
jbom

jbom generates Runtime and Static SBOMs for local and remote Java apps

Every project should create a Software Bill of Materials (SBOM) and make it available, so that people know what ingredients are inside. You've got a few options for generating SBOMs:

  • GOOD -- Static SBOM (source) - This works fine, but you'll miss runtime libraries from appservers and runtime platforms. You'll also include libraries that don't matter like test frameworks. You'll also have no idea which libraries are actually active in the running application.

  • BETTER -- Static SBOM (binary) - You'll still miss parts, because code can be located in a variety of different places. And you'll also probably include libraries that don't matter but happen to be on the filesystem.

  • BEST -- Runtime SBOM - This is what 'jbom' is all about. Runtime SBOM is the most accurate approach as it captures the exact libraries used by the application, even if they are in the platform, appserver, plugins, or anywhere else. This approach can also include details of services invoked and which libraries are active.

jbom advantages:

  • very fast, complete, and accurate
  • produces standard CycloneDX SBOM in JSON format
  • works on both running apps/APIs and binaries
  • finds all libraries, including platform, appserver, plug-in, and dynamic sources
  • doesn't report test or other libraries not present at runtime
  • handles nested jar, war, ear, and zip files (including Spring)
  • handles jars using common shaded and relocation techniques
  • no source code required
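Because jbom emits standard CycloneDX JSON, the gap between a static and a runtime SBOM described above can be measured rather than guessed at. The following is an added example, not jbom's own code: the two SBOMs are constructed samples in CycloneDX 1.4 layout, and the script reports which libraries only the runtime view saw (appserver and platform jars) and which only the static view saw (test frameworks that never load).

```python
import json

# Two constructed CycloneDX 1.4 documents (sample data, not real jbom output):
# STATIC was built from the source tree, RUNTIME from the running JVM.
STATIC_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
        {"type": "library", "group": "org.junit.jupiter",
         "name": "junit-jupiter", "version": "5.8.2",
         "purl": "pkg:maven/org.junit.jupiter/junit-jupiter@5.8.2"},
    ]})
RUNTIME_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
        {"type": "library", "group": "org.apache.tomcat.embed",
         "name": "tomcat-embed-core", "version": "9.0.56",
         "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.56"},
    ]})

def component_key(c):
    """Identify a component by purl, falling back to group:name:version."""
    return c.get("purl") or f"{c.get('group', '')}:{c['name']}:{c.get('version', '')}"

def load_components(sbom_json):
    """Parse a CycloneDX JSON document into {key: component}."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {component_key(c): c for c in doc.get("components", [])}

def diff_sboms(static_json, runtime_json):
    """Report what only the runtime view saw (appserver/platform jars),
    what only the static view saw (e.g. test frameworks), and the overlap."""
    static, runtime = load_components(static_json), load_components(runtime_json)
    return {
        "runtime_only": sorted(runtime.keys() - static.keys()),
        "static_only": sorted(static.keys() - runtime.keys()),
        "common": sorted(static.keys() & runtime.keys()),
    }

if __name__ == "__main__":
    for bucket, keys in diff_sboms(STATIC_SBOM, RUNTIME_SBOM).items():
        print(bucket, *keys, sep="\n  ")
```

Feed it the file jbom writes and a static scanner's CycloneDX output to see the same split on a real application.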

Discussion and jbom Demo on YouTube


Why should you use RUNTIME security tools

Instrumentation has been around for decades and is widely used in performance tools, debuggers and profilers, and application frameworks. Many security tools scan from the 'outside-in' and so lack the full context of the running application, which leads to false positives, false negatives, and long scan times.

Instrumentation lets us do security analysis from within the running application, by watching the code run. Directly measuring security from within the running code has speed, coverage, and accuracy benefits. Using instrumentation to analyze for vulnerabilities is often called IAST (Interactive Application Security Testing). Using instrumentation to identify attacks and prevent exploitation is often called RASP (Runtime Application Self-Protection).

Remember, you may be getting false results from other approaches. Scanning file systems, code repos, or containers could easily fail to detect libraries accurately.

  • library could be buried in a fat jar, war, or ear
  • library could be shaded in another jar
  • library could be included in the appserver, not the code repo
  • library could be part of dynamically loaded code or plugin
  • a library could be present in many different versions, loaded by different classloaders, within a single app
  • library could be masked by use of slf4j or other layers
  • library could be renamed, recompiled, or otherwise changed
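To make the first of these failure modes concrete, here is an added example (not jbom's own code): it constructs a Spring Boot style fat jar in memory with a library jar nested under BOOT-INF/lib/, then walks nested archives recursively and identifies each library from its Maven pom.properties. A flat listing of the outer archive never shows the nested library; only descending into it does. The archive contents and coordinates (org.example:crypto-utils) are constructed sample data.

```python
import io
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def build_fat_jar():
    """Construct a sample app jar (not a real artefact) bundling a library under BOOT-INF/lib/."""
    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w") as z:
        z.writestr("META-INF/maven/org.example/crypto-utils/pom.properties",
                   "#Generated by Maven\nversion=1.4.2\ngroupId=org.example\n"
                   "artifactId=crypto-utils\n")
        z.writestr("org/example/crypto/Cipher.class", b"\xca\xfe\xba\xbe")
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as z:
        z.writestr("BOOT-INF/classes/com/acme/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("BOOT-INF/lib/crypto-utils-1.4.2.jar", lib.getvalue())
    return app.getvalue()

def parse_pom_properties(text):
    """Turn Maven pom.properties content into a package URL (purl)."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return f"pkg:maven/{props['groupId']}/{props['artifactId']}@{props['version']}"

def find_libraries(archive_bytes, path, depth=0, max_depth=8):
    """Recursively walk nested archives; return {location: purl} for every pom.properties found."""
    found = {}
    if depth > max_depth:  # bound recursion: nested archives can be hostile
        return found
    try:
        z = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:  # an entry named *.jar that is not an archive
        return found
    with z:
        for name in z.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                found[f"{path}!{name}"] = parse_pom_properties(z.read(name).decode())
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                found.update(find_libraries(z.read(name), f"{path}!{name}", depth + 1, max_depth))
    return found

if __name__ == "__main__":
    for where, purl in find_libraries(build_fat_jar(), "app.jar").items():
        print(purl, "<-", where)
```

Shaded or relocated jars often keep their pom.properties too, which is why this lookup still works on them, but a renamed or recompiled library without that metadata is exactly the case where only a runtime view can tell you what is loaded.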

Examples

Download the latest release.

Generate an SBOM for all Java processes running locally

java -jar jbom-1.2.jar

Generate an SBOM for all Java processes on a remote host

java -jar jbom-1.2.jar -h 192.168.1.42

Generate an SBOM for a local archive file (.jar, .war, .ear, .zip)

java -jar jbom-1.2.jar -f mywebapp.jar

Generate an SBOM for all archive files in a directory

java -jar jbom-1.2.jar -d mywebapp

Generate an SBOM for all archive files in a remote directory

java -jar jbom-1.2.jar -h 192.168.1.42 -d /var/tomcat/webapps

Usage

Usage: java -jar sbom-1.2.jar [-D] [-d=<dir>] [-f=<file>] [-h=<host>] [-o=<outputDir>]
                    [-p=<pid>] [-P=<pass>] [-r=<remoteDir>] [-t=<tag>]
                    [-U=<user>] [-x=<exclude>]
  -d, --dir=<dir>              Directory to be scanned
  -D, --debug                  Enable debug output
  -f, --file=<file>            File to be scanned
  -h, --host=<host>            Hostname or IP address to connect to
  -o, --outputDir=<outputDir>  Output directory
  -p, --pid=<pid>              Java process pid to attach to or 'all'
  -P, --password=<pass>        Password for user
  -r, --remote=<remoteDir>     Remote directory to use (default: /tmp/jbom)
  -t, --tag=<tag>              Tag to use in output filenames
  -U, --user=<user>            Username of user to connect as
  -x, --exclude=<exclude>      Java process pid to exclude

Building and Contributing

We welcome pull requests and issues. Thanks!

git clone 
mvn clean install
java -jar target/jbom-1.2.jar

License

This software is licensed under the Apache 2 license

Copyright 2021 Contrast Security - https://contrastsecurity.com

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this project except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
