
Generate CVE Report

An SBOM (Software Bill of Materials) is a detailed inventory of all the software components and dependencies that make up a software application, while CVE (Common Vulnerabilities and Exposures) is a publicly accessible list that assigns unique identifiers to known cybersecurity vulnerabilities and exposures in software and hardware. Given an SBOM, the EmbedOps CLI can match the listed components against CVE data, generate a CVE report, and send it to the EmbedOps platform.

Prerequisites

Steps

1. Connect your project to the EmbedOps Platform

Running the following command in the root of your project connects it to the EmbedOps platform and creates the configuration files for a dev container and Continuous Integration (CI) pipeline.

host> eo init

Info

If you want to try out SBOM generation, but you don't have a project to try it on, you can clone the nRF53 HIL Quick Start and start from there.

2. Build your project and generate SBOM

You can skip this step if you already have a way to build your project and generate an SBOM.

Using HIL Quickstart

Follow steps 2 and 6a of the Hardware-in-the-Loop (HIL) Quickstart. Then:

  1. Open your project in Visual Studio Code.

  2. If the Dev Containers extension has not been installed, go to the Extensions tab on the left column, search for Dev Containers, and install it.

  3. Open the Command Palette with Cmd+Shift+P (Ctrl+Shift+P on Windows and Linux), search for Dev Containers: Reopen in Container, and press Enter. This creates a development container with the directories and files of your project and the dependencies needed to build the project and generate the SBOM.

  4. Open the Command Palette again, search for View: Toggle Terminal, and press enter. This will open a terminal in the development container.

  5. Pre-populate a build directory.

    container> west spdx --init -d build
    
  6. Build your application in the pre-populated build directory with CONFIG_BUILD_OUTPUT_META enabled, so that the build records the Zephyr and module revisions that west spdx needs.

    container> west build -d build --pristine --board nrf5340dk_nrf5340_cpuapp -- -DCONFIG_BUILD_OUTPUT_META=y
    
  7. Generate SBOM.

    container> west spdx -d build
    

Check out Zephyr documentation for more information.

Info

Alternatively, install the Dev Containers CLI and run the same steps from the host, without opening VS Code:

macOS
host> brew install node   # npm ships with node; there is no separate npm formula
host> sudo npm install -g @devcontainers/cli
host> devcontainer up --workspace-folder .
host> devcontainer exec --workspace-folder . /bin/bash
container> west spdx --init -d build
container> west build -d build --pristine --board nrf5340dk_nrf5340_cpuapp -- -DCONFIG_BUILD_OUTPUT_META=y
container> west spdx -d build

For installation on other OSes, please follow the official installation guide.

3. Generate and send a CVE report to the EmbedOps Platform

The following command parses a given SBOM file, generates a CVE report, and sends the report to the EmbedOps platform.

host> eo report sbom PATH/TO/SPDX/FILE

# An example to send a CVE report for the sample project or a Zephyr project
host> eo report sbom build/spdx/zephyr.spdx
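A CVE report is only as good as the component names and versions in the SBOM, so it is worth checking the SPDX file before sending it. The script below is an added example for this page, not EmbedOps or Zephyr code: it parses the SPDX 2.x tag-value format that west spdx writes (for example build/spdx/zephyr.spdx), lists each package with its declared version and file count, and flags packages without a PackageVersion, since those cannot be matched to CVE entries by name and version. The embedded SAMPLE_SPDX is a constructed excerpt, not real tool output, and the package names and file paths in it are assumptions.

```python
"""Sanity-check an SPDX tag-value SBOM before sending it for CVE matching.

Added example, not EmbedOps or Zephyr code. SAMPLE_SPDX is a constructed
excerpt in the tag-value format west spdx emits; run with a path argument to
check a real file, e.g. build/spdx/zephyr.spdx.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import sys

SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: zephyr-sources
Creator: Tool: Zephyr SPDX builder

PackageName: zephyr-sources
SPDXID: SPDXRef-zephyr-sources
PackageVersion: 3.5.0
PackageDownloadLocation: NOASSERTION
PackageComment: <text>Zephyr RTOS sources used by the build.
Second line of the comment.</text>

FileName: ./kernel/sched.c
SPDXID: SPDXRef-File-kernel-sched.c
FileChecksum: SHA1: 0000000000000000000000000000000000000000

PackageName: mbedtls
SPDXID: SPDXRef-mbedtls
PackageDownloadLocation: NOASSERTION

FileName: ./modules/mbedtls/library/aes.c
SPDXID: SPDXRef-File-mbedtls-aes.c
FileChecksum: SHA1: 1111111111111111111111111111111111111111

Relationship: SPDXRef-zephyr-sources CONTAINS SPDXRef-File-kernel-sched.c
Relationship: SPDXRef-mbedtls CONTAINS SPDXRef-File-mbedtls-aes.c
"""


@dataclass
class Package:
    name: str
    spdxid: str = ""
    version: Optional[str] = None
    files: int = 0  # FileName records listed under this package


def parse_spdx_tag_value(text: str) -> List[Package]:
    """Extract package records from an SPDX 2.x tag-value document."""
    packages: List[Package] = []
    current: Optional[Package] = None
    section = None      # "package" or "file": which record the current tags belong to
    in_text = False     # inside a multi-line <text>...</text> value
    for raw in text.splitlines():
        line = raw.strip()
        if in_text:                          # skip continuation lines of a <text> value
            if "</text>" in line:
                in_text = False
            continue
        if not line or line.startswith("#") or ":" not in line:
            continue
        tag, _, value = line.partition(":")  # split on the first colon only
        tag, value = tag.strip(), value.strip()
        if value.startswith("<text>") and "</text>" not in value:
            in_text = True                   # value continues on the following lines
            continue
        if tag == "PackageName":
            current = Package(name=value)
            packages.append(current)
            section = "package"
        elif tag == "FileName":
            section = "file"                 # later SPDXID lines belong to the file
            if current is not None:
                current.files += 1
        elif section == "package" and current is not None:
            if tag == "SPDXID":
                current.spdxid = value
            elif tag == "PackageVersion":
                current.version = value
    return packages


def check_versions(packages: List[Package]) -> Dict[str, object]:
    """Report which packages carry a usable version for CVE matching."""
    unversioned = [p.name for p in packages
                   if not p.version or p.version == "NOASSERTION"]
    return {"total": len(packages),
            "versioned": len(packages) - len(unversioned),
            "unversioned": unversioned}


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SPDX
    packages = parse_spdx_tag_value(text)
    for p in packages:
        print(f"{p.name:<24} version={p.version or '-':<12} files={p.files}")
    summary = check_versions(packages)
    print(f"{summary['versioned']}/{summary['total']} packages carry a version")
    if summary["unversioned"]:
        print("no PackageVersion (cannot be matched to CVEs by version):",
              ", ".join(summary["unversioned"]))
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_sbom.py build/spdx/zephyr.spdx` before `eo report sbom`; a non-zero exit means at least one package in the SBOM has no version, so any CVE report built from it will silently miss vulnerabilities in that component.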

Open the EmbedOps platform on your favorite browser to check out the CVE Report.

CVE Report

You can reach this page by running eo open at the root of the repo (the directory containing the .embedops directory) and navigating to Security > Binary Analysis.