# Software Bill of Materials (SBOM) - Rippler
## Overview
This directory contains the Software Bill of Materials (SBOM) for the Rippler system. The SBOM provides a comprehensive, machine-readable inventory of all software components, libraries, and dependencies used in the Rippler project.
## SBOM Formats
We provide SBOMs in two industry-standard formats:
### 1. SPDX Format
- Download: sbom.spdx.json
- Standard: SPDX 2.3
- Size: ~3.7 MB
- Format: JSON
- Use Case: Broad industry adoption, compliance, security scanning
The SPDX (Software Package Data Exchange) format is an open standard for communicating software bill of materials information. It is widely adopted and supported by many security scanning tools and compliance frameworks.
Key Features:
- Complete package inventory with versions
- License information for each component
- Cryptographic hashes (SHA1, SHA256) for verification
- Dependency relationships between components
- Package URLs (PURL) for standardized identification
Compatible Tools:
- Grype (vulnerability scanning)
- Trivy (security scanning)
- Black Duck (compliance management)
- FOSSA (license compliance)
- OSS Review Toolkit (ORT)
### 2. CycloneDX Format
- Download: sbom.cyclonedx.json
- Standard: CycloneDX 1.5
- Size: ~2.3 MB
- Format: JSON
- Use Case: DevSecOps, vulnerability management, dependency analysis
CycloneDX is a lightweight SBOM standard designed for use in application security and supply chain component analysis. It's particularly well-suited for continuous integration and DevSecOps workflows.
Key Features:
- Lightweight and efficient format
- Detailed component metadata
- Vulnerability references (CVE, etc.)
- Dependency graph representation
- Service definitions (for microservices)
Compatible Tools:
- OWASP Dependency-Track (vulnerability management)
- Anchore (container security)
- Sonatype Nexus (repository management)
- Snyk (security scanning)
- JFrog Xray (artifact analysis)
## SBOM Contents
Both SBOM files include:
### Programming Languages and Package Managers
- Java (Maven): Spring Boot services, dependencies
- JavaScript/TypeScript (npm): React/Next.js UI, website
- Python (pip): LLM service dependencies
### Major Components
#### Java Services (Spring Boot 3.2.0)
- api-gateway: Spring Cloud Gateway, OAuth2 Resource Server
- auth-service: Spring Security, Spring Data JPA, PostgreSQL
- audit-service: Spring Data JPA, Redis, Flyway
- launchpad: Spring Boot Web, Spring AOP
- dependency-graph-engine: JGraphT, Spring WebFlux
- discovery-server: Spring Cloud Netflix Eureka Server
Key Java Dependencies:
- Spring Boot 3.2.0
- Spring Cloud 2023.0.x
- PostgreSQL JDBC Driver
- H2 Database (for testing)
- Lombok
- Jackson (JSON processing)
- JUnit 5 (testing)
#### JavaScript/TypeScript (Node.js)
- rippler-ui: Next.js, React, TypeScript
- website: Docusaurus (documentation)
Key npm Dependencies:
- Next.js 14.x
- React 18.x
- Docusaurus 3.x
- TypeScript 5.x
- Various UI libraries
#### Python (LLM Service)
Key pip Dependencies:
- FastAPI 0.121.1
- OpenAI 1.3.5
- Anthropic 0.7.0
- Pydantic 2.5.0
- Uvicorn 0.24.0
- HTTPX 0.25.1
- Tenacity 9.1.2
## License Summary
The Rippler project and its dependencies use various open-source licenses:
Primary Licenses:
- MIT License: Majority of npm dependencies, many Java libraries
- Apache License 2.0: Spring Framework, Spring Boot, many enterprise Java libraries
- BSD Licenses: Various libraries (BSD-2-Clause, BSD-3-Clause)
- GPL/LGPL: Some libraries (check specific components)
- MPL: Mozilla Public License for specific components
Rippler Project License: MIT License
License Compliance:
- ✅ All dependencies use permissive or copyleft licenses compatible with commercial use
- ✅ No proprietary or restrictive licenses that would prevent deployment
- ⚠️ Review specific GPL/LGPL dependencies if creating a proprietary derivative work
For detailed license information for each component, refer to the SBOM files or run:
```bash
# Using syft (`syft scan` is the current subcommand; `syft packages` is its deprecated alias)
syft scan dir:. -o json | jq '.artifacts[] | {name: .name, version: .version, license: .licenses}'
```
## Generating Updated SBOMs
The SBOM files are generated using Syft, an open-source SBOM generation tool.
### Prerequisites
Install Syft:
```bash
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
```
### Generate SPDX SBOM
```bash
# -o <format>=<file> writes straight to the file; a bare -o spdx-json would also dump it to stdout
syft dir:. -o spdx-json=sbom.spdx.json
```
### Generate CycloneDX SBOM
```bash
syft dir:. -o cyclonedx-json=sbom.cyclonedx.json
```
### Generate Both Formats
```bash
# Generate SPDX
syft dir:. -o spdx-json=sbom.spdx.json
# Generate CycloneDX
syft dir:. -o cyclonedx-json=sbom.cyclonedx.json
```
## Vulnerability Scanning with SBOM
Use the SBOM files to scan for vulnerabilities:
### Using Grype (with SPDX SBOM)
```bash
# Install Grype
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# Scan SBOM for vulnerabilities
grype sbom:./sbom.spdx.json
```
### Using Trivy (with SPDX SBOM)
```bash
# Install Trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
# Scan SBOM for vulnerabilities
trivy sbom sbom.spdx.json
```
### Using OWASP Dependency-Track (with CycloneDX SBOM)
- Set up a Dependency-Track server: https://docs.dependencytrack.org/getting-started/
- Upload sbom.cyclonedx.json to Dependency-Track
- View vulnerability analysis, license compliance, and risk scores
## Updating the SBOM
The SBOM should be regenerated:
- Whenever dependencies are added, updated, or removed
- Whenever new services or components are added
- Before each release
- On a regular schedule as part of the CI/CD pipeline (recommended: weekly)
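A regenerated SBOM is only useful if someone compares it with the previous one. The script below is an added example, not part of the Rippler project or of Syft: it diffs two CycloneDX JSON documents and reports added, removed and version-changed components, keyed on the Package URL so that the same library from two ecosystems is not confused. Both documents are constructed inline (the component names and versions are placeholders); in practice you would load the SBOM archived with the last release and the freshly generated `sbom.cyclonedx.json`.

```python
"""Diff two CycloneDX JSON SBOMs to detect dependency drift.

Added example, not part of the Rippler project or of Syft. Both documents are
constructed inline; in practice compare the SBOM archived with the last
release against a freshly generated sbom.cyclonedx.json.
"""
import json
from typing import Dict

# Constructed CycloneDX 1.5 documents, trimmed to the fields the diff reads.
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "fastapi", "version": "0.104.1", "purl": "pkg:pypi/fastapi@0.104.1"},
        {"type": "library", "name": "pydantic", "version": "2.5.0", "purl": "pkg:pypi/pydantic@2.5.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "fastapi", "version": "0.121.1", "purl": "pkg:pypi/fastapi@0.121.1"},
        {"type": "library", "name": "pydantic", "version": "2.5.0", "purl": "pkg:pypi/pydantic@2.5.0"},
        {"type": "library", "name": "tenacity", "version": "9.1.2", "purl": "pkg:pypi/tenacity@9.1.2"},
        {"type": "library", "name": "unnamed-vendor-blob", "version": "0.1"},  # constructed: no purl
    ],
})


def component_key(comp: dict) -> str:
    """Identity of a component independent of its version.

    A Package URL is 'pkg:type/namespace/name@version?qualifiers', so the text
    before the first '@' identifies the package (scoped npm names encode their
    leading '@' as %40, so the split is safe). Components without a purl fall
    back to type/name, which is weaker: two ecosystems could collide.
    """
    purl = comp.get("purl")
    if purl:
        return purl.partition("@")[0]
    return f"{comp.get('type', 'unknown')}/{comp.get('name', '')}"


def component_index(text: str) -> Dict[str, str]:
    """Map each component's identity to its version."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {component_key(c): c.get("version", "") for c in doc.get("components", [])}


def diff_sboms(old_text: str, new_text: str) -> Dict[str, list]:
    """Return added, removed and version-changed components between two SBOMs."""
    old, new = component_index(old_text), component_index(new_text)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]),
    }


if __name__ == "__main__":
    for kind, items in diff_sboms(OLD_SBOM, NEW_SBOM).items():
        print(kind, items)
```

Run it against the archived and current SBOMs in CI and fail the job (or open a review ticket) when `added` is non-empty: a component that appears without a corresponding dependency change in the commit is exactly the drift the weekly regeneration is meant to surface.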
### Automated SBOM Generation (CI/CD)
Add to your GitHub Actions workflow:
```yaml
name: Generate SBOM
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0'  # Weekly on Sundays
jobs:
  generate-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
      - name: Generate SBOMs
        run: |
          syft dir:. -o spdx-json=sbom.spdx.json
          syft dir:. -o cyclonedx-json=sbom.cyclonedx.json
      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v3
        with:
          name: sbom-files
          path: |
            sbom.spdx.json
            sbom.cyclonedx.json
      - name: Scan for vulnerabilities
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
          # --fail-on high exits non-zero on High or Critical findings
          grype sbom:./sbom.spdx.json --fail-on high
```
## SBOM Verification
Verify the integrity of SBOM files:
### Check File Integrity
```bash
# Check that both files are well-formed JSON. jq does not check the SPDX or
# CycloneDX schema; use the validators from each specification for that.
jq empty sbom.spdx.json && echo "Valid JSON"
jq empty sbom.cyclonedx.json && echo "Valid JSON"
# Count components
echo "SPDX components: $(jq '.packages | length' sbom.spdx.json)"
echo "CycloneDX components: $(jq '.components | length' sbom.cyclonedx.json)"
```
### Verify Component Checksums
```bash
# Extract a specific component's recorded checksums
jq '.packages[] | select(.name == "spring-boot-starter-web") | .checksums' sbom.spdx.json
```
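Extracting the checksums is only half of verification; the other half is hashing the artifact actually deployed and comparing. The script below is an added example, not part of the Rippler project or of Syft: it parses an SPDX 2.3 JSON document, looks up a package by name, and compares the artifact bytes against every checksum recorded for it. The SBOM and the artifact bytes are constructed inline so it runs offline, and the `react` package is deliberately listed without checksums to show the case Syft produces for packages inferred from a manifest alone.

```python
"""Verify an artifact against the checksums recorded in an SPDX 2.3 JSON SBOM.

Added example, not part of the Rippler project or of Syft. The SBOM document
and the artifact bytes below are constructed inline so the script runs
offline; in practice load sbom.spdx.json and read the deployed artifact.
"""
import hashlib
import json
from typing import Optional

# Constructed stand-in for a downloaded jar; any bytes will do.
FAKE_JAR = b"PK\x03\x04 constructed spring-boot-starter-web jar bytes"

# Constructed SPDX 2.3 JSON document in the shape Syft writes.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "rippler",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-spring-boot-starter-web",
            "name": "spring-boot-starter-web",
            "versionInfo": "3.2.0",
            "checksums": [
                {"algorithm": "SHA256",
                 "checksumValue": hashlib.sha256(FAKE_JAR).hexdigest()},
            ],
        },
        {
            # No checksums: a package inferred from a manifest alone cannot be hashed.
            "SPDXID": "SPDXRef-Package-react",
            "name": "react",
            "versionInfo": "18.2.0",
        },
    ],
})

# Algorithms this script can recompute; anything else is skipped, not trusted.
SUPPORTED = {"SHA256": hashlib.sha256, "SHA1": hashlib.sha1, "SHA512": hashlib.sha512}


def load_spdx(text: str) -> dict:
    """Parse SPDX JSON and check the two fields every consumer relies on."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document")
    if not isinstance(doc.get("packages"), list):
        raise ValueError("SPDX document has no packages array")
    return doc


def find_package(doc: dict, name: str, version: Optional[str] = None) -> Optional[dict]:
    """Return the first package with this name (and version, if given)."""
    for pkg in doc["packages"]:
        if pkg.get("name") == name and (version is None or pkg.get("versionInfo") == version):
            return pkg
    return None


def verify_checksum(doc: dict, name: str, data: bytes) -> str:
    """Compare data against every checksum recorded for the named package.

    Returns "match", "mismatch", "no-checksum" (package listed but carries no
    checksum this script can compute) or "unknown" (package not in the SBOM).
    Only "match" is evidence that the artifact is the one the SBOM describes.
    """
    pkg = find_package(doc, name)
    if pkg is None:
        return "unknown"
    compared = 0
    for entry in pkg.get("checksums") or []:
        fn = SUPPORTED.get(str(entry.get("algorithm", "")).upper())
        if fn is None:
            continue  # e.g. MD5 or an algorithm we do not compute
        compared += 1
        if fn(data).hexdigest() != str(entry.get("checksumValue", "")).lower():
            return "mismatch"
    return "match" if compared else "no-checksum"


if __name__ == "__main__":
    sbom = load_spdx(SAMPLE_SPDX)
    print("genuine jar:", verify_checksum(sbom, "spring-boot-starter-web", FAKE_JAR))
    print("altered jar:", verify_checksum(sbom, "spring-boot-starter-web", FAKE_JAR + b"\x00"))
    print("unhashed package:", verify_checksum(sbom, "react", b""))
```

Treat `no-checksum` and `unknown` as findings in their own right: a package with no recorded hash cannot be verified at all, and a deployed artifact that is absent from the SBOM means the inventory is incomplete.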
## Using SBOM for Compliance
### Export License Report
```bash
# Extract all licenses from SPDX SBOM
jq -r '.packages[] | "\(.name) \(.versionInfo) \(.licenseConcluded)"' sbom.spdx.json > license-report.txt
# Count by license type
jq -r '.packages[].licenseConcluded' sbom.spdx.json | sort | uniq -c | sort -nr
```
### Identify High-Risk Dependencies
```bash
# Find components with known vulnerabilities (requires Grype)
grype sbom:./sbom.spdx.json -o json | jq '.matches[] | select(.vulnerability.severity == "Critical" or .vulnerability.severity == "High")'
```
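The two jq one-liners above produce a license report and a severity filter; a release gate needs both plus a decision. The script below is an added example, not part of the Rippler project, Syft or Grype, that serves both subsections: it builds the license breakdown from an SPDX document, flags GPL/LGPL/AGPL components for the review the License Compliance section asks for, flags packages whose license is `NOASSERTION`, and counts High and Critical matches from a Grype JSON report. Both inputs are constructed inline in the shape those tools emit; the package names other than the two from this page, the versions and the `CVE-EXAMPLE-*` identifiers are placeholders.

```python
"""License report and vulnerability gate over an SPDX SBOM and a Grype report.

Added example, not part of the Rippler project, Syft or Grype. SAMPLE_SPDX is a
constructed packages array in the shape Syft writes; SAMPLE_GRYPE is a
constructed matches array in the shape of `grype sbom:... -o json`. Names,
versions and vulnerability ids are placeholders.
"""
import json
import re
from collections import Counter
from typing import Dict, List, Tuple

# GPL, LGPL and AGPL identifiers (with any version suffix) inside an SPDX expression.
COPYLEFT = re.compile(r"\b(?:A|L)?GPL-\d", re.IGNORECASE)

SAMPLE_SPDX = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "spring-boot-starter-web", "versionInfo": "3.2.0", "licenseConcluded": "Apache-2.0"},
    {"name": "react", "versionInfo": "18.2.0", "licenseConcluded": "MIT"},
    {"name": "example-ui-widgets", "versionInfo": "4.1.0", "licenseConcluded": "MIT"},
    {"name": "example-gpl-lib", "versionInfo": "1.0.0", "licenseConcluded": "GPL-3.0-only"},
    {"name": "example-unknown", "versionInfo": "0.1", "licenseConcluded": "NOASSERTION"},
]})

SAMPLE_GRYPE = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical"},
     "artifact": {"name": "example-gpl-lib", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "High"},
     "artifact": {"name": "example-ui-widgets", "version": "4.1.0"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Medium"},
     "artifact": {"name": "react", "version": "18.2.0"}},
]})


def license_report(spdx_text: str) -> List[Tuple[str, str, str]]:
    """(name, version, concluded license) for every package, like the jq report."""
    doc = json.loads(spdx_text)
    return [(p.get("name", ""), p.get("versionInfo", ""), p.get("licenseConcluded") or "NOASSERTION")
            for p in doc.get("packages", [])]


def license_counts(spdx_text: str) -> Dict[str, int]:
    """Number of packages per license expression (the `sort | uniq -c` step)."""
    return dict(Counter(lic for _, _, lic in license_report(spdx_text)))


def copyleft_packages(spdx_text: str) -> List[str]:
    """Packages whose expression mentions a GPL-family license, for manual review.

    Deliberately over-inclusive: 'GPL-2.0 WITH Classpath-exception-2.0' is
    flagged too, because deciding that the exception applies is a human call.
    """
    return [name for name, _, lic in license_report(spdx_text) if COPYLEFT.search(lic)]


def unresolved_packages(spdx_text: str) -> List[str]:
    """Packages the generator could not assign a license to."""
    return [name for name, _, lic in license_report(spdx_text) if lic in ("NOASSERTION", "NONE")]


def high_risk_matches(grype_text: str) -> List[Tuple[str, str, str, str]]:
    """(vuln id, severity, artifact name, version) for Critical and High findings."""
    doc = json.loads(grype_text)
    hits = []
    for m in doc.get("matches", []):
        vuln, art = m.get("vulnerability", {}), m.get("artifact", {})
        if vuln.get("severity") in ("Critical", "High"):
            hits.append((vuln.get("id", ""), vuln["severity"], art.get("name", ""), art.get("version", "")))
    return hits


def gate(spdx_text: str, grype_text: str, allow_copyleft: bool = False) -> Dict[str, object]:
    """Combine both checks into one pass/fail decision with human-readable reasons."""
    reasons = []
    vulns = high_risk_matches(grype_text)
    if vulns:
        reasons.append(f"{len(vulns)} High/Critical finding(s): " + ", ".join(v[0] for v in vulns))
    copyleft = copyleft_packages(spdx_text)
    if copyleft and not allow_copyleft:
        reasons.append("copyleft licenses need review: " + ", ".join(copyleft))
    unresolved = unresolved_packages(spdx_text)
    if unresolved:
        reasons.append("license unresolved: " + ", ".join(unresolved))
    return {"pass": not reasons, "reasons": reasons}


if __name__ == "__main__":
    print(license_counts(SAMPLE_SPDX))
    print(gate(SAMPLE_SPDX, SAMPLE_GRYPE))
```

`allow_copyleft=True` models the case where a review has already cleared the GPL/LGPL components for this deployment; unresolved licenses are never waived automatically, since `NOASSERTION` means the generator found no license at all.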
## SBOM Maintenance Schedule
| Task | Frequency | Responsibility |
|---|---|---|
| Regenerate SBOM | Weekly or on dependency changes | CI/CD Pipeline |
| Vulnerability Scan | Daily | CI/CD Pipeline |
| License Audit | Monthly | Security Team |
| Dependency Review | Quarterly | Engineering Team |
| SBOM Archive | Each release | Release Manager |
## Resources
- SPDX Specification: https://spdx.dev/
- CycloneDX Specification: https://cyclonedx.org/
- Syft Documentation: https://github.com/anchore/syft
- Grype Vulnerability Scanner: https://github.com/anchore/grype
- OWASP Dependency-Track: https://dependencytrack.org/
- NTIA Minimum Elements for SBOM: https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom
## Support
For questions about the SBOM or to report discrepancies:
- Open a GitHub issue: https://github.com/hanisntsolo/rippler/issues
- Contact the security team (see README.md for contacts)
Last Updated: November 2024
SBOM Generator: Syft v1.37.0
Maintained By: Rippler Security Team