ADR 013: Software Supply Chain Security and SBOMs
Status: Accepted
Type: Feature
Created: 2024-07-17
Related-ADRs: 006, 008, 010
Context and Goals
Ensuring the security of the software supply chain is critical to the integrity and reliability of the Hop3 platform. With increasing threats to software security, it is essential to adopt best practices that enhance the transparency, traceability, and security of software components. The goal is to implement robust measures for software supply chain security, including the use of Software Bill of Materials (SBOMs) to provide a detailed inventory of software components.
Decision
Hop3 adopts a proactive stance towards software supply chain security by integrating comprehensive SBOMs and rigorous security practices throughout the development and delivery pipeline. Dependencies are made transparent, verifiable, and secure, and each release carries a compliance-ready CycloneDX SBOM. Any SBOM generator that produces valid CycloneDX output meets the requirement; Genealogos is a candidate tool but not a committed dependency.
Key Components
Software Supply Chain Security
- Dependency Management:
  - Nix Package Management: Nix provides deterministic builds and dependency management, ensuring that all software dependencies are explicitly defined, reproducible, and isolated.
  - Dependency Auditing: Dependencies are audited for known vulnerabilities using automated tools (`pip-audit` via Nox), and security patches are kept up to date.
- Secure Development Practices:
  - Code Reviews: Thorough code reviews and security audits are enforced for all changes to the codebase.
  - Continuous Integration: Security checks are integrated into the CI pipeline to detect and address vulnerabilities early in the development process.
  - REUSE-compliant licensing: Every source file carries a REUSE-compliant license header, enforced in CI.
- Software Bill of Materials (SBOMs):
  - Generation: CycloneDX SBOMs are generated for software releases using the supply-chain tooling declared in the project (ADR 004): `cyclonedx-bom`, `spdx-tools`, `pip-audit`, `deptry`, `import-linter`.
  - Transparency and Compliance: SBOMs provide a detailed inventory of software components, including their versions, licenses, and known vulnerabilities, to enhance transparency and compliance with regulations like the Cyber Resilience Act (CRA).
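A release-gate check for the "compliance-ready CycloneDX SBOM" requirement above, added here as an illustration and not part of the Hop3 project code: it parses a constructed CycloneDX JSON document, flattens it into a (name, version, license) inventory, and lists components that lack a version, a purl or a declared license. Which gaps fail the gate is an assumption of this example, not a CycloneDX rule.

```python
import json

# Constructed sample in CycloneDX 1.5 JSON form; not a real Hop3 SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "leftpad", "version": "1.0.0",
         "purl": "pkg:pypi/leftpad@1.0.0"},  # no license declared
        {"type": "library", "name": "urllib3",  # version omitted
         "purl": "pkg:pypi/urllib3@2.2.1",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

def license_of(component):
    """First SPDX id or license name declared for a component, else None."""
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if lic.get("id") or lic.get("name"):
            return lic.get("id") or lic.get("name")
    return None

def inventory(sbom_json):
    """Flatten the SBOM into (name, version, license) rows for review."""
    sbom = json.loads(sbom_json)
    return [(c.get("name"), c.get("version"), license_of(c))
            for c in sbom.get("components", [])]

def sbom_findings(sbom_json):
    """Gate checks (assumed policy); an empty list means the SBOM passes."""
    sbom = json.loads(sbom_json)
    findings = []
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        findings.append("not a CycloneDX document")
    for c in sbom.get("components", []):
        name, version, purl = c.get("name", "?"), c.get("version"), c.get("purl")
        if not version:
            findings.append(f"{name}: missing version")
        if not purl:
            findings.append(f"{name}: missing purl")
        elif version and not purl.endswith(f"/{name}@{version}"):
            findings.append(f"{name}: purl {purl} does not match {name}@{version}")
        if license_of(c) is None:
            findings.append(f"{name}: no license declared")
    return findings
```

In CI the same function would run over the generated `sbom.json` and a non-empty findings list would fail the release step.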
Implementation Strategy
- Integration of Nix:
  - Hermetic Builds: Tier-1 applications (per the ADR 008 reproducibility taxonomy) — Go and Rust apps from nixpkgs — build in a pure Nix sandbox against hash-pinned inputs, providing a consistent and secure build environment. Tier-2 applications (Python-venv, PHP-composer, Node-prebuilt, Ruby-bundler) use `__noChroot`, which weakens hermeticity; this trade-off is documented in ADR 008.
  - Content-addressed closures: Every Nix-built app has a content-addressed closure whose full dependency graph is inspectable via `nix-store -qR`, and update deltas are minimal: only changed store paths transfer.
- CI/CD Pipeline Enhancements:
  - Security Scans: Automated security scans are integrated into the CI pipeline to monitor for vulnerabilities and compliance issues.
  - SBOM Inclusion: SBOMs are generated and included in the release pipeline so that each release carries a detailed inventory of all components.
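To show what "inspectable closure" and "minimal update delta" mean in practice for the content-addressed closures item above, here is an added example (not Hop3 code) that parses two constructed `nix-store -qR` listings, splits each store path into name and version using Nix's own parseDrvName rule, and reports which store paths an update would add, remove or replace. The store hashes and package set are made up; keying on package name is a simplification of this example, since a real closure may hold several versions of one name.

```python
import re

# Store path layout: /nix/store/<32-char Nix base32 hash>-<name>[-<version>].
STORE_PATH = re.compile(r"^/nix/store/([0-9a-df-np-sv-z]{32})-(.+)$")

# Constructed `nix-store -qR` output for two releases of a hypothetical app;
# the hashes are made up and are not real store paths.
OLD_CLOSURE = """\
/nix/store/1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a-glibc-2.39-52
/nix/store/2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b-openssl-3.0.13
/nix/store/3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c-zlib-1.3.1
/nix/store/4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d-myapp-1.0.0
"""
NEW_CLOSURE = """\
/nix/store/1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a-glibc-2.39-52
/nix/store/5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f-openssl-3.0.14
/nix/store/3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c-zlib-1.3.1
/nix/store/6g6g6g6g6g6g6g6g6g6g6g6g6g6g6g6g-libxml2-2.12.7
/nix/store/7h7h7h7h7h7h7h7h7h7h7h7h7h7h7h7h-myapp-1.0.1
"""

def split_name_version(drv_name):
    """Nix's parseDrvName rule: the version starts at the first '-' not followed by a letter."""
    m = re.search(r"-(?=[^A-Za-z])", drv_name)
    if m is None:
        return drv_name, ""
    return drv_name[:m.start()], drv_name[m.end():]

def parse_closure(listing):
    """Map package name -> (hash, version). Keying on name is a simplification:
    a real closure may hold several versions of one package."""
    pkgs = {}
    for line in listing.splitlines():
        m = STORE_PATH.match(line.strip())
        if m:
            name, version = split_name_version(m.group(2))
            pkgs[name] = (m.group(1), version)
    return pkgs

def closure_delta(old_listing, new_listing):
    """What an update actually transfers: store paths added, removed or replaced.
    Unchanged hashes (glibc, zlib above) are already present and do not move."""
    old, new = parse_closure(old_listing), parse_closure(new_listing)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {n: (old[n][1], new[n][1])
                    for n in sorted(set(old) & set(new)) if old[n][0] != new[n][0]},
    }
```

The same comparison run against the closures of two real releases is a cheap audit of exactly which dependencies an update pulled in.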
Continuous Improvement
- Monitoring and Auditing:
  - Regular Audits: Regular security audits and reviews of the software supply chain identify and mitigate potential risks.
  - Performance Monitoring: The performance and security of the CI/CD pipeline are continuously monitored to ensure they meet the highest standards of software supply chain security.
- Community Engagement:
  - Feedback Loop: A feedback loop with users and contributors continuously improves supply chain security practices based on real-world usage and feedback.
  - Documentation and Training: Comprehensive documentation and training are provided to the community on best practices for supply chain security and the use of SBOMs.
Consequences
Benefits
- Enhanced Security: Improves the security and integrity of the software supply chain by ensuring all dependencies are transparent and verifiable.
- Compliance: Ensures compliance with industry standards and regulations such as the Cyber Resilience Act (CRA) through detailed SBOMs.
- Transparency: Increases transparency and trust by providing a comprehensive inventory of software components and their security status.
Drawbacks
- Implementation Effort: Requires significant effort to integrate and maintain SBOM generation and supply chain security practices.
- Complexity: Adds complexity to the development and delivery pipeline, necessitating robust tools and processes to manage it effectively.
Risks
- Security Threats: Ongoing risk of evolving security threats. Mitigation involves continuous monitoring, regular updates, and proactive security measures.
- Toolchain Integration: Potential challenges in integrating SBOM generation tools with the existing CI/CD pipeline. Mitigation includes thorough testing and community support.
Future Work
- Signature attestation (Sigstore / in-toto / cosign) for release artefacts and for the SBOM itself, likely required for Cyber Resilience Act compliance.
- Reproducible-builds verification as a CI gate: two independent rebuilds of each Tier-1 app, bit-compared.
- Upstream source mirroring to insulate against PyPI / registry deletions.
Related ADRs: ADR 006: Nix Integration with Hop3, ADR 008: Template-Based Nix Expression Generation, ADR 010: Security and Resilience (Umbrella)