CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server.
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

Authenticate source of Components #574

Open cdacshubhambhingarde opened 11 months ago

cdacshubhambhingarde commented 11 months ago

We are seeking a solution to determine how to authenticate the libraries/components pulled from trusted sources in a Java project. In our Java project, we have utilized Maven repositories, and we are now attempting to verify whether developers have obtained these components from authenticated sources.

Currently, the solution we are using involves the following steps:

  1. Open the Maven repository link - Maven Repository: Central (mvnrepository.com).
  2. Search for Maven libraries using group ID and version number.
  3. Search for MD4, SHA1, SHA256, and SHA512 checksums.
  4. Compare the hashing algorithms with the components used by the developer using checksums.

Is there a solution available for generating a Bill of Materials (BOM) that can authenticate the components used from Open Source Software (OSS)?

This could help in resolving any tampered components used in the project and ensure a smooth Software Development Life Cycle (SDLC).
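The checksum comparison described in the steps above, worked through as an added example (this is illustration code, not part of cdxgen or the reporter's project). It assumes two things: that the Maven repository publishes sidecar checksum files next to each artifact (`.md5`, `.sha1`, `.sha256`, `.sha512`, containing the hex digest optionally followed by a file name), and that the BOM records component hashes in CycloneDX's `components[].hashes` entries with algorithm names such as `SHA-256`. The artifact bytes, the checksum-file texts and the BOM fragment are constructed; `com.example:example-lib:1.2.3` is a hypothetical artifact.

```python
"""Verify a locally cached Maven artifact against repository-published checksum
files and against the hashes recorded for it in a CycloneDX BOM.

Added example; not cdxgen code. Artifact bytes, checksum texts and the BOM
fragment below are constructed for illustration.
"""
import hashlib
import json
import re

# CycloneDX hash algorithm names mapped to hashlib constructors.
ALGORITHMS = {
    "MD5": hashlib.md5,
    "SHA-1": hashlib.sha1,
    "SHA-256": hashlib.sha256,
    "SHA-512": hashlib.sha512,
}

# Constructed stand-in for the bytes of example-lib-1.2.3.jar (hypothetical artifact).
# A real check reads the jar from the local repository, e.g. ~/.m2/repository.
SAMPLE_ARTIFACT = b"abc"

# Constructed CycloneDX 1.4 fragment of the kind an SBOM generator emits for that artifact.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library",
            "group": "com.example",
            "name": "example-lib",
            "version": "1.2.3",
            "purl": "pkg:maven/com.example/example-lib@1.2.3?type=jar",
            "hashes": [
                # SHA-256 of the constructed artifact bytes above.
                {"alg": "SHA-256",
                 "content": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
            ],
        }
    ],
}


def compute_hashes(data: bytes) -> dict:
    """Return lowercase hex digests of the data keyed by CycloneDX algorithm name."""
    return {alg: ctor(data).hexdigest() for alg, ctor in ALGORITHMS.items()}


def parse_checksum_file(text: str) -> str:
    """Extract the hex digest from a Maven sidecar checksum file.

    Such files hold the digest, sometimes followed by the file name (sha256sum style).
    Raises ValueError when the first field is not a hex string.
    """
    fields = text.strip().split()
    if not fields or not re.fullmatch(r"[0-9a-fA-F]+", fields[0]):
        raise ValueError("not a checksum file: %r" % text[:40])
    return fields[0].lower()


def verify_against_repository(data: bytes, published: dict) -> dict:
    """Compare artifact bytes with checksum-file texts keyed by algorithm name.

    Returns {alg: matched}; an unparsable file or unknown algorithm counts as a mismatch.
    """
    actual = compute_hashes(data)
    result = {}
    for alg, text in published.items():
        try:
            result[alg] = parse_checksum_file(text) == actual[alg]
        except (ValueError, KeyError):
            result[alg] = False
    return result


def verify_against_bom(data: bytes, bom: dict, purl: str) -> dict:
    """Check artifact bytes against every hash the BOM records for the component with this purl.

    Returns {alg: matched}. An empty dict means the component or its hashes are absent,
    which a caller must treat as 'unverified', never as success.
    """
    actual = compute_hashes(data)
    for component in bom.get("components", []):
        if component.get("purl") == purl:
            return {
                h["alg"]: h["content"].lower() == actual.get(h["alg"])
                for h in component.get("hashes", [])
            }
    return {}


def verify_artifact_file(path: str, bom: dict, purl: str) -> bool:
    """Convenience wrapper for a real jar on disk: True only if every recorded hash matches."""
    with open(path, "rb") as fh:
        data = fh.read()
    results = verify_against_bom(data, bom, purl)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    purl = SAMPLE_BOM["components"][0]["purl"]
    print(json.dumps(verify_against_bom(SAMPLE_ARTIFACT, SAMPLE_BOM, purl), indent=2))
```

Two design points matter for a defender: a component that has no hash entry in the BOM is reported as an empty result rather than a pass, so missing evidence cannot be mistaken for verification, and a malformed checksum file is treated as a mismatch rather than skipped. Comparing SHA-256 or SHA-512 is preferable to MD5 or SHA-1, which a repository may still publish for compatibility.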

prabhu commented 11 months ago

@cdacshubhambhingarde, in my personal opinion, hash-based comparisons are unreliable and less likely to work. cdxgen addresses this problem in two ways:

  1. Running cdxgen with -t maven-cache would generate an SBoM for all jars in the maven cache, along with the class names in each jar.
  2. Running evinse command against the project would list all usages of components.

I hope this helps!

Shubham-Bhingarde commented 11 months ago

Is it possible to integrate the authentication of components in the upcoming version of cdxgen?

prabhu commented 11 months ago

@Shubham-Bhingarde, let me think about this. We need a database with the source of truth to make this work.