A software bill of materials (SBOM) is the list of components that make up a given piece of software.
SBOM management should be part of the software development lifecycle (SDLC).
An SBOM may be composed of:
- Custom code
- Third-party commercial software
- Third-party free and open source (FOSS) software
There was an infamous security incident related to SolarWinds in which the SBOM was involved.
Uses of SBOM
We can use SBOM in the following scenarios:
- If you are a software supplier or vendor, you should have an SBOM so that you can identify possible vulnerabilities and report them to customers and regulators
- If you are a software customer, you should require SBOMs from your software suppliers so that you can check them for known vulnerabilities
SBOM Standards
SBOM standards:
- SPDX
- CycloneDX
SPDX
Software Package Data Exchange (SPDX) is an open standard that provides a common format for companies and communities to share important SBOM data.
CycloneDX
CycloneDX is part of OWASP.
Legal Requirements for SBOM
The European Union Cyber Resilience Act (CRA) requires an SBOM.
You can read more about CRA on this post.
The USA has CISA's Executive Order 14028, which defines the National Cybersecurity Strategy. You can read about it on this external link.
SBOM tools
SBOM tools include:
- Generation
- Gen-to-analysis
- Analysis
Generation
SBOM generation tools:
- Syft
- CycloneDX CLI
- SPDX tools
Syft
Syft is developed by Anchore. It works with both the SPDX and CycloneDX formats.
CycloneDX CLI
CycloneDX CLI is…
SPDX tools
SPDX tools are SPDX-based tools for SBOM generation.
Gen-to-analysis
bomctl
bomctl is format-agnostic SBOM tooling, which is intended to bridge the gap between SBOM generation and SBOM analysis tools.
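As an added example (not code from the original post, nor from bomctl or any of the tools above), this is the analysis step behind the "Uses of SBOM" scenarios: it parses the components of a constructed CycloneDX JSON document through their package URLs (purls) and flags any whose version is below the fixed version in a constructed, placeholder advisory list. The SBOM contents and the advisory identifiers are constructed for the example, not real advisory data.

```python
import json

# Constructed sample: a minimal CycloneDX 1.5 JSON SBOM for a hypothetical application.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})

# Constructed advisory feed with placeholder ids: (purl type, namespace/name) -> [(fixed version, advisory id)]
ADVISORIES = {
    ("npm", "lodash"): [("4.17.21", "ADV-EXAMPLE-1")],
    ("maven", "org.apache.logging.log4j/log4j-core"): [("2.17.1", "ADV-EXAMPLE-2")],
}

def parse_purl(purl):
    """Minimal purl parser: returns (type, namespace/name, version); qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    path, sep, version = body.rpartition("@")
    if not sep:                      # no '@' means the purl carries no version
        path, version = body, None
    ptype, _, name = path.partition("/")
    return ptype, name, version

def version_key(version):
    """Dotted version -> integer tuple; enough for the sample data, not a full semver comparator."""
    return tuple(int("".join(ch for ch in part if ch.isdigit()) or 0) for part in version.split("."))

def load_components(sbom_json):
    """Return the SBOM components that carry a purl, after checking the document is CycloneDX."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return [c for c in doc.get("components", []) if "purl" in c]

def find_affected(sbom_json, advisories=ADVISORIES):
    """Return [(purl, advisory id, fixed version)] for components below an advisory's fixed version."""
    hits = []
    for comp in load_components(sbom_json):
        ptype, name, version = parse_purl(comp["purl"])
        for fixed, adv_id in advisories.get((ptype, name), []):
            # A component without a version cannot be cleared, so it is reported as affected.
            if version is None or version_key(version) < version_key(fixed):
                hits.append((comp["purl"], adv_id, fixed))
    return hits

if __name__ == "__main__":
    for purl, adv_id, fixed in find_affected(SAMPLE_SBOM):
        print(f"{purl}: affected by {adv_id}, fixed in {fixed}")
```

The same loop, fed the purls from a real generator such as Syft and a real vulnerability feed, is what an SBOM analysis tool does at its core.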
SBOM Courses
The Linux Foundation offers some courses about SBOM:
SBOM Compliance
The May 2021 executive order on improving US cybersecurity requires that software comes with an SBOM. You can read more about this on this external link.
Software Composition Analysis
You can read this post about software composition analysis (SCA).
External References
- Matthew Brady, Karel Kohout, Martin Schleicher; "Demystifying SBOMs: Navigating Legislation and Processes"; Synopsys, 2024-01-30