About SBOMs
Understand what’s included in the SBOM provided for every Minimus image version
A Software Bill of Materials (SBOM) is a structured list of the components, libraries, and versions that make up a software product. Vulnerability scanners match the SBOM's entries against advisories to report vulnerable components, so the SBOM is central to vulnerability management: a vulnerability report for an image can only be as complete as the SBOM it was produced from. Minimus images carry signed SBOMs that follow current best practices, including dependency scanning and provenance tracking.
Minimus SBOMs
Minimus generates each image SBOM during the build process so that it is accurate, complete, and fully transparent. Generating the SBOM after the build, by scanning the finished image, relies on package-manager metadata and recognizable file signatures, so components built from source inside the image can be missed, leading to an incomplete inventory.
Minimus offers signed SBOMs for download for all of its images. SBOM details are also provided in a convenient table format with quick filtering options directly in the Minimus Gallery in the image version card.
Note that an SBOM is specific to one image build, identified by the image digest. Every image version has its own SBOM, and both the set of packages and their versions can differ between image versions.
Direct and indirect dependencies
Minimus SBOMs include the full dependency closure of the image, that is:
- Direct dependencies, which are explicitly declared in the project
- Transitive (indirect) dependencies, which are dependencies of your dependencies: second-order dependencies and anything they pull in further down the tree
Minimus flattens complex dependency trees, which are difficult to graph and track, into a straightforward list, so that security scanners see every component and don't produce false negatives (vulnerabilities that present risk but go unreported because the affected component was never listed).
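The two points above, that an SBOM is bound to one image digest and that scanners need the flattened closure of direct and transitive dependencies, are easiest to see on a concrete SBOM. The following is an added example, not Minimus code and not a Minimus SBOM: it builds a small CycloneDX-style document inline (package names, digest and advisory IDs are all constructed placeholders), reads the digest the SBOM is bound to, walks the dependency graph from the image component into a flat list with a depth for each entry, checks the graph for unreachable or dangling entries, and then matches the list against a constructed advisory feed by purl, once with transitive components included and once without, to show the false negative a direct-only view produces.

```python
"""Added example: bind an SBOM to its image digest, flatten its dependency
graph, and match it against an advisory feed the way a scanner would.
All sample data below is constructed; it is not a Minimus SBOM."""
import json
import re
from collections import deque

ROOT_REF = "image"  # bom-ref of the image itself (metadata.component)

# Constructed SBOM in the CycloneDX 1.5 JSON shape. The package names and the
# digest are placeholders, not real packages or a real image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "bom-ref": ROOT_REF, "type": "container", "name": "example/app",
        "version": "1.2.3",
        "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
    }},
    "components": [
        {"bom-ref": "pkg:pypi/example-client@2.0.0", "type": "library",
         "name": "example-client", "version": "2.0.0",
         "purl": "pkg:pypi/example-client@2.0.0"},
        {"bom-ref": "pkg:pypi/example-transport@1.4.0", "type": "library",
         "name": "example-transport", "version": "1.4.0",
         "purl": "pkg:pypi/example-transport@1.4.0"},
        {"bom-ref": "pkg:pypi/example-idna@3.0", "type": "library",
         "name": "example-idna", "version": "3.0",
         "purl": "pkg:pypi/example-idna@3.0"},
        {"bom-ref": "pkg:apk/alpine/example-shell@1.36.1", "type": "library",
         "name": "example-shell", "version": "1.36.1",
         "purl": "pkg:apk/alpine/example-shell@1.36.1"},
    ],
    # Edges: the image depends on two packages directly; one of those pulls
    # in two more (second-order, i.e. transitive, dependencies).
    "dependencies": [
        {"ref": ROOT_REF, "dependsOn": ["pkg:pypi/example-client@2.0.0",
                                        "pkg:apk/alpine/example-shell@1.36.1"]},
        {"ref": "pkg:pypi/example-client@2.0.0",
         "dependsOn": ["pkg:pypi/example-transport@1.4.0",
                       "pkg:pypi/example-idna@3.0"]},
    ],
})

# Constructed advisory feed keyed by purl. The IDs are placeholders, not CVEs.
SAMPLE_FEED = {
    "pkg:pypi/example-transport@1.4.0": ["EXAMPLE-ADV-0001"],
    "pkg:apk/alpine/example-shell@1.36.1": ["EXAMPLE-ADV-0002"],
}


def load_sample():
    """Parse the constructed SBOM text into a dict."""
    return json.loads(SAMPLE_SBOM)


def image_digest(sbom):
    """Return the sha256 digest the SBOM is bound to, or raise if absent."""
    root = sbom["metadata"]["component"]
    for h in root.get("hashes", []):
        if h.get("alg") == "SHA-256" and re.fullmatch(r"[0-9a-f]{64}", h["content"]):
            return "sha256:" + h["content"]
    raise ValueError("SBOM is not bound to an image digest")


def flatten(sbom):
    """Breadth-first walk from the image component. Returns {bom-ref: depth};
    depth 1 is a direct dependency, depth >= 2 is transitive."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depth = {}
    queue = deque((child, 1) for child in edges.get(ROOT_REF, []))
    while queue:
        ref, d = queue.popleft()
        if ref in depth:  # already reached by a shorter (or equal) path
            continue
        depth[ref] = d
        queue.extend((child, d + 1) for child in edges.get(ref, []))
    return depth


def check_integrity(sbom):
    """Components the graph never reaches, and edges to components not listed."""
    known = {c["bom-ref"] for c in sbom["components"]}
    reached = set(flatten(sbom))
    return {"unreachable": sorted(known - reached), "dangling": sorted(reached - known)}


def scan(sbom, feed, include_transitive=True):
    """Match components against the feed by purl. Skipping transitive
    components is exactly the false negative a flat list prevents."""
    purls = {c["bom-ref"]: c["purl"] for c in sbom["components"]}
    findings = []
    for ref, d in flatten(sbom).items():
        purl = purls.get(ref)
        if purl is None or (d > 1 and not include_transitive):
            continue
        for adv in feed.get(purl, []):
            findings.append((adv, purl, "direct" if d == 1 else "transitive"))
    return sorted(findings)


if __name__ == "__main__":
    sbom = load_sample()
    print("image:", image_digest(sbom))
    for ref, d in sorted(flatten(sbom).items(), key=lambda kv: kv[1]):
        print(f"  depth {d}: {ref}")
    print("integrity:", check_integrity(sbom))
    print("full scan:", scan(sbom, SAMPLE_FEED))
    print("direct-only scan:", scan(sbom, SAMPLE_FEED, include_transitive=False))
```

The direct-only scan reports only the `example-shell` advisory; the advisory on `example-transport`, reached only through `example-client`, disappears, which is the unreported-but-real-risk case the text warns about. In practice the digest returned by `image_digest` should be compared against the digest of the image you actually pulled before trusting the scan result, since an SBOM for a different build of the same tag describes different packages.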
Understand why SBOMs are key to software supply chain security
In May 2021, following the SolarWinds attack, Executive Order 14028 made SBOMs a requirement for software supplied to U.S. federal agencies. Revisiting the key points of that attack helps explain why SBOMs are crucial to software supply chain security in an organization of any size.
The SolarWinds attack
The 2020 SolarWinds attack, arguably the biggest cybersecurity breach of the 21st century to date, marked a turning point for software supply chain security and, in particular, led to SBOMs becoming ubiquitous.
SolarWinds Orion was an IT performance monitoring platform with privileged access to the systems it monitored, which it needed in order to collect logs and performance data. The attackers introduced a backdoor by injecting malicious code, known as Sunburst (hence the attack's alternate name), into the Orion build.
SolarWinds then unknowingly shipped the backdoor to customers as a digitally signed Orion software update. The compromised update reached the networks of thousands of organizations, including the U.S. Departments of Homeland Security, State, Commerce and Treasury and a long list of technology companies, among them Microsoft, Intel, Cisco, and Deloitte. In total, around 18,000 of Orion's roughly 30,000 customers installed the compromised update. The fallout spread far beyond direct Orion users to their customers and partners.
Subsequent analysis, beginning with FireEye's, established that the attackers were inside SolarWinds' environment from September 2019 and that the trojanized updates shipped from March 2020, yet the backdoor wasn't discovered until December 2020, so the dwell time was well over a year. The operation was clearly nation-state led; the U.S. government later formally attributed it to Russia's SVR, and Chinese actors were suspected of separately exploiting a different SolarWinds flaw.
The aftermath
SolarWinds was a catalyst for rapid, broad change in the cybersecurity industry and spurred major regulatory changes:
- Executive Order 14028 (May 2021) required SBOMs for software supplied to U.S. federal agencies
- A new senior cybersecurity position, Deputy National Security Advisor for Cyber and Emerging Technology, was established on the National Security Council
- For the first time, the SEC sued the victim of a cyberattack, charging SolarWinds and its CISO in October 2023