[CramHacks] Newsletter #8: 👻Spooky Supply Chain👻
CramHacks Chronicles: Key Insights On Software Supply Chain Risks
🥳 Happy Monday! 🥳
Stickers will be shipped soon - and we still have some left! Send me an email with your shipping info if you want some early adopter CramHacks’ stickers!
Software Supply Chain Security
Vishal Garg has shared what must be the most comprehensive list of Software Supply Chain resources. There’s a reason I’m listing this first; it’s awesome.
If someone wants to add CramHacks under “Experts”, I won’t be upset.
A beautifully written and concise threats-overview page. You’re probably seeing this image all over LinkedIn if you follow others in the supply chain community, because it’s awesome. The page also shares real-world examples of supply chain incidents for each threat category it lists and notes how SLSA can help mitigate each one.
OWASP has launched the BOM Maturity Model, providing a formalized structure in which bills of materials can be evaluated for a wide range of capabilities, used as a benchmark, and customized via profiles.
This is definitely a necessity. Everyone and their grandma is producing SBOMs lately, but there’s limited expertise to know when your SBOM meets or exceeds quality standards. An SBOM is only as useful as the data it contains: feed it garbage and you get garbage value.
Sadly, the release of this model did not include an automated tool to score your SBOMs. But sbombenchmark.dev is an automated SBOM benchmark solution. Shoutout to Semgrep’s Gautam Bhat for letting me know about this website.
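To make the "garbage in, garbage value out" point concrete, here is an added example (my own code, not the OWASP BOM Maturity Model's profiles and not how sbombenchmark.dev scores) that runs a few basic data-quality checks over a CycloneDX JSON SBOM. The SBOM, the component names and the digest are constructed for the example; the four checks are illustrative criteria a consumer might reasonably demand before trusting the document.

```python
import json

# Constructed CycloneDX 1.5 JSON SBOM for an imaginary application. One component is
# well described; the other carries only a name. The hash content is a placeholder.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {
            "type": "library",
            "name": "requests",
            "version": "2.31.0",
            "purl": "pkg:pypi/requests@2.31.0",
            "licenses": [{"license": {"id": "Apache-2.0"}}],
            "hashes": [{"alg": "SHA-256", "content": "0" * 64}],  # placeholder digest
        },
        {"type": "library", "name": "leftover"},
    ],
})

# Per-component data-quality checks. These are illustrative criteria chosen for this
# example, not the OWASP BOM Maturity Model's profiles or sbombenchmark.dev's scoring.
COMPONENT_CHECKS = {
    "version": lambda c: bool(c.get("version")),
    "purl": lambda c: str(c.get("purl", "")).startswith("pkg:"),
    "license": lambda c: bool(c.get("licenses")),
    "hash": lambda c: any(h.get("content") for h in c.get("hashes", [])),
}


def score_sbom(sbom_json):
    """Check document-level basics, then report which fields each component is missing
    and what fraction of components pass each check."""
    sbom = json.loads(sbom_json)
    components = sbom.get("components", [])
    report = {
        "format_ok": sbom.get("bomFormat") == "CycloneDX" and bool(sbom.get("specVersion")),
        "has_root_component": "component" in sbom.get("metadata", {}),
        "components": [],
        "coverage": {},
    }
    for comp in components:
        missing = [name for name, check in COMPONENT_CHECKS.items() if not check(comp)]
        report["components"].append({"name": comp.get("name", "<unnamed>"), "missing": missing})
    for name, check in COMPONENT_CHECKS.items():
        passed = sum(1 for comp in components if check(comp))
        report["coverage"][name] = passed / len(components) if components else 0.0
    return report


def weakest_components(report):
    """Names of components missing the most fields, worst first: the ones to fix before
    handing the SBOM to anyone else."""
    ranked = sorted(report["components"], key=lambda c: len(c["missing"]), reverse=True)
    return [c["name"] for c in ranked if c["missing"]]


if __name__ == "__main__":
    result = score_sbom(SAMPLE_SBOM)
    print(json.dumps(result, indent=2))
    print("fix first:", weakest_components(result))
```

The coverage fractions are the useful number: a component without a purl or version cannot be matched to any vulnerability database, so an SBOM where half the components fail those checks will silently miss half the findings downstream.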
cdxgen 9.9.0, the CycloneDX Generator, “can now identify reachable components for Java, JavaScript, and TypeScript applications. The information is available for downstream SCA and ASPM tools to prioritize the application vulnerabilities better and cut down false positives.”
Speaking of quality SBOMs, re: the previous article: reachability for SBOMs is a sweet value add. The quick summary is that it will tell you where in your projects you are using direct dependencies (it does not currently support transitive dependencies). However, given the expectation that SBOMs will be traded like Pokémon cards, I wouldn’t want to include this information in anything I share externally. But it’s still nice for internal use.
There is an important distinction: cdxgen simply identifies where a dependency is used, whereas, for example, Semgrep’s reachability identifies explicit usage of the vulnerable functions themselves, so it’s quite a bit more in depth.
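The distinction between the two kinds of reachability is easier to see in code. The example below is added here and is not cdxgen's or Semgrep's implementation: it runs two analyses over a constructed Python source file using the standard `ast` module. The first reports which declared direct dependencies are imported and where (the component-level view cdxgen produces); the second reports which specific functions from a constructed advisory list are actually called (the function-level view). The source file, dependency list and advisory entries are all constructed for the example.

```python
import ast

# Constructed application source (not from any real project). Line numbers matter for
# the output: "import yaml" is line 1 and the yaml.load call is line 7.
APP_SOURCE = '''import yaml
import requests
from PIL import Image

def load_config(path):
    with open(path) as f:
        return yaml.load(f)  # the call a function-level scanner wants to flag

def fetch(url):
    return requests.get(url, timeout=5)
'''

# Constructed direct-dependency declaration, mapping import name -> package name as an
# SBOM or lockfile would list it. numpy is declared but never imported.
DIRECT_DEPS = {"yaml": "PyYAML", "requests": "requests", "PIL": "Pillow", "numpy": "numpy"}

# Constructed advisory data for the example: (module, function) pairs treated as the
# vulnerable entry points. Real advisories would name the real affected functions.
VULNERABLE_CALLS = {
    ("yaml", "load"): "constructed advisory: yaml.load without an explicit safe Loader",
    ("numpy", "frombuffer"): "constructed advisory: never called here",
}


def component_reachability(source, direct_deps):
    """Component-level view: which declared direct dependencies does the code import,
    and on which lines. Returns {package_name: [line numbers]}."""
    used = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            tops = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            tops = [node.module.split(".")[0]]
        else:
            continue
        for top in tops:
            if top in direct_deps:
                used.setdefault(direct_deps[top], []).append(node.lineno)
    return used


def function_reachability(source, vulnerable_calls):
    """Function-level view: which known-vulnerable functions are actually called.
    Only handles direct `module.func(...)` calls; aliased imports and indirect calls
    are out of scope for this example."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)):
            key = (node.func.value.id, node.func.attr)
            if key in vulnerable_calls:
                hits.append({"line": node.lineno, "call": f"{key[0]}.{key[1]}",
                             "advisory": vulnerable_calls[key]})
    return hits


if __name__ == "__main__":
    print("imported direct dependencies:", component_reachability(APP_SOURCE, DIRECT_DEPS))
    print("vulnerable functions called:", function_reachability(APP_SOURCE, VULNERABLE_CALLS))
```

Note what each view gets wrong on its own: the component view flags Pillow as "used" even though `Image` is never touched, and would flag PyYAML whether or not the risky function is called; the function view is precise about `yaml.load` but sees nothing for numpy, which is exactly the false-positive reduction the cdxgen release notes are after, at the cost of needing per-function advisory data.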
GUAC now supports ingesting OpenVEX documents to map relations between software components, vulnerabilities, and their exploitability status.
There is a powerhouse team supporting GUAC. Kudos to you all for another great integration.
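For readers who have not handled OpenVEX before, here is an added example of the ingestion step in miniature. It is my own code, not GUAC's ingestor: it parses a constructed OpenVEX v0.2.0 document into (component, vulnerability) edges carrying the exploitability status, enforces two rules from the OpenVEX spec (only the four defined statuses are allowed, and a `not_affected` claim needs a `justification` or `impact_statement`), and joins the result against a constructed component inventory. The CVE ids, purls and author are placeholders.

```python
import json

# Constructed OpenVEX v0.2.0 document. Author, CVE ids and purls are placeholders, not
# real advisories or products.
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/constructed-1",
    "author": "Constructed Example Author",
    "timestamp": "2023-10-30T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-00001"},
         "products": [{"@id": "pkg:pypi/example-imaging@1.2.3"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-00001"},
         "products": [{"@id": "pkg:pypi/example-viewer@0.9.0"}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-00002"},
         "products": [{"@id": "pkg:pypi/example-viewer@0.9.0"}],
         "status": "affected",
         "action_statement": "Upgrade to 0.9.1"},
    ],
})

# Constructed component inventory (purls), as an SBOM would list it. The last one has
# no VEX statement at all.
SAMPLE_COMPONENTS = [
    "pkg:pypi/example-imaging@1.2.3",
    "pkg:pypi/example-viewer@0.9.0",
    "pkg:pypi/example-untracked@2.0.0",
]

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


def ingest_openvex(vex_json):
    """Parse an OpenVEX document into {(product_purl, vuln_id): info}, enforcing the
    spec rules that matter most when the data feeds a graph: a known status, and a
    justification or impact_statement on every not_affected claim."""
    doc = json.loads(vex_json)
    if not str(doc.get("@context", "")).startswith("https://openvex.dev/ns/"):
        raise ValueError("not an OpenVEX document")
    edges = {}
    for stmt in doc["statements"]:
        status = stmt["status"]
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown VEX status {status!r}")
        if status == "not_affected" and not (stmt.get("justification") or stmt.get("impact_statement")):
            raise ValueError("not_affected statements need a justification or impact_statement")
        vuln = stmt["vulnerability"]["name"]
        for product in stmt["products"]:
            edges[(product["@id"], vuln)] = {
                "status": status,
                "justification": stmt.get("justification"),
                "action": stmt.get("action_statement"),
            }
    return edges


def exploitability_view(components, edges):
    """Per component: {vuln_id: status} from the VEX data. An empty dict means no
    statement covers it, which is not the same thing as 'not affected'."""
    return {purl: {vuln: info["status"] for (p, vuln), info in edges.items() if p == purl}
            for purl in components}


def needs_attention(components, edges):
    """Components with at least one affected or under_investigation statement."""
    view = exploitability_view(components, edges)
    return [purl for purl, stmts in view.items()
            if any(s in ("affected", "under_investigation") for s in stmts.values())]


if __name__ == "__main__":
    edges = ingest_openvex(SAMPLE_VEX)
    print(json.dumps({f"{p} / {v}": i for (p, v), i in edges.items()}, indent=2))
    print("needs attention:", needs_attention(SAMPLE_COMPONENTS, edges))
```

The justification check is the part worth keeping in any real pipeline: a bare `not_affected` with no stated reason is an unverifiable claim, and a graph that silently accepts it will suppress findings on the word of whoever wrote the document.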
Seth Larson documented his path to patching CVE-2023-4863 across the Python ecosystem. The article covers how he approached identifying vulnerable projects, contacting each project, waiting for patched releases, and notifying users of the vulnerable bundled component.
I’m still amazed that every project maintainer responded and released a patched version 🤣. But seriously, that’s a testament to the community!
Tbh, if you don’t know that vulnerability reporting is a mess, I’m surprised you’re reading this newsletter. But I liked how Cynthia Brumfield leaned on recent events to justify lukewarm takes.
Until Next Time!
Hey, you made it to the bottom - thanks for sticking around!
Questions, ideas, or just want to chat? Slide into my inbox!
If you think someone could benefit from this, don’t hesitate to forward.
See you next Monday!
-Kyle