Why I need an SBOM
Regarding the details required to pass STQC (Standardization Testing and Quality Certification)
What is an SBOM?
A Software Bill of Materials (SBOM) is a comprehensive inventory of all the components, libraries, and dependencies included in a software application. It details the relationships and versions of these components, providing transparency into the software’s construction. An SBOM helps in:
- Identifying Vulnerabilities: By knowing exactly what components are in a software application, organizations can quickly identify and address known vulnerabilities in those components.
- Compliance: Ensuring that all software components comply with licensing requirements and regulatory standards.
- Risk Management: Assessing the risks associated with third-party software components.
- Supply Chain Security: Understanding the origin and integrity of software components to protect against supply chain attacks.
SBOMs are becoming increasingly important in the software industry for improving security, managing risks, and maintaining compliance.
How to build an SBOM?
Building a Software Bill of Materials (SBOM) involves several steps to ensure comprehensive and accurate documentation of all components in your software. Here’s a general guide:
Identify Components:
- List all software components, including libraries, frameworks, modules, and dependencies.
- Include both open-source and proprietary components.
Gather Metadata:
For each component, collect metadata such as:
- Component name
- Version number
- Supplier or author
- License information
- Hash or checksum for verification
- Download location or repository URL
Automate Dependency Tracking:
Use automated tools to scan and track dependencies. Popular tools include:
| Category | Tools |
| --- | --- |
| Open Source Tools | Syft, OWASP Dependency-Check, CycloneDX |
| Commercial Tools | Snyk, Black Duck, WhiteSource, FOSSA |
Document Relationships
Record the relationships between components, such as which components depend on others.
Update Regularly
Regularly update the SBOM to reflect changes in the software, including new components, updated versions, and removed components.
Validate and Verify
- Validate the SBOM for completeness and accuracy.
- Verify the integrity of the components using checksums or hashes.
Generate the SBOM
Use a standard format for your SBOM to ensure compatibility and ease of sharing. Common formats include:
- SPDX (Software Package Data Exchange)
- CycloneDX
- SWID (Software Identification Tags)
Integrate into Development Workflow
Incorporate SBOM generation and updates into your CI/CD pipeline to ensure it’s always current.
Distribute the SBOM
Share the SBOM with stakeholders, such as customers, partners, and regulatory bodies, as needed.
Monitor for Vulnerabilities
Continuously monitor the components in your SBOM for known vulnerabilities using vulnerability databases like the National Vulnerability Database (NVD) or tools like Dependabot.
Example of an Automated SBOM Generation Using Syft
Here’s a basic example of generating an SBOM using Syft:
Install
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
Generation
syft <path-to-your-project> -o cyclonedx-json > sbom.json
This will create an SBOM in CycloneDX JSON format for the specified project directory.
Example of SBOM Structure
Here’s a simple example of an SBOM in SPDX 2.2 JSON format (the dataLicense field is mandatory in SPDX 2.2 and must be CC0-1.0):
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "creationInfo": {
    "created": "2023-01-01T00:00:00Z",
    "creators": [
      "Tool: Syft-0.24.0",
      "Organization: ExampleCorp",
      "Person: Jane Doe"
    ]
  },
  "name": "ExampleProject",
  "documentNamespace": "http://spdx.org/spdxdocs/example-project-1.0",
  "packages": [
    {
      "SPDXID": "SPDXRef-Package1",
      "name": "example-library",
      "versionInfo": "1.2.3",
      "supplier": "Organization: ExampleSupplier",
      "downloadLocation": "https://example.com/example-library-1.2.3.tar.gz",
      "filesAnalyzed": false,
      "licenseConcluded": "MIT",
      "licenseDeclared": "MIT",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759b3e75b8926a44b8348aa0791"
        }
      ]
    }
  ]
}
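As an added example (not part of the original post), here is the "Validate and Verify" step applied to an SPDX document shaped like the one above: a Python script that checks the document for the fields SPDX 2.2 requires and compares each package's recorded SHA256 with the bytes actually delivered, flagging a missing or altered artifact. The ARTIFACT bytes and the sample document are constructed for the demonstration; the sample's checksum is derived from ARTIFACT rather than copied from the listing.

```python
import hashlib

# Fields SPDX 2.2 requires at document and package level (the subset used by the example above).
REQUIRED_DOC_FIELDS = ("SPDXID", "spdxVersion", "dataLicense", "name",
                       "documentNamespace", "creationInfo", "packages")
REQUIRED_PKG_FIELDS = ("SPDXID", "name", "versionInfo", "downloadLocation",
                       "filesAnalyzed", "licenseConcluded", "checksums")
# Constructed stand-in for the example-library-1.2.3.tar.gz artifact listed in the SBOM.
ARTIFACT = b"constructed contents of example-library-1.2.3.tar.gz\n"

def validate_spdx(doc):
    """Completeness check: returns a list of problems, empty when the document passes."""
    problems = [f"document missing {f}" for f in REQUIRED_DOC_FIELDS if f not in doc]
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<no SPDXID>")
        problems += [f"{pid} missing {f}" for f in REQUIRED_PKG_FIELDS if f not in pkg]
        if not pkg.get("checksums"):
            problems.append(f"{pid} has no checksum, so its integrity cannot be verified")
    return problems

def verify_artifact(pkg, delivered):
    """Integrity check: True only if a SHA256 checksum is recorded and matches the delivered bytes."""
    recorded = [c["checksumValue"].lower() for c in pkg.get("checksums", []) if c["algorithm"] == "SHA256"]
    return bool(recorded) and all(hashlib.sha256(delivered).hexdigest() == v for v in recorded)

def check_delivery(doc, artifacts):
    """Validate a parsed SPDX document, then verify each package against the bytes delivered with it."""
    problems = validate_spdx(doc)
    for pkg in doc.get("packages", []):
        pid, delivered = pkg.get("SPDXID"), artifacts.get(pkg.get("name"))
        if delivered is None:
            problems.append(f"{pid}: no artifact delivered for this package")
        elif not verify_artifact(pkg, delivered):
            problems.append(f"{pid}: checksum mismatch, artifact was altered or is a different version")
    return problems

def sample_sbom():
    """Constructed SPDX 2.2 document mirroring the example above; its checksum is derived from ARTIFACT."""
    return {
        "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0",
        "name": "ExampleProject", "documentNamespace": "http://spdx.org/spdxdocs/example-project-1.0",
        "creationInfo": {"created": "2023-01-01T00:00:00Z", "creators": ["Tool: Syft-0.24.0"]},
        "packages": [{
            "SPDXID": "SPDXRef-Package1", "name": "example-library", "versionInfo": "1.2.3",
            "supplier": "Organization: ExampleSupplier",
            "downloadLocation": "https://example.com/example-library-1.2.3.tar.gz",
            "filesAnalyzed": False, "licenseConcluded": "MIT", "licenseDeclared": "MIT",
            "checksums": [{"algorithm": "SHA256", "checksumValue": hashlib.sha256(ARTIFACT).hexdigest()}],
        }],
    }
```

In a real pipeline the document would come from json.load on the file Syft wrote and the artifacts from the downloaded packages; a non-empty result should fail the build rather than be logged and ignored.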
Building an SBOM involves attention to detail and consistent updates, ensuring a clear understanding of all software components and their relationships within your project.