What Are SBOMs and How to Integrate Them into Your Software Packages

Written by Alex Marin · April 25th, 2025 · 8min read

Everything in tech is moving fast, and security and transparency need to be top priorities. As part of implementing the National Cybersecurity Strategy released by the White House in 2023 (building on Executive Order 14028 from 2021), the U.S. government issued guidance asking developers who sell software to federal agencies to provide Software Bills of Materials (SBOMs) with their software packages.

SBOMs are not new; the concept has existed for more than a decade. Current regulations, however, mean that many of the software packages you download may soon ship with an SBOM.

MSIX packages already carry something superficially similar: the AppxBlockMap.xml file, which lists every file in the package together with per-block hashes. It is unrelated to the SBOM standards and exists for integrity verification rather than dependency inventory, but it does let the OS and software inventory tools enumerate the contents of a package installed in an organization.

In this article, we’ll focus on:

  • What an SBOM is
  • Why SBOMs are important for security
  • What standards exist
  • Tools available for generating SBOMs
  • How to automatically generate SBOMs using Advanced Installer

What are SBOMs?

An SBOM is an inventory of the software components in an application, with key information about the libraries, tools, and processes used to develop, build, and deploy it.

SBOM process graphical representation

It typically includes:

  • The name, supplier, and version of each component
  • A unique identifier for each component (such as a package URL, or purl) and the dependency relationships between components
  • Licensing information

The SBOM itself does not list vulnerabilities. Vulnerabilities are found by matching the component identifiers and versions against vulnerability databases, and the result is communicated separately (for example, as a VEX document). An SBOM that lacks versions or unique identifiers cannot be matched reliably, so those fields matter most.

As mentioned, the concept isn’t new and has been around for some time, but due to regulatory changes, it is now gaining significant traction.

Platforms like GitHub and GitLab let developers generate SBOMs early in the DevSecOps workflow.

Why are SBOMs important?

At a high level, SBOMs are crucial for ensuring software security and compliance. They bring transparency to the software supply chain, enabling quick identification and mitigation of risks.

For example, if your software uses an outdated third-party component, an SBOM audit lets both you and your customers discover the vulnerabilities it carries, so issues can be tracked and addressed more easily.

You might assume that commercial applications are safer and more secure than open-source ones.

Unfortunately, that is not always the case. Under deadline pressure, developers often pull in open-source libraries and never keep them up to date.

This is backed by the Synopsys 2024 Open Source Security and Risk Analysis (OSSRA) Report.

Here are some key findings from the report:

1. Open source is everywhere:

1.1 96% of codebases contain open-source components

1.2 77% of all code in the codebases originates from open source

2. High-risk vulnerabilities are on the rise:

2.1 84% of codebases have at least one open-source vulnerability

2.2 A 54% increase in high-risk vulnerabilities over the previous year

Log4Shell (CVE-2021-44228), the Log4j vulnerability disclosed in December 2021, allowed attackers to execute arbitrary code remotely, and many organizations spent days just working out which of their applications embedded an affected version of log4j-core. After that and the other supply-chain incidents of recent years, it is no wonder that regulatory and industry pressure is driving the adoption of SBOMs: with an SBOM for every deployed application, "where do we run a vulnerable log4j-core?" becomes a query rather than an investigation.
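The "which of our applications contains a vulnerable log4j-core?" question is answered by matching the component identifiers and versions an SBOM provides against advisory data. The following is an added example of that matching step in Python; it is not code from the article, from Advanced Installer or from any of the tools listed later. Everything in it is constructed except the Log4Shell CVE identifier and its fixed version, and even that range is simplified (the real advisory also has backported fixes for older Java releases); the purl and advisory naming follow the package URL and OSV conventions.

```python
"""
Added example (not from the article, and not Advanced Installer or sbom-tool code):
audit a component inventory of the kind an SBOM provides against a small advisory
table, the way a scanner does after Log4Shell. The inventory, the 'example-widgets'
package and its EXAMPLE-2025-0001 advisory are constructed for illustration; only
CVE-2021-44228 and its fixed version (2.15.0) are real, and that range is simplified.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Component:
    purl: str     # package URL, e.g. pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    package: str      # purl without the version part
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive), as in OSV "ranges"


def version_key(v: str) -> tuple:
    """Comparable key for dotted versions. Numeric parts compare as integers and
    are padded so '2.0' == '2.0.0'; a '-pre' suffix sorts before the plain release."""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))[:8]
    nums += (0,) * (8 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))


def purl_package(purl: str) -> str:
    """Drop '@version', '?qualifiers' and '#subpath' so purls can be matched by package."""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]


def is_affected(version: str, adv: Advisory) -> bool:
    v = version_key(version)
    return version_key(adv.introduced) <= v < version_key(adv.fixed)


def audit(inventory, advisories):
    """Return (component name, version, advisory id, fixed version) for every match."""
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(adv.package, []).append(adv)
    findings = []
    for comp in inventory:
        for adv in by_pkg.get(purl_package(comp.purl), []):
            if is_affected(comp.version, adv):
                findings.append((comp.name, comp.version, adv.vuln_id, adv.fixed))
    return findings


LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core"

# Constructed inventory: two builds of the same app shipped different log4j-core
# versions, plus a made-up npm package in a vulnerable and a fixed version.
SAMPLE_INVENTORY = [
    Component(f"{LOG4J}@2.14.1", "log4j-core", "2.14.1"),
    Component(f"{LOG4J}@2.17.1", "log4j-core", "2.17.1"),
    Component("pkg:npm/example-widgets@1.4.0", "example-widgets", "1.4.0"),
    Component("pkg:npm/example-widgets@2.0.0", "example-widgets", "2.0.0"),
]

SAMPLE_ADVISORIES = [
    Advisory("CVE-2021-44228", LOG4J, "2.0-beta9", "2.15.0"),                    # real id, simplified range
    Advisory("EXAMPLE-2025-0001", "pkg:npm/example-widgets", "1.0.0", "1.5.0"),  # constructed
]


if __name__ == "__main__":
    for name, version, vuln, fixed in audit(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{name} {version}: {vuln} (fixed in {fixed})")
```

Matching by purl package rather than by display name is what makes this reliable: the same library appears under several artifact names across ecosystems, and only the identifier pins down type, namespace and name. That is also why an SBOM without versions or identifiers is of limited use for this purpose.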

Today, the push for SBOMs is driven by both regulatory bodies and businesses:

  1. Governments and organizations are beginning to mandate the use of SBOMs to comply with security standards and ensure accountability in the software development world.
  2. IT Professionals and businesses view SBOMs as proactive measures to identify vulnerabilities, ensure license compliance, and streamline audits.

SBOM Standards

For SBOMs to be useful, the process of generating and interpreting them must be automated and standardized.

Two major SBOM standards exist:

  1. SPDX (Software Package Data Exchange)
  2. CycloneDX

SPDX

Developed under the Linux Foundation, SPDX is an open format that has become an ISO standard (ISO/IEC 5962:2021). It is widely used for documenting software components, dependencies, and licenses, which makes it a great choice for SBOM generation.

CycloneDX

Created by the OWASP community, CycloneDX is also an open standard (published as ECMA-424 in 2024). It was designed with security use cases in mind: alongside components and dependencies it can carry vulnerability and exploitability information (VEX), services, and build metadata.

At the moment, no law names a single universal format, but U.S. guidance (the NTIA minimum elements) accepts SPDX, CycloneDX and SWID tags. Each company should choose one of the above and generate it consistently for every build.
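Both formats express the same facts with different vocabulary: SPDX calls components packages, identifies them by SPDXID, attaches the purl as an externalRef and records dependencies as DEPENDS_ON relationships; CycloneDX lists components with a purl field and a bom-ref, and keeps dependencies in a separate dependencies array. The following added example (written for this article, not code from the SPDX or CycloneDX projects) loads either JSON form, detects the format from its top-level keys, and normalises it into one inventory, flagging components that lack the version or identifier needed for vulnerability matching. The two embedded documents are constructed minimal samples with made-up component names.

```python
"""
Added example, not code from the article or from any of the tools it lists:
load an SBOM in either SPDX 2.2 JSON or CycloneDX JSON, detect the format from
its top-level keys, and normalise both into the same component inventory and
dependency edges. The two embedded documents are constructed minimal samples;
the component names and versions in them are made up.
"""
import json

SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "documentNamespace": "https://example.invalid/sbom/example-app",
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-App", "versionInfo": "1.0.0",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION"},
        {"name": "libparse", "SPDXID": "SPDXRef-libparse", "versionInfo": "2.3.1",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/libparse@2.3.1"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-App",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-App", "relatedSpdxElement": "SPDXRef-libparse",
         "relationshipType": "DEPENDS_ON"},
    ],
})

CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/libparse@2.3.1",
         "name": "libparse", "version": "2.3.1", "purl": "pkg:npm/libparse@2.3.1",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["pkg:npm/libparse@2.3.1"]}],
})


def _spdx(doc):
    """SPDX: packages keyed by SPDXID, purl in externalRefs, DEPENDS_ON relationships."""
    comps, by_id = [], {}
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        comps.append({"name": p["name"], "version": p.get("versionInfo"),
                      "purl": purl, "license": p.get("licenseConcluded")})
        by_id[p["SPDXID"]] = p["name"]
    edges = [(by_id[r["spdxElementId"]], by_id[r["relatedSpdxElement"]])
             for r in doc.get("relationships", [])
             if r.get("relationshipType") == "DEPENDS_ON"
             and r["spdxElementId"] in by_id and r["relatedSpdxElement"] in by_id]
    return comps, edges


def _cyclonedx(doc):
    """CycloneDX: root component under metadata, purl as a field, dependencies by bom-ref."""
    comps, by_ref = [], {}
    root = doc.get("metadata", {}).get("component")
    for c in ([root] if root else []) + doc.get("components", []):
        lic = next((l["license"].get("id") or l["license"].get("name")
                    for l in c.get("licenses", []) if "license" in l), None)
        comps.append({"name": c["name"], "version": c.get("version"),
                      "purl": c.get("purl"), "license": lic})
        by_ref[c.get("bom-ref", c["name"])] = c["name"]
    edges = [(by_ref[d["ref"]], by_ref[child])
             for d in doc.get("dependencies", []) if d["ref"] in by_ref
             for child in d.get("dependsOn", []) if child in by_ref]
    return comps, edges


def load_sbom(text):
    doc = json.loads(text)
    if doc.get("spdxVersion", "").startswith("SPDX-"):
        fmt, (comps, edges) = "spdx", _spdx(doc)
    elif doc.get("bomFormat") == "CycloneDX":
        fmt, (comps, edges) = "cyclonedx", _cyclonedx(doc)
    else:
        raise ValueError("not a recognised SPDX JSON or CycloneDX JSON document")
    # A version and a unique identifier are what vulnerability matching keys on;
    # components missing either are reported so the gap is visible, not silent.
    incomplete = [c["name"] for c in comps if not c["version"] or not c["purl"]]
    return {"format": fmt, "components": comps, "depends_on": edges, "incomplete": incomplete}


if __name__ == "__main__":
    for sample in (SPDX_SAMPLE, CYCLONEDX_SAMPLE):
        print(json.dumps(load_sbom(sample), indent=2))
```

The loader handles the JSON serialisations only; SPDX's tag-value (.spdx) form carries the same fields under a different syntax. Note that the application itself is reported as incomplete in both samples because it has no purl, which is common for a top-level product and is exactly the kind of gap an audit should surface rather than hide.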

Available SBOM generation tools

A quick search for "how to automate SBOM creation" returns many results. There are plenty of open-source tools; in this article I want to focus on the ones that other developers most frequently recommend.

1. Microsoft SBOM tool

As mentioned on their GitHub, “The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.” This is an open-source tool and works on Linux, macOS, and Windows. It also comes with a Dockerfile if you want to maintain your own image, and with a quick-start guide for GitHub Actions and Azure DevOps Pipelines. It takes two inputs: a build drop path, whose files are listed in the SBOM, and a build components path, which it scans for package manifests to detect third-party dependencies. The component list is only as good as the manifests available in that second directory.

2. SPDX SBOM generator

According to their GitHub page, the “spdx-sbom-generator tool to help those in the community that want to generate SPDX Software Bill of Materials (SBOMs) with current package managers. It has a command line Interface (CLI) that lets you generate SBOM information, including components, licenses, copyrights, and security references of your software using the SPDX v2.2 specification and aligning with the current known minimum elements from NTIA.”

It automatically determines which package managers or build systems are being used by the software.

This open-source tool works with a variety of languages. You can run it by pulling the source code and executing it directly, or via its Docker image.

3. Syft

Quoting the developers, “A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.” This is, again, an open-source tool available on GitHub. It lets you choose between the SPDX and CycloneDX formats and works with a wide variety of languages. The developers also offer a GitHub Action to streamline the process if GitHub is your preferred CI/CD platform.

4. CycloneDX Maven plugin

If you only need a CycloneDX SBOM for a Java project, the CycloneDX Maven plugin might be a good choice. It is hosted on GitHub under the CycloneDX organization and is Java-only (the CycloneDX project also maintains generators for other ecosystems, such as Gradle, npm, .NET and Python). The plugin can produce a BOM for a single module, one per package in a multi-module build, or an aggregate BOM for the whole project.

Generate SBOM with Advanced Installer

Advanced Installer acknowledges the increasing importance of SBOMs and broader software security concerns. Starting with version 22.6, you can automatically generate SBOMs for your software packages.

By default, Advanced Installer uses the Microsoft SBOM tool to generate your SBOM reports in the SPDX 2.2 format. It also lets you pick an external SBOM source (.spdx or .json) to accommodate other standards used in your organization. Support for the SPDX 3.0 format is scheduled for a future update.


How to Generate an SBOM in Advanced Installer

The process of generating SBOMs with Advanced Installer for your software packages is quite easy.

When you create a new Installer project, or upgrade an existing Advanced Installer project to 22.6, add the package contents (Files and Folders, Shortcuts, Registry, File Associations, Services, and so on) as usual, then navigate to the Product Details page.

There you will find a new tab called SBOM. When you click it, you should see this page:

SBOM tab in Advanced Installer

If you check Generate SBOM, an SBOM report is generated next to your package at build time.

If you also specify a Build component folder path, the tool scans that directory for the package manifests and components used in the build and includes them in the generated report. Without it, the report is limited to what can be detected from the package contents themselves, so point it at the source or build tree where your dependency manifests live.

Once you have enabled SBOM generation, all you need to do is build your installer. In the output folder you will find a separate folder containing the SBOM report in SPDX (or the alternative standard you chose). Future versions of Advanced Installer will include the SBOM directly inside the setup package next to your application files. Shipping the SBOM as part of the installation package is recommended, so that the operating system or software inventory tools can locate and audit it easily.

SBOM report generated with Advanced Installer

Conclusion

SBOMs, once a niche concept, are now a cornerstone of secure software development. While the concept has existed for over a decade, recent U.S. government guidance, from Executive Order 14028 to the 2023 National Cybersecurity Strategy, has made them a core part of cybersecurity best practices.

By offering a transparent view of software components and the vulnerabilities they can be matched against, SBOMs let teams streamline compliance and enhance overall security. Tools like Advanced Installer simplify SBOM generation by integrating it into the packaging process, helping businesses meet regulatory requirements and proactively secure their applications.

As the adoption of SBOMs continues to grow, they are on track to become an essential part of every software package, fostering a safer, more transparent digital ecosystem that benefits developers, enterprises, and end-users alike.

Written by
Alex Marin

Application Packaging and SCCM Deployments specialist, solutions finder, Technical Writer at Advanced Installer.
