V0finder & Labrador
최태형 [thchoi@gtone.co.kr]
V0finder: Discovering the Correct Origin of Publicly Reported Software Vulnerabilities
By Seunghoon Woo et al.
In the 30th USENIX Security Symposium, 2021
Application & Data Governance
Terminologies & Techniques
 V0 (vulnerability zero): the specific software version in which a (security) vulnerability originated
 Locality-Sensitive Hash: a hash function that gives similar values to similar inputs
 CVE (Common Vulnerabilities & Exposures)
– A database for managing security vulnerabilities
– Cf. Vulnerability vs. Weakness
• Vulnerability: an actual security flaw that has arisen, e.g., from an inherent weakness
• Weakness: a vulnerable part of the code or program structure that can lead to a vulnerability
(figure fragment: "6. Statistical machine learning")
Detecting vulnerable software
 Extract all functions and apply LSH

Detecting vulnerable software
 Use code-clone detection against the vulnerable code
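To make the two slides above concrete, here is an added example (not code from V0finder, VUDDY or these slides): it abstracts identifiers in C functions the way VUDDY-style clone detection does, then uses MinHash banding as the locality-sensitive hash. The sample functions, the 3-token shingles and the 64-hash/16-band parameters are assumptions of this example, not the paper's.

```python
import hashlib
import re
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed sample functions (not taken from any real project).
VULN_FUNC = """
int copy_name(char *dst, const char *src, int n) {
    int i;
    for (i = 0; i < n; i++) {
        dst[i] = src[i];
    }
    return i;
}
"""
# Same logic with renamed identifiers and one added statement: a near-clone.
NEAR_CLONE = """
int copy_label(char *out, const char *in, int len) {
    int k;
    log_call("copy_label");
    for (k = 0; k < len; k++) {
        out[k] = in[k];
    }
    return k;
}
"""
UNRELATED = """
double mean(const double *xs, int n) {
    double s = 0.0;
    for (int i = 0; i < n; i++) s += xs[i];
    return n ? s / n : 0.0;
}
"""

C_KEYWORDS = {"int", "char", "const", "double", "for", "return", "if", "else",
              "while", "void", "unsigned", "long", "sizeof", "struct"}
TOKEN_RE = re.compile(r'"[^"]*"|[A-Za-z_]\w*|\d+|\S')
NUM_HASHES = 64


def abstract_tokens(src: str) -> List[str]:
    """Tokenize C source and abstract identifiers to ID, literals to NUM/STR.
    Keywords and punctuation are kept, so renaming variables leaves the
    token stream unchanged (the abstraction step VUDDY-style matching uses)."""
    out = []
    for tok in TOKEN_RE.findall(src):
        if tok.startswith('"'):
            out.append("STR")
        elif tok.isdigit():
            out.append("NUM")
        elif tok in C_KEYWORDS or not re.match(r"[A-Za-z_]", tok):
            out.append(tok)
        else:
            out.append("ID")
    return out


def shingles(tokens: List[str], k: int = 3) -> Set[str]:
    """k-token shingles; Jaccard similarity is defined over these sets."""
    return {" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if a or b else 0.0


def _seeded_hash(seed: int, s: str) -> int:
    salt = seed.to_bytes(8, "little")
    return int.from_bytes(hashlib.blake2b(s.encode(), digest_size=8, salt=salt).digest(), "big")


def minhash(sh: Set[str]) -> List[int]:
    """MinHash signature: P[two min-hashes agree] equals the Jaccard similarity."""
    return [min(_seeded_hash(seed, s) for s in sh) for seed in range(NUM_HASHES)]


def estimate(sig_a: List[int], sig_b: List[int]) -> float:
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)


def lsh_candidates(sigs: Dict[str, List[int]], bands: int = 16) -> Set[Tuple[str, str]]:
    """Banding LSH: two functions become a candidate pair when any band of their
    signatures is identical. Exact clones always collide; near-clones collide
    with a probability that rises steeply with their similarity."""
    rows = NUM_HASHES // bands
    buckets: Dict[Tuple[int, Tuple[int, ...]], List[str]] = {}
    for name, sig in sigs.items():
        for b in range(bands):
            buckets.setdefault((b, tuple(sig[b * rows:(b + 1) * rows])), []).append(name)
    pairs: Set[Tuple[str, str]] = set()
    for names in buckets.values():
        pairs.update(combinations(sorted(set(names)), 2))
    return pairs


def analyse() -> dict:
    funcs = {"copy_name": VULN_FUNC, "copy_label": NEAR_CLONE, "mean": UNRELATED}
    sh = {n: shingles(abstract_tokens(s)) for n, s in funcs.items()}
    sigs = {n: minhash(s) for n, s in sh.items()}
    return {
        "jaccard_clone": jaccard(sh["copy_name"], sh["copy_label"]),
        "jaccard_other": jaccard(sh["copy_name"], sh["mean"]),
        "estimate_clone": estimate(sigs["copy_name"], sigs["copy_label"]),
        "candidates": lsh_candidates(sigs),
    }


if __name__ == "__main__":
    print(analyse())
```

In a real scan the signature index is built once over the vulnerable functions (the V0 side) and each target function is probed against it, so only candidate pairs need a full comparison.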
Labrador (from IOTCUBE)
SCA
 Software Composition Analysis
– An application-security methodology for managing open-source components
– Finds all related components and supporting libraries, including direct and indirect dependencies
– Detects software licenses
– Detects dependencies that should no longer be used because of security vulnerabilities, potential exploits, etc.
– Related tools
• Snyk, Mend, Black Duck Software Composition Analysis, Contrast Security, …
Terminologies & Techniques
 VUDDY (VUlnerable coDe clone DiscoverY)
– Detects code clones of vulnerable code registered in CVE
 CENTRIS (CENTRIfuge for Software)
– Separates software into a reused part and an in-house part
– Reused part: registered (open-source) source code, reused as-is or in modified form
– In-house part: everything written directly, excluding the reused part
 SBOM (Software Bill of Materials)
– A bill of materials for software
– A formal record containing the details of the components that make up a piece of software and their supply-chain relationships
– Formats: SPDX (ISO), CycloneDX (OWASP), etc.
Labrador OSS
 SBOM-based OSS supply-chain safety management solution
– Provides an SBOM
• CENTRIS technology
• Formats: SPDX, CycloneDX
– Detects security vulnerabilities and provides patches
• VUDDY technology
– Detects license issues
– Automatic management of open-source governance policy
Software Bill-of-Materials (SBOM)
Software Supply Chain

The need for software supply-chain transparency
What is an SBOM?
 SBOM
– A list of software ingredients, or a nested inventory
– Structured, or formal, data (a formal record)
• Subject: the various components used to build the software
• Content: details and descriptions, and supply-chain relationships
Areas where SBOM is used
– SBOMs support a variety of use cases across software and security
Uses of SBOM
 Summary
– SBOM is a technology and operating model for tracking software dependencies
– Provides better software security and supply-chain risk management
• Vulnerability management
• Procurement
• Handling emerging risks
Comparison of SBOM implementations
 SPDX
– Open standard for SBOMs
• Components, licenses, copyrights, security references, etc.
– Specification developed by the SPDX workgroup (hosted in the Linux Foundation)
 CycloneDX
– SBOM standard built specifically for application-security contexts and supply-chain component analysis
– Specification maintained by the CycloneDX core group, which originated in OWASP
 SWID tags
– Record unique information about installed software
• Name, edition, version, whether it is part of a bundle, etc.
– Support software inventory and asset management initiatives
– ISO/IEC 19770-2:2015
Implementation of SBOM core fields

| Field | SPDX | SWID | CycloneDX |
|---|---|---|---|
| Supplier | (3.5) PackageSupplier: | <Entity>@role(softwareCreator/publisher), @name | publisher |
| Component | (3.1) PackageName: | <softwareIdentity>@name | name |
| Unique Identifier | (3.2) SPDXID: | <softwareIdentity>@tagID | bom/serialNumber and component/bom-ref |
| Version | (3.3) PackageVersion: | <softwareIdentity>@version | version |
| Component Hash | (3.10) PackageChecksum: | <Payload>/../<File>@[hash-algorithm]:hash | hash |
| Relationship | (7.1) Relationship: CONTAINS | <Link>@rel, @href | (Nested assembly/subassembly and/or dependency graphs) |
| SBOM Author | (2.8) Creator: | <Entity>@role(tagCreator), @name | bom-descriptor: metadata/manufacture/contact |
SPDX (Software Package Data eXchange)
 Definition
– SPDX provides a standard language for exchanging component, license, copyright and security information associated with software components in a variety of file forms.
 Usage
– Can be expressed in various file formats (RDF, .xlsx, .spdx, etc.)
– Extensible to other forms (.xml, .json, .yaml, etc.)
 Content
– SPDX Document Creation Information: metadata about the specific version of the SPDX file associated with the analysis results and about the creation of the file
– Package Information: common characteristics of the package as a whole
– File Information: details of the files that can belong to a package
– Snippet Information: details of parts corresponding to portions of a file
– Other licensing information detected: information on, or for referencing, licenses that are not on the SPDX license list
– Relationships Between SPDX Elements: how the different documents, packages and files relate to each other
– Annotations: who reviewed the SPDX file and when
SPDX : Document Creation Information

| Mandatory | Field Name | Comment |
|---|---|---|
| O | 6.1 SPDX Version | Which version of SPDX? |
| O | 6.2 Data License | Data in the document: CC0-1.0 |
| O | 6.3 SPDX Identifier | ID of this document |
| O | 6.4 Document Name | |
| O | 6.5 SPDX Document Namespace | URI |
| | 6.6 External Document Reference | |
| | 6.7 License List Version | |
| O | 6.8 Creator | How this document was created: manual review (who? when?); tool (ID, version, when?) |
| O | 6.9 Created | Date and time this document was created |
| | 6.10 Creator Comment | General comment from the creator |
| | 6.11 Document Comment | Creator's comment for consumers of this document |
SPDX : Package Information

| Mandatory | Field Name | Comment |
|---|---|---|
| O | 7.1 Package Name | Official name given by the author |
| O | 7.2 Package SPDX Identifier | ID (must be unique) |
| | 7.3 Package Version | |
| | 7.4 Package File Name | Actual file name of the package |
| | 7.5 Package Supplier | |
| | 7.6 Package Originator | |
| O | 7.7 Package Download Location | Download URL |
| | 7.8 Files Analyzed | Files associated with the package |
| O | 7.9 Package Verification Code | Special algorithm |
| | 7.10 Package Checksum | |
| | 7.11 Package Home Page | Project home page |
| | 7.12 Source Information | |
| O | 7.13 Concluded License | |
SPDX : Package Information (Cont'd)

| Mandatory | Field Name | Comment |
|---|---|---|
| O | 7.15 Declared License | |
| | 7.16 Comments on License | |
| | 7.17 Copyright Text | Any copyrights declared? |
| | 7.18 Package Summary Description | |
| | 7.19 Package Detailed Description | |
| | 7.20 Package Comment | |
| | 7.21 External Reference | |
| | 7.22 External Reference Comment | |
| | 7.23 Package Attribution Text | |
SPDX : File Information

| Mandatory | Field Name |
|---|---|
| O | 8.1 File Name |
| O | 8.2 File SPDX Identifier |
| | 8.3 File Type |
| O | 8.4 File Checksum |
| O | 8.5 Concluded License |
| O | 8.6 License Information in File |
| | 8.7 Comments on License |
| O | 8.8 Copyright Text |
| | 8.9 Artifact of Project Name |
| | 8.12 File Comment |
| | 8.13 File Notice |
| | 8.14 File Contributor |
| | 8.15 File Attribution Text |

* 8.10, 8.11, 8.16 Deprecated
SPDX : Snippet Information

| Mandatory | Field Name |
|---|---|
| O | 9.1 Snippet SPDX Identifier |
| O | 9.2 Snippet from File SPDX Identifier |
| O | 9.3 Snippet Byte Range |
| | 9.4 Snippet Line Range |
| O | 9.5 Snippet Concluded License |
| | 9.6 License Information in Snippet |
| | 9.7 Snippet Comments on License |
| O | 9.8 Snippet Copyright Text |
| | 9.9 Snippet Comment |
| | 9.10 Snippet Name |
| | 9.11 Snippet Attribution Text |
SPDX : Other Licensing Information Detected

| Mandatory | Field Name |
|---|---|
| Conditional | 10.1 License Identifier |
| Conditional | 10.2 Extracted Text |
| Conditional | 10.3 License Name |
| Conditional | 10.4 License Cross Reference |
| Conditional | 10.5 License Comment |

SPDX : Relationships between SPDX elements information

| Mandatory | Field Name |
|---|---|
| | 11.1 Relationship |
| | 11.2 Relationship Comment |
SPDX : Annotations Information

| Mandatory | Field Name |
|---|---|
| Conditional | 12.1 Annotator |
| Conditional | 12.2 Annotation Date |
| Conditional | 12.3 Annotation Type |
| Conditional | 12.4 SPDX Identifier Reference |
| Conditional | 12.5 Annotation Comment |
SPDX Lite

| SPDX Lite # | SPDX # | Field Name |
|---|---|---|
| L1.1 | 6.1 | SPDX Version |
| L1.2 | 6.2 | Data License |
| L1.3 | 6.3 | SPDX Identifier |
| L1.4 | 6.4 | Document Name |
| L1.5 | 6.5 | SPDX Document Namespace |
| L1.6 | 6.8 | Creator |
| L1.7 | 6.9 | Created |
| L2.1 | 7.1 | Package Name |
| L2.2 | 7.2 | Package SPDX Identifier |
| L2.3 | 7.3 | Package Version |
| L2.4 | 7.4 | Package File Name |
| L2.5 | 7.7 | Package Download Location |
| L2.6 | 7.8 | Files Analyzed |
| L2.7 | 7.11 | Package Home Page |
| L2.8 | 7.13 | Concluded License |
| L2.9 | 7.15 | Declared License |
| L2.10 | 7.16 | Comments on License |
| L2.11 | 7.17 | Copyright Text |
| L2.12 | 7.20 | Package Comment |
| L3.1 | 10.1 | License Identifier |
| L3.2 | 10.2 | Extracted Text |
| L3.3 | 10.3 | License Name |
| L3.4 | 10.5 | License Comment |
SPDX example (1)

SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: hello
DocumentNamespace: https://swinslow.net/spdx-examples/example1/hello-v3
Creator: Person: Steve Winslow (steve@swinslow.net)
Creator: Tool: github.com/spdx/tools-golang/builder
Creator: Tool: github.com/spdx/tools-golang/idsearcher
Created: 2021-08-26T01:46:00Z

##### Package: hello

PackageName: hello
SPDXID: SPDXRef-Package-hello
PackageDownloadLocation: git+https://github.com/swinslow/spdx-examples.git#example1/content
FilesAnalyzed: true
PackageVerificationCode: 9d20237bb72087e87069f96afb41c6ca2fa2a342
PackageLicenseConcluded: GPL-3.0-or-later
PackageLicenseInfoFromFiles: GPL-3.0-or-later
PackageLicenseDeclared: GPL-3.0-or-later
PackageCopyrightText: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-hello

FileName: /build/hello
SPDXID: SPDXRef-hello-binary
FileType: BINARY
FileChecksum: SHA1: 20291a81ef065ff891b537b64d4fdccaf6f5ac02
FileChecksum: SHA256: 83a33ff09648bb5fc5272baca88cf2b59fd81ac4cc6817b86998136af368708e
FileChecksum: MD5: 08a12c966d776864cc1eb41fd03c3c3d
LicenseConcluded: GPL-3.0-or-later
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION

FileName: /src/Makefile
SPDXID: SPDXRef-Makefile
FileType: SOURCE
FileChecksum: SHA1: 69a2e85696fff1865c3f0686d6c3824b59915c80
FileChecksum: SHA256: 5da19033ba058e322e21c90e6d6d859c90b1b544e7840859c12cae5da005e79c
FileChecksum: MD5: 559424589a4f3f75fd542810473d8bc1
LicenseConcluded: GPL-3.0-or-later
LicenseInfoInFile: GPL-3.0-or-later
FileCopyrightText: NOASSERTION

FileName: /src/hello.c
SPDXID: SPDXRef-hello-src
FileType: SOURCE
FileChecksum: SHA1: 20862a6d08391d07d09344029533ec644fac6b21
FileChecksum: SHA256: b4e5ca56d1f9110ca94ed0bf4e6d9ac11c2186eb7cd95159c6fdb50e8db5a823
FileChecksum: MD5: 935054fe899ca782e11003bbae5e166c
LicenseConcluded: GPL-3.0-or-later
LicenseInfoInFile: GPL-3.0-or-later
FileCopyrightText: Copyright Contributors to the spdx-examples project.

Relationship: SPDXRef-hello-binary GENERATED_FROM SPDXRef-hello-src
Relationship: SPDXRef-hello-binary GENERATED_FROM SPDXRef-Makefile
Relationship: SPDXRef-Makefile BUILD_TOOL_OF SPDXRef-Package-hello
SPDX example (2)

SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: hello-bin
DocumentNamespace: https://swinslow.net/spdx-examples/example2/hello-bin-v4
ExternalDocumentRef: DocumentRef-hello-src https://swinslow.net/spdx-examples/example2-hello-src-v3 SHA1: bb991e91fc62ce239d7baf30783c678506f9d17b
Creator: Person: Steve Winslow (steve@swinslow.net)
Creator: Tool: github.com/spdx/tools-golang/builder
Creator: Tool: github.com/spdx/tools-golang/idsearcher
Created: 2021-08-26T01:49:00Z

##### Package: hello-bin

PackageName: hello-bin
SPDXID: SPDXRef-Package-hello-bin
PackageDownloadLocation: git+https://github.com/swinslow/spdx-examples.git#example2/content/build
FilesAnalyzed: true
PackageVerificationCode: d7aa17dad30d1d1d468a10ea1ec5e100e471c064
PackageLicenseConcluded: GPL-3.0-or-later
PackageLicenseInfoFromFiles: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-hello-bin

FileName: /hello
SPDXID: SPDXRef-hello-binary
FileType: BINARY
FileChecksum: SHA1: 20291a81ef065ff891b537b64d4fdccaf6f5ac02
FileChecksum: SHA256: 83a33ff09648bb5fc5272baca88cf2b59fd81ac4cc6817b86998136af368708e
FileChecksum: MD5: 08a12c966d776864cc1eb41fd03c3c3d
LicenseConcluded: GPL-3.0-or-later
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION

##### Relationships

Relationship: SPDXRef-hello-binary GENERATED_FROM DocumentRef-hello-src:SPDXRef-hello-src
Relationship: SPDXRef-hello-binary GENERATED_FROM DocumentRef-hello-src:SPDXRef-Makefile

SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: hello-src
DocumentNamespace: https://swinslow.net/spdx-examples/example2/hello-src-v3
Creator: Person: Steve Winslow (steve@swinslow.net)
Creator: Tool: github.com/spdx/tools-golang/builder
Creator: Tool: github.com/spdx/tools-golang/idsearcher
Created: 2021-08-26T01:47:00Z

##### Package: hello-src

PackageName: hello-src
SPDXID: SPDXRef-Package-hello-src
PackageDownloadLocation: git+https://github.com/swinslow/spdx-examples.git#example2/content/src
FilesAnalyzed: true
PackageVerificationCode: c6cb0949d7cd7439fce8690262a0946374824639
PackageLicenseConcluded: NOASSERTION
PackageLicenseInfoFromFiles: GPL-3.0-or-later
PackageLicenseDeclared: GPL-3.0-or-later
PackageCopyrightText: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-hello-src

FileName: /Makefile
SPDXID: SPDXRef-Makefile
FileType: SOURCE
FileChecksum: SHA1: 69a2e85696fff1865c3f0686d6c3824b59915c80
FileChecksum: SHA256: 5da19033ba058e322e21c90e6d6d859c90b1b544e7840859c12cae5da005e79c
FileChecksum: MD5: 559424589a4f3f75fd542810473d8bc1
LicenseConcluded: GPL-3.0-or-later
LicenseInfoInFile: GPL-3.0-or-later
FileCopyrightText: NOASSERTION

FileName: /hello.c
SPDXID: SPDXRef-hello-src
FileType: SOURCE
FileChecksum: SHA1: 20862a6d08391d07d09344029533ec644fac6b21
FileChecksum: SHA256: b4e5ca56d1f9110ca94ed0bf4e6d9ac11c2186eb7cd95159c6fdb50e8db5a823
FileChecksum: MD5: 935054fe899ca782e11003bbae5e166c
LicenseConcluded: GPL-3.0-or-later
LicenseInfoInFile: GPL-3.0-or-later
FileCopyrightText: Copyright Contributors to the spdx-examples project.

##### Relationships

Relationship: SPDXRef-Makefile BUILD_TOOL_OF SPDXRef-Package-hello-src
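An added example, not part of the slides or of the spdx-examples project: a minimal reader for the tag-value form shown in the two examples above that verifies shipped bytes against FileChecksum entries (8.4) and resolves a DocumentRef:SPDXRef relationship into the external document through ExternalDocumentRef (6.6). The two documents, the example.invalid namespaces, the b"hello" file contents and the zeroed external checksum are constructed for this illustration.

```python
import hashlib
from typing import Dict, Optional

# Constructed two-document pair modelled on the hello-src / hello-bin example.
# /hello.c and /hello are assumed to ship as the bytes b"hello"; the checksums
# are those of b"hello". The ExternalDocumentRef SHA1 is a zeroed placeholder.
HELLO_SRC = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: hello-src
DocumentNamespace: https://example.invalid/spdx/hello-src-v1
Creator: Tool: constructed-example
##### Package: hello-src
PackageName: hello-src
SPDXID: SPDXRef-Package-hello-src
PackageDownloadLocation: NOASSERTION
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-hello-src
FileName: /hello.c
SPDXID: SPDXRef-hello-src
FileChecksum: SHA1: aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
FileChecksum: SHA256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
LicenseInfoInFile: GPL-3.0-or-later
"""
HELLO_BIN = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: hello-bin
DocumentNamespace: https://example.invalid/spdx/hello-bin-v1
ExternalDocumentRef: DocumentRef-hello-src https://example.invalid/spdx/hello-src-v1 SHA1: 0000000000000000000000000000000000000000
Creator: Tool: constructed-example
PackageName: hello-bin
SPDXID: SPDXRef-Package-hello-bin
PackageDownloadLocation: NOASSERTION
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-hello-bin
FileName: /hello
SPDXID: SPDXRef-hello-binary
FileChecksum: SHA256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
LicenseInfoInFile: NOASSERTION
Relationship: SPDXRef-hello-binary GENERATED_FROM DocumentRef-hello-src:SPDXRef-hello-src
"""
ALGS = {"SHA1": "sha1", "SHA256": "sha256", "MD5": "md5", "SHA512": "sha512"}


def parse_tag_value(text: str) -> dict:
    """Tag-value reader: 'Tag: Value' lines, '#' comments; PackageName and
    FileName open a new element. Multi-line <text> values are not handled."""
    doc: dict = {"fields": {}, "packages": [], "files": [],
                 "relationships": [], "external_refs": {}}
    current = doc["fields"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag in ("PackageName", "FileName"):
            current = {}
            doc["packages" if tag == "PackageName" else "files"].append(current)
        if tag == "Relationship":
            doc["relationships"].append(tuple(value.split()))
        elif tag == "ExternalDocumentRef":
            ref, uri, _checksum = value.split(maxsplit=2)
            doc["external_refs"][ref] = uri
        else:
            current.setdefault(tag, []).append(value)
    return doc


def verify_file(file_el: dict, data: bytes) -> Dict[str, bool]:
    """Check every FileChecksum (8.4) of a file element against the shipped bytes."""
    results = {}
    for entry in file_el.get("FileChecksum", []):
        alg, _, expected = entry.partition(":")
        alg = alg.strip().upper()
        results[alg] = hashlib.new(ALGS[alg], data).hexdigest() == expected.strip().lower()
    return results


def resolve(docs: Dict[str, dict], doc_name: str, ref: str) -> Optional[dict]:
    """Resolve 'SPDXRef-x' in doc_name, or 'DocumentRef-y:SPDXRef-x' through the
    ExternalDocumentRef whose namespace matches another loaded document."""
    doc = docs[doc_name]
    if ":" in ref:
        ext, _, ref = ref.partition(":")
        uri = doc["external_refs"].get(ext)
        doc = next((d for d in docs.values()
                    if d["fields"].get("DocumentNamespace") == [uri]), None)
        if doc is None:
            return None
    return next((e for e in doc["packages"] + doc["files"]
                 if e.get("SPDXID") == [ref]), None)


def analyse() -> dict:
    docs = {d["fields"]["DocumentName"][0]: d
            for d in (parse_tag_value(HELLO_SRC), parse_tag_value(HELLO_BIN))}
    src_file = resolve(docs, "hello-src", "SPDXRef-hello-src")
    bin_file = resolve(docs, "hello-bin", "SPDXRef-hello-binary")
    origin = resolve(docs, "hello-bin", "DocumentRef-hello-src:SPDXRef-hello-src")
    return {
        "src_ok": verify_file(src_file, b"hello"),
        "bin_ok": verify_file(bin_file, b"hellO"),  # tampered artifact bytes
        "origin_is_src": origin is src_file,
        "relationships": docs["hello-bin"]["relationships"],
    }
```

A production check would also compare the ExternalDocumentRef checksum against the SHA1 of the referenced document before trusting anything resolved through it.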
SWID (SoftWare IDentification) Tags
 Definition
– By NIST: SWID tags define a lifecycle in which a tag is added as part of a software product's installation process and removed during the product's uninstall process
– They are standard indicators of the presence of a software product on a device, using consistent labels that carry details such as product name and version
 Content
– Corpus Tags: describe the pre-installation phase of the software (tar, zip, executable file)
– Primary Tags: provide basic information such as the product name, the tag's (global) ID and the identity of the tag creator
– Patch Tags: identify and describe patches applied to the product
– Supplemental Tags: add details to Primary or Patch tags

SW Lifecycle supported by SWID Tags
SWID Examples : Primary Tags & Supplemental Tags

<SoftwareIdentity
    xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="ACME Roadrunner Management Suite Coyote Edition"
    tagId="com.acme.rms-ce-v4-1-5-0"
    tagVersion="0"
    version="4.1.5">
  <Entity
      name="The ACME Corporation"
      regid="acme.com"
      role="tagCreator softwareCreator"/>
  …
</SoftwareIdentity>

<SoftwareIdentity
    xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="ACME Roadrunner Management Suite Coyote Edition"
    tagId="com.acme.rms-sensor-1"
    supplemental="true">
  <Entity
      name="The ACME Corporation"
      regid="acme.com"
      role="tagCreator softwareCreator"/>
  <Link
      rel="related"
      href="swid:com.acme.rms-ce-v4-1-5-0"/>
  …
</SoftwareIdentity>
SWID Examples : Patch Tags

<SoftwareIdentity
    xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="ACME Roadrunner Service Pack 1"
    tagId="com.acme.rms-ce-sp1-v1-0-0"
    patch="true"
    version="1.0.0">
  <Entity
      name="The ACME Corporation"
      regid="acme.com"
      role="tagCreator softwareCreator"/>
  <Link
      rel="patches"
      href="swid:com.acme.rms-ce-v4-1-5-0"/>
  …
</SoftwareIdentity>
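The following is an added example (not from the slides or from ISO/IEC 19770-2) that parses the three kinds of tag shown above and walks the Links between them to rebuild the installed-product view; the trimmed ACME tags, and the orphan hotfix tag that points at an uninstalled version, are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SI, ENTITY, LINK = (f"{{{NS}}}{n}" for n in ("SoftwareIdentity", "Entity", "Link"))

# Constructed tags modelled on the ACME examples above; the orphan hotfix tag
# and its v3.9 target are invented to show a dangling link.
PRIMARY = f"""<SoftwareIdentity xmlns="{NS}"
  name="ACME Roadrunner Management Suite Coyote Edition"
  tagId="com.acme.rms-ce-v4-1-5-0" tagVersion="0" version="4.1.5">
  <Entity name="The ACME Corporation" regid="acme.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>"""
SUPPLEMENTAL = f"""<SoftwareIdentity xmlns="{NS}"
  name="ACME Roadrunner Management Suite Coyote Edition"
  tagId="com.acme.rms-sensor-1" supplemental="true">
  <Entity name="The ACME Corporation" regid="acme.com" role="tagCreator softwareCreator"/>
  <Link rel="related" href="swid:com.acme.rms-ce-v4-1-5-0"/>
</SoftwareIdentity>"""
PATCH = f"""<SoftwareIdentity xmlns="{NS}"
  name="ACME Roadrunner Service Pack 1"
  tagId="com.acme.rms-ce-sp1-v1-0-0" patch="true" version="1.0.0">
  <Entity name="The ACME Corporation" regid="acme.com" role="tagCreator softwareCreator"/>
  <Link rel="patches" href="swid:com.acme.rms-ce-v4-1-5-0"/>
</SoftwareIdentity>"""
ORPHAN_PATCH = f"""<SoftwareIdentity xmlns="{NS}"
  name="ACME Roadrunner Hotfix (old)" tagId="com.acme.rms-ce-hotfix-old"
  patch="true" version="0.9">
  <Link rel="patches" href="swid:com.acme.rms-ce-v3-9-0-0"/>
</SoftwareIdentity>"""


def tag_kind(root: ET.Element) -> str:
    """corpus / patch / supplemental are boolean attributes; otherwise primary."""
    for attr in ("corpus", "patch", "supplemental"):
        if root.get(attr, "false").lower() == "true":
            return attr
    return "primary"


def parse_tag(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != SI:
        raise ValueError(f"not a SWID 2015 tag: {root.tag}")
    return {
        "tagId": root.get("tagId"), "name": root.get("name"),
        "version": root.get("version"), "kind": tag_kind(root),
        "links": [(l.get("rel"), l.get("href")) for l in root.findall(LINK)],
        "entities": [(e.get("name"), e.get("regid"), e.get("role", "").split())
                     for e in root.findall(ENTITY)],
    }


def linked_to(tags: Dict[str, dict], tag_id: str, rel: str) -> List[str]:
    """tagIds of tags carrying <Link rel=rel href="swid:tag_id">."""
    return [t["tagId"] for t in tags.values()
            for r, href in t["links"] if r == rel and href == f"swid:{tag_id}"]


def installed_view(tags: Dict[str, dict], primary_id: str) -> dict:
    """What an inventory tool reports for one installed product: the primary
    tag, the patches applied to it and the supplemental tags attached to it."""
    p = tags[primary_id]
    if p["kind"] != "primary":
        raise ValueError(f"{primary_id} is a {p['kind']} tag")
    return {"product": p["name"], "version": p["version"],
            "patches": linked_to(tags, primary_id, "patches"),
            "supplemental": linked_to(tags, primary_id, "related"),
            "tag_creator": [n for n, _, roles in p["entities"] if "tagCreator" in roles]}


def dangling_links(tags: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Links whose target tag is absent: a patch or supplemental tag that
    outlived its primary (missed at uninstall), or a target never installed."""
    return [(t["tagId"], href) for t in tags.values() for _, href in t["links"]
            if href.startswith("swid:") and href[len("swid:"):] not in tags]


def load_all() -> Dict[str, dict]:
    tags = [parse_tag(x) for x in (PRIMARY, SUPPLEMENTAL, PATCH, ORPHAN_PATCH)]
    return {t["tagId"]: t for t in tags}
```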
SWID Examples : Flexera Software

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<swid:software_identification_tag
    xsi:schemaLocation="http://standards.iso.org/iso/19770/-2/2008/schema.xsd software_identification_tag.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:swid="http://standards.iso.org/iso/19770/-2/2008/schema.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fs="http://www.flexerasoftware.com">
  <!-- Mandatory elements -->
  <swid:entitlement_required_indicator>true</swid:entitlement_required_indicator>
  <swid:product_title>ProductABC</swid:product_title>
  <swid:product_version>
    <swid:name>4.00.0000</swid:name>
    <swid:numeric>
      <swid:major>4</swid:major>
      <swid:minor>0</swid:minor>
      <swid:build>0</swid:build>
      <swid:review>0</swid:review>
    </swid:numeric>
  </swid:product_version>
  <swid:software_creator>
    <swid:name>Flexera Software LLC</swid:name>
    <swid:regid>regid.1986-12.com.flexera</swid:regid>
  </swid:software_creator>
  <swid:software_licensor>
    <swid:name>Flexera Software LLC</swid:name>
    <swid:regid>regid.1986-12.com.flexera</swid:regid>
  </swid:software_licensor>
  <swid:software_id>
    <swid:unique_id>ProductABC_4.0.0_D8F6AD25-2351-D3D1-D235-13JSL23HS151</swid:unique_id>
    <swid:tag_creator_regid>regid.2009-06.com.flexerasoftware,AdminStudio</swid:tag_creator_regid>
  </swid:software_id>
  <swid:tag_creator>
    <swid:name>Flexera Software LLC</swid:name>
    <swid:regid>regid.2009-06.com.flexerasoftware,AdminStudio</swid:regid>
  </swid:tag_creator>
  <swid:extended_information>
    <fs:original_arp_guid>D8F6AD25-2351-D3D1-D235-13JSL23HS151</fs:original_arp_guid>
    <fs:original_arp_publisher>Flexera Software LLC</fs:original_arp_publisher>
    <fs:original_arp_display_name>Product ABC 4.0</fs:original_arp_display_name>
    <fs:original_arp_display_version>4.0.0</fs:original_arp_display_version>
    <fs:current_arp_guid>D8F6AD25-2351-D3D1-D235-13JSL23HS151</fs:current_arp_guid>
    <fs:current_arp_publisher>Flexera Software LLC</fs:current_arp_publisher>
    <fs:current_arp_display_name>Product ABC 4.0</fs:current_arp_display_name>
    <fs:current_arp_display_version>4.0.0</fs:current_arp_display_version>
    <fs:adminstudio_app_catalog_package_id>13</fs:adminstudio_app_catalog_package_id>
    <fs:adminstudio_app_catalog_machine_name>sch101</fs:adminstudio_app_catalog_machine_name>
    <fs:adminstudio_app_catalog_db_name>jan18_1</fs:adminstudio_app_catalog_db_name>
    <fs:adminstudio_app_catalog_guid>9BC14888-65EA-8F03</fs:adminstudio_app_catalog_guid>
  </swid:extended_information>
</swid:software_identification_tag>
CycloneDX
 Definition
– A lightweight SBOM standard designed for use in application security and supply-chain component analysis
 Usage
– Expressed in various formats such as XML, JSON and Protocol Buffers
 Content
– BOM Metadata: supplier, manufacturer, target component, BOM generation tool, BOM license information
– Components: describes the list of first-party and third-party components
• Coordinates (group, name, version)
• Package URL
• Common Platform Enumeration (CPE)
• SWID
• C ryptographic hash functions (SHA-1, SHA-2, SHA-3, BLAKE2b, BLAKE3)
– Services: describes the external APIs the software calls, and the data flows and their direction
– Dependencies: describes dependencies between components through a dependency graph of direct or transitive relationships
– Extensions: extension points for future use cases and capabilities

CycloneDX : High-Level Object Model
CycloneDX Examples : Inventory

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "acme-library",
      "version": "1.0.0"
    }
  ]
}

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4"
     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
     version="1">
  <components>
    <component type="library">
      <name>acme-library</name>
      <version>1.0.0</version>
      <!-- The minimum required fields are:
           component type and name. -->
    </component>
    <!-- More components here -->
  </components>
</bom>
CycloneDX Examples : Known Vulnerability

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "application",
      "name": "Acme Application",
      "version": "9.1.1",
      "cpe": "cpe:/a:acme:application:9.1.1",
      "swid": {
        "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1",
        "name": "Acme Application",
        "version": "9.1.1",
        "text": {
          "contentType": "text/xml",
          "encoding": "base64",
          "content": ……
        }
      }
    },
    {
      "type": "library",
      "group": "org.apache.tomcat",
      "name": "tomcat-catalina",
      "version": "9.0.14",
      "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14"
    }
  ]
}

* Components that have a cpe, swid, or purl defined can be analyzed for known vulnerabilities.
CycloneDX Examples : Integrity Verification

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "acme-example",
      "version": "1.0.0",
      "hashes": [
        { "alg": "MD5", "content": "641b6e166f8b33c5e959e2adcc18b1c7" },
        { "alg": "SHA-1", "content": "9188560f22e0b73070d2efce670c74af2bdf30af" },
        { "alg": "SHA-256", "content": "d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964" },
        { "alg": "SHA-384", "content": "d4835048a0f57c74b8fb617d5366ab81376fc92bebe9a93bf24ba7f9da6c9aeeb6179f5d1361f6533211b15f3224cbad" },
        { "alg": "SHA-512", "content": "74a51ff45e4c11df9ba1f0094282c80489649cb157a75fa337992d2d4592a5a1b8cb4525de8db0ae25233553924d76c36e093ea7fa9df4e5b8b07fd2e074efd6" },
        { "alg": "SHA3-256", "content": "7478c7cf41c883a04ee89f1813f687886d53fa86f791fff90690c6221e3853aa" },
        { "alg": "SHA3-384", "content": "a1eea7229716487ad2ebe96b2f997a8408f32f14047994fbcc99b49012cf86c96dbd518e5d57a61b0e57dd37dd0b48f5" },
        { "alg": "SHA3-512", "content": "7d584825bc1767dfabe7e82b45ccb7a1119b145fa17e76b885e71429c706cef0a3171bc6575b968eec5da56a7966c02fec5402fcee55097ac01d40c550de9d20" },
        { "alg": "BLAKE2b-256", "content": "d8779633380c050bccf4e733b763ab2abd8ad2db60b517d47fd29bbf76433237" },
        { "alg": "BLAKE2b-384", "content": "e728ba56c2da995a559a178116c594e8bee4894a79ceb4399d8f479e5563cb1942b85936f646d14170717c576b14db7a" },
        { "alg": "BLAKE2b-512", "content": "f8ce8d612a6c85c96cf7cebc230f6ddef26e6cedcfbc4a41c766033cc08c6ba097d1470948226807fb2d88d2a2b6fc0ff5e5440e93a603086fdd568bafcd1a9d" },
        { "alg": "BLAKE3", "content": "26cdc7fb3fd65fc3b621a4ef70bc7d2489d5c19e70c76cf7ec20e538df0047cf" }
      ]
    }
  ]
}
CycloneDX Examples : Package Evaluation

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "group": "org.apache.tomcat",
      "name": "tomcat-catalina",
      "version": "9.0.14",
      "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14"
    },
    {
      "type": "library",
      "group": "org.acme",
      "name": "card-verifier",
      "version": "1.0.2",
      "purl": "pkg:maven/org.acme/card-verifier@1.0.2?repository_url=repo.acme.org/maven"
    }
  ]
}
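Added example, not from the slides or the CycloneDX project, covering the three BOMs above (known vulnerability, integrity verification, package evaluation): it reads a constructed CycloneDX 1.4 JSON BOM, reports components that carry no cpe/purl/swid to look up, flags purls whose repository_url qualifier points at a non-default repository, and checks the shipped bytes of a component against every hash it lists. The BOM contents and the b"hello" artifact are assumptions of this example.

```python
import hashlib
import json
from typing import Dict
from urllib.parse import parse_qs

# Constructed CycloneDX 1.4 JSON BOM built from the components the examples
# above use. acme-example's hashes are those of the bytes b"hello", which
# stands in for the shipped artifact; everything else is illustrative.
BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1,
    "components": [
        {"type": "application", "name": "Acme Application", "version": "9.1.1",
         "cpe": "cpe:/a:acme:application:9.1.1",
         "swid": {"tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1",
                  "name": "Acme Application", "version": "9.1.1"}},
        {"type": "library", "group": "org.apache.tomcat", "name": "tomcat-catalina",
         "version": "9.0.14", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14"},
        {"type": "library", "group": "org.acme", "name": "card-verifier", "version": "1.0.2",
         "purl": "pkg:maven/org.acme/card-verifier@1.0.2?repository_url=repo.acme.org/maven"},
        {"type": "library", "name": "acme-example", "version": "1.0.0", "hashes": [
            {"alg": "MD5", "content": "5d41402abc4b2a76b9719d911017c592"},
            {"alg": "SHA-1", "content": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"},
            {"alg": "SHA-256",
             "content": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}]},
        {"type": "library", "name": "unidentified-lib", "version": "0.1"},
    ],
})

# CycloneDX hash algorithm names -> hashlib constructors.
HASHERS = {
    "MD5": lambda d: hashlib.md5(d), "SHA-1": lambda d: hashlib.sha1(d),
    "SHA-256": lambda d: hashlib.sha256(d), "SHA-384": lambda d: hashlib.sha384(d),
    "SHA-512": lambda d: hashlib.sha512(d), "SHA3-256": lambda d: hashlib.sha3_256(d),
    "SHA3-384": lambda d: hashlib.sha3_384(d), "SHA3-512": lambda d: hashlib.sha3_512(d),
    "BLAKE2b-256": lambda d: hashlib.blake2b(d, digest_size=32),
    "BLAKE2b-384": lambda d: hashlib.blake2b(d, digest_size=48),
    "BLAKE2b-512": lambda d: hashlib.blake2b(d, digest_size=64),
}


def parse_purl(purl: str) -> dict:
    """Split a package-url into type/namespace/name/version/qualifiers."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body, _, _subpath = purl[4:].partition("#")
    body, _, query = body.partition("?")
    body, _, version = body.partition("@")
    parts = body.strip("/").split("/")
    return {"type": parts[0], "namespace": "/".join(parts[1:-1]) or None,
            "name": parts[-1], "version": version or None,
            "qualifiers": {k: v[0] for k, v in parse_qs(query).items()}}


def vuln_lookup_keys(component: dict) -> Dict[str, str]:
    """Identifiers a vulnerability database can be queried with (cpe, purl, swid)."""
    keys = {k: component[k] for k in ("cpe", "purl") if k in component}
    if "swid" in component:
        keys["swid"] = component["swid"]["tagId"]
    return keys


def verify_hashes(component: dict, data: bytes) -> Dict[str, bool]:
    """Compare every listed hash with the digest of the shipped bytes; an
    unknown algorithm is reported as False rather than silently skipped."""
    results = {}
    for h in component.get("hashes", []):
        hasher = HASHERS.get(h["alg"])
        results[h["alg"]] = bool(hasher) and hasher(data).hexdigest() == h["content"].lower()
    return results


def triage(bom_json: str, artifacts: Dict[str, bytes]) -> dict:
    """Per component: can it be matched against vulnerability data, does it come
    from a non-default repository, and do the shipped bytes match its hashes."""
    bom = json.loads(bom_json)
    report = {"unmatchable": [], "custom_repository": [], "hash_results": {}}
    for c in bom["components"]:
        if not vuln_lookup_keys(c):
            report["unmatchable"].append(c["name"])
        if "purl" in c:
            repo = parse_purl(c["purl"])["qualifiers"].get("repository_url")
            if repo:
                report["custom_repository"].append((c["name"], repo))
        if c["name"] in artifacts:
            report["hash_results"][c["name"]] = verify_hashes(c, artifacts[c["name"]])
    return report
```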
CycloneDX Examples : License Compliance

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "group": "com.acme",
      "name": "tomcat-catalina",
      "version": "9.0.14",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0",
            "text": {
              "contentType": "text/plain",
              "encoding": "base64",
              "content": "<base64-encoded Apache License 2.0 text, omitted here>"
            }
          }
        }
      ]
    }
  ]
}
RvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICA
gICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBh
bmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyL
AogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eS
wgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl
0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBv
d24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZ
SIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIF
lvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlk
gS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZ
S4="
},
"url": "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
}
]
},
{
"type": "library",
"group": "org.acme",
"name": "card-verifier",
"version": "1.0.2",
"licenses": [
{
"expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
}
]
},
{
"type": "library",
"group": "com.example",
"name": "util",
"version": "2.0.0",
"licenses": [
{
"license": {
"name": "Example, Inc. Commercial License",
"text": {
"contentType": "text/plain",
"encoding": "base64",
"content": "VGhlIHRleHQgZm9yIHRoZSBFeGFtcGxlLCBJbmMuIENvbW1lcmNpYWwgTGljZW5zZSBnb2VzIGhlcmU="
}
}
}
]
}
]
}
42
CycloneDX Examples : Dependency Graph
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"version": 1,
"metadata": {
"component": {
"bom-ref": "acme-app",
"type": "application",
"name": "Acme Application",
"version": "9.1.1"
}
},
"components": [
{
"bom-ref": "pkg:maven/org.acme/web-framework@1.0.0",
"type": "library",
"group": "org.acme",
"name": "web-framework",
"version": "1.0.0",
"purl": "pkg:maven/org.acme/web-framework@1.0.0"
},
{
"bom-ref": "pkg:maven/org.acme/persistence@3.1.0",
"type": "library",
"group": "org.acme",
"name": "persistence",
"version": "3.1.0",
"purl": "pkg:maven/org.acme/persistence@3.1.0"
},
{
"bom-ref": "pkg:maven/org.acme/common-util@3.0.0",
"type": "library",
"group": "org.acme",
"name": "common-util",
"version": "3.0.0",
"purl": "pkg:maven/org.acme/common-util@3.0.0"
}
],
"dependencies": [
{
"ref": "acme-app",
"dependsOn": [
"pkg:maven/org.acme/web-framework@1.0.0",
"pkg:maven/org.acme/persistence@3.1.0"
]
},
{
"ref": "pkg:maven/org.acme/web-framework@1.0.0",
"dependsOn": [
"pkg:maven/org.acme/common-util@3.0.0"
]
},
{
"ref": "pkg:maven/org.acme/persistence@3.1.0",
"dependsOn": [
"pkg:maven/org.acme/common-util@3.0.0"
]
},
{
"ref": "pkg:maven/org.acme/common-util@3.0.0",
"dependsOn": []
}
]
}
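The following Python is an added example, not code from the slides or from Labrador: it loads the dependency-graph BOM above, joins an advisory's purl to its bom-ref, lists every path from the root component to that ref, and flags dependsOn entries that name no declared component. The BOM text is the slide's own example; the advisory scenario and the function names are assumptions.

```python
import json

# CycloneDX 1.4 dependency-graph BOM copied from the slide example above
# (the bom-refs, purls and dependsOn edges are the page's own).
EXAMPLE_BOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1,
  "metadata": {"component": {"bom-ref": "acme-app", "type": "application",
                             "name": "Acme Application", "version": "9.1.1"}},
  "components": [
    {"bom-ref": "pkg:maven/org.acme/web-framework@1.0.0", "type": "library",
     "group": "org.acme", "name": "web-framework", "version": "1.0.0",
     "purl": "pkg:maven/org.acme/web-framework@1.0.0"},
    {"bom-ref": "pkg:maven/org.acme/persistence@3.1.0", "type": "library",
     "group": "org.acme", "name": "persistence", "version": "3.1.0",
     "purl": "pkg:maven/org.acme/persistence@3.1.0"},
    {"bom-ref": "pkg:maven/org.acme/common-util@3.0.0", "type": "library",
     "group": "org.acme", "name": "common-util", "version": "3.0.0",
     "purl": "pkg:maven/org.acme/common-util@3.0.0"}
  ],
  "dependencies": [
    {"ref": "acme-app", "dependsOn": ["pkg:maven/org.acme/web-framework@1.0.0",
                                      "pkg:maven/org.acme/persistence@3.1.0"]},
    {"ref": "pkg:maven/org.acme/web-framework@1.0.0",
     "dependsOn": ["pkg:maven/org.acme/common-util@3.0.0"]},
    {"ref": "pkg:maven/org.acme/persistence@3.1.0",
     "dependsOn": ["pkg:maven/org.acme/common-util@3.0.0"]},
    {"ref": "pkg:maven/org.acme/common-util@3.0.0", "dependsOn": []}
  ]
}'''


def load_example_bom():
    """Parse the slide's BOM; returns a fresh dict each call so callers may mutate it."""
    return json.loads(EXAMPLE_BOM_JSON)


def load_graph(bom):
    """Return (root_ref, edges, declared_refs) for a CycloneDX 1.4 BOM dict.
    edges maps each bom-ref to the refs it dependsOn; declared_refs is the set
    of refs that actually exist (metadata.component plus every component)."""
    root = bom["metadata"]["component"]["bom-ref"]
    declared = {root} | {c["bom-ref"] for c in bom.get("components", [])
                         if "bom-ref" in c}
    edges = {d["ref"]: list(d.get("dependsOn", []))
             for d in bom.get("dependencies", [])}
    return root, edges, declared


def dangling_refs(bom):
    """Refs used in the dependencies section that no component declares.
    A scanner silently skips such edges, so run this first on a supplier's BOM."""
    _, edges, declared = load_graph(bom)
    missing = {ref for ref in edges if ref not in declared}
    for deps in edges.values():
        missing.update(d for d in deps if d not in declared)
    return sorted(missing)


def paths_to(bom, target):
    """All dependency paths root -> ... -> target, as lists of bom-refs.
    For an advisory on `target` this tells which direct dependencies pull it
    in and through how many routes. A ref already on the current path is not
    re-entered, so cyclic dependency graphs still terminate."""
    root, edges, _ = load_graph(bom)
    found = []

    def walk(ref, path):
        if ref == target:
            found.append(path)
            return
        for dep in edges.get(ref, []):
            if dep not in path:
                walk(dep, path + [dep])

    walk(root, [root])
    return found


def purl_index(bom):
    """purl -> bom-ref, to join an advisory feed keyed by purl onto the graph."""
    return {c["purl"]: c["bom-ref"] for c in bom.get("components", [])
            if "purl" in c}


if __name__ == "__main__":
    bom = load_example_bom()
    # Constructed scenario: an advisory names common-util 3.0.0 by its purl.
    ref = purl_index(bom)["pkg:maven/org.acme/common-util@3.0.0"]
    print("dangling refs:", dangling_refs(bom))
    for path in paths_to(bom, ref):
        print(" -> ".join(path))
```

On the slide's graph, common-util is reached through both web-framework and persistence, so a fix for it must be verified on both routes; a BOM whose dependsOn names a ref that is not a declared component is reported before any path analysis is trusted.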
Thank you !!!
GTONE Co., Ltd.
501, Building 2, Ace High-Tech City, 55-20 Mullae-dong 3-ga, Yeongdeungpo-gu, Seoul
TEL (02) 2167-3456 (main) FAX (02) 2167-3470
http://www.gtone.co.kr

Presentation for the v0finder and Labrador

  • 1. V0finder & Labrador 최태형 [thchoi@gtone.co.kr]
  • 2. V0finder: Discovering the Correct Origin of Publicly Reported Software Vulnerabilities By Seunghoon Woo et al. In the 30th USENIX Security Symposium, 2021 • 2
  • 3. 3 Application & Data Governance  V0(vulnerability zero) : ( 보안 ) 취약점이 발생한 근원지인 특정 버전의 소프트웨어  Locality-Sensitive Hash : 비슷한 데이터에 대해 비슷한 값을 주는 해시함수  CVE(Common Vulnerabilities & Exposures) – 보안취약점 관리 데이터베이스 – C.f., Vulnerability( 보안취약점 ) vs Weakness( 보안약점 ) • 보안취약점 : 내재된 보안약점 등으로 인해 발생한 실재하는 보안상의 취약점 • 보안약점 : 보안취약점으로 발생할 수 있는 코딩 , 프로그램 구조 등의 취약한 부분 Terminologies & Techniques 6. 통계적 머신러닝
  • 4. 4 Application & Data Governance  모든 함수를 추출 , LSH 적용 Detecting vulnerable software
  • 5. 5 Application & Data Governance  취약점 코드에 대한 코드 클론 검출 기능 사용 Detecting vulnerable software
  • 7. 7 Application & Data Governance  소프트웨어 구성 분석 – 오픈소스 컴포넌트 관리를 위한 애플리케이션 보안 방법론 – 관련된 모든 컴포넌트와 지원 라이브러리 , 직간접적인 의존성을 찾음 – 소프트웨어 라이선스의 검출 – 보안취약성이나 잠재적인 익스플로잇 등으로 인해 더 이상 사용하지 않을 의존성 검출 – 관련 도구 • Snyk, Mend, Black Duck Software Composition Analysis, Contrast Security, … SCA
  • 8. 8 Application & Data Governance  VUDDY(VUlnerable coDe clone DiscoverY) – CVE 에 등록된 취약점 코드의 코드 클론을 검출  CENTRIS(CENTRIfuge for Software) – 소프트웨어를 재사용 부분과 자체 제작 부분으로 분리 – 재사용 부분 : 등록된 ( 오픈소스 ) 소스코드를 재사용 , 수정 사용 등 – 자체 제작 : 재사용 부분을 제외한 나머지 직접 작성한 부분  SBOM(Software Bill of Matterials) – 소프트웨어 부품표 – 소프트웨어를 구성하는 컴포넌트에 대한 상세한 내용과 공급망 관계를 포함한 정식 기록 – 형식 : SPDX(ISO), CycloneDX(OWASP) 등 Terminologies & Techniques
  • 9. 9 Application & Data Governance  SBOM 기반 OSS 공급망 안전 관리 솔루션 – SBOM 제공 • CENTRIS 기술 • 형식 : SPDX, CycloneD – 보안취약점 검출 및 패치 제공 • VUDDY 기술 – 라이선스 이슈 검출 – 오픈소스 거버넌스 정책 자동 관리 Labrador OSS
  • 11. Application & Data Governance 소프트웨어 공급망 Software Supply Chain
  • 12. Application & Data Governance 소프트웨어 공급망 투명성의 필요
  • 13. 13 Application & Data Governance  SBOM – 소프트웨어 재료의 목록 , 또는 중첩된 목록 (nested inventory) – 형식을 갖춘 , 또는 공식 데이터 (formal record) • 대상 : 소프트웨어 구축에 사용된 다양한 컴포넌트 • 내용 : 자세한 내용 및 설명과 공급망 (supply chain) 관계 사항 (relationships) SBOM 이란 ?
  • 14. 14 Application & Data Governance – SBOM 은 소프트웨어와 보안에 걸쳐 다양한 유즈케이스를 지원 SBOM 의 활용 분야
  • 15. 15 Application & Data Governance  정리 – SBOM 은 소프트웨어 의존성을 추적을 위한 기술 및 운영 모델 – 더 나은 소프트웨어 보안성과 공급망 위험관리 (risk management) 을 제공 • 보안취약점 관리 • 조달 (procurement) • 새롭게 등장한 위험 (emerging risks) 의 취급 SBOM 의 사용
  • 16. 16 Application & Data Governance  SPDX – SBOM 공개표준 • 컴포넌트 , 라이선스 , 저작권 , 보안참조 등 – SPDX 워크그룹 (hosted in Linux Foundation) 에서 명세 개발  CycloneDX – 소프트웨어 보안 문맥과 공급망 컴포넌트 분석을 위해 특별히 만든 SBOM 표준 – OWASP 에서 기원한 CycloneDX 코어 그룹에서 명세를 유지보수  SWID tags – 설치한 소프트웨어에 대한 유일한 정보를 기록 • 이름 , 판 (edition), 버전 , 번들에 포함된 것인지 여부 등등 – 소프트웨어 목록 (inventory) 과 자산관리계획 (asset management initiatives) 제공 – ISO/IEC 19770-2:2015 SBOM 구현의 비교
  • 17. 17 Application & Data Governance Field SPDX SWID CycloneDX Supplier (3.5) PackageSupplier: <Entity>@role(softwareCreator/publisher), @name publisher Component (3.1) PackageName: <softwareIdentity>@name name Unique Identifier (3.2) SPDXID: <softwareIdentity>@tagID bom/serialNumber and component/bom-ref Version (3.3) PackageVersion: <softwareIdentity>@version version Component Hash (3.10) PackageChecksum: <Payload>/../<File> @[hash-algorithm]:hash hash Relationship (7.1) Relationship: CONTAINS <Link>@rel, @href (Nested assembly/subassembly and/or dependency graphs) SBOM Author (2.8) Creator: <Entity> @role(tagCreator), @name bom-descriptor: metadata/ manufacture/contact SBOM 핵심 필드 구현
  • 18. 18 Application & Data Governance  정의 – SPDX 는 다양한 파일 형태의 소프트웨어 컴포넌트들과 연관하여 , 컴포넌트 , 라이선스 , 저작권 , 보안 정보들을 상호교류하기 위한 표준 언어를 제공한다 .  사용방법 – 다양한 형태의 파일형식으로 표현 가능 (RDF, .xlsx, .spdx 등 ) – 다른 형태로 확장 가능 (.xml, .json, .yaml 등 )  내용 – SPDX Document Creation Information: 분석결과와 연관된 SPDX 파일의 특정 버전과 파일 생성에 관한 메타데이터 – Package Information: 전체 패키지에 대한 공통 특성 – File Information: 패키지에 속할 수 있는 파일들 세부 사항들 – Snippet Information: 파일에 일부분에 해당하는 것들의 세부사항들 – Other licensing information detected: SPDX 라이선스 목록에 없는 다른 라이선스에 대한 , 또는 참조하기 위한 정보 – Relationships Between SPDX Elements: 각각 다른 문서 , 패키지 , 파일들과 어떻게 연관되었는지에 대한 정보 – Annotations: SPDX 파일을 누가 , 언제 리뷰했는지에 대한 정보 SPDX (Software Package Data eXchange)
  • 19. 19 Application & Data Governance Mandator y Field Name Comment O 6.1 SPDX Version 어떤 버전의 SPDX 인가 ? O 6.2 Data License 문서 내 데이터 : CC0-1.0 O 6.3 SPDX Identifier 본 현재 문서의 ID O 6.4 Document Name O 6.5 SPDX Document Namespace URI 6.6 External Document Reference 6.7 License List Version 본 문서의 생성 일시 O 6.8 Creator O 6.9 Created 본 문서의 생성 방법 - 수동 리뷰 ( 누가 ? 언제 ?) - 도구 (ID, 버전 , 언제 ?) 6.10 Creator Comment 생성자의 일반 코멘트 6.11 Document Comment 생성자의 본 문서 소비자에 대한 코멘트 SPDX : Document Creation Information
  • 20. 20 Application & Data Governance Mandator y Field Name Comment O 7.1 Package Name 작성자가 지은 공식명칭 O 7.2 Package SPDX Identifier ID ( 유일해야함 ) 7.3 Package Version 7.4 Package File Name 패키지에 대한 실제 파일명 7.5 Package Supplier 7.6 Package Originator O 7.7 Package Download Location 다운로드 URL 7.8 Files Analyzed 패키지와 연관된 파일들 O 7.9 Package Verification Code special algorithm 7.10 Package Checksum 7.11 Package Home Page 프로젝트 홈페이지 7.12 Source Information O 7.13 Concluded License SPDX : Package Information
  • 21. 21 Application & Data Governance Mandator y Field Name Comment O 7.15 Declared License 7.16 Comments on License 7.17 Copyright Text any copyrights declared? 7.18 Package Summary Description 7.19 Package Detailed Description 7.20 Package Comment 7.21 External Reference 7.22 External Reference Comment 7.23 Package Attribution Text SPDX : Package Information (Cont’d)
  • 22. 22 Application & Data Governance Mandator y Field Name Comment O 8.1 File Name O 8.2 File SPDX Identifier 8.3 File Type O 8.4 File Checksum O 8.5 Concluded License O 8.6 License Information in File 8.7 Comments on License O 8.8 Copyright Text 8.9 Artifact of Project Name 8.12 File Comment 8.13 File Notice 8.14 File Contributor 8.15 File Attribution Text SPDX : File Information * 8.10, 8.11, 8.16 Deprecated
  • 23. 23 Application & Data Governance Mandator y Field Name Comment O 9.1 Snippet SPDX Identifier O 9.2 Snippet from File SPDX Identifier O 9.3 Snippet Byte Range 9.4 Snippet Line Range O 9.5 Snippet Concluded License 9.6 License Information in Snippet 9.7 Snippet Comments on License O 9.8 Snippet Copyright Text 9.9 Snippet Comment 9.10 Snippet Name 9.11 Snippet Attribution Text SPDX : Snippet Information
  • 24. 24 Application & Data Governance Mandator y Field Name Comment Conditional 10.1 License Identifier Conditional 10.2 Extracted Text Conditional 10.3 License Name Conditional 10.4 License Cross Reference Conditional 10.5 License Comment SPDX : Other Licensing Information Detected Mandator y Field Name Comment 11.1 Relationship 11.2 Relationship Comment SPDX : Relationships between SPDX elements information
  • 25. 25 Application & Data Governance Mandator y Field Name Comment Conditional 12.1 Annotator Conditional 12.2 Annotation Date Conditional 12.3 Annotation Type Conditional 12.4 SPDX Identifier Reference Conditional 12.5 Annotation Comment SPDX : Annotations Information
  • 26. 26 Application & Data Governance # SPDX Field Name # SPDX Field Name L1.1 6.1 SPDX Version L2.6 7.8 Files Analyzed L1.2 6.2 Data License L2.7 7.11 Package Home Page L1.3 6.3 SPDX Identifier L2.8 7.13 Concluded License L1.4 6.4 Document Name L2.9 7.15 Declared License L1.5 6.5 SPDX Document Namespace L2.10 7.16 Comments on License L1.6 6.8 Creator L2.11 7.17 Copyright Text L1.7 6.9 Created L2.12 7.20 Package Comment L2.1 7.1 Package Name L3.1 10.1 License Identifier L2.2 7.2 Package SPDX Identifier L3.2 10.2 Extracted Text L2.3 7.3 Package Version L3.3 10.3 License Name L2.4 7.4 Package File Name L3.4 10.5 License Comment L2.5 7.7 Package Download Location SPDX Lite
  • 27. 27 Application & Data Governance SPDX 예제 (1) SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: hello DocumentNamespace: https://swinslow.net/spdx-examples/example1/hello-v3 Creator: Person: Steve Winslow (steve@swinslow.net) Creator: Tool: github.com/spdx/tools-golang/builder Creator: Tool: github.com/spdx/tools-golang/idsearcher Created: 2021-08-26T01:46:00Z ##### Package: hello PackageName: hello SPDXID: SPDXRef-Package-hello PackageDownloadLocation: git+https://github.com/swinslow/spdx- examples.git#example1/content FilesAnalyzed: true PackageVerificationCode: 9d20237bb72087e87069f96afb41c6ca2fa2a342 PackageLicenseConcluded: GPL-3.0-or-later PackageLicenseInfoFromFiles: GPL-3.0-or-later PackageLicenseDeclared: GPL-3.0-or-later PackageCopyrightText: NOASSERTION Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-hello FileName: /build/hello SPDXID: SPDXRef-hello-binary FileType: BINARY FileChecksum: SHA1: 20291a81ef065ff891b537b64d4fdccaf6f5ac02 FileChecksum: SHA256: 83a33ff09648bb5fc5272baca88cf2b59fd81ac4cc6817b86998136af368708e FileChecksum: MD5: 08a12c966d776864cc1eb41fd03c3c3d LicenseConcluded: GPL-3.0-or-later LicenseInfoInFile: NOASSERTION FileCopyrightText: NOASSERTION FileName: /src/Makefile SPDXID: SPDXRef-Makefile FileType: SOURCE FileChecksum: SHA1: 69a2e85696fff1865c3f0686d6c3824b59915c80 FileChecksum: SHA256: 5da19033ba058e322e21c90e6d6d859c90b1b544e7840859c12cae5da005e79c FileChecksum: MD5: 559424589a4f3f75fd542810473d8bc1 LicenseConcluded: GPL-3.0-or-later LicenseInfoInFile: GPL-3.0-or-later FileCopyrightText: NOASSERTION FileName: /src/hello.c SPDXID: SPDXRef-hello-src FileType: SOURCE FileChecksum: SHA1: 20862a6d08391d07d09344029533ec644fac6b21 FileChecksum: SHA256: b4e5ca56d1f9110ca94ed0bf4e6d9ac11c2186eb7cd95159c6fdb50e8db5a823 FileChecksum: MD5: 935054fe899ca782e11003bbae5e166c LicenseConcluded: GPL-3.0-or-later LicenseInfoInFile: GPL-3.0-or-later FileCopyrightText: 
Copyright Contributors to the spdx-examples project. Relationship: SPDXRef-hello-binary GENERATED_FROM SPDXRef-hello-src Relationship: SPDXRef-hello-binary GENERATED_FROM SPDXRef-Makefile Relationship: SPDXRef-Makefile BUILD_TOOL_OF SPDXRef-Package-hello
  • 28. 28 Application & Data Governance SPDX 예제 (2) SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: hello-bin DocumentNamespace: https://swinslow.net/spdx-examples/example2/hello-bin-v4 ExternalDocumentRef:DocumentRef-hello-src https://swinslow.net/spdx-examples/example2- hello-src-v3 SHA1: bb991e91fc62ce239d7baf30783c678506f9d17b Creator: Person: Steve Winslow (steve@swinslow.net) Creator: Tool: github.com/spdx/tools-golang/builder Creator: Tool: github.com/spdx/tools-golang/idsearcher Created: 2021-08-26T01:49:00Z ##### Package: hello-bin PackageName: hello-bin SPDXID: SPDXRef-Package-hello-bin PackageDownloadLocation: git+https://github.com/swinslow/spdx-examples.git#example2/ content/build FilesAnalyzed: true PackageVerificationCode: d7aa17dad30d1d1d468a10ea1ec5e100e471c064 PackageLicenseConcluded: GPL-3.0-or-later PackageLicenseInfoFromFiles: NOASSERTION PackageLicenseDeclared: NOASSERTION PackageCopyrightText: NOASSERTION Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-hello-bin FileName: /hello SPDXID: SPDXRef-hello-binary FileType: BINARY FileChecksum: SHA1: 20291a81ef065ff891b537b64d4fdccaf6f5ac02 FileChecksum: SHA256: 83a33ff09648bb5fc5272baca88cf2b59fd81ac4cc6817b86998136af368708e FileChecksum: MD5: 08a12c966d776864cc1eb41fd03c3c3d LicenseConcluded: GPL-3.0-or-later LicenseInfoInFile: NOASSERTION FileCopyrightText: NOASSERTION ##### Relationships Relationship: SPDXRef-hello-binary GENERATED_FROM DocumentRef-hello-src:SPDXRef-hello-src Relationship: SPDXRef-hello-binary GENERATED_FROM DocumentRef-hello-src:SPDXRef-Makefile SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: hello-src DocumentNamespace: https://swinslow.net/spdx-examples/example2/hello-src-v3 Creator: Person: Steve Winslow (steve@swinslow.net) Creator: Tool: github.com/spdx/tools-golang/builder Creator: Tool: github.com/spdx/tools-golang/idsearcher 
Created: 2021-08-26T01:47:00Z ##### Package: hello-src PackageName: hello-src SPDXID: SPDXRef-Package-hello-src PackageDownloadLocation: git+https://github.com/swinslow/spdx-examples.git#example2/ content/src FilesAnalyzed: true PackageVerificationCode: c6cb0949d7cd7439fce8690262a0946374824639 PackageLicenseConcluded: NOASSERTION PackageLicenseInfoFromFiles: GPL-3.0-or-later PackageLicenseDeclared: GPL-3.0-or-later PackageCopyrightText: NOASSERTION Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-hello-src FileName: /Makefile SPDXID: SPDXRef-Makefile FileType: SOURCE FileChecksum: SHA1: 69a2e85696fff1865c3f0686d6c3824b59915c80 FileChecksum: SHA256: 5da19033ba058e322e21c90e6d6d859c90b1b544e7840859c12cae5da005e79c FileChecksum: MD5: 559424589a4f3f75fd542810473d8bc1 LicenseConcluded: GPL-3.0-or-later LicenseInfoInFile: GPL-3.0-or-later FileCopyrightText: NOASSERTION FileName: /hello.c SPDXID: SPDXRef-hello-src FileType: SOURCE FileChecksum: SHA1: 20862a6d08391d07d09344029533ec644fac6b21 FileChecksum: SHA256: b4e5ca56d1f9110ca94ed0bf4e6d9ac11c2186eb7cd95159c6fdb50e8db5a823 FileChecksum: MD5: 935054fe899ca782e11003bbae5e166c LicenseConcluded: GPL-3.0-or-later LicenseInfoInFile: GPL-3.0-or-later FileCopyrightText: Copyright Contributors to the spdx-examples project. ##### Relationships Relationship: SPDXRef-Makefile BUILD_TOOL_OF SPDXRef-Package-hello-src
  • 29. 29 Application & Data Governance  정의 – By NIST : SWID 태그는 소프트웨어 제품의 설치절차 (installation process) 의 부분으로서 추가되고 , 제품의 제거절차 (uninstall process) 때 삭제되는 생명주기 (lifecycle) 를 정의 – 기기 상에 소프트웨어 제품의 존재를 나타내는 표준 지표 (standard indicators) 이며 , 제품 이름과 버전 등의 상세정보를 담은 일관성 있는 레이블을 사용  내용 – Corpus Tags : 소프트웨어의 전설치 단계 (pre-installation phase) 를 기술 (tar, zip, executable file) – Primary Tags : 제품명 , 태그의 ID(global), 태그 생성자를 식별하는 기본 정보 등을 제공 – Patch Tags : 제품에 적용된 패치를 식별하고 기술 – Supplemental Tags : Primary 또는 Patch 태그에 세부 사항을 추가 SWID(SoftWare IDentification) Tags
  • 30. 30 Application & Data Governance SW Lifecyle supported by SWID Tags
  • 31. 31 Application & Data Governance <SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/ schema.xsd" name="ACME Roadrunner Management Suite Coyote Edition" tagId="com.acme.rms-ce-v4-1-5-0" tagVersion="0" version="4.1.5"> <Entity name="The ACME Corporation" regid="acme.com" role="tagCreator softwareCreator"/> … </SoftwareIdentity> SWID Examples : Primary Tags & Supplemental Tags <SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/ schema.xsd" name="ACME Roadrunner Management Suite Coyote Edition" tagId="com.acme.rms-sensor-1" supplemental="true"> <Entity name="The ACME Corporation" regid="acme.com" role="tagCreator softwareCreator"/> <Link rel="related" href="swid:com.acme.rms-ce-v4-1-5-0"> … </SoftwareIdentity>
  • 32. 32 Application & Data Governance <SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/ schema.xsd" name="ACME Roadrunner Service Pack 1" tagId="com.acme.rms-ce-sp1-v1-0-0" patch="true" version="1.0.0"> <Entity name="The ACME Corporation" regid="acme.com" role="tagCreator softwareCreator"/> <Link rel="patches" href="swid:com.acme.rms-ce-v4-1-5-0"> … </SoftwareIdentity> SWID Examples : Patch Tags
  • 33. 33 Application & Data Governance <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <swid:software_identification_tag xsi:schemaLocation="http://standards.iso.org/iso/19770/-2/2008/schema.xsd software_identification_tag.xsd " xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:swid="http://standards.iso.org/iso/19770/-2/2008/ schema.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" " xmlns:fs="http://www.flexerasoftware.com"> <!-- Mandatory elements --> <swid:entitlement_required_indicator>true</swid:entitlement_required_indicator> <swid:product_title>ProductABC</swid:product_title> <swid:product_version> <swid:name>4.00.0000</swid:name> <swid:numeric> <swid:major>4</swid:major> <swid:minor>0</swid:minor> <swid:build>0</swid:build> <swid:review>0</swid:review> </swid:numeric> </swid:product_version> <swid:software_creator> <swid:name>Flexera Software LLC</swid:name> <swid:regid>regid.1986-12.com.flexera</swid:regid> </swid:software_creator> <swid:software_licensor> <swid:name>Flexera Software LLC</swid:name> <swid:regid>regid.1986-12.com.flexera</swid:regid> </swid:software_licensor> <swid:software_id> <swid:unique_id>ProductABC_4.0.0_D8F6AD25-2351-D3D1-D235-13JSL23HS151</swid:unique_id> <swid:tag_creator_regid>regid.2009-06.com.flexerasoftware,AdminStudio</swid:tag_creator_regid> </swid:software_id> <swid:tag_creator> <swid:name>Flexera Software LLC</swid:name> <swid:regid>regid.2009-06.com.flexerasoftware,AdminStudio</swid:regid> </swid:tag_creator> SWID Examples : Flexera Software
  • 34. 34 Application & Data Governance SWID Examples : Flexera Software (Cont’d) <swid:extended_information> <fs:original_arp_guid>D8F6AD25-2351-D3D1-D235-13JSL23HS151</fs:original_arp_guid> <fs:original_arp_publisher>Flexera Software LLC</fs:original_arp_publisher> <fs:original_arp_display_name>Product ABC 4.0</fs:original_arp_display_name> <fs:original_arp_display_version>4.0.0</fs:original_arp_display_version> <fs:current_arp_guid>D8F6AD25-2351-D3D1-D235-13JSL23HS151</fs:current_arp_guid> <fs:current_arp_publisher>Flexera Software LLC</fs:current_publisher> <fs:current_arp_display_name>Product ABC 4.0</fs:current_arp_display_name> <fs:current_arp_display_version>4.0.0</fs:current_arp_display_version> <fs:adminstudio_app_catalog_package_id>13</fs:adminstudio_app_catalog_package_id> <fs:adminstudio_app_catalog_machine_name>sch101</fs:adminstudio_app_catalog_machine_name> <fs:adminstudio_app_catalog_db_name>jan18_1</fs:adminstudio_app_catalog_db_name> <fs:adminstudio_app_catalog_guid>9BC14888-65EA-8F03</fs:adminstudio_app_catalog_guid> </swid:extended_information> </swid:software_identification_tag>
  • 35. 35 Application & Data Governance  정의 – 애플리케이션 보안 분야와 공급망 컴포넌트 분석 (supply chain component analysis) 에서 사용하도록 설계된 경량 (lightweight) SBOM 표준  사용방법 – .XML, .JSON, 프로토콜 버퍼 등의 다양한 형식으로 표현  내용 – BOM Metadata : 공급자 , 생산자 , 대상 컴포넌트 , BOM 생성 도구 , BOM 라이선스 정보 – Components : first-party 와 third-party 컴포넌트 목록을 기술 • Coordinates (group, name, version) • Package URL • Common Platform Enumeration (CPE) • SWID • Cryptographic hash functions (SHA-1, SHA-2, SHA-3, BLAKE2b, BLAKE3) – Services : 소프트웨어 호출 외부 API 와 데이터 흐름과 방향을 기술 – Dependencies: 직접 또는 전이관계로 나타나는 의존성 그래프를 통한 컴포넌트 간의 의존성을 기술 – Extensions : 향후 유즈케이스와 기능을 제공하기 위한 확장지점 CycloneDX
  • 36. 36 Application & Data Governance CycloneDX : High-Level Object Model
  • 37. 37 Application & Data Governance CycloneDX Examples : Inventory { "bomFormat": "CycloneDX", "specVersion": "1.4", "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f- a58921a69b79", "version": 1, "components": [ { "type": "library", "name": "acme-library", "version": "1.0.0" } ] } <?xml version="1.0" encoding="UTF-8"?> <bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:3e671687-395b-41f5-a30f- a58921a69b79" version="1"> <components> <component type="library"> <name>acme-library</name> <version>1.0.0</version> <!-- The minimum required fields are: component type and name. --> </component> <!-- More components here --> </components> </bom>
  • 38. 38 Application & Data Governance CycloneDX Examples : Known Vulnerability { "bomFormat": "CycloneDX", "specVersion": "1.4", "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1, "components": [ { "type": "application", "name": "Acme Application", "version": "9.1.1", "cpe": "cpe:/a:acme:application:9.1.1", "swid": { "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1", "name": "Acme Application", "version": "9.1.1", "text": { "contentType": "text/xml", "encoding": "base64", "content": …… } } }, { "type": "library", "group": "org.apache.tomcat", "name": "tomcat-catalina", "version": "9.0.14", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14" } ] } * Components that have a cpe, swid, or purl defined can be analyzed for known vulnerabilities.
  • 39. 39 Application & Data Governance CycloneDX Examples : Integrity Verification { "bomFormat": "CycloneDX", "specVersion": "1.4", "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1, "components": [ { "type": "library", "name": "acme-example", "version": "1.0.0", "hashes": [{ "alg": "MD5", "content": "641b6e166f8b33c5e959e2adcc18b1c7" },{ "alg": "SHA-1", "content": "9188560f22e0b73070d2efce670c74af2bdf30af" },{ "alg": "SHA-256", "content": "d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964" },{ "alg": "SHA-384", "content": "d4835048a0f57c74b8fb617d5366ab81376fc92bebe9a93bf24ba7f9da6c9aeeb6179f5d1361f6533211b15f3224cbad" },{ "alg": "SHA-512", "content": "74a51ff45e4c11df9ba1f0094282c80489649cb157a75fa337992d2d4592a5a1b8cb4525de8db0ae25233553924d76c36e093ea7fa9df4e5b8b07fd2e074efd6" },{ "alg": "SHA3-256", "content": "7478c7cf41c883a04ee89f1813f687886d53fa86f791fff90690c6221e3853aa" },{ "alg": "SHA3-384", "content": "a1eea7229716487ad2ebe96b2f997a8408f32f14047994fbcc99b49012cf86c96dbd518e5d57a61b0e57dd37dd0b48f5" },{ "alg": "SHA3-512", "content": "7d584825bc1767dfabe7e82b45ccb7a1119b145fa17e76b885e71429c706cef0a3171bc6575b968eec5da56a7966c02fec5402fcee55097ac01d40c550de9d20" },{ "alg": "BLAKE2b-256", "content": "d8779633380c050bccf4e733b763ab2abd8ad2db60b517d47fd29bbf76433237" },{ "alg": "BLAKE2b-384", "content": "e728ba56c2da995a559a178116c594e8bee4894a79ceb4399d8f479e5563cb1942b85936f646d14170717c576b14db7a" },{ "alg": "BLAKE2b-512", "content": "f8ce8d612a6c85c96cf7cebc230f6ddef26e6cedcfbc4a41c766033cc08c6ba097d1470948226807fb2d88d2a2b6fc0ff5e5440e93a603086fdd568bafcd1a9d" },{ "alg": "BLAKE3", "content": "26cdc7fb3fd65fc3b621a4ef70bc7d2489d5c19e70c76cf7ec20e538df0047cf" }] } ]
  • 40. 40 Application & Data Governance CycloneDX Examples : Package Evaluation
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "group": "org.apache.tomcat",
      "name": "tomcat-catalina",
      "version": "9.0.14",
      "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14"
    },
    {
      "type": "library",
      "group": "org.acme",
      "name": "card-verifier",
      "version": "1.0.2",
      "purl": "pkg:maven/org.acme/card-verifier@1.0.2?repository_url=repo.acme.org/maven"
    }
  ]
}
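The Known Vulnerability slide notes that only components with a cpe, swid or purl can be matched against vulnerability data, and the Package Evaluation slide shows a purl whose repository_url qualifier records where the package was fetched from. The script below is an added example serving both slides (not code from the slides, from Labrador or from CycloneDX): it inventories which components of a BOM carry a matchable identifier, parses package URLs into their parts, and flags components sourced from a repository outside a constructed trusted list. The sample BOM reuses the slide's components plus one constructed component with no identifier.

```python
"""Which components of a CycloneDX 1.4 BOM can be matched against known
vulnerabilities, and what their package URLs say about where they came from.

Added example; not code from the slides, from Labrador or from CycloneDX. The
BOM is constructed from the components on the Known Vulnerability and Package
Evaluation slides plus one component with no identifier at all.
"""
from urllib.parse import unquote

SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "application", "name": "Acme Application", "version": "9.1.1",
         "cpe": "cpe:/a:acme:application:9.1.1",
         "swid": {"tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1"}},
        {"type": "library", "group": "org.apache.tomcat", "name": "tomcat-catalina",
         "version": "9.0.14",
         "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14"},
        {"type": "library", "group": "org.acme", "name": "card-verifier",
         "version": "1.0.2",
         "purl": "pkg:maven/org.acme/card-verifier@1.0.2?repository_url=repo.acme.org/maven"},
        # Constructed: a vendored blob that nobody gave an identifier.
        {"type": "library", "name": "vendored-blob", "version": "0.1"},
    ],
}

# Constructed policy: repositories a build may fetch Maven artifacts from.
TRUSTED_REPOSITORIES = {"repo1.maven.org/maven2"}


def parse_purl(purl):
    """Split a package URL (pkg:type/namespace/name@version?qualifiers#subpath)
    into its parts. Namespace, version, qualifiers and subpath are optional;
    the canonical form percent-encodes '@', '?' and '#' inside names."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    rest = purl[len("pkg:"):].lstrip("/")
    subpath = None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)
    qualifiers = {}
    if "?" in rest:
        rest, query = rest.split("?", 1)
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            if key:
                qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    ptype, _, path = rest.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    if not ptype or not segments:
        raise ValueError("purl needs a type and a name: %r" % purl)
    return {"type": ptype.lower(), "namespace": "/".join(segments[:-1]) or None,
            "name": segments[-1], "version": version,
            "qualifiers": qualifiers, "subpath": subpath}


def identifier_inventory(bom):
    """For each component, the identifier kinds a vulnerability database can be
    queried with (purl, cpe, swid); an empty list means it cannot be matched."""
    inventory = []
    for comp in bom.get("components", []):
        label = "%s@%s" % (comp.get("name"), comp.get("version"))
        inventory.append((label, [k for k in ("purl", "cpe", "swid") if comp.get(k)]))
    return inventory


def unmatched_components(bom):
    """Components that no vulnerability database can be asked about."""
    return [label for label, kinds in identifier_inventory(bom) if not kinds]


def foreign_repositories(bom, trusted=TRUSTED_REPOSITORIES):
    """Components whose purl names a repository_url outside the trusted set.
    A purl without that qualifier implies the type's default registry."""
    flagged = []
    for comp in bom.get("components", []):
        if not comp.get("purl"):
            continue
        repo = parse_purl(comp["purl"])["qualifiers"].get("repository_url")
        if repo and repo not in trusted:
            flagged.append(("%s@%s" % (comp["name"], comp["version"]), repo))
    return flagged
```

Components that come back from unmatched_components are the blind spot of any SBOM-based vulnerability check: a scanner such as the VUDDY code-clone approach described earlier can still find vulnerable code in them, but identifier-based lookup cannot.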
  • 41. 41 Application & Data Governance CycloneDX Examples : License Compliance { "bomFormat": "CycloneDX", "specVersion": "1.4", "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f- a58921a69b79", "version": 1, "components": [ { "type": "library", "group": "com.acme", "name": "tomcat-catalina", "version": "9.0.14", "licenses": [ { "license": { "id": "Apache-2.0", "text": { "contentType": "text/plain", "encoding": "base64", "content": "CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWF uIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0 eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBka XJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKIC 
AgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW5 5IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBT b3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY 3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaG FsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGl 
maWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBG b3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zL AogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYX MgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGV ybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3Vi 
bGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZ Swgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3 IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY29 1bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUg ZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvb 
nM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdG hlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGF uZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNl cyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0a CB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2 
UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB 0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9s ZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb 24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudC B5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ 
5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25z KSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZ Wx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIH RvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICA gICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBh 
bmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyL AogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eS wgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl 0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBv d24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZ 
SIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIF lvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlk gS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZ S4=" }, "url": "https://www.apache.org/licenses/LICENSE- 2.0.txt" } { "type": "library", "group": "org.acme", "name": "card-verifier", "version": "1.0.2", "licenses": [ { "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath- exception-2.0" } ] }, { "type": "library", "group": "com.example", "name": "util", "version": "2.0.0", "licenses": [ { "license": { "name": "Example, Inc. Commercial License", "text": { "contentType": "text/plain", "encoding": "base64", "content": "VGhlIHRleHQgZm9yIHRoZSBFeGFtcGxlLCBJbmMuIENvbW1lcmNpYWwgTGljZW5zZSBnb2VzIGhlcmU=" } } } ] } ] }
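The License Compliance slide shows the three ways CycloneDX 1.4 declares a license: an SPDX id with embedded text, an SPDX expression ("EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"), and a free-text name for a commercial license. The script below is an added example (not code from the slides, from Labrador or from CycloneDX) that evaluates such declarations against an allow-list: it parses SPDX expressions with the standard precedence (WITH binds tighter than AND, which binds tighter than OR), treats an exception as widening what the base license permits, and routes free-text or malformed declarations to manual review instead of guessing. The BOM and the policy are constructed for the example.

```python
"""Evaluate the licences declared in a CycloneDX 1.4 BOM against an allow-list.

Added example; not code from the slides, from Labrador or from CycloneDX. The
BOM and the policy below are constructed for this example.
"""
import re

SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [
    {"name": "tomcat-catalina", "version": "9.0.14", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "card-verifier", "version": "1.0.2",
     "licenses": [{"expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"}]},
    {"name": "util", "version": "2.0.0", "licenses": [{"license": {"name": "Example, Inc. Commercial License"}}]},
    # Constructed: a copyleft-only component that the policy below does not allow.
    {"name": "gpl-tool", "version": "3.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
]}

# Constructed policy; SPDX ids match case-insensitively, so everything is lower-cased.
# "exceptions" lists licence + exception pairs acceptable although the bare licence is not.
POLICY = {"licenses": {"apache-2.0", "mit", "bsd-3-clause"},
          "exceptions": {("gpl-2.0", "classpath-exception-2.0")}}

_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+\-]+")   # ids, operators, parentheses


class _Parser:
    """or_expr := and_expr (OR and_expr)*   and_expr := primary (AND primary)*
    primary := '(' or_expr ')' | ID [WITH ID]"""

    def __init__(self, expr):
        self.toks, self.i = _TOKEN.findall(expr), 0

    def peek(self):
        return self.toks[self.i].upper() if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.primary()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.primary())
        return node

    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok == ")" or tok.upper() in ("AND", "OR", "WITH"):
            raise ValueError("expected a licence id, got %r" % tok)
        if self.peek() == "WITH":
            self.take()
            exc = self.take()
            if exc is None or exc in ("(", ")") or exc.upper() in ("AND", "OR", "WITH"):
                raise ValueError("WITH needs an exception id")
            return ("WITH", tok, exc)
        return ("LIC", tok)


def parse_expression(expr):
    parser = _Parser(expr)
    node = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError("unexpected token %r" % parser.take())
    return node


def allowed(node, policy):
    kind = node[0]
    if kind == "LIC":
        return node[1].lower() in policy["licenses"]
    if kind == "WITH":   # an exception only widens what the licence permits
        lic, exc = node[1].lower(), node[2].lower()
        return lic in policy["licenses"] or (lic, exc) in policy["exceptions"]
    left, right = allowed(node[1], policy), allowed(node[2], policy)
    return (left and right) if kind == "AND" else (left or right)


def evaluate_component(comp, policy):
    """ALLOW, DENY or REVIEW. Several entries on one component are read
    conjunctively (all must be acceptable), the conservative interpretation."""
    entries = comp.get("licenses") or []
    for entry in entries:
        try:
            if "expression" in entry:
                node = parse_expression(entry["expression"])
            elif entry.get("license", {}).get("id"):
                node = ("LIC", entry["license"]["id"])
            else:
                return "REVIEW"          # free-text name, e.g. a commercial licence
        except ValueError:
            return "REVIEW"              # malformed expression
        if not allowed(node, policy):
            return "DENY"
    return "ALLOW" if entries else "REVIEW"   # nothing declared: review it


def evaluate_bom(bom, policy=POLICY):
    return {"%s@%s" % (c["name"], c["version"]): evaluate_component(c, policy)
            for c in bom.get("components", [])}
```

On the slide's own data this yields ALLOW for tomcat-catalina, ALLOW for card-verifier (the OR is satisfied by the GPL-2.0 plus Classpath exception pair even though EPL-2.0 is not on the list), and REVIEW for the commercially licensed util; a component with no license entry at all is also sent to review rather than silently allowed.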
  • 42. 42 Application & Data Governance CycloneDX Examples : Dependency Graph
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "acme-app",
      "type": "application",
      "name": "Acme Application",
      "version": "9.1.1"
    }
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.acme/web-framework@1.0.0",
      "type": "library",
      "group": "org.acme",
      "name": "web-framework",
      "version": "1.0.0",
      "purl": "pkg:maven/org.acme/web-framework@1.0.0"
    },
    {
      "bom-ref": "pkg:maven/org.acme/persistence@3.1.0",
      "type": "library",
      "group": "org.acme",
      "name": "persistence",
      "version": "3.1.0",
      "purl": "pkg:maven/org.acme/persistence@3.1.0"
    },
    {
      "bom-ref": "pkg:maven/org.acme/common-util@3.0.0",
      "type": "library",
      "group": "org.acme",
      "name": "common-util",
      "version": "3.0.0",
      "purl": "pkg:maven/org.acme/common-util@3.0.0"
    }
  ],
  "dependencies": [
    {
      "ref": "acme-app",
      "dependsOn": [
        "pkg:maven/org.acme/web-framework@1.0.0",
        "pkg:maven/org.acme/persistence@3.1.0"
      ]
    },
    {
      "ref": "pkg:maven/org.acme/web-framework@1.0.0",
      "dependsOn": [ "pkg:maven/org.acme/common-util@3.0.0" ]
    },
    {
      "ref": "pkg:maven/org.acme/persistence@3.1.0",
      "dependsOn": [ "pkg:maven/org.acme/common-util@3.0.0" ]
    },
    {
      "ref": "pkg:maven/org.acme/common-util@3.0.0",
      "dependsOn": []
    }
  ]
}
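The Dependency Graph slide is the part of a BOM that turns a list of components into an answer to "why is this library in my build?": each entry names a bom-ref and what it depends on, rooted at the metadata component. The script below is an added example (not code from the slides, from Labrador or from CycloneDX) that walks that graph: it computes the transitive closure from the root, enumerates every path by which a given component (the common-util shared by both direct dependencies on the slide) is pulled in, and checks the graph against the component list for dangling and unreachable references, which are the usual signs that an SBOM was not generated from the build it claims to describe. The BOM is the slide's, written out as a Python dict.

```python
"""Walk the "dependencies" graph of a CycloneDX 1.4 BOM.

Added example; not code from the slides, from Labrador or from CycloneDX. The
BOM is the one on the Dependency Graph slide, as a Python dict; the checks
answer the questions a vulnerable transitive dependency raises: what is pulled
in, through which direct dependencies, and does the graph match the component
list at all.
"""
from collections import deque

WEB = "pkg:maven/org.acme/web-framework@1.0.0"
PERSIST = "pkg:maven/org.acme/persistence@3.1.0"
UTIL = "pkg:maven/org.acme/common-util@3.0.0"

SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"bom-ref": "acme-app", "type": "application",
                               "name": "Acme Application", "version": "9.1.1"}},
    "components": [
        {"bom-ref": WEB, "type": "library", "name": "web-framework", "version": "1.0.0"},
        {"bom-ref": PERSIST, "type": "library", "name": "persistence", "version": "3.1.0"},
        {"bom-ref": UTIL, "type": "library", "name": "common-util", "version": "3.0.0"},
    ],
    "dependencies": [
        {"ref": "acme-app", "dependsOn": [WEB, PERSIST]},
        {"ref": WEB, "dependsOn": [UTIL]},
        {"ref": PERSIST, "dependsOn": [UTIL]},
        {"ref": UTIL, "dependsOn": []},
    ],
}


def build_graph(bom):
    """(root bom-ref, adjacency dict) from the dependencies array."""
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root, graph


def transitive_dependencies(graph, start):
    """Every ref reachable from start, in breadth-first order (start excluded).
    The seen-set makes this safe on cyclic graphs."""
    seen, order, queue = {start}, [], deque([start])
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                order.append(dep)
                queue.append(dep)
    return order


def paths_to(graph, start, target):
    """All simple paths start -> target. For a vulnerable component this is the
    'why is it here' answer: the second element of each path is the direct
    dependency that pulls it in and would have to be upgraded or replaced."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:          # do not loop on cycles
                walk(dep, path + [dep])

    walk(start, [start])
    return paths


def consistency_issues(bom):
    """Dangling refs (depended on but never declared) and declared components
    unreachable from the root: both mean the BOM does not describe the build."""
    root, graph = build_graph(bom)
    declared = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c} | {root}
    referenced = set(graph) | {dep for deps in graph.values() for dep in deps}
    reachable = set(transitive_dependencies(graph, root)) | {root}
    return {"dangling": sorted(referenced - declared),
            "unreachable": sorted(declared - reachable)}


if __name__ == "__main__":
    root, graph = build_graph(SAMPLE_BOM)
    print("transitive:", transitive_dependencies(graph, root))
    for path in paths_to(graph, root, UTIL):
        print("path:", " -> ".join(path))
    print("issues:", consistency_issues(SAMPLE_BOM))
```

For the slide's graph, common-util is reached by two paths (through web-framework and through persistence), so fixing a vulnerability in it by upgrading only one direct dependency would leave the other path in place; that is the practical reason the dependency graph, not just the component list, belongs in the SBOM.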
  • 43. Thank you !!! GTONE Co., Ltd. 501, Building 2, Ace High-Tech City, 55-20 Mullae-dong 3-ga, Yeongdeungpo-gu, Seoul TEL (02) 2167-3456 (main) FAX (02) 2167-3470 http://www.gtone.co.kr

Editor's Notes

  • #8: SPDX: open standard for communicating software bill of material information, including components, licenses, copyrights, and security references (ISO/IEC 5962:2021). CycloneDX: lightweight Software Bill of Materials (SBOM) standard from OWASP, designed for use in application security contexts and supply chain component analysis.