Skip to content

Results

MDSBOM operates by accepting as input reports generated by SBOM/SCA tooling, correlating those results with behaviors observed at runtime, and outputing annotated versions of the source report summarizing our analyses. We currently support input reports in SPDX, CycloneDX, and SARIF.

SPDX

We support ingesting SBOM reports in the SPDX 2.3 format. SDPX documents can be represented in five different variants (tag/value, JSON, YAML, RDF/xml, and xls). We only currently support the JSON representation.

SPDX files contain information about the packages present in an image. When processed by MDSBOM, we will create annotations for each package, either providing evidence of where the package was observed at runtime or stating that we have not observed this package in use.

For example, if a package has not been observed at runtime, an annotation like this will be added to the package:

      "annotations": [
        {
          "annotationDate": "2023-11-09T19:21:39.558177176+00:00",
          "annotationType": "REVIEW",
          "annotator": "Tool: mdsbom-0.1.0",
          "comment": "No observed instances of this package being used at runtime."
        }
      ],

Conversely, if a package has been observed at runtime, an annotation like this will be added:

      "annotations": [
        {
          "annotationDate": "2023-11-09T19:21:39.558360025+00:00",
          "annotationType": "REVIEW",
          "annotator": "Tool: mdsbom-0.1.0",
          "comment": "[{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"786fb88754c03a26974b7766a946df85781c883fd9c85702a00e360697d7d64d\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"786fb88754c03a26974b7766a946df85781c883fd9c85702a00e360697d7d64d\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"786fb88754c03a26974b7766a946df85781c883fd9c85702a00e360697d7d64d\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"c704cba7a205e768a9c84ced29a1a5bbf42ef25a69a82a8c28b9423c3cfb3a7c\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"c704cba7a205e768a9c84ced29a1a5bbf42ef25a69a82a8c28b9423c3cfb3a7c\"}]"
        }
      ],

The format for these annotations may be subject to change prior to GA

CycloneDX

We support ingesting SCA reports in the CycloneDX v1.4 and v1.5 formats. CycloneDX reports may also contain SBOM information, we currently only examine the vulnerabilities section however. CycloneDX files can be represented as either JSON or XML. We only currently support the JSON representation.

CycloneDX vulnerabiltiy reports contain information about the vulnerable packages present in an image. When processed by MDSBOM, we will create annotations for each vulnerability, either providing evidence of where the vulnerable package was observed at runtime or stating that we have not observed the vulnerable package in use.

For example, if all packages for a vulnerability have not been observed at runtime, an analysis like this will be added to the vulnerability entry:

      "analysis": {
        "detail": "The vulnerable component(s) are not accessed at runtime.",
        "justification": "code_not_reachable",
        "state": "not_affected"
      },

Conversely, if a vulnerable package has been observed, a property like this will be added:

      "properties": [
        {
          "name": "forallsecure:mdsbom:evidence",
          "value": "[{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"786fb88754c03a26974b7766a946df85781c883fd9c85702a00e360697d7d64d\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"786fb88754c03a26974b7766a946df85781c883fd9c85702a00e360697d7d64d\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"786fb88754c03a26974b7766a946df85781c883fd9c85702a00e360697d7d64d\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"c704cba7a205e768a9c84ced29a1a5bbf42ef25a69a82a8c28b9423c3cfb3a7c\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"c704cba7a205e768a9c84ced29a1a5bbf42ef25a69a82a8c28b9423c3cfb3a7c\"}]"
        }
      ],

SARIF

We support ingesting SCA reports in the SARIF format.

SARIF vulnerabiltiy reports contain information about the vulnerable packages present in an image. When processed by MDSBOM, we will create annotations for each vulnerability, either providing evidence of where the vulnerable package was observed at runtime or stating that we have not observed the vulnerable package in use.

For example, if all packages for a vulnerability have not been observed at runtime, a suppression like this will be added to the vulnerability entry and marked as "underReview" for approval by a reviewer:

          "suppressions": [
            {
              "justification": "The vulnerable component(s) have not been observed in use at runtime.",
              "kind": "external",
              "status": "underReview"
            }
          ]

Conversely, if a vulnerable package has been observed, a property like this will be added:

          "properties": {
            "forAllSecure/mdsbom/evidence": "[{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"786fb88754c03a26974b7766a946df85781c883fd9c85702a00e360697d7d64d\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"786fb88754c03a26974b7766a946df85781c883fd9c85702a00e360697d7d64d\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"786fb88754c03a26974b7766a946df85781c883fd9c85702a00e360697d7d64d\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"6234b3d6faaa85f76cc24f6d0d29043a01a1ecdbc8f45468351699458d905327\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libssl.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"c704cba7a205e768a9c84ced29a1a5bbf42ef25a69a82a8c28b9423c3cfb3a7c\"},{\"type\":\"FileAccess\",\"path\":\"/usr/lib/x86_64-linux-gnu/libcrypto.so.3\",\"program\":\"/usr/local/bin/redis-server\",\"container_unique_id\":\"c704cba7a205e768a9c84ced29a1a5bbf42ef25a69a82a8c28b9423c3cfb3a7c\"}]"
          },

Docker Scout SBOM

We support Docker Scout SBOM reports, which are emitted in a custom JSON format from Docker Scout. Usually you will not deal with these reports directly, but would instead use our Docker Scout Integration to process these.

Other

Support for other report formats, and for more complete file format support for the supported formats, is planned.

Support for VEX is also planned.

Interpreting Results

MDSBOM is designed to reduce the signal:noise ratio developers face when reviewing SCA or other vulnerability scan results. Like any solution based around behavioral analysis, there is a risk of false negatives. In general, the more the target is exercised, the more complete MDSBOM's profiles will be.

If code paths which load vulnerable components are not exercised in a setting observed by MDSBOM, we will not be able to draw the correct conclusion during analysis. The deployment page discusses a bit about different deployment scenarios. In general though, the more the application is exercised, the more confidence can be drawn that the relevant behaviors have been captured. Understanding this while reviewing results is important to get a more complete picture of potential exposure.

It is in general not proper to conclude that a vulnerability is a false positive solely due to it not having been observed by MDSBOM. The evidence provided by MDSBOM can be used though to jump start an impact investigation or corroborate the results of a manual review. The reports generated by MDSBOM should be reviewed by a human and not used as the sole justification for an exemption.

Similarly, vulnerable packages run at build time can have an impact on the security of the produced image, but code which only runs during image build time will not be captured in MDSBOM's report.