Added SBOM page (#100)

kchudy · web-flow · commit e1c826122e51 · 2025-10-01T15:54:53.000+02:00
diff --git a/src/pages/sbom.astro b/src/pages/sbom.astro
@@ -0,0 +1,288 @@
+---
+// File suggestion: src/pages/security/sbom.astro
+// This page is designed to be data‑driven. Replace the mock `components` and
+// `vulnReports` with content generated in CI (e.g., from Trivy + SBOM artifacts).
+// You can also load JSON via `Astro.fetchContent` or import from `src/content`.
+
+import Navigation from "../components/base/Navigation.astro";
+import ProductLayout from "../layouts/ProductLayout.astro";
+import FlexibleSection from "../components/FlexibleSection.astro";
+// Fetch SBOM/advisories directly from GitHub Releases
+
+// Per-component metadata (id, name, version, repo) to build exact URLs
+interface ComponentDef { id: 'defguard' | 'defguard-client' | 'defguard-mobile' | 'defguard-proxy' | 'defguard-gateway'; name: string; version: string; repo: string; status: string }
+const COMPONENTS: ComponentDef[] = [
+  { id: 'defguard', name: 'Core', version: '1.5.1', repo: 'defguard', status: 'Fix in testing' },
+  { id: 'defguard-proxy', name: 'Proxy', version: '1.5.1', repo: 'proxy', status: '' },
+  { id: 'defguard-gateway', name: 'Gateway', version: '1.5.1', repo: 'gateway', status: '' },
+  { id: 'defguard-client', name: 'Desktop App', version: '1.5.1', repo: 'client', status: ''  },
+  { id: 'defguard-mobile', name: 'Mobile App', version: '1.5.1', repo: 'mobile-client', status: ''  },
+];
+
+const buildReleaseTag = (version: string): string => `v${version}`;
+// const basePath = 'sboms';
+const basePath = 'https://github.com/DefGuard';
+const buildBaseUrl = (repo: string, version: string): string => `${basePath}/${repo}/releases/download/${buildReleaseTag(version)}/`;
+const buildSbomUrl = (c: ComponentDef): string => `${buildBaseUrl(c.repo, c.version)}${c.id}-${c.version}.sbom.json`;
+const buildAdvisoriesUrl = (c: ComponentDef): string => `${buildBaseUrl(c.repo, c.version)}${c.id}-${c.version}.advisories.json`;
+
+const severityOrder: string[] = ['critical','high','medium','low','unknown'];
+const pickHighestSeverity = (items: string[]): string => {
+  let highest: string = 'unknown';
+  for (const s of items) {
+    const normalized = (s || '').toLowerCase();
+    const idx = severityOrder.indexOf(normalized);
+    const cur = severityOrder.indexOf(highest);
+    if (idx !== -1 && (cur === -1 || idx < cur)) highest = normalized;
+  }
+  return highest;
+};
+
+// Group by component/version
+interface SbomEntry { name: string; version: string; url: string; status: string }
+interface Vulnerability { Severity?: string; VulnerabilityID?: string }
+interface AdvisoryResult { Vulnerabilities?: Vulnerability[] }
+interface AdvisoryFile { CreatedAt?: string; Metadata?: { CreatedAt?: string }; Results?: AdvisoryResult[] }
+
+const sboms = new Map<string, SbomEntry>();
+const advisories = new Map<string, { createdAt: string | null; vulns: Vulnerability[] }>();
+
+// Build entries and fetch advisories from GitHub
+await Promise.all(COMPONENTS.map(async (c) => {
+  const idKey = `${c.name}@${c.version}`;
+  sboms.set(idKey, { name: c.name, version: c.version, url: buildSbomUrl(c), status: c.status });
+  try {
+    const res = await fetch(buildAdvisoriesUrl(c));
+    if (res.ok) {
+      const json = (await res.json()) as AdvisoryFile;
+      const createdAt = json.CreatedAt || json.Metadata?.CreatedAt || null;
+      const vulns = (json.Results || []).flatMap((r: AdvisoryResult) => (r.Vulnerabilities || []));
+      advisories.set(idKey, { createdAt, vulns });
+    }
+  } catch {}
+}));
+
+// Build components array for table
+const components = Array.from(sboms.values()).map((c: SbomEntry) => {
+  const adv = advisories.get(`${c.name}@${c.version}`);
+  return {
+    name: c.name,
+    format: 'JSON',
+    version: c.version,
+    date: adv?.createdAt ? String(adv.createdAt).slice(0, 10) : '—',
+    url: c.url,
+    status: c.status,
+  };
+});
+
+// Build vulnerability reports aligned with components
+interface VulnReport { component: string; version: string; status: 'ok' | 'issues'; severity: string; cves: string[]; action: string }
+const vulnReports: VulnReport[] = components.map((c) => {
+  const adv = advisories.get(`${c.name}@${c.version}`);
+  const vulns = adv?.vulns || [];
+  if (vulns.length === 0) {
+    return { component: c.name, version: c.version, status: 'ok', severity: 'None', cves: [], action: '—' };
+  }
+  const highest = pickHighestSeverity(vulns.map((v: Vulnerability) => v.Severity || 'unknown'));
+  // Normalize label case
+  const severityLabel = highest.charAt(0).toUpperCase() + highest.slice(1);
+  const cves = vulns.map((v: Vulnerability) => v.VulnerabilityID).filter(Boolean).slice(0, 5) as string[];
+  return { component: c.name, version: c.version, status: 'issues', severity: severityLabel, cves, action: '—' };
+});
+
+// Note: table shows per-component status; page-level aggregate not used currently.
+const title = "defguard - Zero-Trust WireGuard® 2FA/MFA VPN";
+const featuredImage =
+  "github.com/DefGuard/defguard.github.io/raw/main/public/images/product/core/hero-image.png";
+const imageWidth = "1920";
+const imageHeight = "1080";
+const url = "https://defguard.net/sbom";
+const tags = [
+  "defguard",
+  "security",
+  "sbom",
+  "sca",
+  "vulnerability",
+  "supply chain",
+  "transparency",
+];
+---
+
+<ProductLayout
+  title={title}
+  featuredImage={featuredImage}
+  imageWidth={imageWidth}
+  imageHeight={imageHeight}
+  url={url}
+  tags={tags}
+>
+  <Navigation activeSlug="/security/" />
+
+  <main id="home-page">
+    <FlexibleSection leftRatio={1} title="What is SBOM?" theme="light">
+      <div slot="left" class="sbom-intro">
+        <p>
+          A <strong>Software Bill of Materials (SBOM)</strong> is a structured inventory of all components that make up
+          a piece of software — including third‑party libraries, packages, versions, and their relationships.
+          SBOMs help organizations understand what is inside their software, evaluate exposure to known
+          vulnerabilities, and meet supply‑chain security and compliance requirements.
+        </p>
+        <p>
+          We publish SBOMs because <strong>transparency and security</strong> are core to Defguard. Making our
+          dependency information public lets customers and auditors independently <strong>verify what we ship</strong>,
+          continuously <strong>assess risk</strong> against public CVE databases, and integrate our artifacts into their
+          own security tooling and compliance workflows.
+        </p>
+        <p>
+          SBOMs also help us <strong>respond faster</strong> to newly disclosed issues: we track and scan dependencies
+          after each release, prioritize remediation, and communicate status openly. This practice aligns with
+          ISO 27001 controls and demonstrates our commitment to a secure software supply chain.
+        </p>
+      </div>
+    </FlexibleSection>
+
+  
+    <FlexibleSection leftRatio={1} title="SBOM file list with vulnerability status" theme="light">
+      <div slot="left" class="sbom-filelist">
+        <p>
+          We publish separate SBOMs for <strong>mobile apps</strong> (Android, iOS), the <strong>desktop app</strong>
+          (Windows, macOS, Linux), and <strong>server components</strong> (Core, Proxy, Gateway). We provide them in the standard format
+          (SPDX), enabling integration with tools like Trivy, Syft, and Dependency‑Track.
+        </p>
+        <div class="content-measure">
+          <table class="sbom-table" role="table" aria-label="SBOM list with vulnerability status">
+          <thead>
+            <tr>
+                <th>Component</th>
+                <th>Version</th>
+                <th>Date checked</th>
+                <th>SBOM link</th>
+                <th>Vulnerability status</th>
+                <th>Status</th>
+            </tr>
+          </thead>
+          <tbody>
+            {components.map((c) => {
+              const report = vulnReports.find((r) => r.component === c.name && r.version === c.version);
+              const statusLabel = report
+                ? (report.status === 'ok' ? 'No vulnerabilities' : `${report.severity} vulnerabilities`)
+                : '—';
+              const severity = (report?.severity ?? '').toLowerCase();
+              const badgeClass = report
+                ? (report.status === 'ok' ? 'ok' : (severity || 'issues'))
+                : 'na';
+              return (
+                <tr>
+                  <td>{c.name}</td>
+                  <td class="nowrap">{c.version}</td>
+                  <td class="nowrap">{c.date}</td>
+                  <td><a href={c.url} rel="nofollow">Download</a></td>
+                  <td><span class={`badge ${badgeClass}`}>{statusLabel}</span></td>
+                  <td>{c.status || '—'}</td>
+                </tr>
+              );
+            })}
+          </tbody>
+        </table>
+        </div>
+      </div>
+    </FlexibleSection>
+    
+    </main>
+</ProductLayout>
+
+<style>
+  .content-measure {
+    max-width: 100%;
+  }
+  .content-measure table {
+    width: 100%;
+  }
+  /* spacing between paragraphs in the SBOM intro section */
+  .sbom-intro p + p {
+    margin-top: 1rem;
+  }
+  /* spacing between intro paragraph and table in SBOM file list */
+  .sbom-filelist p {
+    margin-bottom: 1rem;
+  }
+  /* SBOM table styles */
+  .sbom-table {
+    border-collapse: separate;
+    border-spacing: 0;
+    width: 100%;
+    background: #fff;
+    border: 1px solid rgba(0,0,0,0.08);
+    border-radius: 8px;
+    overflow: hidden;
+  }
+  .sbom-table thead th {
+    text-align: left;
+    font-weight: 600;
+    background: #fafafa;
+    color: #111;
+    padding: 12px 14px;
+    border-bottom: 1px solid rgba(0,0,0,0.06);
+    white-space: nowrap;
+  }
+  .sbom-table tbody td {
+    padding: 12px 14px;
+    border-bottom: 1px solid rgba(0,0,0,0.06);
+    vertical-align: middle;
+  }
+  .sbom-table tbody tr:hover {
+    background: rgba(0,0,0,0.02);
+  }
+  .sbom-table .nowrap {
+    white-space: nowrap;
+  }
+  .sbom-table a {
+    color: inherit;
+    text-decoration: underline;
+  }
+  .badge {
+    display: inline-block;
+    padding: 2px 8px;
+    border-radius: 999px;
+    font-size: 12px;
+    line-height: 1.6;
+    font-weight: 600;
+    border: 1px solid transparent;
+  }
+  .badge.ok {
+    background: #e8f7ef;
+    color: #18794e;
+    border-color: #b7ebcd;
+  }
+  .badge.issues {
+    background: #fff1f0;
+    color: #a8071a;
+    border-color: #ffccc7;
+  }
+  /* severity-specific badges */
+  .badge.low {
+    background: #f0faf4;
+    color: #0e7a3d;
+    border-color: #bfead1;
+  }
+  .badge.medium {
+    background: #fffbe6;
+    color: #ad8b00;
+    border-color: #ffe58f;
+  }
+  .badge.high {
+    background: #fff1f0;
+    color: #a8071a;
+    border-color: #ffccc7;
+  }
+  .badge.critical {
+    background: #fff1f0;
+    color: #a8071a;
+    border-color: #ffccc7;
+  }
+  .badge.na {
+    background: #f5f5f5;
+    color: #555;
+    border-color: #e5e5e5;
+  }
+</style>
