Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable.
Why an SBOM inventory is critical
To appreciate why our SBOM inventory is a necessity, one must first grasp the scale of the challenge we face daily. The VMware Tanzu team manages more than 150 products, each built from dozens, if not hundreds, of individual components (think micro-services). Each of these products maintains multiple release lines, all backed by a 2+ year support window. Compounding this, we execute between 100 and 150 releases per month.
This colossal footprint—hundreds of products, thousands of micro-services, and multiple years of active support—is the critical mass that makes manual security tracking impossible.
When the second wave, Shai-Hulud 2, emerged last week with more than 1,000 impacted repositories, our first priority was to ensure customer safety. The excellent news: the latest NPM supply chain attack was not found in any instance of any Tanzu product.
How Tanzu mitigated Shai-Hulud 2
Managing hundreds of products with thousands of components is a challenge no team can tackle manually during a live security event. This is where our accurate, up-to-date SBOM inventory and easy-to-query internal API became a critical line of defense.
Our automated process, built on the internal inventory and API, executed the following steps to validate our entire product line in under 30 seconds:
- Get all products and their release lines.
- Get in-support GA versions (or just the latest GA release) for all products.
- Get the SBOM for each version and all its components.
- Extract the pURLs (package URLs) from the product/component SBOMs.
- Search all 1,035 impacted repositories against our extracted pURLs and flag any matches.
When searching just the latest GA release for all products, the script processed 176,032 pURLs contained within 155 products, covering 732 components across 192 release lines.
The speed and scope of the search delivered immediate validation, even allowing for some noise. The search produced a few false matches, such as the compromised NPM repo “atrix” triggering matches on internal components whose pURLs contain the substring “Matrix”. However, validating just 92 false matches was an infinitely better task than manually checking 1,035 repositories across 176,032 pURLs!
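The following is an added example (not the Tanzu team's script or the Hub API) of steps 3 to 5 of the procedure above run against a constructed SPDX JSON SBOM: it collects the pURLs, then compares them against a constructed list of impacted npm package names. It shows both matching strategies: the substring behaviour of a grep-style search, which is what produces the “atrix” versus “Matrix” false matches, and an exact match on the decoded package name, which avoids that noise and also catches scoped packages whose “@” is percent-encoded in the pURL. The SBOM content and the impacted-package names are placeholders constructed for this example.

```python
"""Added example: extract pURLs from an SPDX JSON SBOM and match them against
a list of compromised npm package names (constructed data, not a real SBOM)."""
import json
import re
from urllib.parse import unquote

# Constructed SPDX 2.3 SBOM fragment; package names and versions are placeholders.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-component",
    "packages": [
        {"name": "matrix-widget", "versionInfo": "2.1.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/matrix-widget@2.1.0"}]},
        {"name": "atrix", "versionInfo": "1.0.3",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/atrix@1.0.3"}]},
        # Scoped npm package: the "@" of the scope is percent-encoded in a pURL.
        {"name": "types", "versionInfo": "4.0.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/%40example/types@4.0.0"}]},
        {"name": "no-purl-package", "versionInfo": "0.1.0"},
        {"name": "requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
    ],
})

# Constructed "impacted repositories" list; these are placeholder names, not
# the real list of compromised packages.
IMPACTED_NPM = ["atrix", "@example/types", "left-padx"]

# Minimal pURL shape: pkg:<type>/<namespace/name>[@version][?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<name>[^@?#]+)(?:@(?P<version>[^?#]*))?")


def extract_purls(sbom_json):
    """Step 4: collect every pURL referenced from the SBOM's packages."""
    doc = json.loads(sbom_json)
    purls = set()
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purls.add(ref["referenceLocator"])
    return purls


def parse_purl(purl):
    """Split a pURL into (type, decoded name, version); None if it does not parse."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    return m.group("type"), unquote(m.group("name")), m.group("version")


def match_substring(purls, impacted):
    """grep -f style: flag any pURL that contains an impacted name as a substring.
    This is why "atrix" also flags "matrix-widget", and why the encoded scoped
    package is missed entirely."""
    return {p: [n for n in impacted if n in p]
            for p in sorted(purls) if any(n in p for n in impacted)}


def match_exact(purls, impacted, pkg_type="npm"):
    """Step 5 done precisely: match only on the decoded package name of the
    requested ecosystem, so "atrix" does not match "matrix-widget"."""
    wanted = set(impacted)
    hits = {}
    for purl in sorted(purls):
        parsed = parse_purl(purl)
        if parsed and parsed[0] == pkg_type and parsed[1] in wanted:
            hits[purl] = parsed[1]
    return hits


if __name__ == "__main__":
    purls = extract_purls(SAMPLE_SBOM)
    print(f"{len(purls)} pURLs extracted")
    print("substring matches:", match_substring(purls, IMPACTED_NPM))
    print("exact matches:    ", match_exact(purls, IMPACTED_NPM))
```

In a real run, `SAMPLE_SBOM` would be replaced by each component SBOM downloaded from the inventory, and `IMPACTED_NPM` by the published list of impacted packages; the exact-match path is the one to rely on for flagging, with the substring path kept only to understand where a grep-based search over-reports or under-reports.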
Get your SBOM in Tanzu Hub
More important than our internal success is the fact that this capability is available to you, our customers, via Tanzu Hub. You have two primary ways to maintain this level of supply chain vigilance:
- Manual Search: You can manually browse in Tanzu Hub to Vulnerability Insights, select individual components, download the component SBOM, and then search through it for any registries you are interested in. Example command line SBOM search (note that grep -f treats each line of the list file as a pattern matched anywhere in the pURL, which is the source of the substring false matches described above):
  jq -r '[.packages[]?.externalRefs[]? | select(.referenceType == "purl") | .referenceLocator] | unique[]' SBOM.spdx.json | grep -f purl-list-file-to-search -
- Automated Scripting: For larger scale and continuous monitoring, the most effective method is using scripting with the integrated GraphQL API available through Tanzu Hub to automate the process across all Tanzu products you are using.
This SBOM search functionality is also available for applications deployed with Tanzu Platform. For all applications built by the platform, you are able to download the built application SBOM directly from the application view, and, like the example above, this process can be automated with the Tanzu Platform Hub GraphQL API.
The speed and accuracy of this response demonstrate the power of a mature security posture. Look for a future post in the coming weeks that will walk through hands-on examples of using the Hub API—and the GraphQL automation used in this very example—to gather and process vulnerability and inventory information across your own Tanzu products and deployed applications.