Affiliation:
1. Sivas Cumhuriyet University
2. Sivas Cumhuriyet University, Faculty of Engineering, Department of Computer Engineering
Abstract
The software bill of materials (SBOM) emerged in 2018 as an important component of software security and software supply chain management. An SBOM is an inventory, presented as a list, of the components that make up a piece of software. In recent years, whether a software product contains vulnerabilities has become something its users need to check regularly. This paper deals with the systematic identification and vulnerability analysis of software components based on the SBOM concept. The fact that a software product itself contains no vulnerabilities does not mean the product is secure: even if a software project contains no vulnerabilities when examined on its own, there may be vulnerabilities in its components, and vulnerabilities in the product's dependencies or components may be sufficient for attackers to exploit that product. Minimizing the damage caused by vulnerabilities in software components is the basis of cyber security efforts. This study demonstrates the necessity of automatically generating a software bill of materials in software development/deployment (CI/CD) environments and performing vulnerability analysis on it, and proposes a suitable model for doing so.
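The SBOM-driven check the abstract describes, as an added example that is not the paper's own code or model: it parses a constructed CycloneDX-style SBOM, matches each component by package URL against a constructed OSV-shaped advisory list (the ids, package names and version ranges are placeholders, not real records), and returns the exit code a CI stage would use to fail the pipeline.

```python
import json

# Constructed CycloneDX-style SBOM, as a CI job would emit it (not from the paper).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
    {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "minimist", "version": "1.2.6", "purl": "pkg:npm/minimist@1.2.6"}
  ]
}"""

# Constructed advisory feed in an OSV-like shape; ids and ranges are placeholders,
# not real vulnerability records.
ADVISORIES = [
    {"id": "EXAMPLE-2020-0001", "package": "pkg:npm/lodash",
     "introduced": "0", "fixed": "4.17.19"},
    {"id": "EXAMPLE-2021-0002", "package": "pkg:npm/minimist",
     "introduced": "1.0.0", "fixed": "1.2.6"},
]

def parse_version(v):
    """Turn '4.17.15' into (4, 17, 15); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(version, introduced, fixed):
    """OSV range semantics: introduced <= version < fixed (fixed=None means unfixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def scan_sbom(sbom_json, advisories):
    """Match every SBOM component against the advisory feed by package purl."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        pkg = comp["purl"].split("@")[0]  # drop the version part to get the package key
        for adv in advisories:
            if adv["package"] == pkg and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append((comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return findings

def gate(findings):
    """CI gate: non-zero exit code when any component is affected."""
    return 1 if findings else 0

if __name__ == "__main__":
    hits = scan_sbom(SBOM_JSON, ADVISORIES)
    for name, ver, adv_id, fixed in hits:
        print(f"{name}@{ver}: {adv_id} (fixed in {fixed})")
    raise SystemExit(gate(hits))
```

Only lodash is reported here: minimist sits exactly at the fixed version, which the half-open range excludes, and express has no matching advisory.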