Test System Security

cancel
Showing results for 
Search instead for 
Did you mean: 

LabVIEW CycloneDX SBOM Toolkit

I have been working on a tool internally to comply with cybersecurity requirements to produce an SBOM (Software Bill of Materials) for our LabVIEW-based applications and source code. I've recently received approval from my employer to share this with the wider LabVIEW community (to further LabVIEW's standing in cybersecurity) so I have put a very early/initial version over on my personal GitHub site (and as a VIP for install):

 

https://github.com/samsharp99/labview-cyclonedx-sbom

 

The purpose of this toolkit is to generate SBOMs for LabVIEW source code / projects / applications using the CycloneDX JSON standard.

 

The production of an SBOM is a requirement when adhering to Cybersecurity standards/regulations (e.g. NIST SSDF) for secure software development and provides a mechanism by which vulnerabilities in third-party components can be detected and continuously monitored. The inclusion of license information of third-party components also helps to meet company license compliance (e.g. avoiding use of restrictive licenses).

 

It supports adding SBOM metadata (describing your software application) and adding components from VI Packages, NIPKGs and Installer Build Specification 'additional installers' as well as custom components.

 

  • VIP - add VI Packages from a VIPC file or scanning LabVIEW project (using the VIPM API)
  • Add NIPKGs from a list/array of NIPKG information (there is currently no way to scan for NIPKG dependencies)
  • Add 'Additional Installers' from an Installer Build Specification
  • Manually add custom components (e.g. third party installers, .NET assemblies, DLLs etc.)
  • Export as JSON

This is in 'pre-release' stage, so I have not yet published it to VIPM.io, but I would appreciate any input/feedback from the community to help guide and drive its development.

 

Sam_Sharp_0-1723024659842.png

Sam_Sharp_1-1723024683274.png

 

 

 


LabVIEW Champion, CLA, CLED, CTD
(blog)
Message 1 of 7
(241 Views)

Awesome! 😍

0 Kudos
Message 2 of 7
(240 Views)

This is fantastic. I did have to replace some of the open G functions with the latest versions in order to get it to work on my machine. After that changeover, it works perfectly. It also looks like the Open G Zip functions are working for me on 64 bit now in LabVIEW 2021 so I was able to remove the conditional disable stucture there and speed it up some.

 

Just one idea, from the LabVIEW project, you can go to the view menu and select ".NET assemblies in memory" and it loads a list of the .NET functions used by the project. Is there a way to pull those automatically? I'd be nice to be able to just include those assemblies automatically. Assuming LabVIEW can do it easily, I would assume a developer could as well. I just couldn't seem to find a way. If it is possible, I'd be happy to help with integration and testing of this feature as well.

0 Kudos
Message 3 of 7
(223 Views)

Actually it looks like I posted this just a couple of minutes too soon. It looks like you can pull that automatically with some functions in Program Files\National Instruments\LabVIEW X\vi.lib\DotNET\AssemblyVisualizationTool

0 Kudos
Message 4 of 7
(221 Views)
Oh that's great! I'll try and have a look at this as it would be useful/helpful for our use cases as well!

LabVIEW Champion, CLA, CLED, CTD
(blog)
0 Kudos
Message 5 of 7
(218 Views)

Played with the functions and they do work well for getting all of the .net functions in a specific project. Also, not sure if something like this would be helpful, but you could also do something like this that will find all DLLs in a project and include them as well. I'm curious if there is also a way to pull versions of these DLLs too but haven't had enough time to play around with it.

Message 6 of 7
(216 Views)
Almost certainly yes - you can use the 'fileversioninfo' VI(s) to pull the version information from a DLL (providing it's been set by the author). Good shout!


LabVIEW Champion, CLA, CLED, CTD
(blog)
0 Kudos
Message 7 of 7
(213 Views)