Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
SBOMを利用したソフトウェアサプライチェーンの保護
Search
Masahiro331
August 05, 2022
Technology
4
2.5k
SBOMを利用したソフトウェアサプライチェーンの保護
Masahiro331
August 05, 2022
Tweet
Share
More Decks by Masahiro331
See All by Masahiro331
OSSに新機能を追加するまでの苦労話
masahiro331
0
150
Analyze Filesystem in Virtual Machine Image
masahiro331
0
150
Introduction Supply Chain Security
masahiro331
0
130
Container Security with Trivy
masahiro331
0
190
VirtualMachine Image scanning PoC with Molysis
masahiro331
0
150
Other Decks in Technology
See All in Technology
Explainable Software Engineering in the Public Sector
avandeursen
0
360
ルートユーザーの活用と管理を徹底的に深掘る
yuobayashi
6
720
Dapr For Java Developers SouJava 25
salaboy
1
130
Cline、めっちゃ便利、お金が飛ぶ💸
iwamot
19
18k
Multitenant 23ai の全貌 - 機能・設計・実装・運用からマイクロサービスまで
oracle4engineer
PRO
2
110
SSH公開鍵認証による接続 / Connecting with SSH Public Key Authentication
kaityo256
PRO
2
210
お問い合わせ対応の改善取り組みとその進め方
masartz
1
350
20250328_OpenAI製DeepResearchは既に一種のAGIだと思う話
doradora09
PRO
0
150
技術好きなエンジニアが _リーダーへの進化_ によって得たものと失ったもの / The Gains and Losses of a Tech-Enthusiast Engineer’s “Evolution into Leadership”
kaminashi
0
200
React Server Componentは 何を解決し何を解決しないのか / What do React Server Components solve, and what do they not solve?
kaminashi
6
1.2k
IAMのマニアックな話 2025 ~40分バージョン ~
nrinetcom
PRO
8
890
BCMathを高速化した一部始終をC言語でガチ目に解説する / BCMath performance improvement explanation
sakitakamachi
2
1.2k
Featured
See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Bash Introduction
62gerente
611
210k
Scaling GitHub
holman
459
140k
GraphQLとの向き合い方2022年版
quramy
45
14k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
177
52k
Build The Right Thing And Hit Your Dates
maggiecrowley
34
2.6k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.3k
Making Projects Easy
brettharned
116
6.1k
How to Think Like a Performance Engineer
csswizardry
22
1.5k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.4k
A Tale of Four Properties
chriscoyier
158
23k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Transcript
Masahiro Fujimura (@masahiro331), 20 August 2022 Supply Chain Security with
SBOM CloudNative Security Conference 2022
ຊͷྲྀΕ • ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ • Supply Chain Security ͱʁ • SBOMͱʁ
• SBOMͷੜͱ੬ऑੑݕʹ͍ͭͯ • SBOM๊͕͑Δ՝
ࠓ͞ͳ͍͜ͱ • SBOMͷৄࡉͳ༷ͷղઆ • SBOMͷ੬ऑੑݕͷৄࡉ
ࣗݾհ • ໊લ: ౻ଜ ڡ߂ʢ@masahiro331ʣ • ॴଐ: OWASP CycloneDX project
(Volunteer) • झຯ: • ϑΝΠϧγεςϜͷύʔα։ൃ • ԿΛ͍ͯ͠Δਓͳͷ͔ • TrivyʹSBOMͷੜͱ੬ऑੑݕΛ࣮
ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ
ࡢࠓͷ߈ܸͷಈ • ͢ͰʹڴҖͱͯ͠αϓϥΠνΣʔϯͷऑΛѱ༻ͨ͠߈ܸ͕ʹͳ͍ͬͯΔ • IPA ͕ग़͍ͯ͠ΔใηΩϡϦςΟͷ10େڴҖʹϥϯΫΠϯ͍ͯ͠Δ
ࡢࠓͷ߈ܸͷಈ • Sonatype͔ΒϨϙʔτ͕ग़͍ͯΔ • 2020ࠒ͔Β Supply Chain ʹର͢Δ߈ܸ͕ٸܹʹ૿Ճ͍ͯ͠Δ
Supply Chain Security ͱʁ
Supply Chain ͱ • ιϑτΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβಧ͚Δ·Ͱͷϓϩηεͷશମ
Supply Chain ͱ • ιϑτΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβಧ͚Δ·Ͱͷϓϩηεͷશମ Engineer Source Code Vendor
OSS Artifact Production Server Server / Network Machine
Supply Chain Security ͱ Supply Chain Security 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •
औҾઌؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸͷରࡦ λʔήοτاۀͱΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕͍औҾઌ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸͷରࡦ ͘ར༻͞ΕΔιϑτΣΞɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ ΣΞͦΕΒͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ
Supply Chain Security ͱ Supply Chain Security 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •
औҾઌؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸͷରࡦ λʔήοτاۀͱΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕͍औҾઌ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸ ͘ར༻͞ΕΔιϑτΣΞɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ ΣΞιϑτΣΞͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ ࠓͷൣғ ͜Ε*TMBOE)PQQJOH"UUBDLͱ͔ݴΘΕΔΒ͍͠
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server Artifact OSS
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server OSS Artifact ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ Build Server ͕ ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮Λ͍ͯ͠ΔՄೳੑ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτΣΞ͕ վ͟Μ͞ΕΔՄೳੑ
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ #VJME4FSWFS͕ ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮Λ͍ͯ͠ΔՄೳੑ Artifact ࠓͷൣғ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτΣΞ͕ վ͟Μ͞ΕΔՄೳੑ OSS
OSS ʹର͢Δ߈ܸͷࣄྫ • JDK 9Ҏ্ͰɺSpring Framework Λར༻͍ͯ͠Δ΄΅શͯͷγεςϜʹӨڹ • Өڹ͢Δ߹ɺαʔόͰҙͷίʔυ͕࣮ߦͰ͖Δঢ়ଶʹ… Spring4Shell
(Java) Event-Stream (Node.js) • 200ສμϯϩʔυΛ͑ΔϥΠϒϥϦʹѱҙ͋Δόʔδϣϯ͕ϦϦʔε͞Εͨ • ҉߸௨՟ΥϨοτΛ౪͏ͱ͢Δίʔυ͕ೖ͞Ε͍ͯͨ
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ґଘ ਪҠతґଘ
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ Ͳ͏͢Ε͍͍ͷ͔... ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ Ͳ͏͢Ε͍͍ͷ͔...
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B SBOMͰղܾ͠·͠ΐ͏ SBOMͰղܾ͠·͠ΐ͏
SBOMͱʁ
SBOMͱ • ιϑτΣΞͷߏཁૉΛ෦දͱଊ͑ɺͲͷΑ͏ͳϞδϡʔϧͰߏ͞Εͯ ͍Δ͔Λࣔ֓͢೦ • SBOMͷ༷4ͭ΄Ͳଘࡏ͢Δ • CycloneDX • SPDX
(Software Package Data Exchange) • GitHub SBOM • SWID (Software Identification tags) OWASP Linux Foundation GitHub Βͳ͍…
SBOMʹ͍ͭͯ • ιϑτΣΞͷߏґଘؔΛڞ௨ͷϑΥʔϚοτͱͯ͠දݱ͢Δ͜ͱ͕Մೳ
ԿͷͨΊʹSBOMΛ͏ͷ͔ • SBOMΛೖྗͱͯ͠੬ऑੑͷݕͳͲ͕Մೳ ෆಛఆଟͷιϑτΣΞϞδϡʔϧ CycloneDX SPDX SBOM ϑΥʔϚοτ SCAπʔϧͳͲ
ͦͷଞͷ༻్ • ։ൃϕϯμʔϕϯμʔ͕ར༻ϞδϡʔϧΛSBOMͱͯ͠ެ։ • ιϑτΣΞɾϥΠηϯεͷཧ Vendor A Vendor B Vendor
C Engineer AͷSBOM ιϑτΣΞBͷSBOM CͷSBOM
ੈͷதͷಈ • ถࠃͰɺେ౷ྖྩͱͯ͠Ұ෦ͷاۀʹؔͯ͠SBOMͷ࡞Λཁ݅Խ͍ͯ͠Δ • ຊͰɺαΠόʔηΩϡϦςΟઓུͱͯ͠SBOMʹݴٴ͍ͯ͠Δ αΠόʔηΩϡϦςΟ̎̌̎̎ͷ֓ཁ ࠃՈͷαΠόʔηΩϡϦςΟվળʹؔ͢Δେ౷ྖྩ
σϞ
SBOMͷੜ ࣮ࡍʹSBOMΛ࡞ͬͯΈΔ ΊͬͪΌ؆୯
σϞͷղઆ ղੳ CycloneDX ग़ྗ • ίϯςφͷɺOSύοέʔδΞϓϦέʔγϣϯύοέʔδΛղੳ Container
σϞͷղઆ ղੳ ग़ྗ • ίϯςφͷɺOSύοέʔδΞϓϦέʔγϣϯύοέʔδΛղੳ Container OS OS Package Application
Application Library Application Application Library Container
ิ • CycloneDXͷSBOMͰɺ෦ʢComponentʣͷछྨ͕͍͔ͭ͘ଘࡏ͢Δ • ਖ਼ந͕ߴͯ͘ɺ࣮ͨ͠ͷͷɺະͩʹΑ͘Θ͔͍ͬͯͳ͍
SBOMΛ༻͍ͨ੬ऑੑݕ ࡞ͨ͠SBOMΛར׆༻ͯ͠ΈΔ ΊͬͪΌ؆୯
σϞͷղઆ Container OS OS Package Application Application Library Application Application
Library CycloneDX ੬ऑੑݕ ग़ྗ $7&9999 $7&9999 $7&9999 • SBOMʹهࡌ͞Ε͍ͯΔύοέʔδʹରͯ͠੬ऑੑΛݕ
͍··Ͱ ෆಛఆଟͷιϑτΣΞϞδϡʔϧ ੬ऑੑݕ
͜Ε͔Β ෆಛఆଟͷιϑτΣΞϞδϡʔϧ ར׆༻ʢྫ͑੬ऑੑݕʣ ଞͷ׆༻ํ๏ߟ͑ΒΕΔ CycloneDX SPDX SBOM ϑΥʔϚοτ
SBOMͰશͯͷιϑτΣΞΛՄࢹԽɺར׆༻Ͱ͖Δ!
ͱͳΒͳ͍…
࣮ࡍʹ SBOM Λੜɺݕ͢ΔπʔϧΛ ։ൃ͢Δͱɺଟͷ՝Λݟ͚ͭΔ (CycloneDXͷࣄྫΛհ)
1. શͯͷґଘؔΛՄࢹԽͰ͖ΔΘ͚Ͱͳ͍ • ίϯςφΛղੳ͢ΔTrivyGrypeͳͲͷπʔϧͰ make ͳͲͰϏϧυ͞Εͨ ύοέʔδΛՄࢹԽ͢Δ͜ͱͰ͖ͳ͍ ͪΖΜSBOMͱͯ͠ग़ྗ͢Δ͜ͱͰ͖ͳ͍
2. ʮඪ४ϑΥʔϚοτʯޓੑ͕͋Δͱݴͬͯͳ͍ • πʔϧʹΑͬͯग़ྗ͢ΔϑΥʔϚοτ͕ҟͳΔͨΊޓੑ͕ͳ͍ Grype CycloneDX Trivy CycloneDX ͪΖΜ͓ޓ͍ͷSBOMͰਖ਼͘͠ݕͰ͖ͳ͍
3. ෦ͷґଘؔͷछྨ͕ଟ͗͢Δ • ͦͦґଘؔͱʁ • ελςΟοΫϦϯΫ • GoͷΑ͏ͳ୯ҰͷBinary • JavaͩͱJarͷதʹJar͕ೖΔґଘؔଘࡏ
• μΠφϛοΫϦϯΫ • ϓϩηεؒ௨৴HTTPͳͲͷ௨৴ʹΑΔґଘ SBOMͱͯ͠දݱ͢Δʹෳࡶ͗͢Δ
3. ෦ͷґଘؔͷछྨ͕ଟ͗͢Δ SBOMͱͯ͠දݱ͢Δʹෳࡶ͗͢Δ Component͕ωετ͢Δґଘؔ DependencyʹΑΔґଘؔ
4. ༷͕ेͰͳ͍͜ͱ͋Δ • SBOM੬ऑੑΛݕ͢Δจ຺Ͱ༻͍ΒΕΔ͜ͱ͕ଟ͍ • ݱঢ়ͷ֤छSBOMͷ༷Ͱਖ਼͘͠੬ऑੑݕͰ͖ͳ͍ SBOMʹπʔϧಠࣗͷ֦ுϓϩύςΟΛಋೖͯ͠ରԠ SBOMͰ༻͍ΒΕ͍ͯΔύοέʔδ දݱ͚ͩͰΓͳ͍
·ͱΊ • ύοέʔδߏϑΝΠϧDocker Image͔Β؆୯ʹSBOM͕ੜͰ͖Δ • ੜͨ͠SBOM͔Β੬ऑੑݕ͕Մೳ • SBOMࠓ·࣮ͩݧஈ֊Ͱ՝ଟ͘ݟΒΕΔ • ੜ͢Δπʔϧͷ༷Λཧղͯ͠ӡ༻͢Δඞཁ͕ٻΊΒΕΔ
• ੜπʔϧ͕ॆ࣮͢ΔʹͭΕͯɺར׆༻͢Δπʔϧ͕ग़ͯ͘Δ • ֤ϕϯμʔ͕SBOMΛެ։͢ΔͳͲͷੈք͕͘Δͱخ͍͠ • SBOMΛར׆༻͢Δπʔϧ·ͩ·ͩগͳ͍ͨΊɺOSSΛ։ൃ͢Δνϟϯεʂ
༨ஊ • SBOMͷະདྷͷ
SBOMͷະདྷͷ Digital Identity Attestation • OSS։ൃऀ/ߩݙऀ/ར༻ऀ͕ɺอक/։ൃ/ར༻͢Δίʔυ͕ Ͳ͔͜Β ͲͷΑ͏ ʹ ڙڅ͞Ε͍ͯΔ͔Λཧղ͠ɺར༻அͰ͖ΔΑ͏ʹ͢Δ͜ͱ
Software Attestation • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷϝλ σʔλΛϞσϧԽͨ͠ͷɻ Software Attestation Digital Identity Attestation ͷҰछ
Software Attestationͱ • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷ ϝλσʔλΛϞσϧԽͨ͠ͷɻ
ιϑτΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτΣΞίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩཧ͢ΔΈ͕։ൃ͞Εͭͭ͋Δ %PDLFS3FHJTUPSZʢ0$*3FHJTUSZʣ SBOM Docker Image Maintainer
ιϑτΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτΣΞίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩཧ͢ΔΈ͕։ൃ͞Εͭͭ͋Δ %PDLFS3FHJTUPSZʢ0$*3FHJTUSZʣ SBOM Docker Image Maintainer
Thank you for attention
ͪͳΈʹ SBOMͷ༷ʹߩݙͨ͠Γͨ͠ 8PSLJOH(SPVQʹ໊લ͕ࡌͬͯͨ • SBOMͱͯ͠੬ऑੑΛදݱ͢Δ༷ʹߩݙ