(Note: I work in this "supply chain security" space.)
Until VEX[0] is further along, I worry about the utility of an approach like simply publishing an SBOM for every release.
The presence of a package does not usually mean that there is an exploitable vulnerability[1]. Reality is that only 2-5% of reported vulnerabilities matter.
VEX aims to provide an ability to say, "Yeah, we use that vulnerable library, but we don't call the vulnerable function."
FedRAMP will help push this problem forward though because if you can't meet that certification, you can't sell to the government. And that includes any company in the "supply chain" that has customers that sell to the government too.
It's definitely going to be noisy as hell though!
"Operational Visibility
- Monthly reporting on all vulnerability scans, an up to date POA&M, and an up to date inventory
- High risks must be fixed in 30 days, Moderate in 90; and low as possible"[2]
Does this effectively kill use of most open source software in a federal
environment? I can’t imagine most maintainers can attest to complying with Federal software security requirements.
if too slow, a simple find command is much faster,
find / -name \*.app > this.mac.installed.txt
(but this will not catch binaries)
For Linux (assuming Red Hat or variant)
rpm[4] -qa > this.thing.installed.txt
(which only catches the managed packages, and I have no idea how to catch everything manually installed)
But in all cases better to push a script out from whatever LDAP-implementation of device management, Active Directory, MECM, JAMF, or whathaveyou, use unique file naming and drop the files in a centrally shared folder.
5 comments
[ 4.9 ms ] story [ 24.3 ms ] threadI can't believe this isn't already required.
Until VEX[0] is further along, I worry about the utility of an approach like simply publishing an SBOM for every release.
The presence of a package does not usually mean that there is an exploitable vulnerability[1]. Reality is that only 2-5% of reported vulnerabilities matter.
VEX aims to provide an ability to say, "Yeah, we use that vulnerable library, but we don't call the vulnerable function."
FedRAMP will help push this problem forward though because if you can't meet that certification, you can't sell to the government. And that includes any company in the "supply chain" that has customers that sell to the government too.
It's definitely going to be noisy as hell though!
"Operational Visibility
- Monthly reporting on all vulnerability scans, an up to date POA&M, and an up to date inventory
- High risks must be fixed in 30 days, Moderate in 90; and low as possible"[2]
0: https://www.lunasec.io/docs/blog/vex-silence-false-positives...
1: https://www.lunasec.io/docs/blog/the-issue-with-vuln-scanner...
2: https://www.fedramp.gov/assets/resources/training/200-D-FedR...
For Linux (assuming Red Hat or variant)
(which only catches the managed packages, and I have no idea how to catch everything manually installed)But in all cases better to push a script out from whatever LDAP-implementation of device management, Active Directory, MECM, JAMF, or whathaveyou, use unique file naming and drop the files in a centrally shared folder.
[1] https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmic
[2] https://learn.microsoft.com/en-us/powershell/module/microsof...
[3] https://ss64.com/osx/system_profiler.html
[4] https://man7.org/linux/man-pages/man8/rpm.8.html