A new platform named sbomify has been unveiled to tackle the difficulties encountered by businesses when handling and distributing Software Bills of Materials (SBOM). Its goal is to streamline and automate SBOM procedures as regulatory demands continue to rise in the industry.
A Software Bill of Materials (SBOM) consists of a list of software elements such as the libraries and tools utilized in a development process. They have become more important in light of recent cybersecurity efforts such as the Secure by Design framework from the U.S. government, and this is encouraging use of SBOMs in the private and public sectors.
The potential costs and reputational damage associated with software supply chain attacks show how importance SBOMs are. They provide insight into dependencies, helping identify vulnerabilities and potential license issues. While standalone SBOM generation tools exist, platform companies like GitLab are integrating this functionality into their DevSecOps workflows, integrating them into the software development lifecycle.
Writing for GitLab, Sandra Gittlen says that SBOMs are crucial in modern software development, where rapid delivery often involves using code from various sources. Gittlen explains how according to Synopsys's 2024 report, 96% of commercial codebases contain open-source elements, with 84% containing vulnerabilities. This practice increases the risk of security breaches, as demonstrated by the 2020 SolarWinds attack and the log4j vulnerability.
Viktor Petersson, the founder of Screenly and the developer of sbomify, observed that many companies, especially those in regulated industries, needed help keeping up with SBOM demands. Traditional methods of sharing SBOMs, such as email or internal file servers, proved inefficient and prone to errors. This observation aligns with CISA's Sharing Primer on SBOMs, emphasising the need for efficient and secure SBOM sharing practices.
Discussions with CTOs and CISOs across various industries revealed that most companies still rely on manual processes for SBOM management. These outdated methods are often incompatible with the dynamic nature of modern continuous integration and continuous deployment (CI/CD) environments. sbomify aims to address these issues by integrating directly with CI/CD pipelines. The platform automatically uploads the latest SBOM with each new software release, giving stakeholders real-time access to up-to-date information. This approach eliminates the need for manual updates and reduces the risk of working with outdated files.
Speaking to InfoQ, Petersson offered background on the need for a new tool:
"I found three distinct phases in the lifecycle of an SBOM: generation, distribution, and analysis."
"For both generation and analysis, there were a lot of tools available in the market. However, for the distribution phase, there wasn't really anything out there that allowed a company like Screenly to continuously share SBOMs with customers, which is what we wanted to do as part of our Secure by Design compliance. While there were tools for sharing individual SBOMs, none of them allowed you to create an SBOM portal for customers. This finding was echoed in CISA's SBOM sharing primer, which stated that most SBOM sharing is done ad-hoc over email and called for more automation. This is where sbomify was born."
"Think of it like statuspage.io, but for security artifacts"
- Viktor Petersson
"sbomify presents a platform that allows you to invite internal and external stakeholders to always download the latest SBOMs. Think of it like statuspage.io, but for security artifacts", added Petersson. "The SBOMs are built automatically in the CI/CD pipeline and are automatically made accessible to the invited parties for download or to be exported to one of the many analysis platforms."
SBOM functionality is also available in other tools. For example, GitLab's approach encompasses several key areas of SBOM handling. For SBOM generation and management, GitLab's Dependency List feature aggregates vulnerability and license data in a single view, while dependency graph information is included in scanning reports. SBOMs can be produced in CycloneDX format and exported via UI, pipeline, or API.
GitLab also supports SBOM ingestion and merging, allowing the platform to ingest third-party SBOMs for enhanced security transparency. GitLab can merge multiple SBOMs into a single file using CI/CD jobs. To build trust in SBOMs, it can generate attestation for all build artefacts produced by the GitLab Runner, with the process remaining secure by avoiding handoffs to external services.
In an article for cloud security company Wiz, Swaroop Sham discusses several open-source tools, most of which output SBOMs in standard formats such as SPDX and CycloneDX.
- Syft is a popular CLI tool that generates SBOMs from container images and filesystems. It supports standard container formats and automatically detects Linux distributions.
- Microsoft's SBOM tool is an open-source, enterprise-ready generator designed for scalability. It uses Microsoft's component detection library, supporting various package managers.
- Trivy is a security scanner that also has SBOM capabilities.
Petersson adds further insight on the evolving issue of moving companies away from manual paper-based SBOM systems: "For many companies, I think the push is going to come from legislation and compliance. US Executive Order 14028 has already had a huge impact on this, requiring any vendor selling software to the US government to provide SBOMs. NIST’s CSF 2.0, which was released earlier this year, stops just short of mandating SBOMs but calls for software transparency. The EU’s Cyber Resilience Act (CRA) is expected to mandate SBOMs for certain sectors. There are also other initiatives, like CISA’s Secure By Design that calls for radical software transparency. "
"I think the push is going to come from legislation and compliance."
- Viktor Petersson
Petersson also offered a glimpse of the next version of sbomify, citing three significant problems currently seen in the SBOM world.
Although many tools can generate SBOMs, Petersson explains how this doesn't make them complete: "You then need to augment this SBOM with a lot of vendor and licensing information (followed by an enrichment and aggregation phase). This is a tedious and error-prone process, and we’re exploring how we can streamline it for our customers in an automated way with sbomify."
Integrations are also planned. Petersson continues: "The real value of an SBOM comes from the output of the audit. Customers are generally interested in security or license audits - sometimes both. At sbomify, we really want to be the hub that integrates with all the relevant tools so that you ship the SBOM to us, and we federate it out not only to all your stakeholders but also to all your analysis tools."
Petersson also discussed evolving sbomify to address the challenge of managing multiple SBOMs in complex systems by introducing a hierarchical structure of components, projects, and products. This will allow aggregation of multiple SBOMs into a single, tree-structured SBOM while preserving context and usability. It will enable granular access control for stakeholders and maintains a logical organization of product elements. This solution is beneficial for companies which have numerous SBOMs across various aspects of their infrastructure.
Early access to sbomify can be requested through a Google form.