Introduction
For a secure software as JS7 users are enabled to know what is inside its code:
- the JS7 source code is publicly available from https://github.com/sos-berlin
- the JS7 ships with a Software Bill of Materials (SBOM) that provides the information which 3rd-party products, versions and licenses are included.
FEATURE AVAILABILITY STARTING FROM RELEASE 2.5.3
JS7 - Package Management allows to enable and to disable software packages based on information from the SBOM.
Software Bill of Materials
SBOM Format
The JS7 SBOM is provided from an sbom.json
file in the OWASP CyclonDX format.
Tools to manage and to visualize the SBOM include the OWASP dependency-track. In addition a number of web sites are available that allow to visualize an SBOM.
Vulnerability Management
The JS7 includes a number of 3rd-party components:
- SOS is striving to use up-to-date versions of 3rd-party components.
- SOS cannot exclude a situation when 3rd-party components are hit by vulnerabilities.
- SOS is monitoring 3rd-party components for vulnerabilities at an ongoing basis.
- If vulnerabilities are detected the Release Policy - Vulnerability Management applies.
- This includes to make information about vulnerabilities public with our Change Management System, see https://change.sos-berlin.com
- This includes to add fixed versions of 3rd-party components to JS7 maintenance releases in a timely manner.
- The SBOM enables users to check directly from their JS7 scheduling environment if a vulnerable version of a 3rd-party component is included.
- JS7 SBOM files include any components developed by SOS and by 3rd-parties.
- In addition, dependencies for any components are included with an SBOM file. This allows to track down which components are affected by a given vulnerability.
- Users of JS7 can check independently from SOS if the version of JS7 in use is affected by a given vulnerability and which component or feature makes use of vulnerable libraries.
- Users have a choice to remove vulnerable 3rd-party components from the installation of a JS7 product:
- The JS7 - Package Management offers to disable/enable software packages.
- This approach is applicable if minor features of JS7 are affected and if users are willing not to use such features.
Accessing the Software Bill of Materials
The sbom.json
file is provided individually for Controller, Agent and JOC Cockpit.
Within limits users can operate the JS7 products from different releases. This requires the sbom.json
file to be available per product and release.
Accessing the Controller SBOM
The sbom.json
file is available from the JS7_CONTROLLER_HOME
directory.
Example:
- Unix:
/opt/sos-berlin.com/js7/controller/sbom.json
- Windows:
C:\Program Files\sos-berlin.com\js7\controller\sbom.json
Accessing the Agent SBOM
The sbom.json
file is available from the JS7_AGENT_HOME
directory.
Example:
- Unix:
/opt/sos-berlin.com/js7/agent/sbom.json
- Windows:
C:\Program Files\sos-berlin.com\js7\agent\sbom.json
Accessing the JOC Cockpit SBOM
The SBOM ships from the sbom.json
file that is available from the JOC_HOME
directory.
Example:
- Unix:
/opt/sos-berlin.com/js7/joc/sbom.json
- Windows:
C:\Program Files\sos-berlin.com\js7\joc\sbom.json
Example
Find the following example of an SBOM file for JS7 Agent release 2.5.3:
- Download: sbom.json