DevOps

Empowering SBOM Analysis With a Custom Google Cloud Kubernetes Engine (GKE) Backend

How we guided CryptoSoft in the process of automating SBOMs, validating them and identifying vulnerabilities.

Overview

CryptoSoft partnered with D3V to generate automated SBOMs and organize all third-party software components. A software Bill of Materials (or an SBOM) is a list of all open-source and third-party components and dependencies present in a codebase. It also lists the licenses that govern these components, vulnerabilities within the dependencies, and the versions of the components used in a particular project. This information helps organization managers to make critical decisions when buying software.

To ensure a smooth customer experience, CryptoSoft wanted to collect and structure information on open-source components, third-party dependencies, and vulnerabilities. They also expected D3V to maintain a secure database by identifying any vulnerabilities.

D3V collaborated with CryptoSoft to deliver a comprehensive solution tailored for individual organizations/customers. The key initiatives included the development of a specialized WordPress platform, utilization of Dependency Track hosting services in Google Kubernetes Engine (GKE) and the implementation of namespace-based isolation with OSS ISTIO for the multi-tenancy cluster. This empowered CryptoSoft customers to create Dependency Tracks ensuring secure and efficient management of software components, dependencies, and vulnerabilities.

Challenge

While there are several open-source libraries available to generate an SBOM for a particular project, they have their limitations when it comes to tracking data in large-scale organizations with hundreds of repositories across different projects.

CryptoSoft needed help to keep generating SBOMs using GitHub actions and Jenkins pipeline with every GH repository and manage them effectively for customers. To come up with an efficient cloud-based system to keep track of the SBOMs generated for specific projects and any changes made in them or the repositories. D3V needed to automate the process of generating SBOMs and uploading to the Dependency tracker. Moreover, since SBOMs are usually large files containing lots of lines of information, a system would have to be developed to extract the relevant information in an elegant manner with an easy-to-use interface.

The main challenge was to create a multi-tenant environment in which each Cryptosoft customer could have their own isolated Dependency Track instance while maintaining a centralized infrastructure. This required careful planning and implementation of namespace-based isolation within a Kubernetes Engine (GKE) cluster using OSS Istio. Generating SBOM using GitHub actions and Jenkins Pipeline. Additionally, ensuring daily database backups for each organization/customer and setting up effective project and user monitoring based on subscription plans were vital challenges to address.

Our Solution

D3V implemented a comprehensive solution by developing a WordPress platform for creating a Dependency Tracker leveraging GKE with namespace-based isolation facilitated by OSS ISTIO. Leveraged GKE to host Dependency Tracker instances for individual organizations/customers, utilizing namespaces for isolation and autoscaling for optimal resource utilization. Implemented namespace-based isolation in the GKE cluster using OSS Istio to ensure that each customer’s Dependency Tracker instance remained isolated and secure.

The above image represents Path-based routing but in our case, it has to be changed to domain-based routing organization.example.com.

The routing for each organisation/customer instance utilizes the namespace name as the hostname, directing traffic to the designated namespace dedicated to a specific organization/customer. Each namespace is given a CPU and memory allocation and shares excess capacity during spikes. Selected the most suitable machine type for GKE nodes to provide the necessary performance and cost-efficiency. The team implemented automated processes using Terraform scripts for deploying Dependency Track services, including frontend, backend, and self-hosted databases. Daily database backups were streamlined using Google Cloud Storage (GCS) buckets. Automated the creation and upload of SBOMs (Software Bill of Materials) from GitHub repositories to the corresponding customer’s dependency tracker. GitHub Actions and Jenkins were seamlessly integrated for SBOM automation and uploaded to their Dependency Track instance. User management functionalities were enhanced on the CryptoSoft WordPress website, ensuring a smooth experience with request approval, denial, and subscription handling.

Key Accomplishments

D3V successfully created and implemented a multi-tenant GKE cluster with Dependency Tracker hosting service for Cryptosoft, enabling their customers to effectively manage their software supply chains. The solution utilizes namespace-based isolation in a GKE cluster with OSS Istio to ensure secure and isolated Dependency Tracker instances for each customer. Additionally, it features autoscaling for optimal resource utilization, daily database backups, and automated SBOM generation using GitHub actions and Jenkins. D3V followed best practices for Google Kubernetes Engine and used a combination of GCE VMs. The website also includes enhanced user management functionalities for request approval, denial, and subscription handling, along with subscription-based monitoring to enforce usage restrictions.

To summarize, our key accomplishments under the CryptoSoft project include:

  • Multi-Tenant DTrack Hosting: Created a scalable and secure multi-tenant DTrack hosting service that enables Cryptosoft to provide individualized DTrack instances to their customers.
  • Namespace-Based Isolation: Implemented robust namespace-based isolation using OSS Istio, ensuring that each customer’s DTrack environment remains secure and isolated from others.
  • Automated Deployment and Management: Leveraged Terraform automation scripts to streamline the deployment and management of DTrack services, reducing manual effort and increasing efficiency.
  • Optimized Infrastructure: Selection of the best machine type for GKE nodes and setting up autoscaling for the node pool ensured efficient resource utilization.
  • Streamlined SBOM Generation and Upload: Automated the creation and upload of SBOMs from GitHub repositories using GH actions, Jenkins and simplifying the process of software supply chain management.
  • Robust Backup Strategy: Daily database backups for individual organizations/customers were seamlessly implemented and stored in GCS buckets.
  • Enhanced User Management: CryptoSoft’s WordPress website saw improved user management functionalities, including request processing, denial, and subscription handling.
  • Proactive Monitoring: Effective monitoring of projects and user limits, aligned with subscription plans, was implemented within the website portal.