Creating an SBoM for Mix projects

Posted 2019-10-24 19:44:48.169213

Any non-trivial modern software project relies, directly or indirectly, on a large number of third-party dependencies. Keeping track of updates, known vulnerabilities and license obligations can be a real challenge. Luckily there are tools that can help, both free and commercial.

In order to leverage such tools it is necessary to generate an inventory of the dependencies, including their versions and licenses, in a format the tools can understand. This is called a Software Bill-of-Materials, or SBoM, and an example of an SBoM format is CycloneDX. Tools exist for generating CycloneDX files for various ecosystems, and now there is one for Elixir too.

In this post I will show how to generate an SBoM for a Mix project, and how to use the output with OWASP Dependency-Track.


Learn you some `:ssl` for much security

Posted 2019-04-09 12:43:35.136065

Here’s the slide deck for my presentation at ElixirConf EU 2019 today.

I created a gist with all the code snippets, for easy copying and pasting into an iex session. I encourage you to try things out yourself!

P.S. Apologies to Fred for abusing the title of his awesome book…

Update: the video is now available:

Bram Verburg Learn you some 'ssl' for much security! - ElixirConfEU 2019

Hex package registry vulnerability

Posted 2019-01-29 14:13:52.780049

Recently I came across a vulnerability in the Hex package manager that would let a malicious or compromised mirror host modified versions of popular packages without detection by the client.

The issue, which affected both the Hex plugin for Mix and the Hex client built into Rebar3, has since been fixed. I hope everyone upgraded to Hex v0.19.0 and Rebar3 v3.8.0 by now.

In this post I will explain the background, the vulnerability, the potential impact and the fix.
