SBOM: Software Bill of Materials explained

Suresh Shanmugam
April 28, 2023

#sbom #SCA #EO14028

https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1

Software supply chain security is critical to the safety and reliability of modern software systems. In recent years, the use of open-source software has increased dramatically, creating the need for greater transparency and visibility into the software supply chain.

Software Bill of Materials (SBOM) is an effective tool for achieving this. This article explains what SBOM is, why it’s essential, and how to create one for your software project.

What is a Software Bill of Materials (SBOM)?

A Software Bill of Materials (SBOM) is a list of all the software components used to build a piece of software. It includes open-source software packages, commercial software libraries, and other dependencies. The SBOM provides detailed information about each component, including the version number, license, and origin.

Section 10(j) of EO 14028 defines an SBOM as a “formal record containing the details and supply chain relationships of various components used in building software,” similar to food ingredient labels on packaging. The SBOM work has advanced since 2018 as a collaborative community effort, driven by the National Telecommunications and Information Administration’s (NTIA) multistakeholder process.

How is it different from SCA?

While Software Composition Analysis (SCA) and Software Bill of Materials (SBOM) share some similarities in their focus on software component management, they serve different purposes and provide distinct benefits. Therefore, having SCA alone does not eliminate the need for SBOM.

SCA is focused on identifying open source software components used in an application, analyzing their licenses and potential vulnerabilities, and providing recommendations for remediation. It is primarily used for managing open source software components and ensuring compliance with open source licenses.

SBOM provides a comprehensive inventory of all the software components used in an application, including both open source and commercial components. It provides a detailed list of all the dependencies and their version information, which helps software developers understand the software composition and track vulnerabilities and potential security issues. SBOM is typically used to provide transparency and accountability in the software development process, comply with licensing requirements, and manage the software’s complexity and maintenance.

Therefore, while SCA is an important tool for managing open source software components, it does not provide the comprehensive software component inventory and transparency that SBOM provides. To effectively manage software components in an application, both SCA and SBOM should be used together to provide a complete view of the software’s composition, vulnerabilities, and compliance requirements.

Why is an SBOM essential?

An SBOM is essential for several reasons:

  1. Identify and avoid vulnerabilities
  2. Manage software supply chain risk
  3. Determine supply chain quality & qualify vendors
  4. Improve software security, risk management, and mitigation
  5. Verify license compliance
  6. Level-set with a common understanding of software components

How to create an SBOM?

Step 1: Identify all software components used in your software project

Start by identifying all the software components used to build your software project. This includes open-source packages, commercial libraries, and any other dependencies.

Step 2: Collect information about each component

For each component, collect information such as the name, version number, license, and origin. You can obtain this information from the component’s documentation or by inspecting the code.

Step 3: Create an SBOM document

Create an SBOM document using a standard format such as CycloneDX or SPDX. These formats provide a structured way to present the information about each component. You can create the SBOM document manually, or you can use automated tools to generate it.

Step 4: Review and update the SBOM regularly

Review and update the SBOM regularly to ensure that it reflects the current state of your software supply chain. As new vulnerabilities are discovered, or new components are added, you must update the SBOM accordingly.

What does it consist of?

Below are some minimal data elements that can be tracked using an SBOM.

  1. Product Name
  2. Product Version
  3. License Information
  4. Product URL
  5. Product hashes
  6. Relationship between components
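As an added example (not code from the original article), the four steps above carried into code: the constructed inventory stands in for Steps 1 and 2, `build_cyclonedx` emits a CycloneDX 1.4 JSON document carrying the six minimal fields just listed (Step 3), and `check_sbom` is a Step 4 sanity check. Component names, URLs, hash values and the `com.example` Maven namespace are constructed placeholders, not real packages.

```python
import uuid

# Constructed sample inventory (Steps 1 and 2), one dict per component:
# name, version, SPDX licence id, origin URL, SHA-256 (placeholder), dependencies.
INVENTORY = [
    {"name": "app-core", "version": "2.1.0", "license": "Apache-2.0",
     "url": "https://example.invalid/app-core", "sha256": "aa" * 32,
     "depends_on": ["json-lib"]},
    {"name": "json-lib", "version": "1.9.3", "license": "MIT",
     "url": "https://example.invalid/json-lib", "sha256": "bb" * 32,
     "depends_on": []},
]

def purl(c):
    # Package URL identifying a component; the Maven namespace is an assumed placeholder.
    return f"pkg:maven/com.example/{c['name']}@{c['version']}"

def build_cyclonedx(inventory, app_name="example-app", app_version="1.0.0"):
    """Step 3: emit a CycloneDX 1.4 JSON document carrying the minimal
    fields: name, version, licence, URL, hash and component relationships."""
    by_name = {c["name"]: c for c in inventory}
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": app_name, "version": app_version}},
        "components": [
            {"type": "library", "bom-ref": purl(c), "purl": purl(c),
             "name": c["name"], "version": c["version"],
             "licenses": [{"license": {"id": c["license"]}}],
             "hashes": [{"alg": "SHA-256", "content": c["sha256"]}],
             "externalReferences": [{"type": "website", "url": c["url"]}]}
            for c in inventory],
        "dependencies": [
            {"ref": purl(c), "dependsOn": [purl(by_name[d]) for d in c["depends_on"]]}
            for c in inventory],
    }

def check_sbom(bom):
    """Step 4 sanity check: every component carries the minimal fields and
    every dependency edge points at a component that the SBOM actually lists."""
    refs = {c["bom-ref"] for c in bom["components"]}
    problems = [f"{c['bom-ref']} missing {k}" for c in bom["components"]
                for k in ("name", "version", "licenses", "hashes") if not c.get(k)]
    problems += [f"{d['ref']} depends on unlisted {t}"
                 for d in bom["dependencies"] for t in d["dependsOn"] if t not in refs]
    return problems
```

`json.dumps(build_cyclonedx(INVENTORY), indent=2)` prints the document; `check_sbom` returns an empty list for the sample and one message per missing field or dangling dependency otherwise.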

SBOM Tools:

Below are some tools that can help automate the inventory.

1. CycloneDX Maven Plugin

2. Kubernetes bom

3. Microsoft’s SBOM Tool

4. SPDX SBOM Generator

5. Syft
