Friday, December 1, 2023

We have a winner!


In our last OWASP SBOM Forum meeting before Thanksgiving, we started by discussing CISA’s new Request for Comments  on their recent document (written with DHS) on software naming, which I – ahem! – reviewed in this post. Since I didn’t have anything to add to that post but several people wanted to develop our own response, I encouraged the group to submit one and set up a Google Doc for it. However, nobody has even started to write a response, so I’m assuming our group won’t do that.

It turns out that is for the best. During the meeting, we discussed how the CISA document concludes: It lays out three “candidates” (my word) for a universal software identifier. They are CPE (used in the NVD and databases derived from it), purl (which we wrote about extensively in the document on the naming problem that the SBOM Forum published in 2022), and OmniBOR. Like all good academic documents, it calls for more study to determine which of those is most deserving of the title of Universal Software Identifier.

When I originally read this I smiled, since I don’t think a universal software identifier is needed at all. A universal identifier might have been important in 1970, when there was no way to build a database with multiple identifiers for the primary field. But the last time I checked it was 2023, and we can build a database that uses multiple identifiers for software as easily as we can build one that has multiple identifiers for people (legal name, nickname, name on Facebook, etc.).

However, it struck me initially that the three candidates for universal software identifier hardly have the same standing with respect to the use case that concerns most people in the SBOM community: vulnerability management.

1.      CPE is heavily used now because it is the only identifier supported by the NVD. However, I regard CPE as the problem, not the solution, to the question of software identification. On pages 4-6 of the SBOM Forum document linked above, we described in great detail the problems with CPE. There is no good way to fix those problems going forward, although because there is so much vulnerability information linked to CPE names – I’m referring to the entire CVE.org database – CPE will not go away anytime soon. But as much as possible, new vulnerability information needs to be linked with a better software identifier than CPE.

2.      OmniBOR is a really cool idea. I was quite impressed with the idea when its predecessor idea, GitBom, was discussed by its developer at one of the NTIA SBOM meetings in 2021. However, implementing it universally will (I’m told) require all compiler vendors to implement the necessary changes in their products, and then for all new software products to be developed using these revised compilers. I’m interested in changes that have a chance of being in place during the next 5-10 years, which OmniBOR isn’t. However, I hope the people working on that will continue their efforts.

Does this mean purl is the Universal Software Identifier? The fact that it’s without much doubt taken over the open source world seems to indicate that, but before I could award the USI title to purl, I needed to know if there are any alternatives. In the meeting, I asked if anyone knew of a single major vulnerability database that used any identifier other than CPE or purl. This was a question I’m always wondered about, but had never thought to ask when I was meeting with people with enough knowledge to answer it.

Nobody in the meeting knew of any alternative to CPE and purl that is being used by a major vulnerability database. In fact, one of the participants in the meeting was Philippe Ombredanne, the developer of purl, who has spent a lot of time looking at software identifiers. He didn’t know of any current alternative to CPE or purl.

Therefore, there is no question in my mind that purl is the best candidate for a Universal Software Identifier. However, there is still one problem: It’s not currently universal. It currently only works for identifying software that is available for download from a specific internet location – e.g., a package manager. The majority of open source software products (but certainly not all) meet this description, but most proprietary software does not.

Steve Springett, leader of the OWASP CycloneDX project and a purl maintainer, pointed out that proprietary software that is available in online “stores” like the Apple Store and Google Play could probably be incorporated into purl (as long as an appropriate purl “type” is created). However, most proprietary software isn’t available in stores.

In our naming paper, we included an idea of Steve’s for incorporating proprietary software into purl: Have manufacturers create SWID tags and add a new type to purl, so that a user who knows the contents of the SWID tag for a product they use can create a purl that will allow them to search for vulnerabilities in that software.

What we didn’t do in the paper was specify a way that the contents of SWID tags could be made accessible to users, especially for legacy software. I can think of at least one or two ways that might be done (and I’m sure there are others), but they haven’t been discussed yet (and of course, there might be other ways to do this that don’t involve SWID). Once a scheme is decided on and there has been an education campaign for it (since it will presumably require software suppliers to participate in some way, like putting purls for their products at a particular location on their website), purl really will be the universal software identifier!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

I lead the OWASP SBOM Forum. If you would like to learn more about what that group does or contribute to our group, please go here.

 

No comments:

Post a Comment