CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

Support for Infrastructure as Code (terraform, etc...) #77

Open DarthHater opened 3 years ago

DarthHater commented 3 years ago

So it dawned on me that, say, you wanted to represent not just your application but also its external dependencies (so, the miraculous things that happen in AWS, GCP, etc...): I wasn't entirely sure how to represent this! I'm opening this issue more so as a collection of ideas, with no concrete feeling that I'll come out of it with YES THIS IS HOW, but more so to see how people think about it?

This could be slightly duplicative of the intent of something like terraform, too! Terraform is meant to manage your IaC, and it creates files that describe what it plans to do, or its state (terraform plans, terraform state, etc...).

Mostly curious as to others' thoughts around this. How would YOU describe them?

coderpatros commented 3 years ago

I would document them as services. Or is there some required information for your use case missing from that type?

hazcod commented 3 years ago

I can think of e.g. the google_container_cluster resource from the google terraform provider, which describes the Kubernetes version being used, which can then be linked to CVEs. Same for Cloud SQL (PostgreSQL), etc.

coderpatros commented 3 years ago

@hazcod I don't use terraform myself, so I might be misunderstanding your example.

But, if it's an external service I would document it as a service. Ideally you would additionally add an external reference to the BOM of that service. Which is a supported external reference type.

tonykay commented 2 years ago

Yes, I can see many use cases for this, as vulnerabilities etc. could live in the underlying infra such as an Ansible play, Terraform, CloudFormation, etc. and also in the specific underlying OS instances, packages, and configuration.

stevespringett commented 2 years ago

Checkov supports CycloneDX and obviously IaC, but I haven't seen how they output CycloneDX. Does anyone have an example of infrastructure represented in CycloneDX from checkov?

masahiro331 commented 2 years ago

Let me join this discussion. I deeply respect this community.

IaC only defines the infrastructure of the product. Probably, if it is created as a BOM specification, it is necessary to abstract the product.

A product is
・Service {Operating-system {Applications {Libraries}}}
・Devices (L2, L3 switch, e.g. load balancer, machine)
・Network (IP address, domain, port, firewall)

If it is possible to define the SaaSBOM specification and how these Services or Applications are connected to each other, it should be possible to create a BOM from the IaC.

Thanks.

stevespringett commented 1 year ago

v1.5 will introduce a new external reference called codified-infrastructure which will allow a CDX BOM to reference terraform or other IaC spec.
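To make both suggestions in this thread concrete (coderpatros: document cloud resources as services and point at the provider's own BOM with a `bom` external reference; Steve: the 1.5 `codified-infrastructure` external reference that links a BOM to the Terraform that declares the infrastructure), here is an added example that builds such a BOM from a Terraform state file. It is not code from the CycloneDX project or from any participant in the thread. The Terraform state is a constructed, trimmed sample (the attribute names `master_version` and `database_version` are those of the google provider as far as the author of this example knows; the values are invented); the source and provider-BOM URLs are hypothetical; and `KNOWN_REF_TYPES` is only a small subset of the spec's external reference types, so `check_bom` is a sanity check, not a substitute for validating against the published CycloneDX 1.5 JSON schema.

```python
"""Build a CycloneDX 1.5 BOM for cloud infrastructure from Terraform state (added example)."""
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample: a trimmed Terraform state (format version 4).  Attribute
# names follow the google provider; every value here is made up for the example.
SAMPLE_TFSTATE = {
    "version": 4,
    "resources": [
        {"type": "google_container_cluster", "name": "primary",
         "instances": [{"attributes": {"name": "prod-cluster", "master_version": "1.27.3-gke.100"}}]},
        {"type": "google_sql_database_instance", "name": "main",
         "instances": [{"attributes": {"name": "prod-db", "database_version": "POSTGRES_15"}}]},
    ],
}

# Hypothetical URLs, used only to populate externalReferences in this example.
IAC_SOURCE_URL = "https://git.example.com/infra/terraform/main.tf"
PROVIDER_BOM_URL = {"google_container_cluster": "https://example.com/boms/gke.cdx.json"}

# Resource type -> (platform name, attribute holding its version).  These are the
# versioned things a scanner could match against advisories (hazcod's point).
PLATFORM_VERSION_ATTR = {
    "google_container_cluster": ("Kubernetes (GKE control plane)", "master_version"),
    "google_sql_database_instance": ("Cloud SQL", "database_version"),
}

# Subset of the CycloneDX 1.5 externalReference types this example emits or accepts.
KNOWN_REF_TYPES = {"bom", "codified-infrastructure", "vcs", "website", "documentation"}


def service_from_resource(resource: Dict) -> Dict:
    """Map one Terraform resource to a CycloneDX service entry."""
    rtype, rname = resource["type"], resource["name"]
    attrs = resource["instances"][0]["attributes"]
    refs = [{"type": "codified-infrastructure", "url": IAC_SOURCE_URL,
             "comment": f"declared as {rtype}.{rname}"}]
    if rtype in PROVIDER_BOM_URL:  # link the provider's own BOM when one is published
        refs.append({"type": "bom", "url": PROVIDER_BOM_URL[rtype]})
    return {"bom-ref": f"tf:{rtype}.{rname}", "group": rtype, "name": attrs["name"],
            "externalReferences": refs}


def platform_from_resource(resource: Dict) -> Optional[Dict]:
    """Expose the versioned platform behind a resource as a `platform` component."""
    spec = PLATFORM_VERSION_ATTR.get(resource["type"])
    if spec is None:
        return None
    name, attr = spec
    version = resource["instances"][0]["attributes"].get(attr)
    if not version:
        return None  # never fabricate a version the state does not carry
    return {"bom-ref": f"tf:{resource['type']}.{resource['name']}#platform",
            "type": "platform", "name": name, "version": version}


def build_bom(tfstate: Dict, app_name: str = "my-app") -> Dict:
    """Assemble the BOM: application -> services -> platform components."""
    services, components, dependencies, app_deps = [], [], [], []
    for resource in tfstate["resources"]:
        svc = service_from_resource(resource)
        services.append(svc)
        app_deps.append(svc["bom-ref"])
        platform = platform_from_resource(resource)
        if platform:
            components.append(platform)
            dependencies.append({"ref": svc["bom-ref"], "dependsOn": [platform["bom-ref"]]})
    dependencies.insert(0, {"ref": app_name, "dependsOn": app_deps})
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}", "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                     "component": {"bom-ref": app_name, "type": "application", "name": app_name}},
        "components": components, "services": services, "dependencies": dependencies,
    }


def check_bom(bom: Dict) -> List[str]:
    """Cheap structural checks; returns the problems found (empty list when clean)."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.5":
        problems.append("not a CycloneDX 1.5 BOM")
    refs = {bom["metadata"]["component"]["bom-ref"]}
    for entry in bom.get("components", []) + bom.get("services", []):
        if entry["bom-ref"] in refs:
            problems.append(f"duplicate bom-ref {entry['bom-ref']}")
        refs.add(entry["bom-ref"])
        for ext in entry.get("externalReferences", []):
            if ext["type"] not in KNOWN_REF_TYPES:
                problems.append(f"unknown externalReference type {ext['type']}")
    for dep in bom.get("dependencies", []):
        for target in [dep["ref"]] + dep.get("dependsOn", []):
            if target not in refs:
                problems.append(f"dangling dependency ref {target}")
    return problems


if __name__ == "__main__":
    bom = build_bom(SAMPLE_TFSTATE)
    print(json.dumps(bom, indent=2))
    print("problems:", check_bom(bom) or "none")
```

The split between a service (the thing you call, with its references back to the IaC and to the provider's BOM) and a `platform` component (the versioned software underneath it) is what lets a scanner do something useful: the service alone carries no version to match, while the component alone loses the link to the Terraform that put it there. Note that `platform_from_resource` refuses to emit a component when the state has no version attribute rather than guessing one; a BOM that asserts a version nobody observed is worse than a BOM with a gap.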