08-07-2024 04:58 AM
I have been working on a tool internally to comply with cybersecurity requirements to produce an SBOM (Software Bill of Materials) for our LabVIEW-based applications and source code. I've recently received approval from my employer to share this with the wider LabVIEW community (to further LabVIEW's standing in cybersecurity) so I have put a very early/initial version over on my personal GitHub site (and as a VIP for install):
https://github.com/samsharp99/labview-cyclonedx-sbom
The purpose of this toolkit is to generate SBOMs for LabVIEW source code / projects / applications using the CycloneDX JSON standard.
The production of an SBOM is a requirement when adhering to Cybersecurity standards/regulations (e.g. NIST SSDF) for secure software development and provides a mechanism by which vulnerabilities in third-party components can be detected and continuously monitored. The inclusion of license information of third-party components also helps to meet company license compliance (e.g. avoiding use of restrictive licenses).
It supports adding SBOM metadata (describing your software application) and adding components from VI Packages, NIPKGs and Installer Build Specification 'additional installers' as well as custom components.
This is in 'pre-release' stage, so I have not yet published it to VIPM.io, but I would appreciate any input/feedback from the community to help guide and drive its development.
08-07-2024 05:04 AM
Awesome! 😍
08-08-2024 09:21 AM
This is fantastic. I did have to replace some of the OpenG functions with the latest versions in order to get it to work on my machine. After that changeover, it works perfectly. It also looks like the OpenG Zip functions are working for me on 64-bit now in LabVIEW 2021, so I was able to remove the conditional disable structure there and speed it up some.
Just one idea: from the LabVIEW project, you can go to the View menu and select ".NET assemblies in memory" and it loads a list of the .NET functions used by the project. Is there a way to pull those automatically? It'd be nice to be able to just include those assemblies automatically. Assuming LabVIEW can do it easily, I would assume a developer could as well. I just couldn't seem to find a way. If it is possible, I'd be happy to help with integration and testing of this feature as well.
08-08-2024 09:29 AM
Actually it looks like I posted this just a couple of minutes too soon. It looks like you can pull that automatically with some functions in Program Files\National Instruments\LabVIEW X\vi.lib\DotNET\AssemblyVisualizationTool
08-08-2024 01:11 PM
08-08-2024 02:19 PM
Played with the functions and they do work well for getting all of the .NET functions in a specific project. Also, not sure if something like this would be helpful, but you could also do something like this that will find all DLLs in a project and include them as well. I'm curious if there is also a way to pull versions of these DLLs too but haven't had enough time to play around with it.
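The DLL-inventory idea from the post above, as an added example that is not part of the thread and not code from the labview-cyclonedx-sbom toolkit: it walks a build folder, records each DLL as a CycloneDX `library` component with a SHA-256 hash (so the exact binary is identified even when no version is known), and wraps the result in a CycloneDX JSON document. The spec version `1.5`, the property name `example:relative-path`, the application name and the sample file names are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
import uuid
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def dll_components(root: Path) -> list[dict]:
    """One CycloneDX 'library' component per DLL found under root."""
    dlls = sorted(p for p in root.rglob("*") if p.is_file() and p.suffix.lower() == ".dll")
    return [
        {
            "type": "library",
            "name": p.name,
            # No version field: it is optional, and the hash pins the exact file.
            "hashes": [{"alg": "SHA-256", "content": sha256_of(p)}],
            "properties": [{"name": "example:relative-path", "value": p.relative_to(root).as_posix()}],
        }
        for p in dlls
    ]

def build_bom(root: Path, app_name: str, app_version: str) -> dict:
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",  # assumed spec version for this example
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": app_name, "version": app_version},
        },
        "components": dll_components(root),
    }

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        root = Path(tmp)
        (root / "data").mkdir()
        (root / "data" / "example_driver.DLL").write_bytes(b"constructed sample bytes")
        (root / "readme.txt").write_text("not a DLL")
        print(json.dumps(build_bom(root, "ExampleApp", "1.0.0"), indent=2))
```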
08-09-2024 04:26 AM