[FEATURE][SECURITY]: SBOM generator - CycloneDX/SPDX for MCP servers #2218

@crivetimihai

🔌 Plugin: SBOM Generator - CycloneDX/SPDX for MCP Servers

Goal

Implement a gateway plugin that generates Software Bill of Materials (SBOM) for all MCP servers in CycloneDX or SPDX format. SBOMs enable dependency tracking, license compliance, and rapid vulnerability response when new CVEs are disclosed.

Why Now?

  1. Executive Order 14028: US federal agencies require SBOMs for software supply chain security
  2. CVE Response: When a new CVE is published, SBOMs enable instant identification of affected servers
  3. License Compliance: Organizations need to track open-source licenses in deployed software
  4. Dependency Visibility: MCP servers often have deep dependency trees; SBOMs make them visible
  5. Compliance Frameworks: SOC2, FedRAMP, and HIPAA audits increasingly require SBOM documentation

📖 User Stories

US-1: Compliance Officer - Generate SBOM for MCP Server

As a Compliance Officer
I want SBOMs generated for all MCP servers
So that I can track dependencies and respond to new vulnerabilities

Acceptance Criteria:

Given an MCP server is being assessed:
When SBOM generation runs:
Then the system should:
  - Extract dependencies from:
    - Container image layers
    - requirements.txt / pyproject.toml
    - package.json / package-lock.json
    - go.mod / Cargo.toml
  - Generate SBOM in CycloneDX format with:
    - Component names and versions
    - Package URLs (purl)
    - License information
    - Dependency relationships
  - Store SBOM in database
  - Enable export for audits

US-2: Security Engineer - Query Affected Servers by CVE

As a Security Engineer
I want to find all servers affected by a new CVE
So that I can prioritize patching

Acceptance Criteria:

Given a new CVE is published for package "requests" version < 2.31.0
When I query: GET /sbom/affected?package=requests&version_lt=2.31.0
Then I receive a list of all MCP servers using vulnerable versions
And I can export the list for remediation tracking

🏗 Architecture

SBOM Generation Flow

sequenceDiagram
    participant Gateway as Gateway
    participant Plugin as SBOMGeneratorPlugin
    participant Syft as Syft
    participant DB as Database

    Gateway->>Plugin: assessment_hook(server)
    
    alt Container Image
        Plugin->>Syft: syft <image> -o cyclonedx-json
    else Source Repository
        Plugin->>Syft: syft dir:. -o cyclonedx-json
    end
    
    Syft-->>Plugin: SBOM JSON
    Plugin->>Plugin: Extract component list
    Plugin->>Plugin: Detect licenses
    Plugin->>DB: Store SBOM document
    Plugin-->>Gateway: SBOM metadata

SBOM Schema (CycloneDX subset)

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:...",
  "version": 1,
  "metadata": {
    "component": {
      "name": "mcp-server-example",
      "version": "1.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "requests",
      "version": "2.28.0",
      "purl": "pkg:pypi/requests@2.28.0",
      "licenses": [{"license": {"id": "Apache-2.0"}}]
    }
  ]
}

📋 Implementation Tasks

  • Create plugins/sbom_generator/ directory structure
  • Implement SBOMGeneratorPlugin class
  • Add Syft CLI wrapper
  • Support CycloneDX output format
  • Support SPDX output format (optional)
  • Extract from container images
  • Extract from source directories
  • Parse and store SBOM in database
  • Implement component search API
  • Add CVE correlation endpoint
  • Add license extraction and flagging
  • Create SBOM export functionality (JSON, XML)
  • Add Admin UI for SBOM viewing
  • Write unit tests
  • Write integration tests
  • Create README.md
  • Pass make verify checks

⚙️ Configuration Example

plugins:
  - name: "SBOMGeneratorPlugin"
    kind: "plugins.sbom_generator.sbom_generator.SBOMGeneratorPlugin"
    hooks:
      - assessment_post_scan
    mode: "enforce"
    priority: 20
    
    config:
      generator: "syft"
      format: "cyclonedx"  # cyclonedx | spdx
      spec_version: "1.5"
      
      # Extraction settings
      include_dev_deps: false
      include_files: false  # File-level components
      
      # License settings
      detect_licenses: true
      blocked_licenses:
        - "GPL-3.0"
        - "AGPL-3.0"
      
      # Storage
      store_full_sbom: true
      retention_days: 365

✅ Success Criteria

  • Syft integration generates CycloneDX SBOMs
  • SBOM extracted from containers and source
  • Component list stored and queryable
  • License detection and flagging
  • CVE correlation API functional
  • SBOM export for compliance audits
  • Admin UI displays SBOM contents
  • 80%+ test coverage
  • Documentation complete

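Added example, not part of the original issue or the project's code: a sketch of the US-2 affected-server query and the `blocked_licenses` check run over stored CycloneDX component lists. It shows two cases the acceptance criteria do not spell out: a version that cannot be parsed is reported as "unknown" instead of being dropped, and a blocked id such as `GPL-3.0` also has to match the current SPDX forms `GPL-3.0-only` and `GPL-3.0-or-later`. The function names, the sample SBOMs and the `readline-shim` package are constructed for illustration, and the version comparison is a simplified dotted-numeric one that ignores pre-release suffixes.

```python
import re

# Constructed sample: server name -> CycloneDX document (components only).
SBOMS = {
    "mcp-server-example": {"components": [
        {"name": "requests", "version": "2.28.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "readline-shim", "version": "1.2", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}]},
    "mcp-server-patched": {"components": [
        {"name": "Requests", "version": "2.31", "licenses": [{"id": "Apache-2.0"}]}]},
    "mcp-server-odd": {"components": [
        {"name": "requests", "version": "git-abc123",
         "licenses": [{"expression": "MIT OR AGPL-3.0-or-later"}]}]},
}

def release(version):
    """Leading dotted-numeric release as a tuple, or None (simplified; pre-release suffixes ignored)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", version)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def version_lt(a, b):
    ta, tb = release(a), release(b)
    if ta is None or tb is None:
        return None                      # cannot decide
    n = max(len(ta), len(tb))            # pad so that 2.31 == 2.31.0
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))

def affected(sboms, package, fixed_in):
    """Map server -> (version, 'vulnerable' | 'unknown') for components below fixed_in."""
    norm = lambda s: re.sub(r"[-_.]+", "-", s).lower()   # PyPI-style name normalisation
    hits = {}
    for server, bom in sboms.items():
        for comp in bom.get("components", []):
            if norm(comp.get("name", "")) != norm(package):
                continue
            verdict = version_lt(comp.get("version", ""), fixed_in)
            if verdict is not False:     # True = vulnerable, None = unknown: surface both
                hits[server] = (comp.get("version"), "vulnerable" if verdict else "unknown")
    return hits

def blocked_components(sboms, blocked):
    """List (server, component, license) where a license id or expression names a blocked license."""
    found = []
    for server, bom in sboms.items():
        for comp in bom.get("components", []):
            for entry in comp.get("licenses", []):
                lic = entry.get("license", entry)    # nested under "license"; a flat {"id": ...} is tolerated
                text = lic.get("id") or lic.get("name") or entry.get("expression") or ""
                for token in re.findall(r"[A-Za-z0-9.+-]+", text):
                    if any(token == b or token.startswith(b + "-") for b in blocked):
                        found.append((server, comp["name"], token))
    return found
```

An expression such as `MIT OR AGPL-3.0-or-later` is flagged even though it offers a permissive alternative, which errs on the side of sending it to review.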