

jbom



jbom generates Runtime and Static SBOMs for local and remote Java apps

Every project should create a Software Bill of Materials (SBOM) and make it available, so that people know what ingredients are inside. You've got a few options for generating SBOMs:

  • GOOD -- Static SBOM (source) - This works fine, but you'll miss runtime libraries supplied by appservers and runtime platforms. You'll also include libraries that don't matter at runtime, like test frameworks, and you'll have no idea which libraries are actually active in the running application.

  • BETTER -- Static SBOM (binary) - You'll still miss parts, because code can be located in a variety of different places, and you'll probably include libraries that don't matter but happen to be on the filesystem.

  • BEST -- Runtime SBOM - This is what 'jbom' is all about. A Runtime SBOM is the most accurate approach, as it captures the exact libraries used by the application, even if they are in the platform, appserver, plugins, or anywhere else. This approach can also include details of services invoked and which libraries are active.

jbom advantages:

  • very fast, complete, and accurate
  • produces standard CycloneDX SBOM in JSON format
  • works on both running apps/APIs and binaries
  • finds all libraries, including platform, appserver, plug-in, and dynamic sources
  • doesn't report test or other libraries not present at runtime
  • handles nested jar, war, ear, and zip files (including Spring Boot's nested jar layout)
  • handles jars using common shaded and relocation techniques
  • no source code required
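Because jbom writes CycloneDX JSON, its output can be compared directly with an SBOM produced by a source or binary scanner to see what the static view got wrong. The following is an added example, not jbom's own code: it indexes both documents by Package URL and reports what only the runtime scan saw, what the static scan listed but never loaded, and libraries that appear at several versions (the multiple-classloader case). The two SBOMs are constructed inline with made-up contents; real jbom output files would be read from disk instead.

```python
"""Diff a static CycloneDX SBOM against a runtime one (added example, not part of jbom)."""
import json
from collections import defaultdict

# Constructed sample: what a scan of the source tree / build output typically reports.
# It lists a test framework that never ships and misses the embedded servlet container.
STATIC_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
         "version": "3.12.0", "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        {"type": "library", "group": "junit", "name": "junit",
         "version": "4.13.2", "purl": "pkg:maven/junit/junit@4.13.2"},
    ],
})

# Constructed sample: what an agent attached to the running JVM reports. The appserver
# library shows up, junit does not, and jackson-databind is loaded twice (two classloaders).
RUNTIME_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
         "version": "3.12.0", "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.12.7", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.7"},
        {"type": "library", "group": "org.apache.tomcat.embed", "name": "tomcat-embed-core",
         "version": "9.0.65", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.65"},
    ],
})


def components_by_purl(sbom_json):
    """Index a CycloneDX document's components by purl (fallback: group:name:version)."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index = {}
    for comp in doc.get("components", []):
        key = comp.get("purl") or f"{comp.get('group', '')}:{comp['name']}:{comp.get('version', '')}"
        index[key] = comp
    return index


def compare_sboms(static_json, runtime_json):
    """Return the set differences between a static and a runtime SBOM, plus version drift."""
    static = components_by_purl(static_json)
    runtime = components_by_purl(runtime_json)
    # Collect every version seen for each group/name in each document.
    versions = {"static": defaultdict(set), "runtime": defaultdict(set)}
    for label, index in (("static", static), ("runtime", runtime)):
        for comp in index.values():
            versions[label][f"{comp.get('group', '')}/{comp['name']}"].add(comp.get("version", ""))
    drift = {
        lib: {"static": sorted(versions["static"][lib]), "runtime": sorted(versions["runtime"][lib])}
        for lib in versions["static"].keys() & versions["runtime"].keys()
        if versions["static"][lib] != versions["runtime"][lib]
    }
    return {
        "runtime_only": sorted(runtime.keys() - static.keys()),   # missed by the static scan
        "static_only": sorted(static.keys() - runtime.keys()),    # listed but never loaded
        "common": sorted(static.keys() & runtime.keys()),
        "version_drift": drift,
    }


if __name__ == "__main__":
    print(json.dumps(compare_sboms(STATIC_SBOM, RUNTIME_SBOM), indent=2))
```

Matching on purl is deliberate: CycloneDX component names are not unique across groups, and the purl also carries the version, so two copies of jackson-databind stay distinct while the version_drift entry shows that the static scan saw only one of them.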

Discussion and jbom Demo on YouTube


Why should you use RUNTIME security tools

Instrumentation has been around for decades and is widely used in performance tools, debuggers, profilers, and app frameworks. Many security tools scan from the 'outside-in' and don't have the full context of the running application. This leads to false positives, false negatives, and long scan times.

Instrumentation allows us to do security analysis from within the running application, by watching the code run. Directly measuring security from within the running code has speed, coverage, and accuracy benefits. Using instrumentation to analyze for vulnerabilities is often called IAST (Interactive Application Security Testing). Using instrumentation to identify attacks and prevent exploitation is often called RASP (Runtime Application Self-Protection).

Remember, you may be getting false results from other approaches. Scanning file systems, code repos, or containers could easily fail to detect libraries accurately.

  • library could be buried in a fat jar, war, or ear
  • library could be shaded in another jar
  • library could be included in the appserver, not the code repo
  • library could be part of dynamically loaded code or plugin
  • the same library could be loaded at several different versions by different classloaders in a single app
  • library could be masked behind a facade such as slf4j or another abstraction layer
  • library could be renamed, recompiled, or otherwise changed
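The first few bullets are about where a library can hide on disk. As an added example that is not jbom's code, the following Python walks a Java archive recursively, descending into every nested jar, war, ear, or zip, and recovers Maven coordinates from the META-INF/maven/<group>/<artifact>/pom.properties file that the Maven jar plugin writes. A leaf jar carrying no such metadata is reported as unidentified, which is exactly what a shaded, relocated, or rebuilt library looks like to a filesystem scan. The ear used as input is constructed in memory with made-up contents and no real class files; the vendor-shaded jar name is hypothetical.

```python
"""Recover Maven coordinates from nested Java archives (added example, not jbom code)."""
import io
import re
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Written by the Maven jar plugin; the most reliable static identity a jar carries.
POM_PROPERTIES = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


def build_archive(entries):
    """Build a zip/jar in memory from {entry_name: bytes} (only used for the constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def inventory(archive_bytes, location="<root>", depth=0, max_depth=8,
              identified=None, unidentified=None):
    """Recursively scan an archive.

    Returns (identified, unidentified): identified holds
    (location, groupId, artifactId, version) for every pom.properties found at any
    depth; unidentified lists leaf jars with no Maven metadata (shaded/relocated/rebuilt).
    """
    identified = [] if identified is None else identified
    unidentified = [] if unidentified is None else unidentified
    if depth > max_depth:  # stop on pathological or malicious self-nesting
        return identified, unidentified
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
        found_here = False
        for name in names:
            if POM_PROPERTIES.match(name):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                identified.append((location, props.get("groupId"),
                                   props.get("artifactId"), props.get("version")))
                found_here = True
        nested = [n for n in names if n.lower().endswith(ARCHIVE_SUFFIXES)]
        if not found_here and not nested:
            unidentified.append(location)
        for name in nested:  # WEB-INF/lib, BOOT-INF/lib, ear-level lib/, modules, ...
            inventory(zf.read(name), f"{location}!/{name}", depth + 1, max_depth,
                      identified, unidentified)
    return identified, unidentified


def sample_ear():
    """Constructed fixture: ear -> lib/ jar and app.war -> WEB-INF/lib/ jars (no real classes)."""
    commons = build_archive({
        "META-INF/maven/org.apache.commons/commons-lang3/pom.properties":
            b"#Generated by Maven\ngroupId=org.apache.commons\nartifactId=commons-lang3\nversion=3.12.0\n",
        "org/apache/commons/lang3/StringUtils.class": b"\xca\xfe\xba\xbe",
    })
    # Hypothetical vendor jar: a relocated copy of the same library with Maven metadata stripped.
    shaded = build_archive({
        "com/vendor/shaded/org/apache/commons/lang3/StringUtils.class": b"\xca\xfe\xba\xbe",
    })
    war = build_archive({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/commons-lang3-3.12.0.jar": commons,
        "WEB-INF/lib/vendor-shaded-1.0.jar": shaded,
    })
    jackson = build_archive({
        "META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties":
            b"groupId=com.fasterxml.jackson.core\nartifactId=jackson-core\nversion=2.13.4\n",
    })
    return build_archive({
        "META-INF/application.xml": b"<application/>",
        "lib/jackson-core-2.13.4.jar": jackson,
        "app.war": war,
    })


if __name__ == "__main__":
    found, unknown = inventory(sample_ear())
    for location, group, artifact, version in found:
        print(f"{group}:{artifact}:{version}  <- {location}")
    for location in unknown:
        print(f"UNIDENTIFIED (no Maven metadata)  <- {location}")
```

To run it against a real file, pass `open("mywebapp.war", "rb").read()` to `inventory` instead of `sample_ear()`. The unidentified list is the honest answer a static scan can give for a shaded jar: the bytes are there, but nothing on disk says which library and version they came from, and only observing the classes that actually load at runtime resolves that.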

Examples

Download the latest release.

Generate an SBOM for all Java processes running locally

java -jar jbom-1.2.jar

Generate an SBOM for all Java processes on a remote host

java -jar jbom-1.2.jar -h 192.168.1.42

Generate an SBOM for a local archive file (.jar, .war, .ear, .zip)

java -jar jbom-1.2.jar -f mywebapp.jar

Generate an SBOM for all archive files in a directory

java -jar jbom-1.2.jar -d mywebapp

Generate an SBOM for all archive files in a remote directory

java -jar jbom-1.2.jar -h 192.168.1.42 -d /var/tomcat/webapps

Usage

Usage: java -jar jbom-1.2.jar [-D] [-d=<dir>] [-f=<file>] [-h=<host>] [-o=<outputDir>]
                              [-p=<pid>] [-P=<pass>] [-r=<remoteDir>] [-t=<tag>]
                              [-U=<user>] [-x=<exclude>]
  -d, --dir=<dir>              Directory to be scanned
  -D, --debug                  Enable debug output
  -f, --file=<file>            File to be scanned
  -h, --host=<host>            Hostname or IP address to connect to
  -o, --outputDir=<outputDir>  Output directory
  -p, --pid=<pid>              Java process pid to attach to or 'all'
  -P, --password=<pass>        Password for user
  -r, --remote=<remoteDir>     Remote directory to use (default: /tmp/jbom)
  -t, --tag=<tag>              Tag to use in output filenames
  -U, --user=<user>            Username of user to connect as
  -x, --exclude=<exclude>      Java process pid to exclude

Building and Contributing

We welcome pull requests and issues. Thanks!

git clone 
mvn clean install
java -jar target/jbom-1.2.jar

License

This software is licensed under the Apache 2 license

Copyright 2021 Contrast Security - https://contrastsecurity.com

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this project except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.