SBOM (Software Bill of Materials) is a comprehensive list of all the components that make up a piece of software, including open source libraries, frameworks, and dependencies. SBOM tools are software tools used to manage, maintain, and track these components, with the goal of ensuring software security and compliance.
SBOM tools help organizations identify potential security risks in the components they use, and track any updates or vulnerabilities in these components over time. This allows organizations to quickly assess the security and risk associated with the software they use and make informed decisions about whether to continue using it or to seek alternatives.
In addition, SBOM tools can also help organizations comply with regulations and standards. Increasingly, compliance standards require organizations to be aware of the components they use and their associated risks.
The following are popular SBOM standards, which are used by a variety of tools to generate SBOMs.
License: Apache-2.0 license
GitHub: https://github.com/CycloneDX
OWASP CycloneDX is a full-stack SBOM standard designed to reduce cyber risk. It provides a standardized format for expressing the components and dependencies of a software system, along with relevant information such as version numbers, licenses, and security vulnerabilities.
Features:
• Lightweight: The SBOM format used by CycloneDX is designed to be small and lightweight, making it easy to integrate into the build process of an application.
• Open-source: CycloneDX is open-source, meaning that it is free to use and can be freely modified to meet the needs of users.
• Human-readable: CycloneDX SBOMs are written in XML, which makes them easy for humans to read and understand.
• Machine-readable: CycloneDX SBOMs are also machine-readable, allowing for automated processing and analysis.
• Interoperable: CycloneDX SBOMs are designed to be compatible with a variety of tools and systems, including vulnerability scanners, package managers, and supply chain management tools.
Support:
• Community: CycloneDX has an active community of users who contribute to the development and maintenance of the product.
• Documentation: CycloneDX has comprehensive documentation available online, including user guides and API reference materials.
• Commercial support: For users who require additional support, there are commercial support options available from companies that specialize in application security and supply chain management.
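As an added illustration of the format described above (this is example code written for this page, not CycloneDX project code), the block below builds a CycloneDX 1.4 document in its JSON serialization from a constructed component inventory and then checks it the way an ingesting tool would: required fields present, `bom-ref` values unique, `purl` values well-formed, and every edge in the `dependencies` graph pointing at a known `bom-ref`. The component names, versions and purls are sample data.

```python
"""Build a minimal CycloneDX 1.4 JSON BOM and sanity-check it before it is
shipped or ingested. Added example, not CycloneDX project code; the component
names, versions and purls below are constructed sample data."""
import json

# Constructed sample inventory: (name, version, purl, names of direct dependencies)
SAMPLE_COMPONENTS = [
    ("example-app", "2.1.0", "pkg:npm/example-app@2.1.0", ["lodash", "express"]),
    ("lodash", "4.17.21", "pkg:npm/lodash@4.17.21", []),
    ("express", "4.18.2", "pkg:npm/express@4.18.2", ["body-parser"]),
    ("body-parser", "1.20.1", "pkg:npm/body-parser@1.20.1", []),
]


def build_bom(components):
    """Return a CycloneDX 1.4 document (as a dict) for the given inventory."""
    # bom-ref is the identifier other parts of the BOM use to point at a component
    bom_refs = {name: f"{name}@{version}" for name, version, _, _ in components}
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [],
        "dependencies": [],
    }
    for name, version, purl, deps in components:
        bom["components"].append({
            "type": "library",
            "bom-ref": bom_refs[name],
            "name": name,
            "version": version,
            "purl": purl,
        })
        # The dependency graph is a list of edges between bom-refs
        bom["dependencies"].append({
            "ref": bom_refs[name],
            "dependsOn": [bom_refs[d] for d in deps],
        })
    return bom


REQUIRED_COMPONENT_FIELDS = ("type", "name")


def validate_bom(bom):
    """Return a list of problems found; an empty list means the BOM passed."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if "specVersion" not in bom:
        problems.append("specVersion missing")
    refs = set()
    for i, comp in enumerate(bom.get("components", [])):
        for field in REQUIRED_COMPONENT_FIELDS:
            if field not in comp:
                problems.append(f"component[{i}] missing '{field}'")
        ref = comp.get("bom-ref")
        if ref in refs:
            problems.append(f"duplicate bom-ref '{ref}'")
        if ref:
            refs.add(ref)
        purl = comp.get("purl")
        if purl is not None and not purl.startswith("pkg:"):
            problems.append(f"component[{i}] purl does not start with 'pkg:'")
    # Every dependency edge must resolve to a component declared in this BOM
    for dep in bom.get("dependencies", []):
        for target in [dep.get("ref")] + list(dep.get("dependsOn", [])):
            if target not in refs:
                problems.append(f"dependency references unknown bom-ref '{target}'")
    return problems


if __name__ == "__main__":
    bom = build_bom(SAMPLE_COMPONENTS)
    print(json.dumps(bom, indent=2))
    print("problems:", validate_bom(bom))
```

The dangling-reference check matters in practice: a BOM whose `dependsOn` entries point at components that were never declared still parses as valid JSON, but a consumer walking the graph will silently lose part of the dependency tree.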
License: Apache-2.0 license
GitHub: https://github.com/opensbom-generator/spdx-sbom-generator
Software Package Data Exchange (SPDX) is an open-source specification for documenting the components, licenses, and copyrights of software packages. Its main goal is to provide a standard way of exchanging information about the software packages and their contents, making it easier to manage the compliance and distribution of open-source software.
Features:
• Standard format for documenting software components and licenses.
• Includes fields for version, copyright, and license information.
• Supports multiple software package formats such as tar, jar, rpm, and deb.
• Supports machine-readable format to facilitate automation and analysis.
• Maintains a list of commonly used open-source licenses.
Support:
• Widely adopted by the open-source community and supported by leading companies such as Google, Microsoft, and Red Hat.
• An active community of contributors maintains and updates the specification.
• Tools and plugins are available for common package management systems and build tools to facilitate SPDX integration.
License: BSD-2-Clause license
GitHub: https://github.com/tern-tools/tern
Tern is a software composition analysis tool and Python library that generates an SBOM for container images and Dockerfiles. With Tern, you can identify and track the open source components used in your applications and infrastructure, helping you to understand the security and license risks associated with those components.
Features:
• Fast and accurate component identification.
• Support for multiple image formats, including Docker images, OCI images, and tarballs.
• Ability to detect and analyze transitive dependencies.
• Integration with multiple vulnerability databases including NIST NVD, Alpine Linux, and Red Hat.
• Custom vulnerability database integration through Python APIs.
Tern is open source and actively maintained on GitHub, with support provided through the project's issue tracker and community.
License: MPL-2.0 license
GitHub: https://github.com/fossas/fossa-cli
FOSSA provides end-to-end SBOM management, including open source software licenses and vulnerabilities.
Features:
• License compliance: FOSSA automates the process of identifying and tracking open source licenses used in a project, ensuring that the organization stays compliant with the terms of each license.
• Vulnerability management: FOSSA scans the open source dependencies of a project for vulnerabilities and provides alerts when new vulnerabilities are discovered.
• Code management: FOSSA integrates with popular code management tools such as GitHub and GitLab, making it easy to track open source components throughout the development process.
• Customizable reporting: FOSSA provides customizable reports and export options, allowing organizations to easily share license and vulnerability information with their stakeholders.
Support:
• Documentation: FOSSA provides a comprehensive knowledge base and documentation to help users get started and make the most of the product.
• Community support: FOSSA has an active community of users who share tips, best practices, and help each other troubleshoot issues.
• Ticket-based support: FOSSA offers ticket-based support for customers who need assistance with more complex issues.
• Enterprise support: For customers who require higher levels of support and service, FOSSA offers an enterprise support package that provides dedicated support and custom implementation services.
License: MIT license
GitHub: https://github.com/microsoft/sbom-tool
Microsoft SBOM is an open source tool that generates a comprehensive SBOM, including open-source libraries, dependencies, and frameworks. Microsoft maintains this tool in collaboration with the Linux Foundation, using SPDX for all generated SBOMs.
SBOMs generated by this tool contain four main sections:
• Document creation information: Information about the generated SBOM document, such as the SPDX license and version, the software name, the document's creator, and the time it was created.
• Files section: A list of the files that make up the scanned software, including properties such as the hashes of each file's content (SHA-256, SHA-1).
• Packages section: A list of the packages used during the build phase, including additional properties such as version, name, supplier, a package URL (purl) software identifier, and hashes (SHA-256, SHA-1).
• Relationships section: A list of the relationships between various SBOM elements, such as packages and files.
Microsoft SBOM can generate SBOM documents that provide a full dependency tree going all the way to the origin of each package. It is supported on Linux, Windows, and macOS.
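To make the four sections concrete, the following added example (written for this page; it is not the Microsoft SBOM Tool's code) constructs a small SPDX 2.2 document in JSON form with those sections, then does the two things a consumer most often needs: it re-hashes the files the SBOM claims to describe and compares them with the recorded SHA-256 values, and it rebuilds the transitive dependency tree from the `DEPENDS_ON` relationships. The SPDXIDs, purls and file content are constructed sample values.

```python
"""Read the four sections of an SPDX 2.2 JSON document (creation info, files,
packages, relationships), verify a recorded file hash and rebuild the dependency
tree from DEPENDS_ON relationships. Added example, not the Microsoft SBOM Tool's
code; the document, identifiers and file contents below are constructed."""
import hashlib

# Constructed content of the one file the SBOM's Files section describes
SAMPLE_FILE_CONTENT = {"./bin/app": b"#!/bin/sh\necho hello\n"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed SPDX 2.2 document (JSON form, already parsed into a dict)
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app 2.1.0",
    # Section 1: document creation information
    "creationInfo": {"created": "2023-01-01T00:00:00Z",
                     "creators": ["Tool: example-sbom-tool-0.1"]},
    # Section 2: files, each with content hashes
    "files": [
        {"fileName": "./bin/app", "SPDXID": "SPDXRef-File-app",
         "checksums": [{"algorithm": "SHA256",
                        "checksumValue": sha256_hex(SAMPLE_FILE_CONTENT["./bin/app"])}]},
    ],
    # Section 3: packages, with version, supplier and a purl external reference
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-RootPackage", "versionInfo": "2.1.0",
         "supplier": "Organization: Example Corp",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/example-app@2.1.0"}]},
        {"name": "express", "SPDXID": "SPDXRef-Package-express", "versionInfo": "4.18.2",
         "supplier": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/express@4.18.2"}]},
        {"name": "body-parser", "SPDXID": "SPDXRef-Package-body-parser",
         "versionInfo": "1.20.1", "supplier": "NOASSERTION", "externalRefs": []},
    ],
    # Section 4: relationships between the elements above
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-File-app"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-express"},
        {"spdxElementId": "SPDXRef-Package-express", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-body-parser"},
    ],
}


def verify_file_hashes(doc, contents):
    """Map each fileName to True/False depending on whether its recorded SHA256
    matches the actual bytes; files with no content or no SHA256 map to None."""
    results = {}
    for f in doc.get("files", []):
        data = contents.get(f["fileName"])
        recorded = {c["algorithm"]: c["checksumValue"] for c in f.get("checksums", [])}
        if data is None or "SHA256" not in recorded:
            results[f["fileName"]] = None
        else:
            results[f["fileName"]] = sha256_hex(data) == recorded["SHA256"]
    return results


def described_roots(doc):
    """SPDXIDs of the packages the document itself DESCRIBES (the top level)."""
    return [r["relatedSpdxElement"] for r in doc.get("relationships", [])
            if r["relationshipType"] == "DESCRIBES"]


def dependency_edges(doc):
    """{SPDXID: [SPDXID, ...]} built only from DEPENDS_ON relationships."""
    edges = {}
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    return edges


def transitive_deps(doc, root):
    """Depth-first list of every package reachable from root via DEPENDS_ON,
    with a visited set so a cyclic SBOM cannot loop forever."""
    edges = dependency_edges(doc)
    seen, order = set(), []
    stack = list(reversed(edges.get(root, [])))
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        order.append(node)
        stack.extend(reversed(edges.get(node, [])))
    return order


def purl_index(doc):
    """Map package SPDXID -> purl for every package that carries one."""
    out = {}
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                out[pkg["SPDXID"]] = ref["referenceLocator"]
    return out


if __name__ == "__main__":
    print("hash check:", verify_file_hashes(SAMPLE_SPDX, SAMPLE_FILE_CONTENT))
    for root in described_roots(SAMPLE_SPDX):
        print(root, "->", transitive_deps(SAMPLE_SPDX, root))
    print("purls:", purl_index(SAMPLE_SPDX))
```

The hash check is the part worth keeping in a pipeline: an SBOM is only evidence of what was built if the recorded file hashes still match the artifact you are about to deploy.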
License: Apache-2.0 license
GitHub: https://github.com/anchore/syft
Syft is a command-line interface (CLI) and Go library for generating an SBOM from container images, filesystems, and archives. This tool can identify packages and libraries, and supports various image formats including Docker, OCI, and Singularity. It works with the Grype scanner to provide information about vulnerabilities.
Features:
• Linux distribution identification.
• Uses the in-toto specification to create signed SBOM attestations.
• Supports various output formats, including JSON, XML, text, and table summaries.
• Provides a template format that enables users to specify the output format.
• Can convert SBOM formats, including SPDX, CycloneDX, and the Syft format.
Syft supports various ecosystems, including Go (go.mod, Go binaries), C and C++ (conan), Java (jar, ear, war, par, sar, native-image), JavaScript (npm, yarn), PHP (composer), Jenkins Plugins (jpi, hpi), Ruby (gem), Red Hat (rpm), Python (wheel, egg, poetry, requirements.txt), and more.
License: Apache-2.0 license
GitHub: https://github.com/RetireJS/retire.js
Retire.js is a JavaScript library that helps to detect and report on the use of vulnerable JavaScript libraries in web applications. It provides features such as:
• Library detection: Retire.js can detect the use of over 1700 JavaScript libraries and their versions in a web application.
• Vulnerability scanning: Retire.js scans web applications for known vulnerabilities in the detected libraries, and provides a report of any vulnerabilities found.
• Integration options: Retire.js can be integrated into build processes, DevOps tools, and web application scanning tools.
• SBOM reports: Retire.js can generate SBOM reports in various formats, including JSON and CSV, to enable integration with other security tools and processes.
Support for Retire.js is provided through its GitHub repository, where users can submit issues and request features. The development and maintenance of Retire.js is community-driven, and contributions from the open source community are welcome.
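The core of what a library-detection scanner like Retire.js does once it knows a library's name and version is a version-range match against an advisory list, and the same step is what turns any SBOM into a vulnerability report. The block below is an added example written for this page (not Retire.js code) that takes a CycloneDX-style component list, matches each entry against advisories expressed as introduced/fixed version ranges, and ranks the hits by severity. The library names, advisory identifiers and ranges are constructed placeholders, not real packages or CVEs; `parse_version` is a deliberately simple numeric comparison, not a full semver implementation.

```python
"""Match SBOM components against an advisory feed by version range and rank
the hits by severity. Added example, not Retire.js code; the component list,
advisory identifiers and ranges below are constructed sample data."""
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """Turn '4.17.21' or '1.2' into a comparable 3-tuple of ints. Non-numeric
    suffixes such as '-beta' are dropped (simplification for this example)."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def in_range(version, introduced, fixed):
    """True if introduced <= version < fixed; fixed=None means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


# Constructed CycloneDX-style component list (names and versions are samples)
SAMPLE_COMPONENTS = [
    {"name": "widget-lib", "version": "1.12.4", "purl": "pkg:npm/widget-lib@1.12.4"},
    {"name": "parser-core", "version": "4.17.21", "purl": "pkg:npm/parser-core@4.17.21"},
    {"name": "view-framework", "version": "1.6.9", "purl": "pkg:npm/view-framework@1.6.9"},
]

# Constructed advisory feed: the identifiers are placeholders, not real CVE numbers
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "widget-lib", "severity": "medium",
     "introduced": "1.0.0", "fixed": "3.5.0"},
    # parser-core 4.17.21 is exactly the fixed version, so it must NOT match
    {"id": "EXAMPLE-ADV-0002", "package": "parser-core", "severity": "high",
     "introduced": "0.0.0", "fixed": "4.17.21"},
    # No fixed version published yet: every version from 1.0.0 upwards matches
    {"id": "EXAMPLE-ADV-0003", "package": "view-framework", "severity": "high",
     "introduced": "1.0.0", "fixed": None},
]


def match_advisories(components, advisories):
    """Return hits as (severity, component name, version, advisory id),
    sorted most severe first so the list doubles as a remediation queue."""
    hits = []
    for comp in components:
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if in_range(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((adv["severity"], comp["name"], comp["version"], adv["id"]))
    hits.sort(key=lambda h: (SEVERITY_RANK.get(h[0], 99), h[1]))
    return hits


if __name__ == "__main__":
    for sev, name, ver, adv in match_advisories(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES):
        print(f"[{sev.upper():8}] {name}@{ver} affected by {adv}")
```

The two boundary cases in the sample feed are the ones that most often go wrong in home-grown scanners: a component sitting exactly on the fixed version must be reported as clean, and an advisory with no fix yet must still match, since "no fixed version" is the case where the finding is most urgent.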
When choosing an SBOM (Software Bill of Materials) Generation tool, there are several factors to consider, including:
• Accuracy: The tool should provide accurate and up-to-date information about the components used in a piece of software, including their versions, licenses, and any known vulnerabilities or security risks.
• Scalability: The tool should be able to handle large and complex software applications, and be scalable to meet the needs of an organization as it grows.
• Integration: The tool should be able to integrate with existing workflows and tools, such as continuous integration/continuous delivery (CI/CD) pipelines, security scanning tools, and software development lifecycle (SDLC) tools.
• User interface: The tool should have an intuitive and user-friendly interface that makes it easy for developers and security teams to access and use the information provided by the tool.
• Data privacy and security: The tool should have robust security and privacy controls in place to protect the sensitive information it collects and stores.
• Cost: The tool should be affordable and offer a good value for the features and capabilities it provides.
• Support: The tool should come with adequate support and documentation, and have a strong user community that can provide help and guidance as needed.
By considering these factors and evaluating a range of SBOM tools, organizations can select the right tool to meet their specific needs and help ensure the security and compliance of their software applications. Once an organization has chosen the right SBOM Generation Tool, it is important to pair it with a robust SBOM Management Platform to realize the full value of the SBOMs.
Cybeats' SBOM Studio is a comprehensive solution designed to manage and distribute software bill of materials (SBOMs) in a single platform. It provides organizations with a centralized view of cybersecurity vulnerabilities, enabling them to improve the visibility and security of their software supply chain. SBOM Studio is useful for organizations of all sizes and industries, as it helps them to improve their vulnerability management processes, reduce the cost of protection, and enhance compliance.
SBOM Studio is also agnostic to SBOM generation tools, meaning it can work with any tool to validate and correct imported SBOMs, improving the accuracy of SBOMs. In addition, it simplifies the implementation process, speeds up the fixing of vulnerabilities, and automates SBOM management, ultimately improving the return on investment of SBOM adoption in an organization.
After generating software bill of materials (SBOMs) using any SBOM generation tool, clients who upload their SBOMs to Cybeats' SBOM Studio can gain valuable insights into their software supply chain with the following features:
• During the import of SBOMs, SBOM Studio will validate the SBOM to ensure correct formatting according to the specification of the SBOM standards
• SBOMs that are not accurately formatted will either be auto-corrected for recoverable errors or rejected with meaningful information describing the root cause of the misalignment
• SBOM Studio enriches SBOMs as part of the import process, populating them with key information and details about the software supply chain intelligence data
Accelerated Vulnerability Management
• Continuous process of monitoring SBOMs, autonomous scanning for new vulnerabilities. SBOMs are living and breathing in SBOM Studio
• Categorizes and filters vulnerabilities by level of criticality to inform decision making
• Search for and identify specific SBOMs rapidly, and confidently and securely identify compromised components across the organization
• Prompts cyber teams with the recommended actions to optimally fix vulnerabilities and reduce cyber risk
• Displays and categorizes vulnerabilities by level of criticality for prioritization of the security workflow
• In leveraging a robust data lake, accurately determine how vulnerabilities affect your organization’s security posture
• Native plug-ins and other integrations that allow for seamless workflow
• User-intuitive interface is easy to learn and understand
• Securely share SBOMs with regulatory agencies, internal and external customers
• Share product SBOMs, while keeping your IP protected
• Ability to redact and hide specific parts of an SBOM before they are shared externally
• SBOM language agnostic with acceptance of all SBOMs, and easy conversion between SBOM languages
• Report generation and visually appealing dashboard, for use by leadership, to bridge gaps between vulnerability status and the budgeting, forecasting, risk-mitigation, prioritization strategies
• Offers a ‘Governor View’ vantage that allows enhanced visibility into all the layers and subsidiaries of the core business, giving development, cyber teams and leadership more information to better prioritize and evaluate the risks and associated costs across the organization
• Satisfy Governance, Risk and Compliance (GRC) requirements by showing best practices and good cyber hygiene by having an SBOM for all of your own software, and for any 3rd-party products used by your enterprise
• License infringement notifications, flagging software that is used without the required permissions or licenses and can therefore carry legal risk and cost
• Industrial Controls and Critical Infrastructure
• Healthcare and Medical
• Enterprise
• Automotive and Aerospace
We shortened our vulnerability review timeframe from a day to under an hour. It is our go-to tool and we now know where to focus our limited security resources next.
SBOM Studio saves us approximately 500 hours per project on vulnerability analysis and prioritization for open-source projects.