OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

Software Bill of Materials (SBOM) #15604

Open rjpowers10 opened 7 months ago

rjpowers10 commented 7 months ago

I'll preface this by saying I'm by no means an expert on this topic. But SBOM is becoming a hot topic these days in the software world and I'm curious what, if anything, that means for Orchard Core.

Is your feature request related to a problem? Please describe.

My company has been on the receiving end of increased pressure to provide a complete SBOM to our customers. There are various tools to produce an SBOM but one such tool is sbom-tool provided by Microsoft. Using sbom-tool on my code is fairly straightforward and gets me most of the way there, at least as far as .NET packages go. The blind spot I'm struggling with is on the client-side technologies. Many client-side technologies are used by Orchard Core, most prominently in the OrchardCore.Resources module. So take the basic client-side stuff like jQuery and Bootstrap for example. Those probably should be in my SBOM but since the tool is looking for npm files (package.json and package-lock.json) it doesn't have a way to know about those dependencies.

The ultimate goal is this: my customers want to know if a particular security vulnerability affects them. I know that my application uses jQuery, so my customers should be watchful for new jQuery vulnerabilities. But right now, it's hard for me to include jQuery in my SBOM using sbom-tool. jQuery is just one example.

Describe the solution you'd like

I'm specifically trying to produce an SBOM in the SPDX format, which has a way to link other SBOMs. I think that, ideally, I could pull an Orchard Core SBOM from somewhere (also in SPDX) and link it from my SBOM.

One complicating factor for Orchard Core is there might be a need for separate SBOMs per module, since applications may not be pulling in all of Orchard Core.

Describe alternatives you've considered

Reverse engineering a package.json file based on ResourceManagementOptions and feeding that into sbom-tool.

sebastienros commented 7 months ago

Please help, this is required by law actually to generate a BOM with every shipping product.

One complicating factor for Orchard Core is there might be a need for separate SBOMs per module, since applications may not be pulling in all of Orchard Core.

I don't think this would be practical, but maybe it has to. We should check on MS packages if each package contains a different SBOM, I wouldn't imagine that. Check with aspnet or dotnet extensions packages maybe.

Piedone commented 7 months ago

Why is the tool that you use for NPM packages not working with the packages.json file of OrchardCore.Resources? Granted, you'd need to run it for the OC source, not your app, but then it should work.

rjpowers10 commented 7 months ago

I completely missed the fact that OrchardCore.Resources has its own package.json file. I now see that several modules have a local package.json. I was looking at the top-level one for the solution, which only lists devDependencies. So I thought the scripts were all being manually added to the solution and then wired up with ResourceManagementOptions.

Piedone commented 7 months ago

Perhaps what we need here is some documentation on how to create an SBOM for your app, then? It won't be the same for every app, since it depends on your flavor of OC (and your app's own dependencies, of course), so maintaining one for OC doesn't seem too useful.

rjpowers10 commented 7 months ago

Yeah, part of why I raised this issue is because I wasn't sure what the "right" solution was, and that perhaps there is not a one-size-fits-all solution in the first place.

I'm not sure what other products are doing in terms of producing and delivering an SBOM. It seems to me like this is still a relatively new topic for the software industry so I don't know if there is a standard practice. For example, is it something that should be produced in the OC build and hosted at https://orchardcore.net/ or https://docs.orchardcore.net/ for consumers to download? Or like you said, maybe just some advice on how to produce the SBOM myself is enough.

Piedone commented 7 months ago

I don't think having a central one for OC would be useful, since it'd both overreport for your app (it'd contain dependencies that your app doesn't use) and underreport (it won't contain custom dependencies that your app includes). This can be useful for enterprises to check a box when selecting a system (which can actually be quite useful for adoption and marketing) but not in practic

rjpowers10 commented 7 months ago

I'll take another look at self-producing the SBOM I need. As you said, it probably means downloading the OC source and running the tool against that.

If nothing else I can report back with my findings and the steps I took.

Piedone commented 6 months ago

BTW here is this list too: https://docs.orchardcore.net/en/latest/docs/resources/libraries/

Piedone commented 3 months ago

You can generate the SBOM for your repo from GitHub too: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository