Delivery Bill of Materials (DBOM)
Last updated
The Delivery Bill of Materials (DBOM) records both the materials (artifacts) and the actions taken on them across the application lifecycle, up to the point of deployment. It gives end-to-end visibility into every artifact and the related actions performed on it for software delivery and deployment (code analysis and scanning, dependency validation, approvals, etc.).
DBOM is an integral component of the OpsMx Secure Software Delivery solutions. It improves the transparency and attestation of software delivery and gives visibility into continuous delivery and deployment.
The DBOM page displays the data collected from DevOps tools, the results of the rule validations performed on that data, and the security alerts generated during the evaluation. The data is categorized into four stages of application delivery: Source, Build, Artifact and Deploy.
Clicking a stage displays an in-depth report on all builds, along with the alerts raised for that stage.
Source:
The Source stage shows details about the tools, processes and people related to the source code: for example, the git repository, the list of policies that protect it, and the validations related to source code scanning and the PR approval process.
Build:
This stage shows details of the build process: how the build was triggered, which software was used to build the image, which stages the build pipeline ran, who was involved in the build, and so on.
Artifact:
This stage shows details about the artifact or image itself: where the artifact is located and stored, when it was uploaded, and which validation checks were performed to confirm that it is secure, for example scanning the artifact for known CVEs and unknown dependencies.
Deploy:
This stage covers the delivery part of the pipeline. It connects to the deployment tools and deployment targets and verifies that secure practices were followed, for example confirming that CIS benchmark validation ran on the deployment target and showing the associated report.
The delivery bill of materials, or DBOM, for an application is the collection of all policies evaluated for that application, together with the number of services in which each policy passed or failed. It shows each stage with its application-level risk status/score and the overall risk status of the application.
Select the Applications tab and click the application for which you want to view the DBOM.
On the Application Status page, go to the Risk Status summary section.
Click View DBOM.
A summary page is displayed. Clicking a stage (Source, Build, Artifact or Deploy) displays the details for that stage. Within each stage the policies are grouped, and for each rule the alert count is displayed along with the success and failure counts.
Expanding a row shows an expanded view of the rule and its alerts, as shown below:
Clicking View Security Issues next to a policy opens the View Open Security Issues page, which gives a detailed summary of the failed alerts, as shown below:
The delivery bill of materials, or DBOM, for the current deployments is the collection of all policies evaluated across all deployments in an application, together with the number of services in which each policy passed or failed. It shows each stage with its application-level risk status/score and the overall risk status of the application.
Navigate to Application Status > Current Deployments.
Select the deployment for which you want to view the DBOM and click View in the corresponding DBOM column.
A detailed summary page is displayed. Within each stage the policies are grouped, and for each rule the alert count is displayed along with the success and failure counts.
Clicking the Service Status column shows an expanded view of the rule and its alerts, as shown below:
Clicking View opens the View Open Security Issues page, which gives a detailed summary of the failed alerts, as shown below:
Click an alert to view its details and the options available for it, as shown below:
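The application-level and current-deployment DBOM summaries described above share one shape: evaluations grouped by stage, then policy, then rule, with per-rule pass/fail counts across services, the failed alerts behind those counts, and a risk status rolled up per stage and for the whole application. The following is an added example written for this page, not OpsMx code or its data model: the evaluation record layout, the sample evaluations, the policy and rule names, and the pass/fail-to-risk mapping (a stage is FAIL if any rule failed in any service) are all assumptions made for illustration.

```python
"""Added illustration of how a DBOM summary is aggregated from per-service
policy evaluations. Example code for this page, not OpsMx's implementation;
record shape, sample data and risk mapping are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# The four delivery stages named on the page.
STAGES = ("Source", "Build", "Artifact", "Deploy")


@dataclass(frozen=True)
class Evaluation:
    """One policy rule evaluated against one service (assumed record shape)."""
    service: str
    stage: str
    policy: str
    rule: str
    passed: bool
    alert: str = ""  # alert text when the rule failed


@dataclass
class RuleRow:
    """Counts shown for one rule: services passed, services failed, alerts."""
    passed: int = 0
    failed: int = 0
    alerts: list = field(default_factory=list)


# Constructed sample evaluations for two services; not real scan output.
SAMPLE_EVALUATIONS = [
    Evaluation("api", "Source", "Source code scanning", "SAST scan completed", True),
    Evaluation("web", "Source", "Source code scanning", "SAST scan completed", False,
               "No SAST results found for commit"),
    Evaluation("api", "Source", "PR approval", "PR approved before merge", True),
    Evaluation("web", "Source", "PR approval", "PR approved before merge", True),
    Evaluation("api", "Build", "Build provenance", "Build triggered from approved pipeline", True),
    Evaluation("web", "Build", "Build provenance", "Build triggered from approved pipeline", True),
    Evaluation("api", "Artifact", "Image scanning", "No critical CVEs", False,
               "Critical CVE found in base image"),
    Evaluation("web", "Artifact", "Image scanning", "No critical CVEs", True),
    Evaluation("api", "Deploy", "Target hardening", "CIS benchmark validation ran", True),
    Evaluation("web", "Deploy", "Target hardening", "CIS benchmark validation ran", False,
               "CIS benchmark job not found on cluster"),
]


def build_dbom(evaluations):
    """Group evaluations as stage > policy > rule and count pass/fail per service.

    Risk roll-up is an assumption for this example: a stage is "FAIL" when any
    rule failed in any service, otherwise "PASS"; the overall status is "FAIL"
    when any stage failed.
    """
    stages = {
        s: {"policies": defaultdict(lambda: defaultdict(RuleRow)), "risk": "PASS"}
        for s in STAGES
    }
    for ev in evaluations:
        if ev.stage not in stages:
            raise ValueError(f"unknown stage {ev.stage!r}")
        row = stages[ev.stage]["policies"][ev.policy][ev.rule]
        if ev.passed:
            row.passed += 1
        else:
            row.failed += 1
            row.alerts.append({"service": ev.service, "alert": ev.alert})
            stages[ev.stage]["risk"] = "FAIL"
    overall = "FAIL" if any(s["risk"] == "FAIL" for s in stages.values()) else "PASS"
    return {"stages": stages, "overall": overall}


def rule_counts(dbom, stage, policy, rule):
    """Return (services passed, services failed, alert count) for one rule."""
    row = dbom["stages"][stage]["policies"][policy][rule]
    return row.passed, row.failed, len(row.alerts)


def open_security_issues(dbom, stage, policy):
    """Flatten the failed alerts under one policy, as an open-issues view would."""
    issues = []
    for rule, row in dbom["stages"][stage]["policies"][policy].items():
        for alert in row.alerts:
            issues.append({"rule": rule, **alert})
    return issues


if __name__ == "__main__":
    dbom = build_dbom(SAMPLE_EVALUATIONS)
    print("overall risk:", dbom["overall"])
    for stage in STAGES:
        print(f"[{stage}] risk={dbom['stages'][stage]['risk']}")
        for policy, rules in dbom["stages"][stage]["policies"].items():
            for rule, row in rules.items():
                print(f"  {policy} / {rule}: passed={row.passed} failed={row.failed} alerts={len(row.alerts)}")
```

Running the module prints the same stage, policy and rule breakdown the page describes for the UI; the failed alerts under a given policy are what the View Open Security Issues page lists, and `open_security_issues` reproduces that view for one stage and policy.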