Ciara details how and when to generate an SBOM with the help of open-source tooling. Learn how to host SBoMs, as well as other SBOM considerations.
Generating and Hosting SBOMs
The first step to securing your software is knowing what is in your software. Generating a Software Bill of Materials (SBOM) for your builds can limit the impact of critical vulnerabilities like Log4J by driving actions to update software or prevent the deployment of vulnerable artifacts.
SBOMs have been getting increased attention since the US President’s executive order mandated that organizations selling into the U.S. federal government are required to provide SBOMs. The National Telecommunications and Information Administration (NTIA) published the minimum elements for an SBOM for the US government and described use cases for greater transparency in the supply chain. The OpenSSF team released their 10-point Mobilization Plan, which included a plan to improve SBOM tooling and training to drive adoption.
Open source tooling, including Sigstore, CycloneDX, Syft, Grype, and Trivy, help to automate SBOM workflows and integrate them into software pipelines.
Cloudsmith’s artifact repository integrates with Sigstore’s Cosign tooling which allows you to host SBOMs in an OCI registry and will be staying closely aligned to all the package ecosystems as they evolve their tooling to support SBOMs.
Today, I’ll go through:
- An overview of SBOMs.
- How and when to generate an SBOM, including a list of open-source software (OSS) tooling to help you.
Hosting your SBOM.
- Other SBOM considerations.
- My next article will detail tools to analyze SBOMs for vulnerabilities, and how Cloudsmith can then quarantine your images if the vulnerability is above a certain vulnerability threshold.
The SBOM lists all components, including licenses and dependencies contained in a software product and other data, including version, supplier, identifiers e.g PURL and author. The software end-user can use the SBOM to perform vulnerability and license analysis of their software packages, which can help evaluate a software product’s risk. SBOMs are designed to be machine-readable, and available in either JSON or XML formats.
An SBOM in a known format can help drive automation and trigger security alerts. The two major formats of SBOMs are SPDX and CycloneDX.
To understand more about SBOMs and their use cases, check out this curated list of sbom tools and resources or discover some resources that the NTIA has published.