CycloneDX SBOM (Software Bill of Materials) Maven Demo
cyclonedx-maven-demo
Securing the software supply chain is today a critical part of the software development and delivery ecosystem.
CycloneDX is a software bill of materials (SBOM) format backed by OWASP.
The CycloneDX SBOM is very lightweight and lists every direct and transitive dependency pulled in through the Maven pom.xml file.
CycloneDX provides a wide set of tools that generate SBOMs for projects in many programming languages, e.g. Java, Python and Node. See the CycloneDX tool ecosystem.
This sample project uses the Maven build system to produce its artifacts. The cyclonedx-maven-plugin is used to generate the CycloneDX SBOM files.
The CycloneDX SBOM file can then be fed to the OWASP Dependency-Track application (https://dependencytrack.org/) for vulnerability analysis of the project.
Sample cyclonedx-maven-plugin configuration:
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>2.7.0</version>
  <configuration>
    <projectType>library</projectType>
    <schemaVersion>1.3</schemaVersion>
    <includeBomSerialNumber>true</includeBomSerialNumber>
    <includeCompileScope>true</includeCompileScope>
    <includeProvidedScope>true</includeProvidedScope>
    <includeRuntimeScope>true</includeRuntimeScope>
    <includeSystemScope>true</includeSystemScope>
    <includeTestScope>false</includeTestScope>
    <includeLicenseText>false</includeLicenseText>
    <outputFormat>all</outputFormat>
  </configuration>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>makeAggregateBom</goal>
      </goals>
    </execution>
  </executions>
</plugin>
Running the Maven build command generates the SBOM files, named bom.json and bom.xml, in the target folder.
mvn clean install
Maven build output
[INFO] --- cyclonedx-maven-plugin:2.7.0:makeAggregateBom (default) @ cyclonedx-maven-demo ---
[INFO] CycloneDX: Parameters
[INFO] ------------------------------------------------------------------------
[INFO] schemaVersion : 1.3
[INFO] includeBomSerialNumber : true
[INFO] includeCompileScope : true
[INFO] includeProvidedScope : true
[INFO] includeRuntimeScope : true
[INFO] includeTestScope : false
[INFO] includeSystemScope : true
[INFO] includeLicenseText : false
[INFO] outputReactorProjects : true
[INFO] outputFormat : all
[INFO] outputName : bom
[INFO] ------------------------------------------------------------------------
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.xml
[INFO] CycloneDX: Validating BOM (XML): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.xml
[INFO] CycloneDX: Writing BOM (JSON): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.json
[INFO] CycloneDX: Validating BOM (JSON): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.json
Checking the CycloneDX SBOM files in the target folder
[ravi.soni@GB8TRF2 cyclonedx-maven-demo] $ ls -l target/
total 17380
-rw-rw-r-- 1 ravi.soni ravi.soni 81647 Jul 14 16:05 bom.json
-rw-rw-r-- 1 ravi.soni ravi.soni 69804 Jul 14 16:05 bom.xml
drwxrwxr-x 3 ravi.soni ravi.soni 4096 Jul 14 16:05 classes
-rw-rw-r-- 1 ravi.soni ravi.soni 17619933 Jul 14 16:05 cyclonedx-maven-demo-0.0.1-SNAPSHOT.jar
-rw-rw-r-- 1 ravi.soni ravi.soni 3247 Jul 14 16:05 cyclonedx-maven-demo-0.0.1-SNAPSHOT.jar.original
drwxrwxr-x 3 ravi.soni ravi.soni 4096 Jul 14 16:05 generated-sources
drwxrwxr-x 2 ravi.soni ravi.soni 4096 Jul 14 16:05 maven-archiver
drwxrwxr-x 3 ravi.soni ravi.soni 4096 Jul 14 16:05 maven-status
The best way to check all of the project's dependencies (direct and transitive) is to run the following Maven command and print them to the console.
mvn dependency:tree
It prints the project's dependency tree.
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ cyclonedx-maven-demo ---
[INFO] com.rvsoni.maven:cyclonedx-maven-demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.1:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.7.1:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.3:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.3:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.1:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.64:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.64:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.64:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.21:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.3.21:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.21:compile
[INFO] |     +- org.springframework:spring-aop:jar:5.3.21:compile
[INFO] |     +- org.springframework:spring-context:jar:5.3.21:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.3.21:compile
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.7.1:test
[INFO]    +- org.springframework.boot:spring-boot-test:jar:2.7.1:test
[INFO]    +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.1:test
[INFO]    +- com.jayway.jsonpath:json-path:jar:2.7.0:test
[INFO]    |  +- net.minidev:json-smart:jar:2.4.8:test
[INFO]    |  |  \- net.minidev:accessors-smart:jar:2.4.8:test
[INFO]    |  |     \- org.ow2.asm:asm:jar:9.1:test
[INFO]    |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO]    |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO]    +- org.assertj:assertj-core:jar:3.22.0:test
[INFO]    +- org.hamcrest:hamcrest:jar:2.2:test
[INFO]    +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO]    |  +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO]    |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO]    |  |  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO]    |  |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO]    |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO]    |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO]    |     \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO]    +- org.mockito:mockito-core:jar:4.5.1:test
[INFO]    |  +- net.bytebuddy:byte-buddy:jar:1.12.11:test
[INFO]    |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.11:test
[INFO]    |  \- org.objenesis:objenesis:jar:3.2:test
[INFO]    +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test
[INFO]    +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO]    |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO]    +- org.springframework:spring-core:jar:5.3.21:compile
[INFO]    |  \- org.springframework:spring-jcl:jar:5.3.21:compile
[INFO]    +- org.springframework:spring-test:jar:5.3.21:test
[INFO]    \- org.xmlunit:xmlunit-core:jar:2.9.0:test
Once the project is built, run the following jq command to print the same dependency information from the bom.json file.
jq '.components[]| "\(.group)/\(.name)@\(.version)" ' target/bom.json
Output
[ravi.soni@GB8TRF2 cyclonedx-maven-demo] $ jq '.components[]| "\(.group)/\(.name)@\(.version)" ' target/bom.json
"org.springframework.boot/spring-boot-starter-web@2.7.1"
"org.springframework.boot/spring-boot-starter@2.7.1"
"org.springframework.boot/spring-boot@2.7.1"
"org.springframework.boot/spring-boot-autoconfigure@2.7.1"
"org.springframework.boot/spring-boot-starter-logging@2.7.1"
"ch.qos.logback/logback-classic@1.2.11"
"ch.qos.logback/logback-core@1.2.11"
"org.apache.logging.log4j/log4j-to-slf4j@2.17.2"
"org.apache.logging.log4j/log4j-api@2.17.2"
"org.slf4j/jul-to-slf4j@1.7.36"
"jakarta.annotation/jakarta.annotation-api@1.3.5"
"org.yaml/snakeyaml@1.30"
"org.springframework.boot/spring-boot-starter-json@2.7.1"
"com.fasterxml.jackson.core/jackson-databind@2.13.3"
"com.fasterxml.jackson.core/jackson-annotations@2.13.3"
"com.fasterxml.jackson.core/jackson-core@2.13.3"
"com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.3"
"com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.3"
"com.fasterxml.jackson.module/jackson-module-parameter-names@2.13.3"
"org.springframework.boot/spring-boot-starter-tomcat@2.7.1"
"org.apache.tomcat.embed/tomcat-embed-core@9.0.64"
"org.apache.tomcat.embed/tomcat-embed-el@9.0.64"
"org.apache.tomcat.embed/tomcat-embed-websocket@9.0.64"
"org.springframework/spring-web@5.3.21"
"org.springframework/spring-beans@5.3.21"
"org.springframework/spring-webmvc@5.3.21"
"org.springframework/spring-aop@5.3.21"
"org.springframework/spring-context@5.3.21"
"org.springframework/spring-expression@5.3.21"
"org.slf4j/slf4j-api@1.7.36"
"org.springframework/spring-core@5.3.21"
"org.springframework/spring-jcl@5.3.21"
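The jq filter shows what the SBOM contains; before shipping it to Dependency-Track you also want to confirm it matches what Maven actually resolved. The script below is an added example, not code from the original post or the demo repository: it parses a constructed bom.json excerpt and a constructed dependency:tree excerpt, keeps only the scopes the plugin configuration above includes (test scope is excluded), and reports every dependency missing from or extra in the SBOM.

```python
import json
import re
import sys

# Constructed excerpt of a bom.json as cyclonedx-maven-plugin writes it (only the
# fields this check reads; a real file carries purl, hashes, licenses and more).
SAMPLE_BOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.3", "components": [
    {"group": "org.springframework.boot", "name": "spring-boot-starter-web", "version": "2.7.1"},
    {"group": "org.yaml", "name": "snakeyaml", "version": "1.30"},
    {"group": "org.slf4j", "name": "slf4j-api", "version": "1.7.36"},
]})

# Constructed excerpt of `mvn dependency:tree` output for the same project.
SAMPLE_TREE = """\
[INFO] com.rvsoni.maven:cyclonedx-maven-demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.1:compile
[INFO] |  \\- org.yaml:snakeyaml:jar:1.30:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-test:jar:2.7.1:test
[INFO]    +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    \\- org.hamcrest:hamcrest:jar:2.2:test
"""

# Scopes the plugin configuration in this post includes (includeTestScope is false).
INCLUDED_SCOPES = ("compile", "provided", "runtime", "system")
# groupId:artifactId:packaging[:classifier]:version:scope at the end of a tree line
TREE_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+(?::[\w\-]+)?:([\w.\-]+):(\w+)\s*$")

def bom_coordinates(bom_json):
    """group/name@version for every component, the same shape the jq filter prints."""
    bom = json.loads(bom_json)
    return {f"{c.get('group', '')}/{c['name']}@{c['version']}" for c in bom["components"]}

def tree_coordinates(tree_text, scopes=INCLUDED_SCOPES):
    """Same shape, parsed from dependency:tree output and restricted to the given scopes."""
    coords = set()
    for line in tree_text.splitlines():
        m = TREE_LINE.search(line)
        if m and m.group(4) in scopes:  # the root artifact line has no scope and is skipped
            coords.add(f"{m.group(1)}/{m.group(2)}@{m.group(3)}")
    return coords

def sbom_gaps(bom_json, tree_text, scopes=INCLUDED_SCOPES):
    """Return (missing_from_sbom, extra_in_sbom); both are empty for a complete SBOM."""
    bom, tree = bom_coordinates(bom_json), tree_coordinates(tree_text, scopes)
    return tree - bom, bom - tree

if __name__ == "__main__":  # usage: python check_sbom.py target/bom.json tree.txt
    with open(sys.argv[1]) as b, open(sys.argv[2]) as t:
        print(sbom_gaps(b.read(), t.read()))
```

On a real build, pass target/bom.json and the saved output of mvn dependency:tree; a non-empty missing set means the SBOM does not describe everything the build resolved, so Dependency-Track would never see those components.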
Code: https://github.com/rvsoni/cyclonedx-maven-demo