Labels | Stack | Fluid Attacks Help

Labels

Rationale

We decided to develop Labels as a custom SBOM generator to meet internal needs for accuracy, integration, and metadata coverage.
  1. Existing tools lacked support for essential metadata, such as file-level and line-level location information.
  2. Internal parsers developed for other tools reported significantly more dependencies than the existing SBOM generators did on the same codebases.
  3. Compatibility with the results produced by the internal software composition analysis (SCA) system was required.
  4. A tailored JSON structure was needed for seamless communication with the internal platform.
  5. The logic had to be encapsulated in a lightweight, installable, and versioned Python library for internal reuse.
  6. Control over the data model, output, and evolution was considered strategically important.
  7. Avoiding external architectural mismatches and unnecessary complexity was a key technical requirement.
  8. In-house expertise in parsers and code analysis tools could be applied directly to improve detection accuracy and to tailor metadata extraction to internal workflows.

Alternatives

Syft

  1. Use Syft as-is:
    1. Requires no initial development effort.
    2. Maintained by the open-source community.
    3. Reports fewer dependencies than internal tools.
    4. Lacks support for detailed metadata (e.g., line numbers).
    5. Breaks compatibility with internal SCA results.
    6. Introduces a Go-based runtime, increasing stack complexity.
    7. Offers minimal control over behavior or evolution, making adaptation to internal needs difficult.
  2. Use Syft as a base and tailor it:
    1. Allows building on an existing and actively maintained foundation.
    2. Enables extending functionality to partially meet internal requirements.
    3. Requires development in Go and deeper understanding of Syft's internals, as well as applying patches to ensure proper integration with the current stack.
    4. Introduces maintenance overhead due to divergence from upstream.
    5. Adds complexity to the stack by mixing language runtimes.
    6. Provides moderate control and flexibility to evolve the tool, but still constrained by Syft's core design.
Info
Syft was last reviewed on July 25, 2023

Usage

We use Labels in the following ways:
  1. To feed other tools, such as Fluid Attacks' scanners, so they can complete the final vulnerability report.
  2. To display detailed information about packages in their dedicated view within the platform.
  3. To generate SBOM files on demand in standard formats such as CycloneDX and SPDX.
Image: Initial design of the SBOM product
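The rationale above stresses file-level and line-level location metadata, and the usage section mentions CycloneDX output. The following is an added example, not Labels' own code, showing how a minimal Python dependency parser can keep that location data and emit it in a CycloneDX document. It assumes CycloneDX 1.6, where a component's `evidence.occurrences` entries carry `location` and `line`, and it uses constructed `requirements.txt` content rather than real project files. The function names (`parse_requirements`, `build_sbom`) and the handling of only `==` pins are choices made for this illustration.

```python
import json
import re
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone

# Only exact pins are handled here; ranges such as ">=1.26" are skipped on purpose.
PINNED_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

# Constructed sample manifests (not real project files). The same pin appears in
# both files so the merge into one component with two occurrences is visible.
SAMPLE_FILES = {
    "requirements.txt": (
        "# web stack\n"
        "requests==2.31.0\n"
        "Flask == 3.0.0  # pinned\n"
        "-r requirements-dev.txt\n"
        "urllib3>=1.26\n"
    ),
    "requirements-dev.txt": (
        "pytest==8.0.0\n"
        "requests==2.31.0\n"
    ),
}


@dataclass(frozen=True)
class Dependency:
    name: str      # normalized package name
    version: str   # exact pinned version
    path: str      # manifest file where the pin was found
    line: int      # 1-based line number of the pin


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(path: str, text: str) -> list[Dependency]:
    """Return every exactly pinned dependency with the file and line it was declared on."""
    deps: list[Dependency] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("-"):  # blank lines and pip options like -r / -e
            continue
        match = PINNED_REQ.match(line)
        if match is None:                     # unpinned or range specifiers are skipped
            continue
        deps.append(Dependency(normalize_name(match.group(1)), match.group(2), path, lineno))
    return deps


def build_sbom(files: dict[str, str]) -> dict:
    """Build a CycloneDX 1.6 JSON document; identical pins from several files merge into one component."""
    components: dict[str, dict] = {}
    for path, text in files.items():
        for dep in parse_requirements(path, text):
            purl = f"pkg:pypi/{dep.name}@{dep.version}"
            component = components.setdefault(purl, {
                "type": "library",
                "bom-ref": purl,
                "name": dep.name,
                "version": dep.version,
                "purl": purl,
                "evidence": {"occurrences": []},
            })
            # Each declaration site becomes one occurrence; this is the line-level metadata.
            component["evidence"]["occurrences"].append({"location": dep.path, "line": dep.line})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
        "components": list(components.values()),
    }


if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_FILES), indent=2))
```

Running the script prints three components: `requests` carries two occurrences (line 2 of each file), while `Flask` and `pytest` carry one each; the `-r` line and the unpinned `urllib3` range are ignored. A consumer such as a scanner can use the `location` and `line` fields to point a finding at the exact declaration rather than only at the package.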