Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

SBOMproof: Beyond Alleged SBOM Compliance for Supply Chain Security of Container Images

Jacopo Bufalino, Mario Di Francesco, Agathe Blaise, Stefano Secci

TL;DR

SBOMproof investigates software supply chain security for container images by examining how SBOMs generated by different tools interoperate and how that interoperability (or lack thereof) affects vulnerability detection. The authors conduct a large-scale, data-driven study across Debian and Alpine containers, assessing pURL and SPDX compliance and CVE mapping accuracy, and they reveal a prominent SBOM confusion vulnerability caused by fragmented tooling. They introduce sbomvert, an open-source translator that converts tool-specific SPDX SBOMs into interoperable forms to improve cross-tool vulnerability detection, and they quantify the gains in CVE coverage after translation. The work highlights the practical need for standardized SBOM formats and tooling in order to reliably leverage SBOMs for container security in real-world supply chain scenarios.

Abstract

Supply chain security is extremely important for modern applications running at scale in the cloud. In fact, they involve a large number of heterogeneous microservices that also include third-party software. As a result, security vulnerabilities are hard to identify and mitigate before they start being actively exploited by attackers. For this reason, governments have recently introduced cybersecurity regulations that require vendors to share a software bill of material (SBOM) with end users or regulators. An SBOM can be employed to identify the security vulnerabilities of a software component even without access to its source code, as long as it is accurate and interoperable across different tools. This work evaluates this issue through a comprehensive study of tools for SBOM generation and vulnerability scanning, including both open-source software and cloud services from major providers. We specifically target software containers and focus on operating system packages in Linux distributions that are widely used as base images due to their far-reaching security impact. Our findings show that the considered tools are largely incompatible, leading to inaccurate reporting and a large amount of undetected vulnerabilities. We uncover the SBOM confusion vulnerability, a byproduct of such fragmented ecosystem, where inconsistent formats prevent reliable vulnerability detection across tools.

SBOMproof: Beyond Alleged SBOM Compliance for Supply Chain Security of Container Images

TL;DR

SBOMproof investigates software supply chain security for container images by examining how SBOMs generated by different tools interoperate and how that interoperability (or lack thereof) affects vulnerability detection. The authors conduct a large-scale, data-driven study across Debian and Alpine containers, assessing pURL and SPDX compliance and CVE mapping accuracy, and they reveal a prominent SBOM confusion vulnerability caused by fragmented tooling. They introduce sbomvert, an open-source translator that converts tool-specific SPDX SBOMs into interoperable forms to improve cross-tool vulnerability detection, and they quantify the gains in CVE coverage after translation. The work highlights the practical need for standardized SBOM formats and tooling in order to reliably leverage SBOMs for container security in real-world supply chain scenarios.

Abstract

Supply chain security is extremely important for modern applications running at scale in the cloud. In fact, they involve a large number of heterogeneous microservices that also include third-party software. As a result, security vulnerabilities are hard to identify and mitigate before they start being actively exploited by attackers. For this reason, governments have recently introduced cybersecurity regulations that require vendors to share a software bill of material (SBOM) with end users or regulators. An SBOM can be employed to identify the security vulnerabilities of a software component even without access to its source code, as long as it is accurate and interoperable across different tools. This work evaluates this issue through a comprehensive study of tools for SBOM generation and vulnerability scanning, including both open-source software and cloud services from major providers. We specifically target software containers and focus on operating system packages in Linux distributions that are widely used as base images due to their far-reaching security impact. Our findings show that the considered tools are largely incompatible, leading to inaccurate reporting and a large amount of undetected vulnerabilities. We uncover the SBOM confusion vulnerability, a byproduct of such fragmented ecosystem, where inconsistent formats prevent reliable vulnerability detection across tools.

Paper Structure

This paper contains 45 sections, 10 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Software Composition Analysis
  4. Container Images and OS Packages
  5. Package versioning and maintenance
  6. Software Bill of Materials
  7. The pURL package identifier
  8. System Package Data Exchange (SPDX)
  9. Vulnerability Management
  10. Mapping SBOMs to vulnerabilities
  11. Overview
  12. Motivation and Goals
  13. Datasets
  14. Considered Tools
  15. Evaluation
  16. ...and 30 more sections

Figures (10)

  • Figure 1: Fragments of a \ref{['fig:dpkg']}dpkg and an \ref{['fig:apk']}apk entry for the passwd package.
  • Figure 2: pURL format (above) and an example pURL (below).
  • Figure 3: Minimal example of a SPDX file.
  • Figure 4: Jaccard index for the pURLs in the Debian \ref{['fig:jaccard-purl:debian:all']} All and \ref{['fig:jaccard-purl:debian:top20']} Top 20 datasets.
  • Figure 5: Jaccard index for the package identifiers in the: Debian \ref{['fig:jaccard-ids:debian:all']} All and \ref{['fig:jaccard-ids:debian:top20']} Top 20 datasets; Alpine \ref{['fig:jaccard-ids:alpine:all']} All and \ref{['fig:jaccard-ids:alpine:top20']} Top 20 datasets.
  • ...and 5 more figures