One of the goals of the Mojaloop PQS (platform quality and security) work-stream this PI is to understand the nature of the dependencies used in the components that make up the Mojaloop platform, by generating SBOMs (Software Bills of Materials).
This means generating and documenting SBOMs for each repository/service, and automating their periodic generation so that anomalies and discrepancies, such as licensing and maintenance issues, can be flagged.
For (brief) context: a Software Bill of Materials (SBOM) is a machine- and human-readable list of a project's entire software inventory, which is even more meaningful for projects based on Node.js. SBOMs help with transparency, security and compliance, along with maintenance.
An SBOM typically contains: the list of open source components, third-party components, licenses, and versions of these components. For this exercise, we have also included the date of publication of the version used, so as to identify maintenance status. CycloneDX is the tool we used, after evaluating several openly available tools.
Currently, the implementation provides the capability to generate individual SBOMs (as HTML files based on CSV sources) for core repositories, along with a centralized list for all core/critical repositories. In addition, this process has been automated to generate these on a periodic (monthly) basis for evaluation.
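As an added illustration (not Mojaloop's own tooling, which this post does not show), here is a small Python check over a constructed CSV export in an assumed column layout of name, version, license and published date, applying the two anomaly rules mentioned above: a license outside an allow-list, and a version whose publication date is older than a threshold.

```python
"""Flag licensing and maintenance anomalies in an SBOM exported as CSV."""
import csv
import io
from datetime import date

# Constructed sample data. The column names (name, version, license, published)
# are an assumption for this example; the real export's layout is not shown here.
SAMPLE_CSV = """name,version,license,published
web-framework,4.18.2,MIT,2022-10-08
string-pad,1.3.0,WTFPL,2018-03-27
utils,4.17.21,MIT,2021-02-20
report-gen,2.0.1,GPL-3.0-only,2024-01-15
"""

# Hypothetical policy: SPDX identifiers accepted without further review.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


def flag_anomalies(csv_text, today, max_age_days=730):
    """Return (name, version, reason) for every component that fails a check.

    Two checks: the license is outside the allow-list, or the version in use was
    published more than max_age_days ago (a rough proxy for unmaintained code).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, version = row["name"], row["version"]
        if row["license"] not in ALLOWED_LICENSES:
            findings.append((name, version, f"license {row['license']} not in allow-list"))
        age_days = (today - date.fromisoformat(row["published"])).days
        if age_days > max_age_days:
            findings.append((name, version, f"version published {age_days} days ago"))
    return findings


def run_sample():
    """Evaluate the constructed sample as of a fixed date so results are reproducible."""
    return flag_anomalies(SAMPLE_CSV, date(2024, 6, 1))


if __name__ == "__main__":
    for name, version, reason in run_sample():
        print(f"{name}@{version}: {reason}")
```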
We believe this gives Mojaloop the capability to react rapidly to any issues that arise with any of the open source libraries/packages/dependencies used, and it also helps with maintenance. It can also help with regulatory requirements regarding licenses (of the platform) and with understanding the provenance of the components used.
This powerful feature is general enough that it can be used by other DPGs to achieve similar goals. Thanks to the PQS team, and to our team member and DMP 2024 program contributor on this project, Shuchita, for contributing.