Skip to end of metadata
Go to start of metadata

Introduction

For a secure software as JS7 users are enabled to know what is inside its code:

  • the JS7 source code is publicly available from https://github.com/sos-berlin
  • the JS7 ships with a Software Bill of Materials (SBOM) that provides the information which 3rd-party components, versions and licenses are included.
    FEATURE AVAILABILITY STARTING FROM RELEASE 2.5.2

Software Bill of Materials

SBOM Format

The JS7 SBOM is provided from the OWASP CyclonDX format.

Tools to manage and to visualize the SBOM include the OWASP dependency-track. In addition a number of web sites are available that allow to visualize an SBOM. 

Vulnerability Management

The JS7 includes a number of 3rd-party components:

  • SOS is striving to use up-to-date versions of 3rd-party components.
  • SOS cannot exclude a situation when 3rd-party components are hit by vulnerabilities.
    • SOS is monitoring 3rd-party components for vulnerabilities at an ongoing basis.
    • If vulnerabilities are detected the Release Policy - Vulnerability Management applies.
      • This includes to make information about vulnerabilities public with our Change Management System, see https://change.sos-berlin.com
      • This includes to add fixed versions of 3rd-party components to timely JS7 maintenance releases.
  • The SBOM enables users to check directly from their JS7 scheduling environment if a vulnerable version of a 3rd-party component is included.

Download

The SBOM ships from the sbom.json file that is available for download from JOC Cockpit.

  • URL: <http|https>://<host>:<port>/joc/sbom.json
    • <http> or <https> is the protocol for which JOC Cockpit is operated.
    • <host> is the name of the host on which JOC Cockpit is running.
    • <port> is the port for which JOC Cockpit is operated.
  • Directory: JETTY_BASE/webapps/joc/sbom.json

Download from the Login Window

The SBOM can be downloaded from the menu icon in the login window:

Download from any JOC Cockpit page

The SBOM can be download from any JOC Cockpit page using the menu icon like this:

Example

Find the following example of an SBOM file for JOC Cockpit:

Extract of the SBOM example
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:725fd204-c3cf-4f2a-9e48-ee0cdfb17f2a",
  "version": 1,
  "metadata": {
    "timestamp": "2023-01-02T06:08:35.977Z",
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "Node.js module",
        "version": "3.10.6"
      }
    ],
    "component": {
      "type": "library",
      "bom-ref": "pkg:npm/joc-cockpit@2.5.0",
      "name": "joc-cockpit",
      "version": "2.5.0",
      "description": "This project was generated with [Angular CLI](https://github.com/angular/angular-cli) version 14.1.1.",
      "purl": "pkg:npm/joc-cockpit@2.5.0"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:npm/%40angular/animations@14.2.12",
      "author": "angular",
      "group": "@angular",
      "name": "animations",
      "version": "14.2.12",
      "description": "Angular - animations integration with web-animations",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "83076715992f554afe7a750d7e17c2191186a8d1e7d7ebd303cd5aa4b7c762127182388b52d1137382933ab41ebed0e6d36da911df8b4abbebf2bfbb6a0fa393"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "purl": "pkg:npm/%40angular/animations@14.2.12",
      "externalReferences": [
        {
          "type": "website",
          "url": "https://github.com/angular/angular#readme"
        },
        {
          "type": "issue-tracker",
          "url": "https://github.com/angular/angular/issues"
        },
        {
          "type": "vcs",
          "url": "git+https://github.com/angular/angular.git"
        }
      ]
    },
    {
      "type": "library",
      "bom-ref": "pkg:npm/tslib@2.4.1",
      "author": "Microsoft Corp.",
      "name": "tslib",
      "version": "2.4.1",
      "description": "Runtime library for TypeScript helper functions",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "b46cb2e1d02344813023b073b01d25ca75a03a97ea8d476af755d70252160f63b02811fba0297f1991bf1d3e01387ad394f30e01294c43bbdec93aa999172b34"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "0BSD"
          }
        }
      ],
      "purl": "pkg:npm/tslib@2.4.1",
      "externalReferences": [
        {
          "type": "website",
          "url": "https://www.typescriptlang.org/"
        },
        {
          "type": "issue-tracker",
          "url": "https://github.com/Microsoft/TypeScript/issues"
        },
        {
          "type": "vcs",
          "url": "git+https://github.com/Microsoft/tslib.git"
        }
      ]
    },
...




  • No labels