Add SBOM policy options for prohibited components and licenses (#34)

* Add SBOM policy options for prohibited components and licenses * Update policy readme for SBOM policy section * Bump to 0.7.0 * Update pyproject.toml * Update __init__.py Co-authored-by: Peter Eacmen <[email protected]>
ReFirmLabs · Sep 25, 2020 · 1232c12 · 1232c12
1 parent ce73d86
commit 1232c12
Show file tree

Hide file tree

Showing 7 changed files with 95 additions and 4 deletions.
diff --git a/centrifuge_cli/__init__.py b/centrifuge_cli/__init__.py
@@ -1 +1 @@
-__version__ = '0.6.3'
+__version__ = '0.7.0'
diff --git a/centrifuge_cli/main.py b/centrifuge_cli/main.py
@@ -319,7 +319,7 @@ def guardian(cli):
 @report.command()
 @pass_cli
 def sbom(cli):
-    result = cli.do_GET(f'/api/report/{cli.ufid}/components/pathmatches')
+    result = cli.do_GET(f'/api/report/{cli.ufid}/sbom')
     cli.echo(result)
     return(result)
 
@@ -418,6 +418,7 @@ def check_policy(cli, ctx, policy_yaml, report_template):
     code_summary_json = json.loads(ctx.invoke(code_summary))
     passhash_json = json.loads(ctx.invoke(passhash))
     checklist_json = json.loads(ctx.invoke(security_checklist))
+    sbom_json = json.loads(ctx.invoke(sbom))
     info_json = json.loads(ctx.invoke(info))
 
     policy_obj = CentrifugePolicyCheck(certificates_json,
@@ -427,6 +428,7 @@ def check_policy(cli, ctx, policy_yaml, report_template):
                                        code_summary_json,
                                        passhash_json,
                                        checklist_json,
+                                       sbom_json,
                                        info_json)
 
     policy_obj.check_rules(policy_yaml)

diff --git a/centrifuge_cli/policy.py b/centrifuge_cli/policy.py
@@ -55,6 +55,12 @@
         "method": "checkSecurityChecklistRule",
         "status": "Fail",
         "reasons": []
+    },
+    "sbom": {
+        "name": "SBOM Components",
+        "method": "checkSBOMRule",
+        "status": "Fail",
+        "reasons": []
     }
 }
 POLICIES = [
@@ -64,7 +70,8 @@
     'code',
     'guardian',
     'binaryHardening',
-    'securityChecklist'
+    'securityChecklist',
+    'sbom'
 ]
 
 
@@ -80,6 +87,7 @@ def __init__(self,
                  code_summary_json,
                  passhash_json,
                  checklist_json,
+                 sbom_json,
                  info_json,
                  verbose=False):
         self.certificates_json = certificates_json
@@ -89,6 +97,7 @@ def __init__(self,
         self.code_summary_json = code_summary_json
         self.passhash_json = passhash_json
         self.checklist_json = checklist_json
+        self.sbom_json = sbom_json
         self.info_json = info_json
         self.verbose = verbose
 
@@ -300,6 +309,34 @@ def checkPasswordHashRule(self, value):
                     rule_passed = False
         return rule_passed, reasons
 
+    def checkSBOMRule(self, value):
+        self.verboseprint("Checking SBOM Rule...")
+        rule_passed = True
+        reasons = []
+        sbom = self.sbom_json
+        prohibitedComponents = value.get("prohibitedComponents")
+        prohibitedLicenses = []
+        for r in value.get("licenses", {}).get("prohibitedLicenses", []):
+            prohibitedLicenses.append(re.compile(r))
+        exceptedLicenseComponents = value.get("licenses", {}).get("exceptions", [])
+        if sbom.get("count") > 0:
+            for component in sbom.get("results"):
+                if component.get("name") in prohibitedComponents:
+                    reason = f'SBOM Component {component["name"]} is prohibited'
+                    reasons.append(reason)
+                    self.verboseprint(f'...failing: {reason}')
+                    rule_passed = False
+                if not component.get("name") in exceptedLicenseComponents:
+                    licenseUsed = component.get('license')
+                    for r in prohibitedLicenses:
+                        if re.match(r, licenseUsed):
+                            reason = f'SBOM Component {component["name"]} uses prohibited license {component["license"]}'
+                            reasons.append(reason)
+                            self.verboseprint(f'...failing: {reason}')
+                            rule_passed = False
+                            break
+        return rule_passed, reasons
+
     def call_policy_method(self, policy_name, ruledef):
         policy_method = getattr(self, POLICY_DETAIL_MAPPING.get(policy_name).get("method"))
         return policy_method(ruledef)

diff --git a/docs/POLICY.md b/docs/POLICY.md
@@ -189,3 +189,33 @@ Checklist results.
   securityChecklist:
     allowed: false
 ```
+
+### Rule: SBOM
+
+Software Bill of Materials (SBOM) identifies open source components that are used in firmware images.
+`prohbitedComponents` can list components that should not be present in final firmware images, such as gdbserver
+or tcpdump.
+`prohibitedLicenses` defines software licenses which are prohibited in the identified components in the firmware.
+The license identifiers match those in the SPDX standard. A common use case could be to block restrictive licenses
+like GPL, but define exceptions for specific components that have been approved for distribution.
+```
+  sbom:
+    # components that are not allowed in firmware
+    prohibitedComponents:
+      - tcpdump
+      - libpcap
+      - gdbserver
+
+    # components using prohibited licenses 
+    licenses:
+      # use SPDX license identifiers (https://spdx.org/licenses/)
+      # can use regex
+      prohibitedLicenses:
+        - GPL-1.0-or-later
+        - GPL-*
+
+      # components approved to use prohibited licenses
+      exceptions:
+        - busybox
+        - dnsmasq
+```
diff --git a/docs/example-policy-simple.yml b/docs/example-policy-simple.yml
@@ -17,3 +17,5 @@ rules:
     include: [/opt/vendor/bin/*, /usr/lib/*]
   securityChecklist:
     allowed: false
+  sbom:
+    prohibitedComponents: [tcpdump, libpcap, gdbserver]
diff --git a/docs/example-policy.yml b/docs/example-policy.yml
@@ -77,3 +77,23 @@ rules:
   securityChecklist:
     # any security checklist results should result in failure in most policies
     allowed: false
+
+  sbom:
+    # components that are not allowed in firmware
+    prohibitedComponents:
+      - tcpdump
+      - libpcap
+      - gdbserver
+
+    # components using prohibited licenses 
+    licenses:
+      # use SPDX license identifiers (https://spdx.org/licenses/)
+      # can use regex
+      prohibitedLicenses:
+        - GPL-1.0-or-later
+        - GPL-*
+
+      # components approved to use prohibited licenses
+      exceptions:
+        - busybox
+        - dnsmasq
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "centrifuge-cli"
-version = "0.6.3"
+version = "0.7.0"
 description = "A command line utility for interacting with the Centrifuge Firmware Analysis Platform's REST API."
 authors = ["Peter Eacmen <[email protected]>"]
 readme = 'README.rst'