CycloneDX Application Analysis

NEW IN RELEASE 77

What is supported

Analysis is performed by scanning files that match the pattern <source>-bom.xml and contain CycloneDX data (version 1.1 is supported).

For example:

cyclonedx-bom.xml

The <source> part of the file name is used as the identification source, which is displayed in the Application Composition Report.

bom.xml (with no source prefix) is also a valid file name. If no source is provided, Third Party is used by default as the identification source in the Application Composition Report.

Integrations with CycloneDX scanning support

  • CLI from version 77
  • Jenkins from version 3.8.20191127-111424.5D61F82
  • Bamboo from version 1.14.2

Steps to analyze using the CLI

Create the cyclonedx-bom.xml file

For detailed instructions on the CycloneDX schema, please refer to the CycloneDX scanner documentation.

Example file content

<?xml version="1.0" encoding="UTF-8"?>
<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.1">
    <components>
        <component type="library">
            <publisher>Ronald Oussoren</publisher>
            <name>altgraph</name>
            <version>0.10.2</version>
            <description>Python graph (network) package</description>
            <hashes>
                <hash alg="SHA-256">628ad4e48be307970476ed0a9ab5efaf52e188bff115ab97d9e3d27fbe95fb60</hash>
                <hash alg="MD5">059ae244d667cc673e16826c2b96046f</hash>
            </hashes>
            <licenses>
                <license>
                    <name>MIT</name>
                </license>
            </licenses>
            <purl>pkg:pypi/altgraph@0.10.2</purl>
            <modified>false</modified>
        </component>
        <component type="library">
            <publisher>Bob Ippolito</publisher>
            <name>bdist-mpkg</name>
            <version>0.5.0</version>
            <description>Builds Mac OS X installer packages from distutils</description>
            <hashes>
                <hash alg="SHA-256">d42a697e0869d12dd451c9ef687ac34f45d44227569cfabec69bddabb40bb89b</hash>
                <hash alg="MD5">db4742ffa9afc8a0cf6c55c2aeb7309f</hash>
            </hashes>
            <licenses>
                <license>
                    <name>MIT License</name>
                </license>
            </licenses>
            <purl>pkg:pypi/bdist-mpkg@0.5.0</purl>
            <modified>false</modified>
        </component>
    </components>
</bom>

When a component is specified by its Package URL (the <purl> tag), IQ Server tries to match it against its own data and retrieve all available information about it.

Note: in the unlikely case that the same component appears more than once in the BOM, only the data of the first occurrence is processed and shown.

NEW IN RELEASE 81

If no Package URL is specified as shown above, a component can also be specified by its coordinates, and IQ Server will attempt to apply policies based on that identity.

  • <name>: mandatory when using coordinates
  • <version>: mandatory when using coordinates

NEW IN RELEASE 78

In addition to the identity data shown above, each component can also include vulnerability data as shown in the example below.

<?xml version="1.0"?>
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
     xmlns="http://cyclonedx.org/schema/bom/1.1"
     xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0">
  <components>
    <component type="library" bom-ref="pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9?type=jar">
      <group>com.fasterxml.jackson.core</group>
      <name>jackson-databind</name>
      <version>2.9.9</version>
      <purl>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9?type=jar</purl>
      <v:vulnerabilities>
        <v:vulnerability ref="pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9?type=jar">
          <v:id>CVE-2018-7489</v:id>
          <v:source name="NVD">
            <v:url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</v:url>
          </v:source>
          <v:ratings>
            <v:rating>
              <v:score>
                <v:base>9.8</v:base>
                <v:impact>5.9</v:impact>
                <v:exploitability>3.0</v:exploitability>
              </v:score>
              <v:severity>Critical</v:severity>
              <v:method>CVSSv3</v:method>
              <v:vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</v:vector>
            </v:rating>
          </v:ratings>
          <v:cwes>
            <v:cwe>184</v:cwe>
            <v:cwe>502</v:cwe>
          </v:cwes>
          <v:description>FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.</v:description>
          <v:recommendations>
            <v:recommendation>Upgrade</v:recommendation>
          </v:recommendations>
          <v:advisories>
            <v:advisory>https://github.com/FasterXML/jackson-databind/issues/1931</v:advisory>
            <v:advisory>http://www.securityfocus.com/bid/103203</v:advisory>
            <v:advisory>http://www.securitytracker.com/id/1040693</v:advisory>
            <v:advisory>http://www.securitytracker.com/id/1041890</v:advisory>
          </v:advisories>
        </v:vulnerability>
      </v:vulnerabilities>
    </component>
  </components>
</bom>

Please note that vulnerabilities are currently supported only when specified at the component level. You must also specify at least the base score for each vulnerability rating.
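A pre-flight check that applies the rules described above (a component is identified by <purl>, or else by both <name> and <version>; only the first occurrence of a duplicate is processed; every rating must carry a base score) to a BOM before it is submitted to IQ Server. This is an added example, not Sonatype's code; the sample BOM and the CVE-0000-0000 identifier are constructed placeholders.

```python
"""Pre-flight check of a CycloneDX 1.1 BOM against the rules IQ Server applies.
Added example, not Sonatype's code: a component needs <purl>, or else <name> and
<version>; duplicates are flagged since only the first occurrence is processed;
every <v:rating> must carry a <v:base> score."""
import xml.etree.ElementTree as ET

NS = {"b": "http://cyclonedx.org/schema/bom/1.1",
      "v": "http://cyclonedx.org/schema/ext/vulnerability/1.0"}


def check_bom(xml_text):
    """Return a list of findings; an empty list means the BOM passes."""
    findings, seen = [], set()
    root = ET.fromstring(xml_text)
    for idx, comp in enumerate(root.iterfind("b:components/b:component", NS), 1):
        purl = comp.findtext("b:purl", None, NS)
        name = comp.findtext("b:name", None, NS)
        version = comp.findtext("b:version", None, NS)
        # Identity: the Package URL wins; otherwise name and version are mandatory.
        if purl:
            identity = purl
        elif name and version:
            identity = "%s@%s" % (name, version)
        else:
            findings.append("component #%d: no <purl> and no <name>+<version>" % idx)
            continue
        # Only the first occurrence of a component is processed, so warn on repeats.
        if identity in seen:
            findings.append("%s: duplicate, later data is ignored" % identity)
        seen.add(identity)
        # Vulnerability data is read per component; each rating needs a base score.
        for vuln in comp.iterfind("v:vulnerabilities/v:vulnerability", NS):
            vid = vuln.findtext("v:id", "?", NS)
            for rating in vuln.iterfind("v:ratings/v:rating", NS):
                if not rating.findtext("v:score/v:base", None, NS):
                    findings.append("%s on %s: rating lacks <v:base>" % (vid, identity))
    return findings


# Constructed sample BOM (not from the page); CVE-0000-0000 is a placeholder id.
SAMPLE_BOM = """<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.1"
     xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0">
  <components>
    <component type="library"><name>altgraph</name><version>0.10.2</version></component>
    <component type="library"><name>no-version</name></component>
    <component type="library"><purl>pkg:pypi/bdist-mpkg@0.5.0</purl></component>
    <component type="library"><purl>pkg:pypi/bdist-mpkg@0.5.0</purl>
      <v:vulnerabilities><v:vulnerability ref="x"><v:id>CVE-0000-0000</v:id>
        <v:ratings><v:rating><v:severity>High</v:severity></v:rating></v:ratings>
      </v:vulnerability></v:vulnerabilities></component>
  </components></bom>"""
```

Running check_bom(SAMPLE_BOM) reports the component with no version, the duplicate Package URL and the rating without a base score.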

License support NEW IN RELEASE 81

A component can have one or many licenses, defined as follows; IQ Server will try to apply existing license policies to this data.

<?xml version="1.0" encoding="UTF-8"?>
<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.1">
    <components>
        <component type="library">
            <name>altgraph</name>
            <version>0.10.2</version>
            <licenses>
                <license>
                    <id>MIT</id>
                    <name>MIT</name>
                    <url>http://www.url.com</url>
                </license>
                <license>
                    <id>Apache-2.0</id>
                    <name>Apache-2.0</name>
                    <url>http://www.url.com</url>
                </license>
            </licenses>
        </component>
    </components>
</bom>

Run a scan

Invoke a CLI scan of the directory containing cyclonedx-bom.xml. Instructions on how to do this can be found at https://help.sonatype.com/integrations/nexus-iq-cli.

Screenshots (not reproduced here): the output from the CLI, dashboard results, report results, component details and license details.

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin will not evaluate bom.xml; a custom Scan Target is needed.

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/bom.xml'], [scanPattern: '**/*-bom.xml']], iqStage: 'build'

To find more information on how to configure Jenkins please go to the Nexus Platform Plugin for Jenkins.

Steps to analyze using the Bamboo plugin

Bamboo Scan Targets control which files are examined. To evaluate CycloneDX files, add bom.xml to the scan targets as a comma-separated list, e.g.

**/bom.xml,**/*-bom.xml

To find more information on how to configure Bamboo please go to the Nexus IQ for Bamboo.