Various technical components are put together to design D-SBOM solution. The components are the building blocks of the D-SBOM. It is designed to manage the complexity in smaller manageable components. The D-SBOM architecture follows the Service Oriented Architecture (SOA). A SBOM function in the architecture is performed by bunch of components talking to each other. The implementation of D-SBOM architecture will be executed on Component Based Development (CBD).
The D-SBOM plugin is designed to integrate with DevOps pipeline. The aim of the plugin to facilitates a secure functionality of generation, storage, and registration of a SBOM. A software will be built for each commit to the source code repository. After the build stage, the D-SBOM plugin will add stages to generate, store and register SBOM for the software. The number of stages will be configured by the customer. All 3 operations could be performed in manual or fully automated one or multiple stages in the pipeline.
A private permissioned IPFS cluster will be implemented for the D-SBOM. The cluster will consist of multiple IPFS peers. asvin will deploy and maintain peers in the cluster. Once the cluster is stable, asvin will allow its customers to contribute to the cluster with their own nodes hosted in their environment. The IPFS cluster services will be exposed using REST API endpoints which are ubiquitous. The IPFS backend server will be written in Node.js. It will not have any GUI. It will provide APIs to upload and download SBOM from the IPFS cluster. The communication between IPFS backend and IPFS cluster will also happen over HTTPs.
The Blockchain Server will provide distributed ledger. All critical information in th D-SBOM will be stored on distributed ledger. The Blockchain Server enables to make unbroken chain of trust, software provenance, transparency and integrity. It will be written in Node.js express framework without graphical interface.
The D-SBOM Portal provides an intuitive graphical user interface to manage SBOM life cycle and monitor the libraries included in SBOMs for known vulnerabilities recorded in CVE database. Additionally, the portal will facilitate user management, support, and subscription plan management to the customers. The Besu will not be accessible outside the localhost for HTTP endpoints. Only port 30303 will be opened to sync with other nodes in the network.
The Authorization Server brings API security in the D-SBOM architecture. All servers in the D-SBOM will expose its services using REST APIs. Therefore, API security is important. The Authorization server will be written in Node.js Express framework. On top of that, HMAC encryption will be integrated to provide extra layer of security.