# Software Composition Analysis by Surface Security
## sbom-repo
The SBOM repo uses data from **OSV.dev** as its main source of truth and serves as a dependency vulnerability database.
The SBOM repo is a complementary module of Surface SCA, which lives within the main Surface app; docs and code are available at https://github.com/surface-security/surface/blob/sca/surface/sca. You can use it standalone or install it from PyPI as a Python application.
### Database Source
**OSV.dev** is an open-source vulnerability database and triage infrastructure project, designed to help both open-source maintainers and consumers of open-source software effectively identify and address security vulnerabilities. It aims to provide precise vulnerability information in a way that is both easily accessible and actionable for developers and users of open-source software. It achieves this by automating the triage of vulnerabilities and maintaining a database where vulnerabilities are directly linked to exact affected package versions, rather than relying on the more traditional, often vague, vulnerability descriptions.
The vulnerability database and the tools provided by OSV.dev are continuously updated to reflect **new vulnerabilities**, **improved triage mechanisms**, and **evolving best practices** in software security. Using **OSV.dev** therefore ensures that every project we scan is equipped with the latest security intelligence.
**SBOM repo** is configured as a standalone module: it is a vulnerability database in its own right. It currently imports vulnerabilities from OSV.dev, but in principle it could import from any other source.
The import is configured in `management/commands/resync_vulnerabilities.py`, where we fetch the vulnerabilities from OSV.dev and create a Vulnerability object for each one.
### Process
By uploading an SBOM into the **SBOM repo**, we're able to quickly identify known **vulnerabilities** within software dependencies. This rapid identification allows for quicker remediation efforts, thereby reducing the window of exposure to potential exploits.
We use the concept of a **purl** to manage and track dependencies. A "purl" is a "Package URL": a standardized way to identify and locate a software package within a package management system or ecosystem. Purls are designed to simplify referring to software packages across different programming languages, package managers, and packaging conventions. See [packageurl-python](https://pypi.org/project/packageurl-python/) on PyPI.
The **SBOM repo** saves the SBOM for each app/repo plus information about which of its dependencies are vulnerable and the details of each vulnerability. The SBOM is then imported into Surface for visibility and tracking of both dependencies and vulnerabilities.
Once we receive an **SBOM**, we check its components for vulnerabilities within our Vulnerability Database and return a `.json`. That `.json` is cleaned and prepared to produce everything needed for a final SBOM to import into our application, where we display and track every dependency and vulnerability, alongside several other features. More in [Surface SCA](https://github.com/surface-security/surface/sca).
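The matching step described above, as an added example that is not code from django-sbomrepo or Surface: parse the purls out of a CycloneDX-style SBOM, map each purl type to its OSV ecosystem, and check each component's version against the `affected` ranges of OSV-style records. The SBOM, the vulnerability records (placeholder ids), the ecosystem map and the numeric-only version ordering are all constructed assumptions for this example.

```python
import json
# Constructed CycloneDX-style SBOM fragment (example input, not from the project)
SBOM = json.loads("""{"bomFormat": "CycloneDX", "components": [
  {"purl": "pkg:pypi/example-lib@1.2.0"},
  {"purl": "pkg:npm/@scope/widget@0.9.0?arch=x64"},
  {"purl": "pkg:pypi/unversioned-lib"}]}""")
# Constructed OSV-style records; the ids are placeholders, not real advisories
VULNS = [
    {"id": "EXAMPLE-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "example-lib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.5"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"ecosystem": "npm", "name": "@scope/widget"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}]},  # no fix published yet
]
ECOSYSTEMS = {"pypi": "PyPI", "npm": "npm", "maven": "Maven", "golang": "Go"}  # purl type -> OSV ecosystem (subset, assumed)
def parse_purl(purl):
    """Split 'pkg:type/[namespace/]name[@version]' into parts; qualifiers and subpath are dropped."""
    body = purl.split(":", 1)[1].split("?", 1)[0].split("#", 1)[0]
    head, _, last = body.rpartition("/")              # last segment is name[@version]
    name, _, version = last.partition("@")
    parts = head.split("/")
    return {"type": parts[0], "namespace": "/".join(parts[1:]) or None,
            "name": name, "version": version or None}
def vkey(v):  # simplified ordering: numeric dotted versions only (no PEP 440 / semver pre-release rules)
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))
def is_affected(version, ranges):
    """OSV ECOSYSTEM ranges: affected when introduced <= version < fixed, or introduced with no fix."""
    for r in (r for r in ranges if r.get("type") == "ECOSYSTEM"):
        introduced = None
        for ev in r["events"] + [{}]:                   # empty sentinel closes an open-ended range
            if "introduced" in ev:
                introduced = ev["introduced"]
            elif introduced is not None:                 # 'fixed' or sentinel ('last_affected' not handled)
                if vkey(introduced) <= vkey(version) and ("fixed" not in ev or vkey(version) < vkey(ev["fixed"])):
                    return True
                introduced = None
    return False
def find_vulnerabilities(sbom, vulns):
    """Map each component purl to the ids of vulnerability records whose affected range covers it."""
    findings = {}
    for comp in sbom["components"]:
        p = parse_purl(comp["purl"])
        eco, full_name = ECOSYSTEMS.get(p["type"]), "/".join(x for x in (p["namespace"], p["name"]) if x)
        if not eco or not p["version"]:                  # unknown ecosystem or unversioned: cannot match
            continue
        for v in vulns:
            for aff in v["affected"]:
                pkg = aff["package"]
                if pkg.get("ecosystem") == eco and pkg.get("name") == full_name and is_affected(p["version"], aff["ranges"]):
                    findings.setdefault(comp["purl"], []).append(v["id"])
    return findings
```

A real resync would replace `VULNS` with the records pulled from OSV.dev and use a proper ecosystem-aware version comparison; the unversioned component is skipped rather than reported, which is a gap worth surfacing in the returned JSON.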
### How to run it
The **SBOM repo** is a PyPI package. Install it with `pip install django-sbomrepo` within your Django application. Make sure you add `sbomrepo` to `INSTALLED_APPS` in your `settings.py` and update your `urls.py` to include the `sbomrepo` URLs.
### Features
- **Import SBOM**: `curl -F 'file=@./sbom.json' "http://localhost:8000/sbomrepo/v1/sbom?repo=${{GIT_URL}}&branch=${{GIT_BRANCH}}&main_branch={branch}"`
- **Get SBOM**: `curl "http://localhost:8000/sbomrepo/v1/sbom/<serial_number>"`
- **Get SBOM and Vulnerabilities**: `curl "http://localhost:8000/sbomrepo/v1/sbom/<serial_number>?vuln_data=true"`
- **List All SBOMs**: `curl "http://localhost:8000/sbomrepo/v1/sbom/all"`
- **Delete SBOMs**: `curl -X DELETE "http://localhost:8000/sbomrepo/v1/sbom/delete"`
- **Reimport SBOM**: `curl -X POST "http://localhost:8000/sbomrepo/v1/sbom/<serial_number>/reimport"`
- **Get Vulnerability**: `curl "http://localhost:8000/sbomrepo/v1/vulnerability/<id>"`
- **Get Ecosystems**: `curl "http://localhost:8000/sbomrepo/v1/ecosystems"`
### Package metadata (PyPI)
- Package: `django-sbomrepo`, version 0.0.8, license MIT, requires Python >=3.7
- Summary: Software Bill of Materials Repository for Django
- Author email: InfoSec Engineering <surface@paddypowerbetfair.com>
- Keywords: django, sbomrepo, sbom, dependencies, vulnerabilities, osv.dev, database
- Released 2024-09-20 as a wheel (`django_sbomrepo-0.0.8-py3-none-any.whl`, https://files.pythonhosted.org/packages/09/54/ca6c288e13bfede8e2fcaa53e0d841f641d9f5ba364a3491c0cdb6f5d96d/django_sbomrepo-0.0.8-py3-none-any.whl) and an sdist (`django_sbomrepo-0.0.8.tar.gz`, https://files.pythonhosted.org/packages/27/77/e7c69cf60f8b5d65f05d32b844d6011d5a16fd9e9d319ccb8d35801c051c/django_sbomrepo-0.0.8.tar.gz); neither file is yanked