Create a Software Bill of Materials for Your Operating System

A software bill of materials (SBOM) has become a crucial piece of documentation, one that can help businesses and developers stay in compliance with security policies and rest assured they aren’t using or building on top of a platform filled with vulnerabilities.

In a previous tutorial, I’ve already covered how to build an SBOM for container images with Syft. This time around we’re going to do the same thing with your operating system. Why would you do this? The best answer for that is to know everything that is installed as well as the version number of everything installed. With this information, you can then find out if any package on your system includes vulnerabilities.

Sounds a bit extra, doesn’t it? Consider this. Your operating system receives regular updates. When that happens, you apply those updates — if not, then you should get into the habit of doing so. Once those updates are installed, your computer is safer, right? Right? Maybe. It all depends on if the vulnerabilities have been patched. If you’re a Linux user, chances are pretty good those vulnerabilities will be patched pretty soon after they are discovered. Windows and macOS users are, unfortunately, under the release cycles of two proprietary OSes, so the vulnerabilities might take a bit more time to patch.

The important thing is, you —the user, developer, IT admin, etc. — can be aware of the problems.

So how do you do this? Let me show you.

Generate an SBOM on Linux

First, we’re going to do this on Linux, because the open source operating system offers the easiest method of doing so.

Let’s start with a Ubuntu-based distribution. I’ll demonstrate on Pop!_OS, which is based on Ubuntu 20.10. To generate the SBOM, open a terminal window and issue the command:

dpkg --list

The output of the command will list every package that has been installed on the system (Figure 1).

Figure 1: Listing out the installed packages on Pop!_OS.

Of course, you’ll probably need that in a text file, so you can use it for an audit. To do that, simply issue the command:

dpkg --list > sbom.txt

You can then view the sbom.txt file or send it to whoever might need it so they can then compare it to a list of known vulnerabilities.

Let’s do the same thing on a distribution based on RHEL, such as AlmaLinux. For this, the command would be:

rpm -qa

You should see a full list of every package installed (Figure 2).

Figure 2: Our list of all installed packages on AlmaLinux.

Again, to export that list to a file, the command would be:

rpm -qa > sbom.txt

Generate an SBOM on Windows

This isn’t nearly as easy. Once upon a time, you used to be able to do this within PowerShell or the cmd tool, or using psinfo. But for some reason, as of Windows 10, I cannot get those tools to list anything but Windows release information.

Fortunately, there’s a simple tool that can help us out. The app in question is called Geek Uninstaller. Once installed, run the tool and then click File > Export to HTML (Figure 3).

Figure 3: Using Geek Uninstaller to create an SBOM on Windows 10.

This will generate an HTML file that you can then browse in your default web browser (Figure 4).

Figure 4: An SBOM generated by Geek Uninstaller.

If you do need a list of the updates that have been applied to Windows, open the cmd tool, with admin rights, and issue the following two commands:

wmic

output:C:\list.txt product get name, version

The last command will generate the file, list.txt, which contains the update versions for Windows 10.

How to generate an SBOM on macOS

The best way to take care of this on macOS is via the GUI. Here’s what you need to do. Click on the Apple menu, then click About this Mac. From the resulting window, click System Report, which will open yet another window. In the left navigation, click on Applications (under Software), which will generate a full report of all software installed on the machine (Figure 5).

Figure 5: Generating a complete list of software on macOS.

Here’s the trick, you can’t export that list to a file through the GUI. However, if you first click on the upper right pane which lists every piece of software, then select every listing with the keyboard shortcut Command+A, and then click in the lower right pane. That should now list all the details (Figure 6). Then click the keyboard shortcut Command+A followed by Command+C, and you’ll have copied every entry listed.

Figure 6: Our list of all applications installed on macOS.

You can now paste the contents of the clipboard into a document so you can scan through the entire SBOM of your Apple laptop or desktop.

Conclusion

You can now take these lists and use them as your software bill of materials for the operating systems you use. This is a good habit to get into. Just remember, when you update applications or the OS, you’ll want to re-run the command, or re-use the GUI, to re-generate a new SBOM, so you’re always up to date. Compare the installed software to your CVE list of choice, and you are better capable of staying on top of the vulnerability game.