Feature Request: Reuse Existing SBOM For CVE Rechecking Without Full Rescan

In the realm of firmware security analysis, efficient vulnerability scanning is paramount. The current workflow for rechecking Common Vulnerabilities and Exposures (CVEs) in EMBA involves rescanning the entire firmware, even when the underlying components remain unchanged. This process is time-consuming and resource-intensive, especially when dealing with numerous firmware images. This article delves into the need for a feature that allows EMBA to reuse existing Software Bill of Materials (SBOMs) for CVE rechecking, without the need for a full rescan, enhancing efficiency and scalability.

The Problem: Inefficient CVE Rechecking

EMBA excels at generating comprehensive SBOMs and SBOM+VEX JSON files as part of its firmware scans, a functionality that is highly valued. These files, located in the /SBOM directory within the log directory specified by the -l argument, provide a detailed inventory of firmware components. However, the duration of these scans, particularly with the default-scan.emba or default-scan-long.emba profiles, can extend from one to two hours or even longer. The time taken is influenced by the firmware file size and the number of kernels and components identified. The current challenge arises when new CVEs are published or existing ones are updated. The existing process requires a complete rescan to ascertain if the firmware is affected.

This approach presents inefficiencies, particularly when the firmware components remain unaltered. Organizations managing hundreds of firmware images face significant time and resource burdens. The ability to re-evaluate known components against the latest CVE data without repeating the full static/dynamic analysis is crucial. This highlights the need for a more streamlined process that leverages existing SBOM data to efficiently identify newly disclosed vulnerabilities.

The existing workflow necessitates a full rescan to check for new or updated CVEs, which is far from ideal. This is especially cumbersome when dealing with a large number of firmware images. Consider a scenario where an organization needs to scan hundreds of firmware images regularly. The time and resources required to perform a full scan each time new CVE data is released can be substantial. This can lead to delays in vulnerability detection and remediation, potentially increasing the risk of exploitation.

Furthermore, the computational cost associated with full rescans is significant. EMBA performs a comprehensive analysis of the firmware, including static and dynamic analysis techniques, to identify components and their versions. This process consumes considerable CPU and memory resources. Repeating this analysis unnecessarily wastes these resources and can impact the overall performance of the system. It is crucial to optimize the process of CVE rechecking to minimize resource consumption and improve efficiency.

Proposed Solution: SBOM Reuse for Efficient CVE Rechecking

The ideal solution involves enabling EMBA to leverage previously generated SBOMs for CVE rechecking. This approach would significantly reduce the time and resources required to identify new vulnerabilities. The proposed solution includes introducing a new command-line option that allows users to specify an existing SBOM file for analysis. This would enable EMBA to parse the SBOM, identify the software components and their versions, and then check these components against the latest CVE databases.

Introducing a new command-line option, such as --reuse-sbom, would allow EMBA to accept an existing SBOM file (e.g., JSON or JSON+VEX format) as input. This command-line option would signal to EMBA that it should skip the component discovery phase and instead focus on rechecking the components listed in the provided SBOM against the latest CVE data. For example:

./emba.sh --reuse-sbom SBOM/EMBA_cyclonedx_sbom.spdx

Or, to get an updated VEX report:

./emba.sh --reuse-sbom SBOM/EMBA_cyclonedx_vex_sbom.json

This functionality would entail parsing the SBOM to extract a comprehensive list of identified software components and their respective versions. This list would then be used as the basis for vulnerability analysis, eliminating the need to rediscover these components. By focusing on the components already identified in the SBOM, EMBA can significantly reduce the time and resources required for CVE rechecking.

Subsequently, EMBA would fetch the most recent CVE data from established feeds, such as NVD, EPSS, and GAD. This ensures that the vulnerability analysis is based on the latest available information. The fetched CVE data would be used to match the components identified in the SBOM against known vulnerabilities. This matching process would identify any newly discovered vulnerabilities that affect the components in the firmware.

The final step in this process involves generating a new report that includes any newly discovered vulnerabilities. This report would provide a clear and concise overview of the vulnerabilities affecting the firmware, allowing security teams to prioritize remediation efforts. The report should include details such as the affected component, the CVE identifier, the severity of the vulnerability, and any available patches or workarounds.

Alternatively, this functionality could be implemented as a new module within EMBA. This module could be optionally configured in custom scan profiles, allowing users to incorporate SBOM reuse into their standard scanning workflows. For instance, users could employ default-scan-long.emba for the initial scan and then utilize a default-rescan.emba profile for subsequent re-scans. This new module would implicitly skip or blacklist any modules not required to regenerate an updated SBOM, further optimizing the rechecking process.

Alternatives Considered and Their Limitations

The current workaround involves rerunning the full EMBA scan for each CVE update, a process that, as previously discussed, is time and resource-intensive. Other alternatives have been explored, but they fall short of providing a comprehensive solution. Feeding EMBA-produced SBOMs into tools like grype yielded fewer CVEs compared to the original SBOM+VEX JSON, indicating a gap in vulnerability detection. Similarly, attempts to use cve-bin-tool for vulnerability reporting based on the SBOM encountered errors, further highlighting the need for a native solution within EMBA.

One alternative considered was to leverage existing vulnerability scanning tools, such as grype, to analyze the EMBA-generated SBOMs. However, this approach has limitations. While grype is a powerful tool for vulnerability scanning, it may not be fully compatible with the specific SBOM format produced by EMBA. As a result, it may not be able to identify all the vulnerabilities present in the firmware. In the tests conducted, grype returned significantly fewer CVEs than originally found in the SBOM+VEX JSON, indicating a substantial gap in vulnerability detection.

Another approach explored was the use of cve-bin-tool to generate vulnerability reports from the SBOM. cve-bin-tool is a command-line tool that identifies components and known CVEs. However, this approach also encountered challenges. The tool produced numerous errors, including invalid license errors and other exceptions. These errors prevented the tool from generating a complete and accurate vulnerability report. This experience highlights the need for a more robust and reliable solution for CVE rechecking.

The idea of extracting the SBOM and developing an external tool for manual CVE rechecking was also considered. This approach would involve parsing the SBOM, extracting the list of components and their versions, and then using this information to query CVE databases. However, this approach was deemed redundant given EMBA's existing SBOM structure and CVE-matching capabilities. Developing a separate tool would require significant effort and would duplicate functionality already present in EMBA. Furthermore, maintaining a separate tool would add complexity and increase the risk of errors.

Priority and Alignment with Industry Trends

This feature request is of high priority, especially for organizations committed to continuous security monitoring and vulnerability management. The ability to reuse SBOMs for CVE rechecking aligns with industry trends towards SBOM utilization and incremental vulnerability scanning. As software supply chain security gains prominence, the need for efficient and scalable vulnerability management solutions becomes increasingly critical.

The increasing adoption of SBOMs in the software industry underscores the importance of this feature request. SBOMs provide a comprehensive inventory of software components, allowing organizations to better understand their software supply chain and identify potential vulnerabilities. The ability to reuse SBOMs for CVE rechecking is a natural extension of this trend, enabling organizations to efficiently monitor their software for new vulnerabilities.

Incremental vulnerability scanning is another key industry trend that supports the need for this feature. Traditional vulnerability scanning approaches often involve rescanning the entire system or application, even when only a small number of components have changed. This approach is inefficient and time-consuming. Incremental vulnerability scanning, on the other hand, focuses on scanning only the components that have changed, significantly reducing the time and resources required for vulnerability management. The ability to reuse SBOMs for CVE rechecking is a critical enabler of incremental vulnerability scanning.

Conclusion

Enabling EMBA to reuse existing SBOMs for CVE rechecking represents a significant enhancement in efficiency and scalability for firmware security analysis. By reducing the need for full rescans, this feature would save time and resources while ensuring timely vulnerability detection. This aligns with industry best practices for SBOM utilization and incremental scanning, making it a crucial addition to EMBA's capabilities. The implementation of this feature would empower organizations to proactively manage vulnerabilities in their firmware, mitigating potential risks and enhancing overall security posture.