MSUSEL-PIQUE-SBOM-SUPPLYCHAIN-SEC

Introduction

This project is an operationalized PIQUE model for the assessment of security quality in software supply chains utilizing SBOM technology.

Because setting up a development environment with numerous third-party tools is challenging, this project is also provided as a packaged standalone Docker image. That image is available here.


Tools

These will be installed automatically when the Docker image is built.


Run Environment

Docker

docker engine 20.10.24 (not tested with versions 21+)

The image for this project is hosted on Docker Hub here. Instructions to download and run it are supplied below.

Without Docker

Running PIQUE-SBOM-SUPPLYCHAIN-SEC without the pre-built Docker image is not recommended, but all files and configs are supplied in this repository.


API Key Requirements

An API key from the National Vulnerability Database (NVD) and a GitHub personal access token are required. See Running for details.


Running

  1. Download and install Docker engine
  2. With Docker engine installed, pull the latest version of this project:
docker pull msusel/pique-sbom-supply-chain-sec:latest
  3. Navigate to a working directory for this project
  4. Create two directories, "input" and "out". Inside the "input" directory, create two directories, "keys" and "projects".
  5. Generate an NVD API key here and save the text of the key to a file 'nvd-api-key.txt'
  6. Generate a GitHub API token and save the text of the token to a file 'github-token.txt'
  7. Move the files 'nvd-api-key.txt' and 'github-token.txt' to the 'input/keys' directory.
  8. There are two options for input projects. If you have already generated SBOMs, place any number of SBOMs to be analyzed in input/projects/SBOM. If you wish to assess the software supply chain security quality of a project for which you have not yet built an SBOM, simply place the root folder of the project in input/projects/sourceCode. The resulting SBOMs will be placed in input/projects/SBOM and the model will continue as normal.
  9. The resulting directory structure should look like this:
├── $WORKDIR
│   ├── input
│   │   ├── keys
│   │   │   ├── github-token.txt
│   │   │   ├── nvd-api-key.txt
│   │   ├── projects
│   │   │   ├── SBOM
│   │   │   │   ├── place SBOMs to analyze here (SPDX or CycloneDX in json format)
│   │   │   ├── sourceCode
│   │   │   │   ├── place source code file systems to generate SBOMs for here
│   ├── out
  10. Run the command (replace /path/to/working/directory with the absolute path of $WORKDIR)
docker run -it --rm -v "/var/run/docker.sock:/var/run/docker.sock:rw" -v /path/to/working/directory/input:/input -v /path/to/working/directory/out:/out msusel/pique-sbom-supply-chain-sec:latest
  11. Results will be generated in the 'out' directory
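The setup steps above, as an added shell example that is not part of this repository: it builds the $WORKDIR layout, checks the two key files, tells SPDX from CycloneDX JSON SBOMs, and assembles the docker run line as a dry run. The function names, the placeholder key contents and the sample SBOMs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the PIQUE-SBOM-SUPPLYCHAIN-SEC repository: build the
# $WORKDIR layout from the README, sanity-check the two key files, tell SPDX from
# CycloneDX JSON SBOMs, and assemble the README's docker run command as a dry run.
set -eu

# Create the input/out tree exactly as the README expects.
setup_workdir() {
    mkdir -p "$1/input/keys" "$1/input/projects/SBOM" \
             "$1/input/projects/sourceCode" "$1/out"
}

# Fail unless both key files exist and are non-empty; they are secrets, so make
# them readable only by the invoking user before input/ is mounted into the container.
check_keys() {
    for f in nvd-api-key.txt github-token.txt; do
        [ -s "$1/$f" ] || { echo "missing or empty key file: $1/$f" >&2; return 1; }
        chmod 600 "$1/$f"
    done
}

# Print spdx, cyclonedx or unknown for one JSON SBOM (spdxVersion and bomFormat
# are the top-level keys the two specs use; anything else is reported as unknown).
classify_sbom() {
    if grep -q '"spdxVersion"' "$1"; then echo spdx
    elif grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$1"; then echo cyclonedx
    else echo unknown; fi
}

# Assemble the README's docker run line for an absolute $WORKDIR. Mounting
# /var/run/docker.sock gives the container control of the host Docker daemon,
# so use a host dedicated to this analysis rather than a shared workstation.
run_model_cmd() {
    case $1 in /*) ;; *) echo "WORKDIR must be absolute: $1" >&2; return 1 ;; esac
    printf 'docker run -it --rm -v "/var/run/docker.sock:/var/run/docker.sock:rw" -v %s/input:/input -v %s/out:/out msusel/pique-sbom-supply-chain-sec:latest\n' "$1" "$1"
}

# Constructed demo: placeholder keys and one SBOM of each format in a temp dir.
demo() {
    d=$(mktemp -d)
    setup_workdir "$d"
    printf 'NVD-KEY-PLACEHOLDER\n' > "$d/input/keys/nvd-api-key.txt"
    printf 'GITHUB-TOKEN-PLACEHOLDER\n' > "$d/input/keys/github-token.txt"
    check_keys "$d/input/keys"
    printf '{"spdxVersion":"SPDX-2.3","name":"demo"}\n' > "$d/input/projects/SBOM/a.json"
    printf '{"bomFormat":"CycloneDX","specVersion":"1.5"}\n' > "$d/input/projects/SBOM/b.json"
    for s in "$d"/input/projects/SBOM/*.json; do echo "$s: $(classify_sbom "$s")"; done
    run_model_cmd "$d"
}
demo
```

Copy the printed docker run line to start the real analysis once the keys in input/keys are genuine.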

Funding Agency: