SBOMgen
Creating CBOMs Using the IBM Sonar Cryptography SonarQube Plugin
Introduction
This tutorial illustrates how to create a CBOM from Java or Python projects using the SonarQube Sonar Cryptography Plugin.
Requirements
-
SonarQube
-
SonarScanner CLI
-
Sonar Cryptography .jar file.
Installation
SonarQube & SonarScanner
Ensure you have the SonarQube and SonarScanner installed, and ideally on your PATH, via downloading and unzipping the .zip files for SonarQube and SonarScanner.
Sonar Cryptography Plugin
Download the Sonar Cryptography .jar file and place it into your SonarQube plugins/ folder.
Usage
-
Activate SonarQube
-
Create a blank Quality Profile for a specific language (Java or Python).
-
In the Profile, activate More Rules. Find the IBM Cryptography rules for your language (likely under Repository) and activate them.
-
Create a new project, whether it be local or from a repository.
-
Generate a project token and copy and paste the generated SonarScanner CLI command.
-
Run the SonarScanner CLI command in the folder containing your source code.
-
You should see a
cbom.jsonfile in your folder upon the command completion*
Notes
- This tool requires Java 17.
Example SBOM
The following section illustrates a CycloneDX JSON Cryptographic Bill of Materials (CBOM) of the pyopenssl codebase, generated by the SonarQube Cryptography Plugin.
sonarqube
References
-
Anchore. (n.d.). Anchore/syft: CLI Tool and library for generating a software bill of materials from container images and filesystems. GitHub. https://github.com/anchore/syft
-
Code quality tool & secure analysis with SonarQube. Clean Code: Writing Clear, Readable, Understandable & Reliable Quality Code. (n.d.). https://www.sonarsource.com/products/sonarqube/
-
Sonarscanner CLI. SonarQube 10.4. (n.d.). https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/
-
Pyca. (n.d.). GitHub - pyca/pyopenssl: A Python wrapper around the OpenSSL library. GitHub. https://github.com/pyca/pyopenssl/tree/main