From Friday, January 17th 11 PM CDT (January 18th 5 AM UTC) through Saturday, January 18th 11:30 AM CDT (January 18th 5:30 PM UTC), ni.com will undergo system upgrades that may result in temporary service interruption.

We appreciate your patience as we improve our online experience.

Home Community User Groups Special Interest Groups Test System Security Forum Topic

Test System Security

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

LabVIEW CycloneDX SBOM Toolkit

LabVIEW CycloneDX SBOM Toolkit

‎08-07-2024 04:58 AM

I have been working on a tool internally to comply with cybersecurity requirements to produce an SBOM (Software Bill of Materials) for our LabVIEW-based applications and source code. I've recently received approval from my employer to share this with the wider LabVIEW community (to further LabVIEW's standing in cybersecurity) so I have put a very early/initial version over on my personal GitHub site (and as a VIP for install):

 

https://github.com/samsharp99/labview-cyclonedx-sbom

 

The purpose of this toolkit is to generate SBOMs for LabVIEW source code / projects / applications using the CycloneDX JSON standard.

 

The production of an SBOM is a requirement when adhering to Cybersecurity standards/regulations (e.g. NIST SSDF) for secure software development and provides a mechanism by which vulnerabilities in third-party components can be detected and continuously monitored. The inclusion of license information of third-party components also helps to meet company license compliance (e.g. avoiding use of restrictive licenses).

 

It supports adding SBOM metadata (describing your software application) and adding components from VI Packages, NIPKGs and Installer Build Specification 'additional installers' as well as custom components.

 

  • VIP - add VI Packages from a VIPC file or scanning LabVIEW project (using the VIPM API)
  • Add NIPKGs from a list/array of NIPKG information (there is currently no way to scan for NIPKG dependencies)
  • Add 'Additional Installers' from an Installer Build Specification
  • Manually add custom components (e.g. third party installers, .NET assemblies, DLLs etc.)
  • Export as JSON

This is in 'pre-release' stage, so I have not yet published it to VIPM.io, but I would appreciate any input/feedback from the community to help guide and drive its development.

 

Sam_Sharp_0-1723024659842.png

Sam_Sharp_1-1723024683274.png

 

 

 

LabVIEW Champion, CLA, CLED, CTD
(blog)
Message 1 of 7
(456 Views)
Reply

Re: LabVIEW CycloneDX SBOM Toolkit

‎08-07-2024 05:04 AM

Awesome! 😍

0 Kudos
Message 2 of 7
(455 Views)
Reply

Re: LabVIEW CycloneDX SBOM Toolkit

‎08-08-2024 09:21 AM

This is fantastic. I did have to replace some of the open G functions with the latest versions in order to get it to work on my machine. After that changeover, it works perfectly. It also looks like the Open G Zip functions are working for me on 64 bit now in LabVIEW 2021 so I was able to remove the conditional disable stucture there and speed it up some.

 

Just one idea, from the LabVIEW project, you can go to the view menu and select ".NET assemblies in memory" and it loads a list of the .NET functions used by the project. Is there a way to pull those automatically? I'd be nice to be able to just include those assemblies automatically. Assuming LabVIEW can do it easily, I would assume a developer could as well. I just couldn't seem to find a way. If it is possible, I'd be happy to help with integration and testing of this feature as well.

0 Kudos
Message 3 of 7
(438 Views)
Reply

Re: LabVIEW CycloneDX SBOM Toolkit

‎08-08-2024 09:29 AM

Actually it looks like I posted this just a couple of minutes too soon. It looks like you can pull that automatically with some functions in Program Files\National Instruments\LabVIEW X\vi.lib\DotNET\AssemblyVisualizationTool

0 Kudos
Message 4 of 7
(436 Views)
Reply

Re: LabVIEW CycloneDX SBOM Toolkit

‎08-08-2024 01:11 PM

Oh that's great! I'll try and have a look at this as it would be useful/helpful for our use cases as well!
LabVIEW Champion, CLA, CLED, CTD
(blog)
0 Kudos
Message 5 of 7
(433 Views)
Reply

Re: LabVIEW CycloneDX SBOM Toolkit

‎08-08-2024 02:19 PM

Played with the functions and they do work well for getting all of the .net functions in a specific project. Also, not sure if something like this would be helpful, but you could also do something like this that will find all DLLs in a project and include them as well. I'm curious if there is also a way to pull versions of these DLLs too but haven't had enough time to play around with it.

Message 6 of 7
(431 Views)
Reply

Re: LabVIEW CycloneDX SBOM Toolkit

‎08-09-2024 04:26 AM

Almost certainly yes - you can use the 'fileversioninfo' VI(s) to pull the version information from a DLL (providing it's been set by the author). Good shout!

LabVIEW Champion, CLA, CLED, CTD
(blog)
0 Kudos
Message 7 of 7
(428 Views)
Reply