Thomas Vitale
Devoxx Belgium
Oct 6th, 2023
Securing the Supply Chain
For Your Java Applications
@vitalethomas
Systematic
• Software Engineer and Cloud Architect.
• Author of “Cloud Native Spring in Action” (Manning).
• OSS contributor (Java, Spring, Cloud Native Technologies).
Thomas Vitale
thomasvitale.com @vitalethomas
Software Supply Chain
Software Supply Chain
The set of everything needed to deliver software to production, including code, dependencies, tools, practices, and people.
Software Supply Chain
Every step has multiple security risks and impacts
CNCF Software Supply Chain Security Paper
https://github.com/cncf/tag-security/tree/main/supply-chain-security
[Diagram: Source Code → Dependencies → Build → Artifacts → Deployment]
Supply Chain Security
Tools are not enough
[Diagram: People, Practices, Tools]
Where to begin?
1. Securing the Source Code
Git
Source control: an audit trail of every change.
Can we trust it? Who did this change?
Require signed commits
Make the audit trail trustworthy
Traditional Git signing with keys (GPG, SSH…)
Keyless Git signing with Gitsign
Reject unverified commits
$ git commit -S -m "My changes"
Require signed commits
Git signing with GPG keys
# Sign all commits
git config --local commit.gpgsign true
# Sign all tags
git config --local tag.gpgsign true
# Set the GPG signing key ID (<KEY_ID> is a placeholder for the ID of your own key)
git config --local user.signingkey <KEY_ID>
Require signed commits
Keyless Git signing with Sigstore
Sigstore Gitsign
https://github.com/sigstore/gitsign
# Sign all commits
git config --local commit.gpgsign true
# Sign all tags
git config --local tag.gpgsign true
# Use Gitsign for signing
git config --local gpg.x509.program gitsign
# Gitsign expects x509 args
git config --local gpg.format x509
Provenance
Proved and validated history of a software
component across its supply chain.
2. Securing the Dependencies
Dependency Management
Java
Which dependencies are we fetching?
Where are we fetching the dependencies from?
How are dependency conflicts solved?
Locking Dependency Versions
Generating a lock file with Gradle
build.gradle:
dependencyLocking {
    lockAllConfigurations()
}
$ gradle dependencies --write-locks
Locking Dependency Versions
Generating a lock file with a Maven plugin
pom.xml:
<plugin>
    <groupId>se.vandmo</groupId>
    <artifactId>dependency-lock-maven-plugin</artifactId>
    <version>1.0</version>
    <executions>
        <execution>
            <id>check</id>
            <phase>validate</phase>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
$ mvn se.vandmo:dependency-lock-maven-plugin:lock
SBOM
“A Software Bill of Materials (SBOM) is a nested inventory for software, a list of ingredients that make up software components.”
NTIA
https://ntia.gov/SBOM
SBOMs
Data Exchange Formats
SBOMs
What can we use them for?
• Inventory of all software components
• Validate the licenses for each component
• Check for security vulnerabilities
• Find outdated components
• Verify integrity for each component
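Three of those uses (inventory, license validation, integrity verification) carried out over a CycloneDX document in Python, as an added example that is not part of the talk or of any project it mentions; the BOM and the artifact bytes are constructed sample data, and the allowlist of SPDX ids is an assumption.

```python
import hashlib
# Constructed sample data (not real artifacts or a real band-service BOM): bytes standing in
# for two JARs, and a CycloneDX 1.4 document in the shape cdxgen / the CycloneDX plugins emit.
ARTIFACTS = {
    "pkg:maven/org.yaml/snakeyaml@2.0": b"constructed bytes of snakeyaml-2.0.jar",
    "pkg:maven/com.example/legacy-lib@1.2.3": b"constructed bytes that differ from what was built",
}
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "snakeyaml", "version": "2.0",
         "purl": "pkg:maven/org.yaml/snakeyaml@2.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(
             ARTIFACTS["pkg:maven/org.yaml/snakeyaml@2.0"]).hexdigest()}]},
        {"type": "library", "name": "legacy-lib", "version": "1.2.3",
         "purl": "pkg:maven/com.example/legacy-lib@1.2.3",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}],
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},  # hash recorded at build time
        {"type": "library", "name": "mystery-lib", "version": "0.1",
         "purl": "pkg:maven/com.example/mystery-lib@0.1"},  # no licenses, no hashes declared
    ],
}
def inventory(bom: dict) -> list[str]:
    """Inventory: the purl of every component (the stable coordinate for any later lookup)."""
    return [c["purl"] for c in bom.get("components", [])]

def license_violations(bom: dict, allowed: set[str]) -> dict[str, list[str]]:
    """License validation: SPDX ids or expressions outside the allowlist, or nothing declared."""
    violations = {}
    for c in bom.get("components", []):
        ids = [lic.get("license", {}).get("id") or lic.get("expression") or "UNDECLARED"
               for lic in c.get("licenses", [])] or ["UNDECLARED"]
        if bad := [i for i in ids if i not in allowed]:
            violations[c["purl"]] = bad
    return violations

def verify_integrity(bom: dict, artifacts: dict[str, bytes]) -> dict[str, str]:
    """Integrity: recompute SHA-256 of each artifact and compare it with the hash in the SBOM."""
    result = {}
    for c in bom.get("components", []):
        recorded = next((h["content"] for h in c.get("hashes", []) if h["alg"] == "SHA-256"), None)
        actual = artifacts.get(c["purl"])
        if recorded is None:
            result[c["purl"]] = "no-hash"  # nothing to compare against: a finding in itself
        elif actual is None:
            result[c["purl"]] = "artifact-missing"
        else:
            result[c["purl"]] = "ok" if hashlib.sha256(actual).hexdigest() == recorded.lower() else "mismatch"
    return result
```

A component without a recorded hash is reported as a finding rather than silently passed, since an SBOM that cannot be checked against the artifacts gives no integrity guarantee.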
When?
SBOM from an artifact
Using Syft
Syft
https://github.com/anchore/syft
• Generate an SBOM from a JAR: syft band-service.jar
• Generate an SBOM from an OCI image: syft ghcr.io/thomasvitale/band-service
SBOM from the source code
Using the CycloneDX Generator
cdxgen
https://cyclonedx.github.io/cdxgen
• Generate an SBOM from the source code: cdxgen -o bom.json
SBOM as part of the build lifecycle
Using the CycloneDX Gradle plugin
CycloneDX Gradle Plugin
https://github.com/CycloneDX/cyclonedx-gradle-plugin
build.gradle:
plugins {
    id 'org.cyclonedx.bom' version '1.7.4'
}
tasks.build.finalizedBy 'cyclonedxBom'
$ gradle build
SBOM as part of the build lifecycle
Using the CycloneDX Maven plugin
CycloneDX Maven Plugin
https://github.com/CycloneDX/cyclonedx-maven-plugin
pom.xml:
<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
</plugin>
$ mvn package
Now what?
Vulnerability scanning
Scan for security vulnerabilities with Trivy
Trivy
https://trivy.dev
$ trivy sbom bom.json
VEX
“Vulnerability Exploitability eXchange (VEX) is a vulnerability document designed to complement a Software Bill of Materials (SBOM) that informs users of a software product about the applicability of one or more vulnerability findings.”
OpenVEX
http://openvex.dev
3. Securing the Build
Packaging Spring Boot
JAR & Container Image
JAR:        Gradle bootJar           Maven package
OCI Image:  Gradle bootBuildImage    Maven spring-boot:build-image
Native:     Gradle nativeCompile     Maven -Pnative native:compile
“Friends don’t let friends write Dockerfiles!”
- Josh Long
Dockerfiles
“Dockerfiles are easy to write, but the current development guidelines do not produce containers that are repeatable and hardened.”
CNCF Software Supply Chain Security Paper
https://github.com/cncf/tag-security/tree/main/supply-chain-security
Cloud Native Buildpacks
From source code to container image
Cloud Native Buildpacks
https://buildpacks.io
[Diagram: source code → pack build (or gradle bootBuildImage) → Image]
Eliminate sources of non-determinism
Reproducible builds with Cloud Native Buildpacks
Cloud Native Buildpacks
https://buildpacks.io
[Diagram: the same source run through pack build at two different times yields identical images]
4. Securing the Artifacts
Sign every step in the build process
Signing artifacts with Sigstore Cosign
Sigstore Cosign
https://github.com/sigstore/cosign
• Sign binaries (JAR, native executable)
• Sign SBOM
• Sign OCI image
Sign every step in the build process
Signing artifacts with Sigstore Cosign
Sigstore Cosign
https://github.com/sigstore/cosign
• Sign container image: cosign sign band-service
• Attach SBOM to container image: cosign attach sbom --sbom bom.json band-service
• Sign SBOM: cosign sign band-service:.sbom
SLSA
SLSA
https://slsa.dev
Provenance
Proved and validated history of a software
component across its supply chain.
SLSA Build
Supply chain security levels for the build provenance
SLSA
https://slsa.dev
Level 1: The artifact has provenance showing how it was built.
Level 2: The build runs on a hosted build platform that generates and signs the provenance itself.
Level 3: The build runs on a hardened build platform that offers strong tamper protection (non-falsifiable provenance).
Validating artifact metadata
Verify provenance with SLSA Verifier
SLSA Verifier
https://github.com/slsa-framework/slsa-verifier
$ slsa-verifier verify-image \
    ghcr.io/thomasvitale/band-service: \
    --source-uri github.com/ThomasVitale/band-service
Perform verification of artifacts
Verifying signatures and provenance with Kyverno
Kyverno
https://kyverno.io
• Keyless verification of image signature. If missing compliance, the deployment is blocked.
• Keyless verification of the SLSA provenance metadata. If missing compliance, the deployment is blocked.
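A Kyverno ClusterPolicy that enforces both of those checks for the band-service image, as an added example that is not from the talk or the project itself; the workflow subject paths, the SLSA GitHub generator as the builder, the provenance predicate version and the source URI pattern are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-band-service-supply-chain
spec:
  validationFailureAction: Enforce   # reject non-compliant Pods instead of only auditing them
  background: false                  # image verification is an admission-time check
  failurePolicy: Fail                # if Kyverno cannot run the check, admission is denied
  webhookTimeoutSeconds: 30
  rules:
    - name: keyless-signature-and-slsa-provenance
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/thomasvitale/band-service*"
          mutateDigest: true         # pin the verified digest into the Pod so a moved tag cannot bypass it
          # 1. Keyless signature: the Fulcio certificate must name a workflow of the project's own
          #    repository (assumed path) and the GitHub Actions OIDC issuer, with a Rekor log entry.
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/ThomasVitale/band-service/.github/workflows/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
          # 2. SLSA provenance: a signed attestation of this predicate type must exist, signed by the
          #    SLSA GitHub generator's container workflow (assumed builder), and its configSource must
          #    be this repository (Kyverno accepts * wildcards in condition values).
          attestations:
            - type: https://slsa.dev/provenance/v0.2
              attestors:
                - entries:
                    - keyless:
                        subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@*"
                        issuer: "https://token.actions.githubusercontent.com"
                        rekor:
                          url: https://rekor.sigstore.dev
              conditions:
                - all:
                    - key: "{{ invocation.configSource.uri }}"
                      operator: Equals
                      value: "git+https://github.com/ThomasVitale/band-service@*"
```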
Resources
Resources
Software supply chain security
• Presentation source code
• How to create SBOMs in Java with Maven and Gradle
• SnakeYaml 2.0: Solving the unsafe deserialization vulnerability
• What Are Cloud Native Buildpacks and How Do They Work?
• OWASP Dependency Track and CycloneDX SBOM Standard
• Chainguard Academy