Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
SBOMを利用したソフトウェアサプライチェーンの保護
Search
Masahiro331
August 05, 2022
Technology
4
2.6k
SBOMを利用したソフトウェアサプライチェーンの保護
Masahiro331
August 05, 2022
Tweet
Share
More Decks by Masahiro331
See All by Masahiro331
Model Context Protocol 勉強会
masahiro331
0
48
OSSに新機能を追加するまでの苦労話
masahiro331
0
190
Analyze Filesystem in Virtual Machine Image
masahiro331
0
180
Introduction Supply Chain Security
masahiro331
0
150
Container Security with Trivy
masahiro331
0
210
VirtualMachine Image scanning PoC with Molysis
masahiro331
0
170
Other Decks in Technology
See All in Technology
Platform開発が先行する Platform Engineeringの違和感
kintotechdev
4
590
Django's GeneratedField by example - DjangoCon US 2025
pauloxnet
0
160
バイブスに「型」を!Kent Beckに学ぶ、AI時代のテスト駆動開発
amixedcolor
2
590
20250913_JAWS_sysad_kobe
takuyay0ne
2
250
2025/09/16 仕様駆動開発とAI-DLCが導くAI駆動開発の新フェーズ
masahiro_okamura
0
130
RSCの時代にReactとフレームワークの境界を探る
uhyo
10
3.5k
今日から始めるAWSセキュリティ対策 3ステップでわかる実践ガイド
yoshidatakeshi1994
0
120
メルカリIBISの紹介
0gm
0
190
AWSを利用する上で知っておきたい名前解決のはなし(10分版)
nagisa53
10
3.2k
スマートファクトリーの第一歩 〜AWSマネージドサービスで 実現する予知保全と生成AI活用まで
ganota
2
320
使いやすいプラットフォームの作り方 ー LINEヤフーのKubernetes基盤に学ぶ理論と実践
lycorptech_jp
PRO
1
150
Rustから学ぶ 非同期処理の仕組み
skanehira
1
150
Featured
See All Featured
Testing 201, or: Great Expectations
jmmastey
45
7.7k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
Rails Girls Zürich Keynote
gr2m
95
14k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.7k
GraphQLとの向き合い方2022年版
quramy
49
14k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
188
55k
Side Projects
sachag
455
43k
Facilitating Awesome Meetings
lara
55
6.5k
jQuery: Nuts, Bolts and Bling
dougneiner
64
7.9k
YesSQL, Process and Tooling at Scale
rocio
173
14k
A designer walks into a library…
pauljervisheath
207
24k
Transcript
Masahiro Fujimura (@masahiro331), 20 August 2022 Supply Chain Security with
SBOM CloudNative Security Conference 2022
ຊͷྲྀΕ • ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ • Supply Chain Security ͱʁ • SBOMͱʁ
• SBOMͷੜͱ੬ऑੑݕʹ͍ͭͯ • SBOM๊͕͑Δ՝
ࠓ͞ͳ͍͜ͱ • SBOMͷৄࡉͳ༷ͷղઆ • SBOMͷ੬ऑੑݕͷৄࡉ
ࣗݾհ • ໊લ: ౻ଜ ڡ߂ʢ@masahiro331ʣ • ॴଐ: OWASP CycloneDX project
(Volunteer) • झຯ: • ϑΝΠϧγεςϜͷύʔα։ൃ • ԿΛ͍ͯ͠Δਓͳͷ͔ • TrivyʹSBOMͷੜͱ੬ऑੑݕΛ࣮
ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ
ࡢࠓͷ߈ܸͷಈ • ͢ͰʹڴҖͱͯ͠αϓϥΠνΣʔϯͷऑΛѱ༻ͨ͠߈ܸ͕ʹͳ͍ͬͯΔ • IPA ͕ग़͍ͯ͠ΔใηΩϡϦςΟͷ10େڴҖʹϥϯΫΠϯ͍ͯ͠Δ
ࡢࠓͷ߈ܸͷಈ • Sonatype͔ΒϨϙʔτ͕ग़͍ͯΔ • 2020ࠒ͔Β Supply Chain ʹର͢Δ߈ܸ͕ٸܹʹ૿Ճ͍ͯ͠Δ
Supply Chain Security ͱʁ
Supply Chain ͱ • ιϑτΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβಧ͚Δ·Ͱͷϓϩηεͷશମ
Supply Chain ͱ • ιϑτΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβಧ͚Δ·Ͱͷϓϩηεͷશମ Engineer Source Code Vendor
OSS Artifact Production Server Server / Network Machine
Supply Chain Security ͱ Supply Chain Security 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •
औҾઌؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸͷରࡦ λʔήοτاۀͱΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕͍औҾઌ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸͷରࡦ ͘ར༻͞ΕΔιϑτΣΞɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ ΣΞͦΕΒͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ
Supply Chain Security ͱ Supply Chain Security 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •
औҾઌؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸͷରࡦ λʔήοτاۀͱΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕͍औҾઌ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸ ͘ར༻͞ΕΔιϑτΣΞɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ ΣΞιϑτΣΞͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ ࠓͷൣғ ͜Ε*TMBOE)PQQJOH"UUBDLͱ͔ݴΘΕΔΒ͍͠
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server Artifact OSS
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server OSS Artifact ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ Build Server ͕ ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮Λ͍ͯ͠ΔՄೳੑ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτΣΞ͕ վ͟Μ͞ΕΔՄೳੑ
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ #VJME4FSWFS͕ ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮Λ͍ͯ͠ΔՄೳੑ Artifact ࠓͷൣғ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτΣΞ͕ վ͟Μ͞ΕΔՄೳੑ OSS
OSS ʹର͢Δ߈ܸͷࣄྫ • JDK 9Ҏ্ͰɺSpring Framework Λར༻͍ͯ͠Δ΄΅શͯͷγεςϜʹӨڹ • Өڹ͢Δ߹ɺαʔόͰҙͷίʔυ͕࣮ߦͰ͖Δঢ়ଶʹ… Spring4Shell
(Java) Event-Stream (Node.js) • 200ສμϯϩʔυΛ͑ΔϥΠϒϥϦʹѱҙ͋Δόʔδϣϯ͕ϦϦʔε͞Εͨ • ҉߸௨՟ΥϨοτΛ౪͏ͱ͢Δίʔυ͕ೖ͞Ε͍ͯͨ
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ґଘ ਪҠతґଘ
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ Ͳ͏͢Ε͍͍ͷ͔... ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ Ͳ͏͢Ε͍͍ͷ͔...
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B SBOMͰղܾ͠·͠ΐ͏ SBOMͰղܾ͠·͠ΐ͏
SBOMͱʁ
SBOMͱ • ιϑτΣΞͷߏཁૉΛ෦දͱଊ͑ɺͲͷΑ͏ͳϞδϡʔϧͰߏ͞Εͯ ͍Δ͔Λࣔ֓͢೦ • SBOMͷ༷4ͭ΄Ͳଘࡏ͢Δ • CycloneDX • SPDX
(Software Package Data Exchange) • GitHub SBOM • SWID (Software Identification tags) OWASP Linux Foundation GitHub Βͳ͍…
SBOMʹ͍ͭͯ • ιϑτΣΞͷߏґଘؔΛڞ௨ͷϑΥʔϚοτͱͯ͠දݱ͢Δ͜ͱ͕Մೳ
ԿͷͨΊʹSBOMΛ͏ͷ͔ • SBOMΛೖྗͱͯ͠੬ऑੑͷݕͳͲ͕Մೳ ෆಛఆଟͷιϑτΣΞϞδϡʔϧ CycloneDX SPDX SBOM ϑΥʔϚοτ SCAπʔϧͳͲ
ͦͷଞͷ༻్ • ։ൃϕϯμʔϕϯμʔ͕ར༻ϞδϡʔϧΛSBOMͱͯ͠ެ։ • ιϑτΣΞɾϥΠηϯεͷཧ Vendor A Vendor B Vendor
C Engineer AͷSBOM ιϑτΣΞBͷSBOM CͷSBOM
ੈͷதͷಈ • ถࠃͰɺେ౷ྖྩͱͯ͠Ұ෦ͷاۀʹؔͯ͠SBOMͷ࡞Λཁ݅Խ͍ͯ͠Δ • ຊͰɺαΠόʔηΩϡϦςΟઓུͱͯ͠SBOMʹݴٴ͍ͯ͠Δ αΠόʔηΩϡϦςΟ̎̌̎̎ͷ֓ཁ ࠃՈͷαΠόʔηΩϡϦςΟվળʹؔ͢Δେ౷ྖྩ
σϞ
SBOMͷੜ ࣮ࡍʹSBOMΛ࡞ͬͯΈΔ ΊͬͪΌ؆୯
σϞͷղઆ ղੳ CycloneDX ग़ྗ • ίϯςφͷɺOSύοέʔδΞϓϦέʔγϣϯύοέʔδΛղੳ Container
σϞͷղઆ ղੳ ग़ྗ • ίϯςφͷɺOSύοέʔδΞϓϦέʔγϣϯύοέʔδΛղੳ Container OS OS Package Application
Application Library Application Application Library Container
ิ • CycloneDXͷSBOMͰɺ෦ʢComponentʣͷछྨ͕͍͔ͭ͘ଘࡏ͢Δ • ਖ਼ந͕ߴͯ͘ɺ࣮ͨ͠ͷͷɺະͩʹΑ͘Θ͔͍ͬͯͳ͍
SBOMΛ༻͍ͨ੬ऑੑݕ ࡞ͨ͠SBOMΛར׆༻ͯ͠ΈΔ ΊͬͪΌ؆୯
σϞͷղઆ Container OS OS Package Application Application Library Application Application
Library CycloneDX ੬ऑੑݕ ग़ྗ $7&9999 $7&9999 $7&9999 • SBOMʹهࡌ͞Ε͍ͯΔύοέʔδʹରͯ͠੬ऑੑΛݕ
͍··Ͱ ෆಛఆଟͷιϑτΣΞϞδϡʔϧ ੬ऑੑݕ
͜Ε͔Β ෆಛఆଟͷιϑτΣΞϞδϡʔϧ ར׆༻ʢྫ͑੬ऑੑݕʣ ଞͷ׆༻ํ๏ߟ͑ΒΕΔ CycloneDX SPDX SBOM ϑΥʔϚοτ
SBOMͰશͯͷιϑτΣΞΛՄࢹԽɺར׆༻Ͱ͖Δ!
ͱͳΒͳ͍…
࣮ࡍʹ SBOM Λੜɺݕ͢ΔπʔϧΛ ։ൃ͢Δͱɺଟͷ՝Λݟ͚ͭΔ (CycloneDXͷࣄྫΛհ)
1. શͯͷґଘؔΛՄࢹԽͰ͖ΔΘ͚Ͱͳ͍ • ίϯςφΛղੳ͢ΔTrivyGrypeͳͲͷπʔϧͰ make ͳͲͰϏϧυ͞Εͨ ύοέʔδΛՄࢹԽ͢Δ͜ͱͰ͖ͳ͍ ͪΖΜSBOMͱͯ͠ग़ྗ͢Δ͜ͱͰ͖ͳ͍
2. ʮඪ४ϑΥʔϚοτʯޓੑ͕͋Δͱݴͬͯͳ͍ • πʔϧʹΑͬͯग़ྗ͢ΔϑΥʔϚοτ͕ҟͳΔͨΊޓੑ͕ͳ͍ Grype CycloneDX Trivy CycloneDX ͪΖΜ͓ޓ͍ͷSBOMͰਖ਼͘͠ݕͰ͖ͳ͍
3. ෦ͷґଘؔͷछྨ͕ଟ͗͢Δ • ͦͦґଘؔͱʁ • ελςΟοΫϦϯΫ • GoͷΑ͏ͳ୯ҰͷBinary • JavaͩͱJarͷதʹJar͕ೖΔґଘؔଘࡏ
• μΠφϛοΫϦϯΫ • ϓϩηεؒ௨৴HTTPͳͲͷ௨৴ʹΑΔґଘ SBOMͱͯ͠දݱ͢Δʹෳࡶ͗͢Δ
3. ෦ͷґଘؔͷछྨ͕ଟ͗͢Δ SBOMͱͯ͠දݱ͢Δʹෳࡶ͗͢Δ Component͕ωετ͢Δґଘؔ DependencyʹΑΔґଘؔ
4. ༷͕ेͰͳ͍͜ͱ͋Δ • SBOM੬ऑੑΛݕ͢Δจ຺Ͱ༻͍ΒΕΔ͜ͱ͕ଟ͍ • ݱঢ়ͷ֤छSBOMͷ༷Ͱਖ਼͘͠੬ऑੑݕͰ͖ͳ͍ SBOMʹπʔϧಠࣗͷ֦ுϓϩύςΟΛಋೖͯ͠ରԠ SBOMͰ༻͍ΒΕ͍ͯΔύοέʔδ දݱ͚ͩͰΓͳ͍
·ͱΊ • ύοέʔδߏϑΝΠϧDocker Image͔Β؆୯ʹSBOM͕ੜͰ͖Δ • ੜͨ͠SBOM͔Β੬ऑੑݕ͕Մೳ • SBOMࠓ·࣮ͩݧஈ֊Ͱ՝ଟ͘ݟΒΕΔ • ੜ͢Δπʔϧͷ༷Λཧղͯ͠ӡ༻͢Δඞཁ͕ٻΊΒΕΔ
• ੜπʔϧ͕ॆ࣮͢ΔʹͭΕͯɺར׆༻͢Δπʔϧ͕ग़ͯ͘Δ • ֤ϕϯμʔ͕SBOMΛެ։͢ΔͳͲͷੈք͕͘Δͱخ͍͠ • SBOMΛར׆༻͢Δπʔϧ·ͩ·ͩগͳ͍ͨΊɺOSSΛ։ൃ͢Δνϟϯεʂ
༨ஊ • SBOMͷະདྷͷ
SBOMͷະདྷͷ Digital Identity Attestation • OSS։ൃऀ/ߩݙऀ/ར༻ऀ͕ɺอक/։ൃ/ར༻͢Δίʔυ͕ Ͳ͔͜Β ͲͷΑ͏ ʹ ڙڅ͞Ε͍ͯΔ͔Λཧղ͠ɺར༻அͰ͖ΔΑ͏ʹ͢Δ͜ͱ
Software Attestation • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷϝλ σʔλΛϞσϧԽͨ͠ͷɻ Software Attestation Digital Identity Attestation ͷҰछ
Software Attestationͱ • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷ ϝλσʔλΛϞσϧԽͨ͠ͷɻ
ιϑτΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτΣΞίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩཧ͢ΔΈ͕։ൃ͞Εͭͭ͋Δ %PDLFS3FHJTUPSZʢ0$*3FHJTUSZʣ SBOM Docker Image Maintainer
ιϑτΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτΣΞίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩཧ͢ΔΈ͕։ൃ͞Εͭͭ͋Δ %PDLFS3FHJTUPSZʢ0$*3FHJTUSZʣ SBOM Docker Image Maintainer
Thank you for attention
ͪͳΈʹ SBOMͷ༷ʹߩݙͨ͠Γͨ͠ 8PSLJOH(SPVQʹ໊લ͕ࡌͬͯͨ • SBOMͱͯ͠੬ऑੑΛදݱ͢Δ༷ʹߩݙ