13.07.2023

Briefly Explained: Software Bill of Materials (SBOM)

What are the legal requirements for cybersecurity in the IT supply chain? A Software Bill of Materials (SBOM) plays an essential role here – it is one of the focus topics in 2023 for the work of the Security Competence Group in the eco Association.

A Software Bill of Materials (SBOM) is a structured, machine-readable record of the components of a software product and their relationships within the software supply chain. An SBOM lists which packages and libraries an application contains, where they come from and which versions they have; correlated with a vulnerability database, it also shows whether those components have known security vulnerabilities [1]. The purpose of an SBOM is to make the software inventory visible so that vulnerabilities in the supply chain can be found and managed; the inventory itself does not remove them.

It can be compared to a bill of materials for physical products, which describes in detail each component in a product (be it a machine, a part or an assembled product). An SBOM helps both suppliers and buyers to keep track of components and improve the security of the (software) supply chain.

This is especially important for software products built from reused code or open-source components, since these often originate from different contractors or projects and may lack transparency or security assurance. Many software projects are also split into smaller self-contained units packaged as containers, which are managed via orchestration platforms such as Kubernetes and run either on premises or in the cloud. An SBOM makes it possible to track the components, trace their origin, dependencies and vulnerabilities, and thereby improve the security of the software supply chain.
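As an added example (not part of the original article and not code from any of the projects named on this page), the following Python script shows the two operations described above: reading the component inventory and dependency relationships out of an SBOM, and correlating the recorded versions with a vulnerability list. The SBOM is a constructed CycloneDX 1.4 JSON document for a fictitious application "web-shop" with fictitious com.example libraries; the only real coordinates are the Apache log4j artefacts, and the single vulnerability entry is the well-known CVE-2021-44228 (log4j-core, fixed in 2.15.0), standing in for a real feed such as NVD or OSV. The version comparison is an assumption that handles plain dotted numeric versions only.

```python
"""Walk a CycloneDX JSON SBOM: inventory components, follow the dependency
graph, and correlate versions with a vulnerability list.
Added example with constructed input; not a real product's SBOM."""
import json
from collections import deque
from typing import Dict, List, Optional

# Constructed sample SBOM in CycloneDX 1.4 JSON. "web-shop" and the com.example
# libraries are fictitious; only the log4j coordinates are real artefacts.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "web-shop", "version": "2.3.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/com.example/http-kit@3.1.0",
         "group": "com.example", "name": "http-kit", "version": "3.1.0",
         "purl": "pkg:maven/com.example/http-kit@3.1.0"},
        {"type": "library", "bom-ref": "pkg:maven/com.example/report-engine@1.4.2",
         "group": "com.example", "name": "report-engine", "version": "1.4.2",
         "purl": "pkg:maven/com.example/report-engine@1.4.2"},
        {"type": "library", "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/com.example/http-kit@3.1.0",
                                     "pkg:maven/com.example/report-engine@1.4.2"]},
        {"ref": "pkg:maven/com.example/report-engine@1.4.2",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]},
    ],
})

# Constructed stand-in for a vulnerability feed (a real scanner queries NVD, OSV, ...).
# Each entry: purl without version, first fixed version, advisory id.
KNOWN_VULNS = [
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "fixed_in": "2.15.0", "id": "CVE-2021-44228"},
]


def version_key(version: str) -> tuple:
    """Assumption: plain dotted numeric versions; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def load_sbom(text: str) -> dict:
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def components_by_ref(sbom: dict) -> Dict[str, dict]:
    """Index every component, including the root application, by its bom-ref."""
    index = {c["bom-ref"]: c for c in sbom.get("components", [])}
    root = sbom.get("metadata", {}).get("component")
    if root:
        index[root["bom-ref"]] = root
    return index


def dependency_graph(sbom: dict) -> Dict[str, List[str]]:
    """bom-ref -> list of bom-refs it depends on (missing entry = no dependencies)."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def find_vulnerable(sbom: dict) -> List[tuple]:
    """Return (bom-ref, advisory id) for each component whose version is below the fix."""
    hits = []
    for ref, comp in components_by_ref(sbom).items():
        base = comp.get("purl", "").split("@", 1)[0]   # purl without the version
        for vuln in KNOWN_VULNS:
            if base == vuln["purl"] and version_key(comp["version"]) < version_key(vuln["fixed_in"]):
                hits.append((ref, vuln["id"]))
    return hits


def dependency_path(sbom: dict, target: str) -> Optional[List[str]]:
    """Breadth-first search from the root application to `target`: answers
    "why is this package in my product?" with the chain of bom-refs."""
    graph = dependency_graph(sbom)
    root = sbom["metadata"]["component"]["bom-ref"]
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for ref, comp in components_by_ref(sbom).items():
        print(f"{comp['name']} {comp['version']}  ({ref})")
    for ref, advisory in find_vulnerable(sbom):
        print("VULNERABLE:", advisory, " -> ".join(dependency_path(sbom, ref)))
```

Run as a script it prints the inventory and then one finding: CVE-2021-44228 reached via app -> report-engine -> log4j-core, which is exactly the transitive dependency a package-manager lockfile of the top-level project would hide. A production pipeline would replace KNOWN_VULNS with a live feed lookup keyed on the purl and would respect the feed's own version ranges rather than a single fixed-in value.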

In May 2021, US Executive Order 14028 on improving the nation's cybersecurity directed that suppliers of software to US federal agencies provide a Software Bill of Materials (SBOM) for their products as part of their responsibility for the software supply chain. The US National Telecommunications and Information Administration (NTIA) subsequently published the minimum elements of an SBOM: a set of data fields (supplier, component name, version, other unique identifiers, dependency relationships, author of the SBOM data, timestamp), automation support through a machine-readable format (SPDX, CycloneDX or SWID tags), and practices for generating and distributing SBOMs. There is still no single mandatory standard or tool for creating an SBOM, but several initiatives and projects address this, and SPDX and CycloneDX are the formats most tools produce. [2]

The German Federal Office for Information Security (BSI) also addresses the Software Bill of Materials. Specific requirements can be found in the IT-Grundschutz modules CON.10 Development of web applications (bund.de), page 5, and APP.6 General software (bund.de), page 4 (both in German).


Tools to create and maintain a Software Bill of Materials:

CycloneDX:
An OWASP open-source project that defines a standard for SBOMs and provides various tools and libraries for creating and processing SBOMs in CycloneDX format (JSON and XML encodings).

Salus (Microsoft SBOM Tool):
An open-source tool from Microsoft, known internally as Salus and published as sbom-tool, that generates SBOMs in SPDX 2.2 format and supports various package managers and repositories.

SPDX SBOM Generator:
SPDX itself is the Linux Foundation's open standard for SBOMs (also published as ISO/IEC 5962:2021), with tools and libraries for creating and processing SBOMs in SPDX format. The spdx-sbom-generator tool produces reports about the components, licenses, copyrights and security references of your code and exports them according to the SPDX v2.2 specification.

Syft:
Open-source tool from Anchore that generates SBOMs in SPDX, CycloneDX or Syft's own JSON format and analyses Linux packages, container images, filesystems and application dependencies.

Tern Project:
This open-source SBOM project combines well with the SPDX SBOM Generator. Instead of working with package managers or build systems, this software composition analysis (SCA) tool and Python library inspects container images and Dockerfiles layer by layer and generates an SBOM for them, which can also be output in SPDX format.

The eco Security Competence Group also convened to discuss SBOM in May 2023.


[1] Software Bill of Materials | National Telecommunications and Information Administration (ntia.gov)
[2] Software Bill of Materials (SBOM) | CISA