JFrog Simplifies Compliance with India’s new CERT SBOM Guidelines
Overview
The Indian Computer Emergency Response Team (CERT-In) is the national agency responsible for addressing cybersecurity incidents in India. Established in 2004 and operating under the Ministry of Electronics and Information Technology (MeitY), CERT-In is dedicated to enhancing the security of India’s digital infrastructure.
The organization plays a vital role in preventing, detecting, and responding to cybersecurity threats that could impact Indian networks, government agencies, businesses, and citizens. CERT-In has also mandated that certain sectors report cybersecurity incidents within specified timelines to improve incident response and national security.
In October 2024, CERT-In released technical guidelines on Software Bill of Materials (SBOM) for the Indian public sector, government, essential services, and organizations involved in software export and the software services industry. This document highlights the value of SBOMs, outlines the processes and practices for its implementation, and provides recommendations and best practices.
Now let’s take a look at what these regulations require and how the JFrog Platform provides everything DevOps and Security teams need to supply an SBOM that is both accurate and complies with the latest CERT requirements.
SBOM Requirements
To enhance software security and resilience, the updated CERT-In guidelines mandate that all companies developing software for regulated organizations incorporate SBOM practices into their operations. These regulations apply to both new and existing software, including legacy systems.
According to the new CERT-In guidelines, it is recommended that SBOMs include the following information:
Component Information
- Component Name: This is the specific name of the software component or library included in the SBOM, providing a clear identification of what is being used in the application.
- Component Version: This indicates the specific version number of the component, which is critical for tracking known vulnerabilities and ensuring compatibility with other system components.
- Component Description: A brief summary of the component’s functionality or purpose, giving context about how it fits into the overall software system.
- Component Supplier: This refers to the organization or entity that developed or maintains the component, providing insight into the source of the software and its trustworthiness.
- Component Dependencies: This details other software components that are required for the specified component to function properly, helping to understand the broader software ecosystem and potential vulnerabilities in interconnected systems.
Vulnerability Information
- Vulnerability Identifiers: Specific IDs for known vulnerabilities, typically from standard databases like CVE (Common Vulnerabilities and Exposures).
- Severity Ratings: Information on the severity of each vulnerability, often indicated by scores from standards like CVSS (Common Vulnerability Scoring System).
- Affected Components: Detailed information on which components or dependencies are impacted by the vulnerabilities.
- Remediation Information: Recommendations or links to patches or updates that address the vulnerabilities.
- Version Information: The affected version(s) of the software components in order to help organizations identify if they are at risk.
- Exploitability Information: Insights into whether the vulnerability can be easily exploited in real-world scenarios.
Release Information
- Release Date: This is the date when the software or component was officially released. It helps in tracking the version history and understanding when specific features or fixes were introduced.
- Checksums or Hashes: These are cryptographic hashes (like MD5, SHA-256) that are used to verify the integrity of the software or component. They ensure that the file has not been altered or corrupted during transmission or storage.
- Author of SBOM Data: This is the individual or organization responsible for creating and maintaining the SBOM data. It provides accountability and a point of contact for any questions or issues related to the SBOM.
- Timestamp: This is the exact date and time when the SBOM data was last updated or generated. It helps in tracking the freshness and relevance of the SBOM, ensuring that it reflects the most current state of the software or component.
Property Information
- Executable Property: Executable files include compiled binaries, interpreted code and shared libraries. This property does not apply to non-executables such as configuration files, graphic images and documentation.
- Archive Property: An archive is a combination of multiple components. This includes both standard and compressed archive formats.
- Structured Property: Structured archives contain metadata so that the original components can still be determined afterwards. Examples include containers, packages, ISO images, and archives such as .zip, .tar, .tar.gz, and .7z archive formats. As opposed to structured archives, unstructured formats do not contain metadata that is embedded in the file. Examples of unstructured archives include firmware images that cannot be reconstructed into their original components.
SBOMs must provide a detailed list of key software components to meet CERT-In guidelines
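The component and release fields listed above map naturally onto a CycloneDX JSON document. The following check, added here as an illustration and not JFrog's or CERT-In's own code, walks a constructed CycloneDX 1.5 sample and reports which of the guideline's fields each component lacks; the field-to-key mapping and the sample data are assumptions made for the example.

```python
import json

# Constructed CycloneDX 1.5 sample (not a real product SBOM). The hash is the
# SHA-256 of empty input, used only as a well-formed placeholder. "libbar" is
# deliberately incomplete so the check has something to report.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-11-01T10:00:00Z",
    "authors": [{"name": "Example Build Team"}],
    "component": {"type": "application", "bom-ref": "app",
                  "name": "payments-api", "version": "2.3.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "lib-a", "name": "libfoo", "version": "1.4.2",
     "description": "HTTP client", "supplier": {"name": "Foo Project"},
     "hashes": [{"alg": "SHA-256",
       "content": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]},
    {"type": "library", "bom-ref": "lib-b", "name": "libbar", "version": "0.9.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
    {"ref": "lib-a", "dependsOn": []}
  ]
}""")

# Guideline field labels mapped to the CycloneDX component keys that carry them
# (mapping chosen for this example).
COMPONENT_FIELDS = {
    "Component Name": "name",
    "Component Version": "version",
    "Component Description": "description",
    "Component Supplier": "supplier",
    "Checksums or Hashes": "hashes",
}

def check_cert_in_fields(sbom: dict) -> dict:
    """Return {bom-ref: [missing field labels]}; "<document>" holds SBOM-level gaps."""
    gaps, meta, doc_gaps = {}, sbom.get("metadata", {}), []
    if "timestamp" not in meta:
        doc_gaps.append("Timestamp")
    if not meta.get("authors"):
        doc_gaps.append("Author of SBOM Data")
    if doc_gaps:
        gaps["<document>"] = doc_gaps
    # A component documents its dependencies only if it appears as a "ref" node.
    declared = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "?")
        missing = [label for label, key in COMPONENT_FIELDS.items() if not comp.get(key)]
        if ref not in declared:
            missing.append("Component Dependencies")
        if missing:
            gaps[ref] = missing
    return gaps
```

Vulnerability information (identifiers, severity, remediation) is not part of this check; in CycloneDX it lives in the separate `vulnerabilities` array, which a scanner such as Xray populates rather than the build itself.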
The JFrog SBOM Solution
To generate SBOMs according to the latest requirements, the JFrog Platform leverages JFrog Artifactory as a single source of truth for all software artifacts and JFrog Xray with its unparalleled security insights to provide the following capabilities:
JFrog Artifactory
1. Centralized Artifact Management
Artifactory provides a centralized repository for all your software artifacts, including binaries, dependencies, and configurations. This centralization makes it easier to manage and track all components of your software. Additionally, Artifactory maintains a detailed history of all artifact versions, including release dates and timestamps. This ensures that you can always trace back to specific versions of your software, providing a clear and comprehensive version history.
2. Automated SBOM Generation
Artifactory can automatically generate SBOMs for your artifacts, including detailed information about each component, such as its name, version, and other metadata. Furthermore, Artifactory integrates seamlessly with build tools like Maven, Gradle, and npm, ensuring that SBOMs are generated as part of your build process.
3. Security and Compliance
Artifactory offers fine-grained access control, allowing you to manage who can view and modify artifacts. This helps in maintaining the integrity and security of your SBOM data. It also generates detailed audit logs that track all actions performed on an artifact, providing a trail of changes and access for compliance purposes.
JFrog Xray
1. Vulnerability Identification and Patch Management
Xray performs deep recursive scanning of artifacts to identify known vulnerabilities, including those listed in the National Vulnerability Database (NVD) and other sources. This directly helps organizations adhere to CERT-In’s requirement for vulnerability identification and patch management.
2. License Compliance
Xray helps ensure compliance with licensing requirements by identifying open-source licenses and potential violations. This aligns with CERT-In’s emphasis on proper licensing practices.
3. Compliant SBOM Formats
Xray can provide SBOMs in standard formats such as SPDX and CycloneDX, facilitating compliance with CERT-In’s requirements for machine-readable SBOMs. These SBOMs provide a comprehensive inventory of software components, versions, and dependencies, enabling better visibility and management of software composition.
4. Integration with CI/CD
Xray integrates with CI/CD pipelines, enabling continuous security and compliance analysis throughout the SDLC, as recommended by CERT-In. This allows for automated SBOM generation and updates whenever new software is built or deployed.
5. Enhanced Security Management
By providing detailed information about software components and their potential vulnerabilities, Xray enables organizations to implement effective security management practices, including vulnerability assessment and risk mitigation.
6. Effective Incident Response
In case of a security incident, the SBOM generated by Xray helps identify affected components and speed up remediation efforts.
7. Supply Chain Security
Xray’s SBOMs enhance supply chain security by providing transparency into the origin and composition of software components. This helps organizations understand the provenance of their software and identify potential risks associated with third-party components.
Ensure SBOM Compliance with JFrog
Streamlined compliance can be achieved through the combination of Artifactory and Xray, which ensures that your SBOMs are automatically generated and can then be checked to make sure they are aligned with CERT-In guidelines. This automation significantly reduces the manual effort required to maintain compliance, making the process more efficient and reliable.
Enhanced security is another key benefit, as Xray’s continuous monitoring and vulnerability scanning help you stay ahead of potential threats. This ensures that your software remains secure and compliant.
The detailed and structured data provided by Artifactory and Xray guarantees that your SBOMs are accurate and complete, meeting the stringent requirements of the CERT-In guidelines. Both Artifactory and Xray also offer user-friendly interfaces, making it easy to manage artifacts, generate SBOMs, and view security reports.
By leveraging JFrog Artifactory and JFrog Xray, you can streamline the process of generating and maintaining SBOMs, ensuring that your software is secure, compliant, and meets the new CERT-In guidelines.
If you would like to automatically generate quick, accurate and compliant SBOMs, then feel free to take an online tour or schedule a one-on-one demo at your convenience.