
Peaty: Usage, Configuration, and Requirements
Peaty is a security tool for reviewing and auditing the Software Bill of Materials (SBOM) of your applications. Whether you are fulfilling legal mandates, following internal compliance processes, or conducting security reviews, Peaty speeds up the identification of known vulnerabilities in your software supply chain.
What Peaty Does
Peaty consumes SBOMs and cross-references them with industry-trusted security databases to detect known vulnerabilities. When Peaty scans an SBOM, it highlights any discovered issues by providing the following critical information:
- Issue: The specific vulnerability identifier (e.g., CVE ID).
- Details: A rich description of the vulnerability and its potential impact.
- Source: The trusted database or tool that reported the vulnerability.
- Severity Level: The critical, high, medium, or low rating associated with the issue to help prioritize remediation.
Peaty draws on Grype, OSV-Scanner, and the CISA KEV (Known Exploited Vulnerabilities) catalog, so its findings are only as current as those sources: Grype matches against a locally cached vulnerability database (refresh it with grype db update before an audit), and OSV-Scanner queries the OSV database. A finding that also appears in CISA KEV is known to be exploited in the wild and should be prioritized ahead of other findings at the same severity level.
Requirements and Required Tools
To function correctly, Peaty relies on specific command-line tools being installed on your system (macOS or Linux).
1. Homebrew (macOS Only)
Before installing the required scanners, you must have Homebrew, a package manager for macOS, installed.
2. Grype
Grype is a vulnerability scanner for container images, filesystems, and SBOMs, developed by Anchore. It is one of the primary engines Peaty uses to inspect SBOMs.
3. OSV-Scanner
OSV-Scanner is a frontend to the Open Source Vulnerability (OSV) database provided by Google. Peaty uses this tool to check for vulnerabilities across various open-source ecosystems.
macOS Setup
We’ve provided a streamlined setup script to help you configure these dependencies instantly on macOS. Run the following command from the root of the Peaty repository:
./setup_tools.sh
This script will ensure Homebrew is present and proceed to automatically install both grype and osv-scanner.
Linux Setup
On Linux distributions, you can install these tools manually using their official installation methods.
Installing Grype:
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
Note that this pipes a script fetched over the network straight into a root shell. If that is not acceptable in your environment, download install.sh first and review it, or install a release binary from the Grype releases page and verify it against the published checksums.
Installing OSV-Scanner:
You can download the pre-compiled binary from the official OSV-Scanner release page or install it using Go:
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
Ensure that $(go env GOPATH)/bin (by default ~/go/bin) is in your system’s $PATH.
Installation, Configuration & Usage
- Install Peaty:
- macOS: Download the latest DMG release file and install the application.
- Linux: Download and install the application from the latest DEB release file.
- Verify Tool Installation: After setting up the required tools, ensure that they are available in your system’s PATH. You can verify this by running the following in your terminal:
grype version
osv-scanner --version
- Generate your SBOMs: Ensure that your projects emit SBOMs correctly (e.g., in CycloneDX or SPDX format), and place them in the designated Audit directory of each project.
- Run Peaty: Launch the Peaty application. The app will automatically invoke Grype and OSV-Scanner on your SBOMs, check the results against their databases and the CISA KEV catalog, and present the highlighted risks interactively for your review.
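The normalisation described under What Peaty Does and in the Run Peaty step above, shown as an added Python example that is not Peaty's own code: it reads the JSON that grype -o json and osv-scanner --format json produce for an SBOM, folds both into one Issue/Details/Source/Severity record per vulnerability and package, and flags anything present in the CISA KEV feed. The three sample documents are constructed and trimmed to the fields used; the field names follow the public output formats of the two scanners and the KEV feed as the author understands them (the --sbom flag is the osv-scanner 1.x spelling), so check them against the versions you run.

```python
"""Fold grype and osv-scanner JSON into Issue/Details/Source/Severity findings and
flag anything listed in the CISA KEV catalog.  Added example, not Peaty's own code.
Field names follow the public output of `grype -o json`, `osv-scanner --format json`
(1.x flags) and the CISA KEV feed as the author understands them; verify against your versions.
"""
import json
from dataclasses import dataclass, field

# Constructed sample, trimmed to the fields used.  A real run would be:
#   grype sbom:./Audit/sbom.cdx.json -o json > grype.json
GRYPE_JSON = """{"matches": [
  {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical",
     "description": "Log4j 2.x JNDI lookup allows remote code execution."},
   "artifact": {"name": "log4j-core", "version": "2.14.1"}}]}"""

# Constructed sample.  A real run would be:
#   osv-scanner --sbom=./Audit/sbom.cdx.json --format json > osv.json
OSV_JSON = """{"results": [{"packages": [
  {"package": {"name": "org.apache.logging.log4j:log4j-core", "version": "2.14.1",
               "ecosystem": "Maven"},
   "vulnerabilities": [
     {"id": "GHSA-jfh8-c2jp-5v3q", "aliases": ["CVE-2021-44228"],
      "summary": "Remote code injection in Log4j", "database_specific": {"severity": "CRITICAL"}},
     {"id": "GHSA-p6xc-xr62-6r2g", "aliases": ["CVE-2021-45105"],
      "summary": "Log4j2 denial of service via uncontrolled recursion",
      "database_specific": {"severity": "MODERATE"}}]}]}]}"""

# Trimmed copy of the feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_JSON = """{"vulnerabilities": [{"cveID": "CVE-2021-44228", "dateAdded": "2021-12-10",
  "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability"}]}"""

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}
SEVERITY_ALIASES = {"MODERATE": "MEDIUM", "NEGLIGIBLE": "LOW"}  # scanner vocabularies differ

@dataclass
class Finding:
    issue: str                                  # Issue: CVE preferred over a GHSA alias
    details: str                                # Details: description from a reporter
    sources: set = field(default_factory=set)   # Source: tools that reported it
    severity: str = "UNKNOWN"                   # Severity Level, normalised
    package: str = ""
    version: str = ""
    kev: bool = False                           # in CISA KEV: known to be exploited

def normalise_severity(raw):
    s = (raw or "UNKNOWN").upper()
    s = SEVERITY_ALIASES.get(s, s)
    return s if s in SEVERITY_RANK else "UNKNOWN"

def canonical_id(vuln_id, aliases=()):
    # Prefer the CVE id so the same bug reported by two scanners collapses into one row.
    for candidate in (vuln_id, *aliases):
        if candidate.upper().startswith("CVE-"):
            return candidate.upper()
    return vuln_id

def package_key(name):
    # grype reports "log4j-core"; OSV reports "org.apache.logging.log4j:log4j-core".
    return name.split(":")[-1].lower()

def parse_grype(text):
    for m in json.loads(text).get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        yield Finding(issue=canonical_id(v["id"]), details=v.get("description", ""),
                      sources={"grype"}, severity=normalise_severity(v.get("severity")),
                      package=package_key(a["name"]), version=a.get("version", ""))

def parse_osv(text):
    for result in json.loads(text).get("results", []):
        for entry in result.get("packages", []):
            pkg = entry["package"]
            for v in entry.get("vulnerabilities", []):
                sev = (v.get("database_specific") or {}).get("severity")  # may be absent
                yield Finding(issue=canonical_id(v["id"], v.get("aliases", [])),
                              details=v.get("summary") or v.get("details", ""),
                              sources={"osv-scanner"}, severity=normalise_severity(sev),
                              package=package_key(pkg["name"]), version=pkg.get("version", ""))

def kev_ids(text):
    return {e["cveID"].upper() for e in json.loads(text).get("vulnerabilities", [])}

def merge(findings, kev):
    # One row per (issue, package, version); worst severity wins; KEV hits sort first.
    merged = {}
    for f in findings:
        cur = merged.setdefault((f.issue, f.package, f.version), f)
        if cur is not f:
            cur.sources |= f.sources
            if SEVERITY_RANK[f.severity] < SEVERITY_RANK[cur.severity]:
                cur.severity = f.severity
            cur.details = cur.details or f.details
    for f in merged.values():
        f.kev = f.issue in kev
    return sorted(merged.values(), key=lambda f: (not f.kev, SEVERITY_RANK[f.severity], f.issue))

def audit(grype_text=GRYPE_JSON, osv_text=OSV_JSON, kev_text=KEV_JSON):
    return merge([*parse_grype(grype_text), *parse_osv(osv_text)], kev_ids(kev_text))

if __name__ == "__main__":
    for f in audit():
        flag = "  [CISA KEV: actively exploited]" if f.kev else ""
        print(f"{f.severity:<8} {f.issue:<16} {f.package}@{f.version} via "
              f"{', '.join(sorted(f.sources))}{flag}\n         {f.details}")
```

Run stand-alone, it prints the KEV-listed Log4Shell entry first with both scanners credited as its Source, followed by the MODERATE-rated OSV finding folded onto the MEDIUM level. The GHSA alias and the differing package names are the two things that most often produce duplicate rows when scanner outputs are merged naively, which is why the row key is built from the canonical CVE id and a normalised package name rather than from what each tool happens to print.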
Reports: Export to PDF
Peaty also lets analysts export the findings to PDF for sharing with others. SBOMs are now required in many government procurement contexts (in the United States, following Executive Order 14028), and knowing what to do with that information should be at your fingertips.
Peaty is an analyst’s tool, designed to make it easy to comprehend the SBOM and what needs to be vetted, investigated, remediated, and resolved. If you’d like to see Peaty in action, see the video below.
—TBD—
