
Introduction

The JS7 includes a number of 3rd-party components:

  • SOS strives to use up-to-date versions of 3rd-party components.
  • SOS cannot rule out situations in which 3rd-party components are affected by vulnerabilities.
    • SOS monitors 3rd-party components for vulnerabilities on an ongoing basis.
    • If vulnerabilities are detected, the Release Policy - Vulnerability Management applies.
      • This includes making information about vulnerabilities public via our Change Management System, see https://change.sos-berlin.com
      • This includes adding fixed versions of 3rd-party components to timely JS7 maintenance releases.

In addition to the above measures, JS7 ships with a Software Bill of Materials (SBOM) that informs users which 3rd-party component versions and licenses are included.

FEATURE AVAILABILITY STARTING FROM RELEASE 2.5.2

SBOM

The JS7 SBOM is provided in the OWASP CycloneDX format.

Tools to manage and visualize the SBOM include OWASP Dependency-Track. In addition, a number of web sites are available that allow visualizing the SBOM.

Download

The SBOM ships as the sbom.json file, which is available for download from JOC Cockpit.

  • URL: http(s)://<host>:<port>/joc/sbom.json
  • Directory: JETTY_BASE/webapps/joc/sbom.json

Example

The following is an extract from an SBOM file:

Extract of the SBOM example
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:725fd204-c3cf-4f2a-9e48-ee0cdfb17f2a",
  "version": 1,
  "metadata": {
    "timestamp": "2023-01-02T06:08:35.977Z",
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "Node.js module",
        "version": "3.10.6"
      }
    ],
    "component": {
      "type": "library",
      "bom-ref": "pkg:npm/joc-cockpit@2.5.0",
      "name": "joc-cockpit",
      "version": "2.5.0",
      "description": "This project was generated with [Angular CLI](https://github.com/angular/angular-cli) version 14.1.1.",
      "purl": "pkg:npm/joc-cockpit@2.5.0"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:npm/%40angular/animations@14.2.12",
      "author": "angular",
      "group": "@angular",
      "name": "animations",
      "version": "14.2.12",
      "description": "Angular - animations integration with web-animations",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "83076715992f554afe7a750d7e17c2191186a8d1e7d7ebd303cd5aa4b7c762127182388b52d1137382933ab41ebed0e6d36da911df8b4abbebf2bfbb6a0fa393"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "purl": "pkg:npm/%40angular/animations@14.2.12",
      "externalReferences": [
        {
          "type": "website",
          "url": "https://github.com/angular/angular#readme"
        },
        {
          "type": "issue-tracker",
          "url": "https://github.com/angular/angular/issues"
        },
        {
          "type": "vcs",
          "url": "git+https://github.com/angular/angular.git"
        }
      ]
    },
    {
      "type": "library",
      "bom-ref": "pkg:npm/tslib@2.4.1",
      "author": "Microsoft Corp.",
      "name": "tslib",
      "version": "2.4.1",
      "description": "Runtime library for TypeScript helper functions",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "b46cb2e1d02344813023b073b01d25ca75a03a97ea8d476af755d70252160f63b02811fba0297f1991bf1d3e01387ad394f30e01294c43bbdec93aa999172b34"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "0BSD"
          }
        }
      ],
      "purl": "pkg:npm/tslib@2.4.1",
      "externalReferences": [
        {
          "type": "website",
          "url": "https://www.typescriptlang.org/"
        },
        {
          "type": "issue-tracker",
          "url": "https://github.com/Microsoft/TypeScript/issues"
        },
        {
          "type": "vcs",
          "url": "git+https://github.com/Microsoft/tslib.git"
        }
      ]
    },
...
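As an added example (not part of the JS7 documentation or product), a small Python script that reads a sbom.json in the shape of the extract above and produces what a reviewer first wants from it: each component's purl, version and license ids, a count per license, and the components that carry no hash or no license entry. The embedded SBOM is a constructed sample with placeholder hash values, not the real file.

```python
import json
from collections import Counter

# Constructed sample shaped like the JS7 sbom.json extract above (CycloneDX 1.3);
# the hash values are placeholders, not the real digests.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.3",
  "metadata": {"component": {"name": "joc-cockpit", "version": "2.5.0"}},
  "components": [
    {"type": "library", "group": "@angular", "name": "animations", "version": "14.2.12",
     "purl": "pkg:npm/%40angular/animations@14.2.12",
     "hashes": [{"alg": "SHA-512", "content": "<placeholder>"}],
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "tslib", "version": "2.4.1", "purl": "pkg:npm/tslib@2.4.1",
     "hashes": [{"alg": "SHA-512", "content": "<placeholder>"}],
     "licenses": [{"license": {"id": "0BSD"}}]},
    {"type": "library", "name": "example-widget", "version": "0.1.0",
     "purl": "pkg:npm/example-widget@0.1.0", "licenses": []}
  ]
}"""

def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom

def component_inventory(bom):
    """(purl, version, license ids) per component; CycloneDX allows a license
    to carry an SPDX 'id' or a free-text 'name', so accept either."""
    rows = []
    for c in bom.get("components", []):
        ids = [lic.get("license", {}).get("id") or lic.get("license", {}).get("name")
               for lic in c.get("licenses", [])]
        rows.append((c.get("purl", c["name"]), c["version"], [i for i in ids if i]))
    return rows

def license_counts(bom):
    """How many components carry each license id ('UNKNOWN' when none is declared)."""
    counts = Counter()
    for _, _, ids in component_inventory(bom):
        for i in ids or ["UNKNOWN"]:
            counts[i] += 1
    return counts

def unverifiable_components(bom):
    """purls of components without a hash (cannot be verified) or without a
    license entry (cannot be reviewed), which an auditor flags first."""
    return [c.get("purl", c["name"]) for c in bom.get("components", [])
            if not c.get("hashes") or not c.get("licenses")]
```

To run it against a real download, replace SAMPLE_SBOM with the contents of JETTY_BASE/webapps/joc/sbom.json; the same functions apply because the file uses the same CycloneDX structure.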
