I was going through blint SBOM output generated from an apk; however, I don't see any useful info which can be used to detect vulnerabilities. Let's say if I get a package name & version, then I can look into different vuln DBs to see if it's vulnerable. But here in this case none of the returned packages has proper version names or proper lib names.
I understand, since we're decompiling an app and then doing this analysis, that it won't be possible to make a fully accurate SBOM (in terms of proper deps/versions). But how to use the SBOM generated by BLINT to identify vulns?
I can see these kinds of details in the SBOM, but just wanted to check if this purl is of any use?
@phoenix-patrick Good question! A confidence value of 0.5 indicates the low confidence the tool has in the purl it came up with. We are working on a symbols database called blint-db, which blint can use to improve the purl matching and the overall confidence.
The plan is to make the source code available with a sample database for top packages. Users can then utilize these to create and maintain their own custom lookup databases.
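As an added illustration of the triage the thread is discussing (not code from blint or the blint project), the script below reads a constructed CycloneDX-style SBOM, splits each purl into its parts, and keeps only components that carry a version and an identity confidence above a threshold, since a purl without a version cannot be matched against a vulnerability range. It assumes blint records confidence under the CycloneDX `evidence.identity` field; the sample SBOM, the 0.7 threshold and the component names are constructed for the example.

```python
import json
from urllib.parse import unquote

# Constructed sample in CycloneDX 1.5 shape; not real blint output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "libcrypto", "version": "1.1.1w", "purl": "pkg:generic/openssl@1.1.1w",
         "evidence": {"identity": {"field": "purl", "confidence": 0.9}}},
        {"name": "libfoo", "purl": "pkg:generic/libfoo",
         "evidence": {"identity": {"field": "purl", "confidence": 0.5}}},
        {"name": "unknown_symbol_bundle"},
    ],
})

def parse_purl(purl):
    """Split a purl into (type, namespace, name, version); None if it is not a purl."""
    if not purl.startswith("pkg:"):
        return None
    # Drop subpath (#) and qualifiers (?) before splitting off the version.
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
        version = unquote(version)
    parts = body.strip("/").split("/")
    ptype, name = parts[0], unquote(parts[-1])
    namespace = "/".join(parts[1:-1]) or None
    return ptype, namespace, name, version

def vuln_lookup_candidates(sbom_json, min_confidence=0.7):
    """Return (purls worth querying in a vuln DB, skipped components with reasons)."""
    usable, skipped = [], []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        parsed = parse_purl(purl) if purl else None
        # Assumed location of blint's confidence score (CycloneDX evidence.identity).
        conf = comp.get("evidence", {}).get("identity", {}).get("confidence", 0.0)
        if parsed is None:
            skipped.append((comp.get("name"), "no purl"))
        elif parsed[3] is None:
            skipped.append((purl, "no version; cannot match a vulnerability range"))
        elif conf < min_confidence:
            skipped.append((purl, f"identity confidence {conf} below {min_confidence}"))
        else:
            usable.append(purl)
    return usable, skipped
```

Only the entries in the first list are worth sending to a vulnerability database; the second list shows why the rest cannot be matched yet.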