl request to localhost. Deploying Ollama provides a system with freshly installed software to inspect.

3. Trivy Installation & SBOM Generation

Trivy, the vulnerability scanner, is installed on the lab system via a downloaded installation script (Snap is an alternative). The installation is verified by running trivy -V, which prints the installed version. Trivy is then used to generate an SBOM for the Ollama image. The command used is: trivy image --format cyclonedx --scanners vuln -o olama_lab.cdx.json ollama/ollama (on older Trivy releases the scanner selection flag was --security-checks vuln).

  • --format cyclonedx: Writes the SBOM in CycloneDX, an OWASP standard format.
  • --scanners vuln: Enables vulnerability scanning, so the CycloneDX output also carries the CVEs Trivy finds.
  • ollama/ollama: The Docker image to scan, given as the positional argument.
  • -o olama_lab.cdx.json: Specifies the output file; the .cdx.json suffix marks it as CycloneDX JSON.

The SBOM generation takes approximately one minute. The resulting olama_lab.cdx.json file contains a detailed inventory of the software components in the Ollama image.

4. Dependency Track Setup & Configuration

Dependency Track is deployed using a bundled version, which simplifies setup by eliminating the need for a separate database configuration. A Docker volume is created to persist Dependency Track data, allowing for easy container upgrades without data loss. The container is then started. Initial configuration involves logging into the Dependency Track web interface (default: http://<IP_address>:8080) with the default credentials (admin/admin) and immediately changing the admin password.

An API key is generated for programmatic access to Dependency Track under Administration -> Access Management -> Teams (Admin Team) -> New API Key. This key is what the Python upload script authenticates with. A project named "Olama Lab" is then created in Dependency Track, classified as a "container" and assigned version 1.0.1. The project is the logical grouping that the SBOM data is attached to, which keeps vulnerability tracking organized per application.

5. SBOM Upload via Python Script

A Python script (dt_upload.py) uploads the generated SBOM (olama_lab.cdx.json) to Dependency Track through its API, authenticating with the previously generated API key. A 200 response containing a processing token confirms the upload succeeded. Scripting this step is what makes the SBOM hand-off repeatable, so it can feed continuous monitoring and analysis.
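The upload step described above, as an added example (not the lab’s dt_upload.py): it base64-encodes the CycloneDX file into the JSON body that Dependency Track’s POST /api/v1/bom endpoint accepts, auto-creates the project, and then polls the returned token until processing finishes. The Dependency Track address and API key are placeholders, and SAMPLE_BOM is a constructed stand-in for olama_lab.cdx.json.

```python
import base64
import json
import time
import urllib.request

DT_URL = "http://localhost:8080"   # assumed Dependency Track address from the lab
API_KEY = "<DT_API_KEY>"           # placeholder: key from Administration -> Access Management -> Teams

# Constructed minimal CycloneDX 1.5 document standing in for olama_lab.cdx.json (CVE id is fake).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libssl3", "version": "3.0.2"},
        {"type": "library", "name": "zlib1g", "version": "1.2.11"},
    ],
    "vulnerabilities": [{"id": "CVE-0000-0001", "affects": [{"ref": "zlib1g"}]}],
}).encode()

def summarize_bom(bom_bytes):
    """Sanity-check what Trivy produced before uploading: format, component count, CVE ids."""
    doc = json.loads(bom_bytes)
    cves = sorted({v["id"] for v in doc.get("vulnerabilities", []) if "id" in v})
    return {"format": doc.get("bomFormat"), "components": len(doc.get("components", [])), "cves": cves}

def build_bom_request(bom_bytes, project_name, project_version):
    """Body for POST /api/v1/bom: Dependency Track expects the BOM base64-encoded inside JSON."""
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True, "bom": base64.b64encode(bom_bytes).decode("ascii")}

def _call(method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(DT_URL + path, data=data, method=method,
                                 headers={"X-Api-Key": API_KEY, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:   # raises HTTPError on 401/403
        return resp.status, json.loads(resp.read() or b"{}")

def upload_and_wait(bom_bytes, project_name, project_version, poll_every=2, max_polls=30):
    """Upload the BOM, then poll the returned token until Dependency Track has processed it."""
    _, body = _call("POST", "/api/v1/bom", build_bom_request(bom_bytes, project_name, project_version))
    token = body["token"]   # a 200 with a token is the 'upload accepted' signal seen in the lab
    for _ in range(max_polls):
        _, state = _call("GET", f"/api/v1/bom/token/{token}")
        if not state.get("processing", False):
            return token
        time.sleep(poll_every)
    raise TimeoutError(f"BOM {token} still processing after {poll_every * max_polls}s")

if __name__ == "__main__":
    print(summarize_bom(SAMPLE_BOM))
    with open("olama_lab.cdx.json", "rb") as f:
        print("processed token:", upload_and_wait(f.read(), "Olama Lab", "1.0.1"))
```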

6. Vulnerability Analysis & Results

After the upload, the Dependency Track interface is refreshed and the "Olama Lab" project now shows detailed information about the software components in the container. The initial scan shows every component as "green," meaning no known vulnerabilities in the freshly installed software. Dependency Track presents a full view of the container’s software composition, including dependencies and any vulnerabilities associated with them. The interface lists 15 pages of component data, which shows how much detail the SBOM captures.
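The "all green" check the lab does by eye can be automated against the same project, which is what a pipeline would do on every upload. This added example (not the lab’s code) looks up the project by name and version, pulls its findings from Dependency Track’s findings API, and fails if any unsuppressed finding is at or above a chosen severity; the address and key are placeholders and SAMPLE_FINDINGS is constructed in the shape the API returns.

```python
import json
import urllib.request
from urllib.parse import quote

DT_URL = "http://localhost:8080"   # assumed Dependency Track address from the lab
API_KEY = "<DT_API_KEY>"           # placeholder API key

SEVERITY_RANK = {"UNASSIGNED": 0, "INFO": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed findings, trimmed to the fields used below (CVE ids are fake).
SAMPLE_FINDINGS = [
    {"component": {"name": "zlib1g", "version": "1.2.11"},
     "vulnerability": {"vulnId": "CVE-0000-0001", "severity": "HIGH"},
     "analysis": {"isSuppressed": False}},
    {"component": {"name": "libssl3", "version": "3.0.2"},
     "vulnerability": {"vulnId": "CVE-0000-0002", "severity": "LOW"},
     "analysis": {"isSuppressed": False}},
    {"component": {"name": "curl", "version": "7.81.0"},
     "vulnerability": {"vulnId": "CVE-0000-0003", "severity": "CRITICAL"},
     "analysis": {"isSuppressed": True}},   # triaged and suppressed in Dependency Track: not blocking
]

def gate(findings, fail_at="HIGH"):
    """Return (passed, blocking); blocking lists unsuppressed findings at or above fail_at."""
    floor = SEVERITY_RANK[fail_at]
    blocking = [
        f"{f['component']['name']}@{f['component']['version']}: "
        f"{f['vulnerability']['vulnId']} ({f['vulnerability']['severity']})"
        for f in findings
        if not f.get("analysis", {}).get("isSuppressed", False)
        and SEVERITY_RANK.get(f["vulnerability"].get("severity", "UNASSIGNED"), 0) >= floor
    ]
    return (not blocking, blocking)

def _get(path):
    req = urllib.request.Request(DT_URL + path, headers={"X-Api-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())

def project_findings(name, version):
    """Resolve the project UUID by name/version, then fetch its current findings."""
    project = _get(f"/api/v1/project/lookup?name={quote(name)}&version={quote(version)}")
    return _get(f"/api/v1/finding/project/{project['uuid']}")

if __name__ == "__main__":
    import sys
    passed, blocking = gate(project_findings("Olama Lab", "1.0.1"), fail_at="HIGH")
    print("PASS" if passed else "FAIL:\n  " + "\n  ".join(blocking))
    sys.exit(0 if passed else 1)
```

Because Dependency Track re-evaluates stored SBOMs as new vulnerability data arrives, running this check on a schedule catches components that were green at upload time but are not any more.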

7. Conclusion & Key Takeaways

The lab successfully demonstrates the process of creating and analyzing an SBOM using Trivy and Dependency Track. The key takeaway is the importance of understanding the software composition of applications to proactively identify and mitigate potential vulnerabilities. As Aubrey emphasizes, this process allows for a clear visualization of threats and enables a more informed security posture. The lab highlights the ease of use of these open-source tools and their potential for integrating into a continuous security monitoring pipeline. The ability to automate SBOM generation and analysis is crucial for maintaining a secure software supply chain. “I hope this was a useful lab for you…to make sure that you have yourself covered in terms of threats that might be creeping up on you without your knowing it.”
