DruBOM: An SBOM for Drupal

Introduction

Securing the software supply chain is a hot topic for organizations globally. The recent SolarWinds hack demonstrated that even the most security-conscious organizations can be vulnerable, and as a result, government agencies and security experts worldwide agreed on the need for standards and best practices to achieve a more secure software ecosystem.

One fundamental element is the ability to identify all components of a software project, including dependencies, and their versions. This is called a Software Bill of Materials (SBOM). With this information, organizations can track the components and their versions, and be able to identify and mitigate vulnerabilities.
There are several initiatives to create standard formats for SBOMs, including CycloneDX, SPDX, and others.

We are working on a Drupal-specific SBOM called DruBOM. In this post, we will explain what DruBOM is, how it works, and how you can use it.

What is DruBOM?

First of all, this is a Drupal module, it needs to be downloaded and installed using Composer, and requires Drupal 9.3 and above or Drupal 10.3 and above.

To generate the SBOM it integrates Anchore Syft, so this needs to be installed on the server. Syft is a CLI tool written in Go that analyzes the contents of a container image or directory on the file system and generates an SBOM in various formats, including CycloneDX and SPDX.

If these requirements are met, DruBOM will generate an SBOM for the Drupal project, including the Drupal core, modules, themes and libraries, as well as PHP and JavaScript dependencies. The default format is CycloneDX, but it can be configured to use other formats supported by Syft.

How does DruBOM work?

The initial version of the module is very simple. It detects the Syft binary and calls it passing the Drupal root directory and the output format as parameters, then saves the output to the key-value store with the drubom.sbom key and the current timestamp.

You can then download the SBOM, or better yet, use it with automated tools to detect vulnerabilities and/or licensing issues.

How to use DruBOM?

The first step is to add the DruBOM module to your Drupal project.
Run composer require sparkfabrik/drubom and then enable the module with drush or via the Drupal administration interface.

After installing and enabling the module, navigate to Administration » Configuration » System » DruBOM settings and specify the path of the Syft binary. The binary must be executable by the PHP process.

Note: the PHP configuration must allow the use of proc_open(), which is equivalent to exec() in terms of security.

Once the configuration is saved, generate the SBOM by clicking the Generate SBOM button on the settings page or by visiting the /drubom/generate path with a user who has the necessary permissions. The generated list will be saved on the Drupal DB and can be downloaded by clicking the Download SBOM button.

Image: Screenshot of a DruBOM administration page

You can also use the drush drubom:generate command to generate the SBOM from the command line. To download it, use the drush drubom:download command.

What’s next?

The scope of the module is very specific, so we don’t expect it to grow much in terms of features. During the Drupal Contribution Weekend 2024 we improved the documentation and the administration interface, added an integration with the System Status page in Drupal administration, and started integrating with Grype to also detect vulnerabilities, which is a step forward in terms of security.

We consider this module to be fully stable and ready for production use, so we encourage you to try it out and give us feedback. If you find any problems, please report them to the issue queue.