Test System Security


LabVIEW CycloneDX SBOM Toolkit

I have been working on a tool internally to comply with cybersecurity requirements to produce an SBOM (Software Bill of Materials) for our LabVIEW-based applications and source code. I've recently received approval from my employer to share this with the wider LabVIEW community (to further LabVIEW's standing in cybersecurity) so I have put a very early/initial version over on my personal GitHub site (and as a VIP for install):

 

https://github.com/samsharp99/labview-cyclonedx-sbom

 

The purpose of this toolkit is to generate SBOMs for LabVIEW source code / projects / applications using the CycloneDX JSON standard.

 

The production of an SBOM is a requirement when adhering to Cybersecurity standards/regulations (e.g. NIST SSDF) for secure software development and provides a mechanism by which vulnerabilities in third-party components can be detected and continuously monitored. The inclusion of license information of third-party components also helps to meet company license compliance (e.g. avoiding use of restrictive licenses).

 

It supports adding SBOM metadata (describing your software application) and adding components from VI Packages, NIPKGs and Installer Build Specification 'additional installers' as well as custom components.

 

  • VIP - add VI Packages from a VIPC file or scanning LabVIEW project (using the VIPM API)
  • Add NIPKGs from a list/array of NIPKG information (there is currently no way to scan for NIPKG dependencies)
  • Add 'Additional Installers' from an Installer Build Specification
  • Manually add custom components (e.g. third party installers, .NET assemblies, DLLs etc.)
  • Export as JSON

This is in 'pre-release' stage, so I have not yet published it to VIPM.io, but I would appreciate any input/feedback from the community to help guide and drive its development.

 

(Attached screenshots: Sam_Sharp_0-1723024659842.png, Sam_Sharp_1-1723024683274.png)

LabVIEW Champion, CLA, CLED, CTD
(blog)
Message 1 of 8
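To make the document structure the toolkit emits concrete, here is an added example (Python, not the toolkit's own code and not LabVIEW) that assembles a minimal CycloneDX 1.5 JSON document from a constructed component list and runs the two checks the post motivates: flagging restrictive licenses and flagging components with no version, which vulnerability scanners cannot match against advisories. The `pkg:generic/<kind>/<name>@<version>` purl scheme, the `RESTRICTIVE_LICENSES` set and the sample components are assumptions for illustration; purl defines no type for VI Packages or NIPKGs.

```python
"""Build a CycloneDX 1.5 JSON SBOM and run basic policy checks.

Added example: constructed sample data, not the toolkit's own code.
The purl scheme pkg:generic/<kind>/<name>@<version> is an assumption;
purl defines no type for VI Packages or NIPKGs.
"""
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Licenses a hypothetical company policy treats as restrictive (SPDX ids).
RESTRICTIVE_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}


def component(name, version, kind, license_id=None, payload=None):
    """Return one CycloneDX component dict.

    kind is the source of the entry (vip, nipkg, installer, dll) and is
    used as the purl namespace so provenance stays visible in the BOM.
    payload, if given, is the binary's bytes; its SHA-256 goes into hashes.
    """
    ref = f"{kind}:{name}@{version}" if version else f"{kind}:{name}"
    purl = f"pkg:generic/{kind}/{name}" + (f"@{version}" if version else "")
    comp = {"type": "library", "bom-ref": ref, "name": name, "purl": purl}
    if version:
        comp["version"] = version
    if license_id:
        comp["licenses"] = [{"license": {"id": license_id}}]
    if payload is not None:
        comp["hashes"] = [{"alg": "SHA-256",
                           "content": hashlib.sha256(payload).hexdigest()}]
    return comp


def build_bom(app_name, app_version, components):
    """Assemble a CycloneDX 1.5 document whose metadata.component is the app."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": app_name,
                          "version": app_version,
                          "bom-ref": f"app:{app_name}@{app_version}"},
        },
        "components": list(components),
    }


def check_bom(bom):
    """Return policy findings: restrictive licenses, unversioned components
    (which cannot be matched against vulnerability databases) and
    duplicate bom-refs (which make the document invalid)."""
    findings, seen = [], set()
    for comp in bom["components"]:
        ref = comp["bom-ref"]
        if ref in seen:
            findings.append(f"duplicate bom-ref {ref}")
        seen.add(ref)
        if "version" not in comp:
            findings.append(f"{comp['name']}: no version, cannot be matched "
                            "against vulnerability databases")
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {}).get("id")
            if lic in RESTRICTIVE_LICENSES:
                findings.append(f"{comp['name']}: restrictive license {lic}")
    return findings


# Constructed sample inventory: one VIP, one NIPKG, one additional installer
# with no version information, and one DLL whose bytes are hashed.
SAMPLE_COMPONENTS = [
    component("example_lib", "4.0.1.40", "vip", "BSD-3-Clause"),
    component("ni-daqmx", "23.8.0", "nipkg"),
    component("VendorRuntime", None, "installer", "GPL-3.0-only"),
    component("helper.dll", "1.2.3.4", "dll", "MIT", payload=b"MZ constructed dll bytes"),
]


def demo():
    """Build the sample BOM and return it together with its findings."""
    bom = build_bom("TestSystemApp", "2.1.0", SAMPLE_COMPONENTS)
    return bom, check_bom(bom)


if __name__ == "__main__":
    bom, findings = demo()
    print(json.dumps(bom, indent=2))
    for finding in findings:
        print("FINDING:", finding)
```

`bom-ref` values must be unique within a document and consumers such as Dependency-Track key on them, which is why the check also reports duplicates; an unversioned entry is kept in the BOM but surfaced as a finding so it gets a manual version before the document is handed to a scanner.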

Awesome! 😍

Message 2 of 8

This is fantastic. I did have to replace some of the OpenG functions with the latest versions in order to get it to work on my machine. After that changeover, it works perfectly. It also looks like the OpenG Zip functions are working for me on 64-bit now in LabVIEW 2021, so I was able to remove the conditional disable structure there and speed it up some.

 

Just one idea: from the LabVIEW project, you can go to the View menu and select ".NET Assemblies in Memory", and it loads a list of the .NET functions used by the project. Is there a way to pull those automatically? It'd be nice to be able to just include those assemblies automatically. Assuming LabVIEW can do it easily, I would assume a developer could as well. I just couldn't seem to find a way. If it is possible, I'd be happy to help with integration and testing of this feature as well.

Message 3 of 8

Actually it looks like I posted this just a couple of minutes too soon. It looks like you can pull that automatically with some functions in Program Files\National Instruments\LabVIEW X\vi.lib\DotNET\AssemblyVisualizationTool

Message 4 of 8
Oh that's great! I'll try and have a look at this as it would be useful/helpful for our use cases as well!

LabVIEW Champion, CLA, CLED, CTD
(blog)
Message 5 of 8

Played with the functions, and they do work well for getting all of the .NET functions in a specific project. Also, not sure if something like this would be helpful, but you could also do something like this that will find all DLLs in a project and include them as well. I'm curious if there is also a way to pull versions of these DLLs too, but I haven't had enough time to play around with it.

Message 6 of 8
Almost certainly yes - you can use the 'fileversioninfo' VI(s) to pull the version information from a DLL (providing it's been set by the author). Good shout!


LabVIEW Champion, CLA, CLED, CTD
(blog)
Message 7 of 8
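As an added example (Python, not the toolkit's code and not the VIs the two posts above refer to) of the DLL inventory step just discussed: walk a build or project tree, turn every `.dll` (native DLLs and .NET assemblies share the extension) into a CycloneDX component carrying a SHA-256 hash and `evidence.occurrences` locations, collapse identical copies found under several paths into one component, and report any DLL whose version is unknown. Reading the version out of the PE VERSIONINFO resource, which is what the fileversioninfo VIs do, is not reimplemented here; versions come from a hypothetical `known_versions` map, and the directory tree and file contents are constructed in a temporary directory.

```python
"""Inventory DLLs in a project or build tree as CycloneDX components.

Added example, not the toolkit's code: the tree and file contents are
constructed in a temporary directory, and versions come from a
hypothetical known_versions map rather than from the PE VERSIONINFO
resource (which is what the fileversioninfo VIs read on Windows).
"""
import hashlib
import tempfile
from pathlib import Path

SCAN_SUFFIXES = {".dll"}  # native DLLs and .NET assemblies share the extension


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_dlls(root, known_versions=None):
    """Walk root and return (components, unversioned).

    Identical binaries found under several paths collapse into one
    component whose evidence.occurrences lists every location, so the
    same library is not counted twice. Names with no known version are
    returned separately: without a version the entry cannot be matched
    against vulnerability advisories and needs manual follow-up.
    """
    root = Path(root)
    known_versions = known_versions or {}
    components, unversioned, by_hash = [], [], {}
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in SCAN_SUFFIXES or not path.is_file():
            continue
        digest = sha256_file(path)
        location = {"location": path.relative_to(root).as_posix()}
        if digest in by_hash:
            by_hash[digest]["evidence"]["occurrences"].append(location)
            continue
        comp = {
            "type": "library",
            "name": path.name,
            "bom-ref": f"dll:{digest[:16]}",
            "hashes": [{"alg": "SHA-256", "content": digest}],
            "evidence": {"occurrences": [location]},
        }
        version = known_versions.get(path.name)
        if version:
            comp["version"] = version
        else:
            unversioned.append(path.name)
        by_hash[digest] = comp
        components.append(comp)
    return components, unversioned


def demo():
    """Build a constructed tree and scan it; returns (components, unversioned)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin" / "x64").mkdir(parents=True)
        vendor = b"MZ constructed native vendor dll"
        (root / "bin" / "vendor.dll").write_bytes(vendor)
        (root / "bin" / "x64" / "vendor.dll").write_bytes(vendor)  # identical copy
        (root / "bin" / "Helper.Net.dll").write_bytes(b"MZ constructed .NET assembly")
        (root / "readme.txt").write_text("not a binary")
        return scan_dlls(root, known_versions={"vendor.dll": "3.2.1.0"})


if __name__ == "__main__":
    components, unversioned = demo()
    for comp in components:
        print(comp["name"], comp.get("version", "?"),
              comp["hashes"][0]["content"][:16],
              [occ["location"] for occ in comp["evidence"]["occurrences"]])
    print("unversioned:", unversioned)
```

Keying the `bom-ref` on the content hash rather than the file name is deliberate: two different builds of `vendor.dll` get two components, while the same bytes shipped twice get one, which is the distinction a vulnerability scanner needs.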

I noticed that the additional installers from the project XML become outdated when updating LabVIEW. The build will actually bundle the currently installed version from the MDF folder, so it should be refreshed for the SBOM.

 

Here is a method using the application builder API to get the current versions. It takes a while to run, probably because it needs to scan the MDF folder. It also explains why opening an installer build spec in the UI takes so long.

 

(Attached image: MSI additional installers AB_API)

 

The trick to open the installer comes from here: https://forums.ni.com/t5/LabVIEW-APIs-Discussions/Get-progress-when-building-an-EXE-with-Application...

Message 8 of 8