Surfactant: gather file information for SBOM generation and dependency analysis
Surfactant
A modular framework to gather file information for SBOM generation and dependency analysis.
Surfactant can be used to gather information from a set of files to generate an SBOM, as well as to manipulate SBOMs and analyze the information in them. It pulls information from recognized file types (such as PE, ELF, or MSI files) contained within a directory structure corresponding to an extracted software package. By default, the information gathered is “surface-level” metadata contained in the files, which does not require running the files or decompiling them.
Understanding the SBOM Output
Software
This section contains a list of entries, one for each piece of software found in the sample. Metadata such as file size, vendor, and version is included in this section, along with a UUID that uniquely identifies the software entry.
Relationships
This section contains information on how the software entries in the previous section are linked to one another.
Uses: this relationship type means that software x uses software y, i.e., y is a helper module of x.
Contains: this relationship type means that software x contains software y (often x is an installer or an archive such as a zip file).
Observations
This section contains notable observations about individual software components. These could be vulnerabilities, observed features, and so on.
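As an added example (not Surfactant's own code or its exact output format), the following Python walks a constructed SBOM built from the three sections above and, for each observation, reports every software entry that transitively uses or contains the affected component, which is how an observation on a helper module is traced back to the application and installer that ship it. The key names UUID, xUUID/yUUID and relationship are assumptions, as is the shape of the observation entries.

```python
from collections import defaultdict

# Constructed Surfactant-style SBOM with the three sections described above; field
# names (UUID, xUUID/yUUID, relationship, observation keys) are assumed, not from the page.
SBOM = {
    "software": [
        {"UUID": "u-installer", "fileName": ["setup.msi"], "size": 1048576},
        {"UUID": "u-app", "fileName": ["app.exe"], "size": 204800},
        {"UUID": "u-helper", "fileName": ["helper.dll"], "size": 51200},
    ],
    "relationships": [
        {"xUUID": "u-installer", "yUUID": "u-app", "relationship": "Contains"},
        {"xUUID": "u-installer", "yUUID": "u-helper", "relationship": "Contains"},
        {"xUUID": "u-app", "yUUID": "u-helper", "relationship": "Uses"},
    ],
    "observations": [
        {"UUID": "u-helper", "type": "vulnerability", "note": "constructed sample"},
    ],
}

def software_by_uuid(sbom):
    """Map each software UUID to its entry; the UUID is the join key between sections."""
    return {entry["UUID"]: entry for entry in sbom["software"]}

def reverse_edges(sbom, kinds=("Uses", "Contains")):
    """y -> set of x for every 'x <kind> y' relationship of the chosen kinds."""
    edges = defaultdict(set)
    for rel in sbom["relationships"]:
        if rel["relationship"] in kinds:
            edges[rel["yUUID"]].add(rel["xUUID"])
    return edges

def affected_by(sbom, uuid):
    """Return `uuid` plus every entry that transitively uses or contains it (DFS over reverse edges)."""
    edges = reverse_edges(sbom)
    seen, stack = set(), [uuid]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(edges[cur] - seen)
    return seen

def observation_impact(sbom):
    """For each observation, the sorted file names of every affected software entry.
    For the sample: {'u-helper': ['app.exe', 'helper.dll', 'setup.msi']}"""
    names = software_by_uuid(sbom)
    return {obs["UUID"]: sorted(names[u]["fileName"][0] for u in affected_by(sbom, obs["UUID"]))
            for obs in sbom["observations"]}
```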