How to generate an SBOM in Veracode SCA

Emerging government regulations have driven the advancement of standards for securing software supply chains. The production of a Software Bill of Materials (SBOM) in a standard format is an increasing audit and compliance need for large organizations.

Having an SBOM can help

  • Identify and avoid security risks
  • Understand and manage licensing risks

Veracode Software Composition Analysis (SCA) helps teams qualify and manage risks from software running in their environments, better plan and control their security program, and understand where risks may be as new security threats or new versions of software become available.

Generating an SBOM in Veracode SCA

The Veracode SCA SBOM API helps your organization identify vulnerabilities and license risks and better understand what software is contained within your application.

The SBOM API response gives you an inventory of the components within your application, including the relationships between those components and which of them come from third-party sources that make up the software supply chain. The API returns your SBOM in CycloneDX JSON format, one of the approved formats for compliance with the US Executive Order.

To generate the SBOM report for your application, pass the application UUID to the API:

  1. Get the application UUID by calling the Applications API: https://docs.veracode.com/r/r_applications_info
  2. Call the SBOM API with that application UUID.

Security teams and developers alike can leverage SBOMs to confirm that the software they’re using, purchasing, or building is free from known vulnerabilities and components with unacceptable licenses. One thing to keep in mind – an SBOM is an export that lists the components an application is made up of. Think of it as a ‘point in time’ exported list of components (one that you cannot generate without an SCA-type tool in place). An SBOM does not necessarily tell you directly whether vulnerabilities exist in those components. You’ll typically need to use a tool like Veracode SCA or take the time to check each component manually.
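As an added example, not code from Veracode or from this article, the script below shows what a team typically does with the CycloneDX JSON body returned in step 2: parse it, separate direct from transitive dependencies by walking the document's `dependencies` graph from the application's own `bom-ref`, and flag components whose declared license is on a disallowed list or is missing entirely. The sample document, its component names, versions and purls, and the license policy are all constructed for illustration; the script assumes the SBOM has already been fetched with your application UUID and only uses the Python standard library. Note that, as the paragraph above says, nothing here reports vulnerabilities: an SBOM is an inventory, and vulnerability lookup is a separate step.

```python
import json
from collections import deque

# Constructed sample shaped like a CycloneDX 1.4 JSON SBOM. Every component,
# version, purl and license below is invented for this example.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "example-app",
                               "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "web-framework", "version": "2.1.0",
         "purl": "pkg:maven/example/web-framework@2.1.0", "bom-ref": "web-framework",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "json-parser", "version": "1.0.3",
         "purl": "pkg:maven/example/json-parser@1.0.3", "bom-ref": "json-parser",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "crypto-utils", "version": "0.9.0",
         "purl": "pkg:maven/example/crypto-utils@0.9.0", "bom-ref": "crypto-utils",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "logging", "version": "3.4.1",
         "purl": "pkg:maven/example/logging@3.4.1", "bom-ref": "logging",
         "licenses": []},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web-framework", "json-parser"]},
        {"ref": "web-framework", "dependsOn": ["logging", "crypto-utils"]},
        {"ref": "json-parser", "dependsOn": ["logging"]},
    ],
})

# Example license policy (assumed, not a Veracode default): SPDX ids a team
# has decided it will not ship in this application.
DISALLOWED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_sbom(raw: str) -> dict:
    """Parse the API body and reject anything that is not a CycloneDX document."""
    bom = json.loads(raw)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def dependency_tiers(bom: dict):
    """Return (direct, transitive) component refs by walking the dependency
    graph from the application's own bom-ref (metadata.component)."""
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(edges.get(root, []))
    seen = set()
    queue = deque(direct)
    while queue:  # breadth-first walk; 'seen' guards against cycles
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(edges.get(ref, []))
    return sorted(direct), sorted(seen - direct)


def component_licenses(component: dict):
    """Collect declared license identifiers (SPDX id, name or expression)."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ident = lic.get("id") or lic.get("name") or entry.get("expression")
        if ident:
            ids.append(ident)
    return ids


def license_findings(bom: dict, disallowed):
    """Return (violations, unknown): components on the disallowed list, and
    components that declare no license at all (which still need review)."""
    violations, unknown = [], []
    for comp in bom.get("components", []):
        ids = component_licenses(comp)
        if not ids:
            unknown.append(comp["name"])
            continue
        for ident in ids:
            if ident in disallowed:
                violations.append((comp["name"], comp.get("version", ""), ident))
    return violations, unknown


def summarize(raw: str, disallowed=DISALLOWED_LICENSES) -> dict:
    """Inventory summary a reviewer would attach to an SBOM review ticket."""
    bom = parse_sbom(raw)
    direct, transitive = dependency_tiers(bom)
    violations, unknown = license_findings(bom, disallowed)
    return {
        "component_count": len(bom.get("components", [])),
        "direct": direct,
        "transitive": transitive,
        "license_violations": violations,
        "unknown_license": unknown,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_CYCLONEDX), indent=2))
```

Feed the real API body to `summarize()` in place of `SAMPLE_CYCLONEDX`. Treating an empty `licenses` list as a finding rather than silently passing it is deliberate: a component with no declared license is a licensing risk until someone checks it.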

Veracode SCA not only identifies these components, but is able to determine direct and indirect dependencies, offer remediation guidance, and actively manage license risk. To try out Veracode SCA first-hand, schedule a demo with our team.
