
Software Bill of Materials

What developers need to know

Let’s take a peek into why developers should be building a Software Bill of Materials (SBOM) for the transparency and security of their apps.

01

Software Bill of Materials

Open up your favorite IDE, jump into your most recent project, and open its respective lockfile (package-lock.json, go.mod, Pipfile.lock, and so on). You’ll likely find hundreds or thousands of open-source packages and libraries, illustrating exactly how widely your application's unseen and unknown parts spread.

A Software Bill of Materials (SBOM) is a similar inventory of all software components, libraries, and dependencies your application relies on, but goes deeper than package names and pinned versions. By aggregating data on open-source licenses and more, an SBOM gives you complete visibility, which you can use to prevent supply chain attacks or identify new vulnerabilities in a dependency two, three, or more layers deep.

Also known as: software inventory, software component list

$4.33 million is the average cost of data breaches involving third-party dependencies as a primary attack vector. (Source: IBM)

84% of all codebases contain open-source tools and libraries with at least one active vulnerability. (Source: Synopsys)

245,000+ malicious packages discovered among popular open-source libraries, with 1 in 8 downloads containing known and avoidable risks. (Source: Sonatype)

02

An example of a Software Bill of Materials and how it works

An SBOM comes in many different output formats and data structures, but is ultimately a database of artifacts, including their package names, versions, sources, licenses, URLs, and more. SBOMs also identify the relationship between two artifacts for transparency into the web of dependencies your application relies on.

While SBOMs aren’t particularly useful to scroll through, they are enormously helpful in the broader vulnerability management of your application. You can feed your apps’ SBOMs into other tools offering dependency scanning, malware detection, or end-of-life (EOL) data to ensure you’re surfacing every possible vulnerability in your application—not just the ones at the surface level.

03

How does having a Software Bill of Materials help developers?

Benefits

When troubleshooting outages on the fly, an up-to-date SBOM helps you identify exactly which package is responsible, even if it’s two or three layers deep.

With a full understanding of the components your application requires to operate effectively, you can perform more proactive risk mitigation by identifying possible weak points and prioritizing fixes or migrations to more secure dependencies.

With an SBOM, your development and operational teams have a single source of truth for collaborating on issues or prioritizing proactive solutions to current problems.

SBOMs help identify changes to an open-source dependency’s metadata, which could clue you into a supply chain attack, where new packages have been injected with malware (remember the XZ Utils backdoor?).

Certain industries and regulatory environments require a complete inventory of licensing terms and sourcing inventories—with a well-maintained and complete SBOM, you can ensure compliance and avoid legal issues.

04

Implementing a Software Bill of Materials: an overview

Generating SBOMs is accessible to most developers in their local working environment—one option is an open-source tool, like Syft, to investigate any container image or local filesystem:

SBOM implementation
1. Install Syft locally using their one-liner, Homebrew, or a binary release.
2. Run the syft CLI command to generate a JSON or CycloneDX report, depending on your needs.
3. Connect Syft to your CI/CD pipeline, perhaps using GitHub Actions, to ensure a new SBOM is generated with every commit.
4. Find a way to aggregate your SBOMs in one place, ideally with visualization or change management capabilities, to identify shifts in your open-source supply chain that require further investigation.
5. Research vulnerabilities to identify their priority and read documentation for remediation advice.
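An added example, not taken from this page, Syft or Aikido, of the work behind steps 4 and 5 once CycloneDX output exists: it reads a constructed CycloneDX 1.5-style SBOM, walks the `dependencies` graph described in section 02 to report how deep a package sits and which chain pulled it in, and diffs two SBOMs of the same project to flag added, removed or bumped packages. All package names, versions and bom-refs are constructed sample data.

```python
import json
from collections import deque
# Constructed CycloneDX 1.5-style SBOM for a hypothetical app (not a real project's
# SBOM); bom-refs are kept version-free so the graph stays stable across version bumps.
OLD_BOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "app", "name": "myapp", "version": "1.0.0"}},
 "components": [
  {"bom-ref": "express", "name": "express", "version": "4.18.2", "licenses": [{"license": {"id": "MIT"}}]},
  {"bom-ref": "qs", "name": "qs", "version": "6.11.0", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
  {"bom-ref": "side-channel", "name": "side-channel", "version": "1.0.4", "licenses": [{"license": {"id": "MIT"}}]}],
 "dependencies": [{"ref": "app", "dependsOn": ["express"]}, {"ref": "express", "dependsOn": ["qs"]},
  {"ref": "qs", "dependsOn": ["side-channel"]}]}""")
# The same app one commit later (constructed): qs bumped and an unexpected new package under it.
NEW_BOM = json.loads(json.dumps(OLD_BOM))  # deep copy
NEW_BOM["components"][1]["version"] = "6.11.2"
NEW_BOM["components"].append({"bom-ref": "new-dep", "name": "new-dep", "version": "0.0.1"})
NEW_BOM["dependencies"][2]["dependsOn"].append("new-dep")

def components(bom):
    """bom-ref -> (name, version, list of SPDX license ids) for every listed package."""
    return {c["bom-ref"]: (c["name"], c.get("version", "?"),
                           [lic.get("license", {}).get("id", "?") for lic in c.get("licenses", [])])
            for c in bom.get("components", [])}

def dependency_paths(bom):
    """BFS from the application's own bom-ref: ref -> shortest chain of refs from the root."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    paths, queue = {root: [root]}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:  # first visit wins, so the recorded path is the shortest
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths

def blame(bom, name):
    """Depth of `name` below the app and the packages that pulled it in (None if absent)."""
    comps = components(bom)
    for ref, path in dependency_paths(bom).items():
        if ref in comps and comps[ref][0] == name:
            return {"depth": len(path) - 1, "via": [comps[r][0] for r in path[1:-1]]}
    return None

def diff_sboms(old, new):
    """Added, removed and version-changed packages between two SBOMs of one project."""
    a, b = ({v[0]: v[1] for v in components(x).values()} for x in (old, new))
    return {"added": sorted(set(b) - set(a)), "removed": sorted(set(a) - set(b)),
            "changed": {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]}}
```

Run `diff_sboms` on consecutive CI-generated SBOMs and `blame` on any package a scanner flags; a package that appears three levels down with no corresponding change in your own manifests is exactly the shift step 4 asks you to investigate.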

Or with Aikido

Aikido
1. Connect your GitHub, GitLab, Bitbucket, or Azure DevOps account.
2. Choose which repos/clouds/containers to scan.
3. Get prioritized results and remediation advice in a few minutes.

05

Best practices for managing your Software Bill of Materials effectively

Start early

Create your first SBOMs as early as possible within your project, even if you haven’t fully chosen your application security platforms. The more history you have, the easier it is to track changes that negatively affect your application.

Automate, automate, automate

While CLI tools are easy to install on your local workstation, they ultimately leave you with artifacts you must store and aggregate elsewhere to generate real insights. At the very least, loop SBOM generation into your CI/CD pipeline to ensure you never forget a manual run.

Standardize on an SBOM format

Using an industry-standard format like CycloneDX or SPDX will let you integrate with more security software and share SBOMs with partners or regulators.

06

Get started creating a Software Bill of Materials for free

Connect your Git platform to Aikido to start a Software Bill of Materials with instant triaging, smart prioritization, and pinpoint context for fast remediation.

Scan your repos and containers for free

First results in 60 seconds with read-only access.

SOC 2 Type 2 and ISO 27001:2022 certified.

© 2025 Aikido Security BV | BE0792914919