
Getting Started

Prerequisites

Before installing the SBOM-GAP (Generation and Analysis Platform) tool, ensure you have the following prerequisites installed on your machine:

  • Node.js: Version 16.16.0 or newer. SBOM-GAP relies on Node.js to run. You can check your current Node version by running node --version in your terminal.

  • npm (Node Package Manager): Version 8.7.0 or newer, which usually comes with Node.js. Verify your npm version with npm --version.

  • Docker: Docker is required for running certain services that SBOM-GAP depends on.

  • Docker Compose: Docker Compose is used for managing multi-container Docker applications.

Installation Guide

Clone the SBOM-GAP Repository:

Clone the official repository to get started with SBOM-GAP.

git clone https://github.com/nqminds/SBOM-GAP.git

Download the vulnerability-reports folder and place it in the SBOM-GAP module:

  • The vulnerability-reports directory can be downloaded from here. It also contains all the NVD (National Vulnerability Database) CPE/CWE data. (recommended)

Download the cpe2.3 database:

  • Cpe2.3 database link
  • Unzip it and add it to data/

Ensure Node.js and npm are Installed:

Verify the installation and versions of Node.js and npm.

node --version
v16.16.0
npm --version
8.11.0
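As an added example (my own script, not part of the SBOM-GAP project), the following POSIX shell script automates the version checks above for Node.js and npm and confirms that Docker and Docker Compose are on the PATH. The minimum versions are the ones stated in the Prerequisites section; comparing them numerically matters because a plain string comparison would wrongly reject npm 8.11.0 against a minimum of 8.7.0.

```shell
#!/bin/sh
# Added example, not part of the SBOM-GAP project: verify that the tools the
# Prerequisites section asks for are present and new enough.
# Minimum versions are the ones stated in this guide.
NODE_MIN="16.16.0"
NPM_MIN="8.7.0"

# version_ge A B: exit 0 if dotted version A is at least B.
# Compares major, minor and patch as numbers, so 8.11.0 >= 8.7.0 holds
# (a plain string comparison would reject it). A leading "v", as printed by
# `node --version`, and any "-suffix" are ignored.
version_ge() {
    a="${1#v}"; a="${a%%-*}"
    b="${2#v}"; b="${b%%-*}"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x="${x:-0}"
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0   # all three components are equal
}

# check_tool NAME MIN: print one status line and exit 0 only if NAME is on
# the PATH and `NAME --version` reports at least MIN.
check_tool() {
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "MISSING  $1 (need >= $2)"
        return 1
    fi
    have=$("$1" --version 2>/dev/null | head -n1)
    if version_ge "$have" "$2"; then
        echo "OK       $1 $have (need >= $2)"
    else
        echo "TOO OLD  $1 $have (need >= $2)"
        return 1
    fi
}

# check_prereqs: run every check; exit 0 only if all of them pass.
# The guide states no minimum version for Docker or Compose, so only their
# presence is tested; Compose may be the plugin or the standalone binary.
check_prereqs() {
    rc=0
    check_tool node "$NODE_MIN" || rc=1
    check_tool npm "$NPM_MIN" || rc=1
    if command -v docker >/dev/null 2>&1; then
        echo "OK       docker"
    else
        echo "MISSING  docker"; rc=1
    fi
    if docker compose version >/dev/null 2>&1 || command -v docker-compose >/dev/null 2>&1; then
        echo "OK       docker compose"
    else
        echo "MISSING  docker compose"; rc=1
    fi
    return $rc
}

check_prereqs || echo "Fix the items marked MISSING or TOO OLD before running npm install."
```

Run it from any directory before cloning; a non-zero exit status from check_prereqs means at least one prerequisite is absent or too old.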

Install Docker and Docker Compose:

Make sure Docker and Docker Compose are installed and correctly set up on your machine. Instructions can be found on their respective websites.

Add Current User to Docker Group:

This step allows you to run Docker commands without sudo. Note that membership in the docker group is equivalent to root access on the host, so grant it only to accounts you would also trust with sudo, and log out and back in for the group change to take effect.

sudo usermod -aG docker $USER

Make Docker Compose Executable:

If you installed Docker Compose as a standalone binary, make sure it is executable.

sudo chmod +x /usr/local/bin/docker-compose

Install SBOM-GAP Dependencies:

Navigate to the SBOM-GAP directory and install all required dependencies.

cd SBOM-GAP
npm install

If, after running npm install, you do not see a list of Docker containers like the following when running docker ps -a:

vboxuser@testbinwaLlk:~$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5a2541bb6992 sbom-gap-nqmvul "python ./ccscanner/.." 2 days ago Exited (2) 2 days ago sbom-gap-nqmvul-1
717bb93ecc87 ionutngm/depscanner:latest "python ./ccscanner/.." 2 days ago Exited (1) 2 days ago sbom-gap-ccscanner-1
6bb149d9d68e anchore/grype "/grype" 2 days ago Exited (1) 2 days ago sbom-gap-grype-1
4442271050da anchore/syft "/syft" 2 days ago Exited (1) 2 days ago sbom-gap-syft-1
4d9869d9be3a ionutngm/binwalk_v4:latest "binwalk" 2 days ago Exited (1) 2 days ago sbom-gap-binwalk-1

This could indicate that the Docker Compose version on your system differs from the expected version, or that the container images haven't been downloaded. To resolve this, you can try the following:

  1. Check Docker and Docker Compose Installation: Ensure Docker and Docker Compose are installed and functioning correctly. Run docker --version and docker-compose --version or docker compose version to verify their versions.

  2. Run Docker Compose with Root Permissions: If you suspect permission issues, you can run the following command to ensure all containers are started:

sudo docker compose up -d

or

sudo docker-compose up -d
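As an added example (my own script, not part of the SBOM-GAP project), the following POSIX shell script turns the troubleshooting step above into a check: it reads `docker ps -a` output and reports which of the five containers from the listing are missing. The container names are taken from that listing; the sample listing embedded in the script is constructed from it with the grype row removed so the check can be exercised without a Docker daemon. Note that the guide's listing shows all five as "Exited", so the check tests for the containers' existence, not for a running state.

```shell
#!/bin/sh
# Added example, not part of the SBOM-GAP project: check that every container
# the guide's `docker ps -a` listing shows was actually created by npm install.
# The names below are taken from that listing. The listing shows all of them as
# "Exited" (they are run on demand), so what matters is that they exist.
EXPECTED_CONTAINERS="sbom-gap-nqmvul-1 sbom-gap-ccscanner-1 sbom-gap-grype-1 sbom-gap-syft-1 sbom-gap-binwalk-1"

# missing_containers: read `docker ps -a` output on stdin and print each
# expected container name that is absent from the NAMES column (the last
# field of every row). Exit 0 if none is missing, 1 otherwise.
missing_containers() {
    names=$(awk 'NR > 1 { print $NF }')   # skip the header row
    rc=0
    for want in $EXPECTED_CONTAINERS; do
        if ! printf '%s\n' "$names" | grep -qx "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# check_live: run the check against the local Docker daemon.
check_live() {
    docker ps -a | missing_containers
}

# Constructed sample listing, based on the guide's own listing with the grype
# row removed, so the check can be tried without a Docker daemon.
SAMPLE_LISTING='CONTAINER ID   IMAGE                          COMMAND                  CREATED      STATUS                  PORTS   NAMES
5a2541bb6992   sbom-gap-nqmvul                "python ./ccscanner/..." 2 days ago   Exited (2) 2 days ago           sbom-gap-nqmvul-1
717bb93ecc87   ionutngm/depscanner:latest     "python ./ccscanner/..." 2 days ago   Exited (1) 2 days ago           sbom-gap-ccscanner-1
4442271050da   anchore/syft                   "/syft"                  2 days ago   Exited (1) 2 days ago           sbom-gap-syft-1
4d9869d9be3a   ionutngm/binwalk_v4:latest     "binwalk"                2 days ago   Exited (1) 2 days ago           sbom-gap-binwalk-1'

echo "Containers missing from the sample listing:"
printf '%s\n' "$SAMPLE_LISTING" | missing_containers \
    || echo "-> run 'sudo docker compose up -d' (or 'sudo docker-compose up -d') and re-check with check_live."
```

On a real installation, call check_live instead of feeding it the sample; an empty result with exit status 0 means npm install created all five containers.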

Link the nqmvul Command:

Make the nqmvul tool globally accessible by creating a symlink.

npm link

Configure Git Advisory Database Path:

If you're using GHSA vulnerability codes, download the Git Advisory Database and update the config/config.json path accordingly.

{
  "gitAdvisoryDbPath": "/path/to/advisory-database/advisories"
}

Obtain and Configure NIST API Key:

For improved performance with NIST API requests, obtain an API key and add it to a .env file in the root directory.

NIST_API_KEY=your_NIST_api_key

Include OpenAI API Key:

For advanced classification of weaknesses, include your OpenAI API key in the .env file.

OPENAI_API_KEY=your_OpenAi_api_key
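As an added example (my own script, not part of the SBOM-GAP project), the following POSIX shell script checks the configuration from the last three steps before the tool is run: that the .env file holds both API keys with real values rather than the guide's placeholders, that it is readable only by its owner since it stores credentials, that it is git-ignored when the directory is a git repository, and that the gitAdvisoryDbPath in config/config.json points at an existing directory. The file names and JSON key are the ones used in this guide; the placeholder strings it rejects are the ones shown above.

```shell
#!/bin/sh
# Added example, not part of the SBOM-GAP project: sanity-check the secrets and
# paths configured in the steps above before running the tool.
#  - .env must exist, hold NIST_API_KEY and OPENAI_API_KEY with real values
#    (not the guide's placeholders) and be readable only by its owner.
#  - config/config.json's gitAdvisoryDbPath must be an existing directory
#    (only needed when GHSA identifiers are used).

# env_key_set FILE KEY PLACEHOLDER: succeed if KEY=value is present in FILE
# and the value is neither empty nor the placeholder from the guide.
env_key_set() {
    val=$(sed -n "s/^$2=//p" "$1" | head -n1)
    [ -n "$val" ] && [ "$val" != "$3" ]
}

# owner_only FILE: succeed if group and others have no permission bits.
# Parses ls(1) output so it works on both GNU and BSD userlands.
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_env_file FILE: return 0 only if every check on the .env file passes.
check_env_file() {
    f="$1"; rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    owner_only "$f" || { echo "insecure permissions on $f (run: chmod 600 $f)"; rc=1; }
    env_key_set "$f" NIST_API_KEY your_NIST_api_key \
        || { echo "NIST_API_KEY not set in $f"; rc=1; }
    env_key_set "$f" OPENAI_API_KEY your_OpenAi_api_key \
        || { echo "OPENAI_API_KEY not set in $f"; rc=1; }
    # Warning only: a credentials file inside a git checkout must be ignored.
    d=$(dirname "$f")
    if command -v git >/dev/null 2>&1 && git -C "$d" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        git -C "$d" check-ignore -q "$f" || echo "warning: $f is not git-ignored; never commit it"
    fi
    return $rc
}

# advisory_db_path CONFIG: print the gitAdvisoryDbPath value from config.json.
advisory_db_path() {
    sed -n 's/.*"gitAdvisoryDbPath"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n1
}

# check_advisory_db CONFIG: succeed if the configured path is an existing directory.
check_advisory_db() {
    p=$(advisory_db_path "$1")
    [ -n "$p" ] && [ -d "$p" ]
}

# Run from the SBOM-GAP root directory.
check_env_file .env || echo ".env needs attention (see messages above)"
check_advisory_db config/config.json \
    || echo "gitAdvisoryDbPath is unset or not a directory (only needed for GHSA lookups)"
```

A failing owner_only check is the one most often overlooked: the .env file is created by hand, so it inherits the default umask and is usually group- and world-readable until chmod 600 is applied.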