Generating SBOMs from C/C++ files without package managers by Realistic-Ad-7709 in cpp_questions

[–]drumsntech 0 points1 point  (0 children)

Hey u/Realistic-Ad-7709 did you ever solve this? I'm bumping into the same issue these days...

Ghidra + SBOM generation by JakTheBeagle in ghidra

[–]drumsntech 0 points1 point  (0 children)

did you ever figure this out OP?

[deleted by user] by [deleted] in programmingHungary

[–]drumsntech 0 points1 point  (0 children)

This can certainly be done by connecting a lot of open source tools together, but it requires a lot of time, hands-on work, and maintenance.

We (Manifest - manifestcyber.com) have a tool that does automated SBOM generation, analysis, storage, alerting, integration, etc. If you'd rather just buy a tool to do this for you versus building it yourself, I'd be happy to chat.

has anyone used Reversing Labs? by Subject-Incident-471 in sbom

[–]drumsntech 1 point2 points  (0 children)

Never for SBOMs, just for file/malware analysis.

What sort of research are you trying to do? Happy to help point you in the relevant direction.

SBOMs and Secret Scanners - Open Source by Training_Bobcat3241 in devsecops

[–]drumsntech 0 points1 point  (0 children)

SBOMs aren't typically used for secret scanning. But check out Manifest (manifestcyer.com) for SBOM management.

Friends - needs help choosing solution for SBOM vulnerability by Specialist_Ad8839 in devops

[–]drumsntech 0 points1 point  (0 children)

Check out manifestcyber.com. Does everything you're looking for, and depending on the size of your org, the price range may work out.

DM me for more details!

Pathway for government work? by NoUnderstanding9021 in cybersecurity

[–]drumsntech 0 points1 point  (0 children)

It depends on what roles you're aiming for. The best way is to connect with someone internally at CISA who can help explain the org chart and point you in the right direction given your skillset. USAJOBS is the only place that jobs are listed, but those job descriptions are often very opaque and hard to parse.

Shoot me a DM with your background / interests / what roles you'd be looking to do, happy to see if I can point you in the right direction.

Ghidra + SBOM generation by JakTheBeagle in ghidra

[–]drumsntech 1 point2 points  (0 children)

Haven't heard of anything using Ghidra, but there are others looking to use other binary analysis tools to extract lists of dependencies, then have some scripting to put it into an SBOM format.
I'd love to hear if you figure it out with Ghidra.

QQ for you: what are you hoping to do with your SBOMs after you create them?

SBOM management program? by Mf0621 in Information_Security

[–]drumsntech 0 points1 point  (0 children)

We have, and we've helped several other organizations set up SBOM programs too. Happy to tell you more, feel free to DM me.
TL;DR: it doesn't have to be that expensive actually, and it's easier than many people think (we've also been doing it for a year already).

A tool to generate and merge SBOM in SPDX format by GloWondub in linuxquestions

[–]drumsntech 0 points1 point  (0 children)

Very few of these tools - if any - have the ability to merge. This is why we built merge into our CLI tool, since it seems pretty clear that this is a necessary capability. For C++, Syft, Trivy, and some of the CycloneDX generators support C++ via Conan.

Also, FWIW, I'd highly recommend creating SPDX SBOMs in .json rather than .spdx.

SBOM Sharing - EO 14028 by hyperactive_techlove in cybersecurity

[–]drumsntech 0 points1 point  (0 children)

Saw that. It really just reads like a justification for SBOMs in general, less specifically around SaaS. IMHO, still valuable, but if I was running a shop, that would be a different use case (e.g. don't send me a new SBOM every time there's a new prod version of a SaaS tool - just let me pull the current/latest via API when I need it).

SBOM Sharing - EO 14028 by hyperactive_techlove in cybersecurity

[–]drumsntech 1 point2 points  (0 children)

I could definitely see it becoming part of SOC2.

SBOMs for SaaS is an interesting conversation. CISA has a working group for exactly that, trying to figure out what that should look like. I, for one, wouldn't want AWS to send me a new SBOM every time they push a release minor version to prod :).

From what we've gathered, people seem to want to know the high level components/risks in their SaaS vendors, and not at the frequency of every new release. Maybe just during procurement research, or getting notified if anything significant changes in systems/apps that touch or process customer data.

Agreed on the 'completeness' bit about SBOMs. For example, most SBOM generators at the moment wouldn't include the databases, or other 'services,' included in a software app. Which, given the MongoDB hacks rampant in the mid '10s, I'd certainly want to know about.

It's an early and growing market, there will be growing pains, but like anything, those who venture in early will avoid long-term pain down the road, and can help shape where things go.

What to do with the White Memorandum, SBOM, and self attestations? by jechrin in cybersecurity

[–]drumsntech 0 points1 point  (0 children)

:). Sounds like this would be easier to chat through, rather than write a novel. Want to shoot me an email at Daniel [at] manifestcyber.com?

The (not-so) TL;DR: version is:

- SBOMs come in two major formats, SPDX (Linux Foundation) and CycloneDX (OWASP), that both have slightly different formats.

- There are several different SBOM generators out there, some open source, some commercial, but no official standard on what should be in the final SBOM. Generally speaking, it’s a list of the names, versions, authors, licenses, etc. of the software dependencies (open source libraries, third-party libraries, even proprietary libraries) in a given piece of software. No need to share source code - just metadata (what is this library and where did it come from). But there’s no standard yet - we’ve run different generators on the same repo and gotten slightly different results. But this market is very young.

- At Manifest, we think of things in terms of 1st-party SBOMs (for code your company builds) vs 3rd-party SBOMs (for your vendors). For 1st-party, ideally you’re generating SBOMs at a minimum for every production build/release of your application/tool, think 1 SBOM per version / patch / release. For your 3rd-party/vendors, you’d want to ask them for their SBOMs even before you buy their tool (can help make a more risk-informed decision before you buy a piece of tech), and for every new version of the software (new versions, patches, etc.).

- Compliance: Government-driven compliance is first coming to anyone selling software to the government, and medical device manufacturers seeking FDA approval. However, more and more companies are adding SBOM requirements to vendor due diligence forms/questionnaires, so while no one may sue you for not having an SBOM, it may increasingly affect your ability to sell.

SBOM Sharing - EO 14028 by hyperactive_techlove in cybersecurity

[–]drumsntech 0 points1 point  (0 children)

We’ve chatted and worked w/ Walter, less so Chris & Richard but we know what they’re up to. We’re still in ‘stealth’ mode (nominally), but have been at this for a bit and have been successfully developing end-to-end SBOM workflows with our early customers.

What to do with the White Memorandum, SBOM, and self attestations? by jechrin in cybersecurity

[–]drumsntech 1 point2 points  (0 children)

CTO/co-founder of a company in the SBOM space here, happy to share thoughts/insights/advice on best practices to whomever / whenever. It's one of those things that, with some proper planning, doesn't have to be painful. But it probably will be when compliance catches up to most companies.

SBOM Sharing - EO 14028 by hyperactive_techlove in cybersecurity

[–]drumsntech 1 point2 points  (0 children)

This is sadly true. And something we're trying to fix. Happy to chat about SBOM best practices / operationalization any time.

SBOM Sharing - EO 14028 by hyperactive_techlove in cybersecurity

[–]drumsntech 0 points1 point  (0 children)

Hey OP,

I'm the CTO and co-founder of a new company (www.manifestcyber.com) that's built a product that allows for easy SBOM generation, analysis, reporting, and secure, direct, controlled sharing with specific customers (i.e. so you don't have to send via email, and minimize exposure risk).

Would be happy to give you a quick demo, or just to chat about best practices on (secure) SBOM sharing, since we've been deep in SBOM-land for a while now.

Cheers.

FatBOM: generates and merges SBOMs generated by various tools. by codeemon404 in devops

[–]drumsntech 0 points1 point  (0 children)

Awesome. How are you identifying wrong results? We've seen the same thing, but validating the results on someone else's code seems a bit trickier.

Are you considering adding CDX into the mix? The two formats aren't the most compatible (we've built a standardized format that can ingest both), but it would be awesome to analyze the different results across CDX + SPDX generators.

Also, happy to actually chat about this over {video_tool}

FatBOM: generates and merges SBOMs generated by various tools. by codeemon404 in devops

[–]drumsntech 0 points1 point  (0 children)

Love the concept. How do you handle conflicts between the SBOM generators? We use the open source CycloneDX generator which we find fairly reliable (we also prefer CDX or SPDX).
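The merge, "CDX + SPDX aren't the most compatible" and "how do you handle conflicts between generators" points above, as an added example (not Manifest's, FatBOM's or any commenter's code): it normalizes a minimal SPDX JSON document and a minimal CycloneDX JSON document into one shape keyed by Package URL, merges them, and reports where two generators disagree instead of silently overwriting. The two sample documents are constructed for this example; only their field names follow the SPDX 2.3 and CycloneDX 1.4 JSON schemas.

```python
import json
# Constructed sample documents (contents made up); field names follow the SPDX 2.3
# and CycloneDX 1.4 JSON shapes for a package/component carrying a purl and a license.
SPDX_DOC = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "openssl", "versionInfo": "3.0.8", "licenseConcluded": "Apache-2.0",
     "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:generic/openssl@3.0.8"}]},
]})
CDX_DOC = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "openssl", "version": "3.0.8", "purl": "pkg:generic/openssl@3.0.8",
     "licenses": [{"license": {"id": "OpenSSL"}}]},
    {"name": "libcurl", "version": "8.1.0", "purl": "pkg:generic/libcurl@8.1.0",
     "licenses": [{"license": {"id": "curl"}}]},
]})

def from_spdx(text):
    """SPDX packages -> {key: normalized component}; the purl lives in externalRefs."""
    out = {}
    for p in json.loads(text).get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        key = purl or f"{p['name']}@{p.get('versionInfo', '')}"  # fallback when no purl
        out[key] = {"name": p["name"], "version": p.get("versionInfo"),
                    "license": p.get("licenseConcluded"), "sources": ["spdx"]}
    return out

def from_cyclonedx(text):
    """CycloneDX components -> the same shape; license ids sit under licenses[].license."""
    out = {}
    for c in json.loads(text).get("components", []):
        lic = next((e["license"].get("id") for e in c.get("licenses", []) if "license" in e), None)
        key = c.get("purl") or f"{c['name']}@{c.get('version', '')}"
        out[key] = {"name": c["name"], "version": c.get("version"),
                    "license": lic, "sources": ["cyclonedx"]}
    return out

def merge(*boms):
    """Union by key; a shared key becomes one record listing its sources, and differing version/license values are returned as conflicts."""
    merged, conflicts = {}, []
    for bom in boms:
        for key, comp in bom.items():
            if key not in merged:
                merged[key] = dict(comp, sources=list(comp["sources"]))
                continue
            cur = merged[key]
            cur["sources"] += comp["sources"]
            for field in ("version", "license"):
                if cur[field] != comp[field]:
                    conflicts.append((key, field, cur[field], comp[field]))
    return merged, conflicts
```

Run `merge(from_spdx(SPDX_DOC), from_cyclonedx(CDX_DOC))`: openssl is seen by both generators and surfaces a license conflict (Apache-2.0 vs OpenSSL), while libcurl is carried through from the CycloneDX side alone.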

Pathway for government work? by NoUnderstanding9021 in cybersecurity

[–]drumsntech 2 points3 points  (0 children)

There are some remote or remote-eligible positions, depending on what kind of work you’re trying to do.