This tutorial is a complete guide to SBOMs along with a review of the most popular SBOM solutions that are currently available:
At the risk of stating the obvious, software development is complicated. With so much to do, development teams struggle to effectively track all the code they use to develop, run, and publish their software. Thankfully, there is now a range of SBOM solutions offering Software Composition Analysis (SCA) to scan applications and determine the origin of every line of code.
With the rise of software supply chain attacks and the potential for licensing compliance issues, software vendors and consumers are increasingly relying on SBOMs to identify and describe the source of every component.
A new report by Gartner describes SBOMs, their benefits, the various standards in use, and recommendations for implementing SBOMs in organizations.
What You Will Learn:
- Software Bill of Materials (SBOM) Solutions
- Role of SBOMs in Modern Software Development
- Industry: Standard SBOM Formats
- List of the Best SBOM Solutions
Software Bill of Materials (SBOM) Solutions
As the U.S. government works to help the software ecosystem secure its supply chain, every player in the software industry needs to make sure they are prepared to comply with new and upcoming regulations.
For example, CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) recently published the third part of a series on securing software supply chains: Securing Software Supply Chain Series – Recommended Practices Guide for Customers.
The publication follows the August 2022 release of guidance for developers and the October 2022 release of guidance for suppliers. SBOMs take center stage in all three parts.
But what should you be looking for in an SBOM solution in 2023? What distinguishes one SBOM solution from the next?
Let us guide you through the world of SBOMs, explaining what you need to know and taking a look at the top most popular SBOM solutions currently available.
Software development has come a long way. Dev teams no longer need to build new applications from scratch, painstakingly writing every line of code.
Instead, they can build on what’s come before, incorporating commercial packages and open-source components into their codebase as well as taking advantage of a range of development tools to enhance and accelerate the process.
Everything that goes into making the final product, from components, tools, libraries, processes, and more, is referred to as the software supply chain. Given the scale and complexity of modern software, keeping track of every link in the chain is a significant yet critical undertaking.
This is precisely the purpose of the Software Bill of Materials or SBOM, a new take on common practice across many other sectors. For example, manufacturing companies utilize bills of material to identify everything that makes up their finished products. This helps supply chain management and allows companies to quickly trace components back to specific vendors.
SBOM is the software industry equivalent, offering a standardized approach for vendors to efficiently list the foundational code upon which their software packages are built. Think of SBOMs as an inventory, a list of all first and third-party components and the dependencies between them.
They typically include information regarding:
- Where a component was sourced
- The version number
- Licensing information
- How it is used in the software package
With an inventory of every component from development to delivery, organizations can:
- Guarantee license compliance.
- Accurately identify all software components and monitor any potential security vulnerabilities.
- Discover outdated components to source alternatives proactively.
- Increase the visibility of software products.
- The gain reputation of the repository is the basis for more advanced security aspects such as provenance, VEX, etc.
While creating an SBOM is not a new concept, they are finding wider use due to expanding software supply chains and the growing risk of cyberattacks targeting it.
Role of SBOMs in Modern Software Development
In May 2021, the Biden administration released an “Executive Order on Improving the Nation’s Cybersecurity” recommending that vendors providing software to the federal government incorporate SBOMs.
In early 2022, Gartner released their “Innovation Insights for SBOMs” report, in which they predicted the number of organizations, both developers and customers, mandating SBOMs will triple from 20% in 2022 to 60% by 2025.
With the need to discover vulnerabilities and comply with software licenses, organizations, particularly those running critical infrastructure and operations, must begin utilizing SBOMs.
Software Supply Chain Vulnerabilities
Bad actors targeting commonly used open-source or commercial software do so because a single vulnerability can result in infiltrating thousands of systems. Famous examples of far-reaching supply chain attacks include the Log4J software vulnerability in December 2021 and the SolarWinds hack in March 2020.
SBOMs create a list of each software component and its relevant security information (source, version number, etc.) so organizations can better identify potential vulnerabilities.
Once discovered, vulnerable components or libraries are typically patched. However, this also requires every user downstream to update their components. SBOMs increase awareness of vulnerabilities such that dev teams can switch to updated versions or sources for an alternative.
SBOM Solutions can be utilized in more advanced software supply chain systems to validate the integrity of software components to ensure they are as intended and no malicious activity has occurred.
Some SBOM solutions incorporate hash values and signatures to provide evidence on every update to the codebase, tracking the user who made changes and attesting to the integrity of the current version.
Improved visibility helps create trust among internal and external stakeholders. Security-conscious clients are now looking for greater assurance as to the quality of the software they are purchasing. Sharing SBOMs enhances visibility, detailing critical security information on every component in use.
Beyond software supply chain security, SBOMs also help organizations comply with open-source licensing. There are usage restrictions associated with specific open-source licenses. A comprehensive SBOM reveals the open-source component dependencies present and any license restrictions that may be in place.
Industry: Standard SBOM Formats
While developers can generate in-house SBOMs how they choose, several standardized formats have recently emerged. These allow for efficient comparisons across different organizations and sectors while also making it possible to implement specific SCA tools to gather and organize relevant information.
The three leading SBOM formats are:
CycloneDX is an SBOM standard endorsed by the Open Web Application Security Project (OWASP) for multi-industry use.
It handles four types of data:
- Material flow chart metadata (information on the product itself).
- Components (a comprehensive list of commercial and open-source components along with license information).
- Services the software can use.
- Dependencies between components (both direct and indirect).
#2) SPDX (Software Package Data Exchange)
Endorsed by the Linux Foundation in 2010, SPDX is an open-source standard for SBOMs. It contains information related to each component, including copyright, licenses, and security references.
#3) SWID (Software Identification)
SWID by the International Organization for Standards (ISO) evolved from efforts to mark software components with machine-readable IDs. SWID tags are embedded metadata within the software with information such as the software product, its version, the developers behind it, and more.
List of the Best SBOM Solutions
- Scribe Security (Recommended)
- Endor Labs
Comparison Table of Top Software Bill of Materials Solution
|Solution||Best suited for||Rating|
|Scribe Security||Comprehensive SBOM management, including generating, managing, and sharing SBOMS to continuously attest to the security and integrity of software||5/5 stars|
|Mend||Users wanting a range of SCA tools, including automated responses||4.2/5 stars|
|CodeNotary||Real-time SBOMs collected in a single dashboard||4.2/5 stars|
|Anchore||Highly visible in-depth SBOMs that track changes during the build process||4.5/5 stars|
|FOSSA||Easy to generate custom SBOMs (choose your own data fields) in multiple formats, including SPDX||4/5 stars|
|Cybeats||An SBOM solution per se||4/5 stars|
|Snyk||Developers wanting advanced SCA to create full dependency graphs||4.2/5 stars|
|JFrog||DevSecOps teams needing a simple way of identifying vulnerabilities and tracking license violations||4.2/5 stars|
|Endor Labs||Storing and managing SBOMs from a single platform||4/5 stars|
#1) Scribe Security (Recommended)
Best for comprehensive SBOM management, including generating, managing, and sharing SBOMS that continuously attest to the security and integrity of your software.
Scribe integrates into your software pipelines to automatically generate SBOM and register the evidence of the integrity and provenance of code components and artifacts. Using cryptographic techniques, Scribe provides attestations to verify software components and automatically generate digitally signed SBOMs.
This information can be shared between the development and security teams as with other external stakeholders such as software consumers and auditors for compliance. You can address any vulnerabilities present and create advisories or critical flags for each.
Scribe continuously tracks newly published intelligence, such as advisories and open-source scorecards about SBOM components. Thus, producers can address these findings and communicate de-facto risks associated with published vulnerabilities utilizing the Vulnerability Exploitability eXchange (VEX) standard.
The Scribe Security platform is a comprehensive, easy-to-implement solution for generating, managing and sharing SBOMs. An all-in-one solution, Scribe allows you to continuously validate the integrity of your codebase and identify vulnerabilities and other security aspects.
- Hosted SBOM management services with sharing capabilities.
- Automatically generate digitally-signed SBOMs to attest to every build directly in your pipeline.
- Actionable insights, including alerts for new vulnerabilities, context on existing vulnerabilities, and evidence-based provenance for code components and dependencies.
- Container validation that ensures no tampering has occurred.
- Enforce security policies for each product and demonstrate compliance with SLSA (Supply-chain Levels for Software Artifacts) and SSDF (Secure Software Development Framework).
Verdict: An end-to-end solution that automatically generates easy-to-share SBOMs – Our favorite SBOM solution for 2023.
Best for users who want a range of SCA tools, including automated responses.
Previously known as WhiteSource, Mend’s SCA tools offer a range of functionality, including generating SBOMs for the latest build before deployment.
MEND SCA allows users to generate SBOMs that:
- Track all open-source libraries.
- Document components and the direct and transitive dependencies between them.
- Automatically updated as components change.
- Find vulnerabilities.
- Ensure updates are backward compatible.
The platform also provides visibility for open-source license compliance, automated policy enforcement, prioritization, and remediation. Mend claims its patented technology can determine whether a vulnerability can be safely ignored using “reachability path analysis” to show whether the library is not in use or only accessed in a safe manner.
- Automated policy enforcement to spot and remediate vulnerabilities as soon as they are detected.
- License compliance for open-source libraries.
- Incorporate through various SDLC points such as browser, IDE, repository, etc.
- Covers open source vulnerabilities across more than 200 languages.
Verdict: Quickly generate SBOMs while incorporating a range of other SCA tools.
Best for real-time SBOMs collected on a single dashboard.
CodeNotary provides software to protect organizations from harmful components during software development. This includes their TrueSBOM platform that continuously scans for vulnerabilities in the background, offering real-time SBOMs for your projects. TrueSBOM also scans for open-source license compliance.
All SBOMs can be managed from a single dashboard or via the command line. TrueSBOM provides an updated diff to compare files from the at-rest vs. runtime SBOM, as well as actionable recommendations to improve protection and patent-pending tech, allowing apps to export their SBOM in real-time.
- Continuous vulnerability scanning produces real-time SBOMs.
- License compliance scanning.
- Integration with the most popular cloud CI/CD tools.
- Manage SBOMs from a single UI or via the command line.
- Collect SBOMs for serverless applications.
Verdict: TrueSBOM from Codenotary protects DevOps teams against harmful components by constantly scanning for vulnerabilities.
Best for highly visible in-depth SBOMs that track changes during the build process.
Anchore delivers software security (including SBOMs) through its all-in-one Software Supply Chain Management Platform. Built upon two open-source projects: Syft, a tool and library for generating SBOMs, and Grype, a vulnerability scanning tool for file systems and container images, Anchore can generate SBOMs at any point during development.
Anchore-generated SBOMs are stored in a centralized repository for visibility and ongoing monitoring.
- Visibility with in-depth SBOMs.
- Central repositories to respond quickly to vulnerabilities.
- Track SBOM changes throughout the build process to find unexpected dependencies, errors, or malicious activity.
- Tag artifacts associated with a particular project to gain an application-level view.
- Define policies and alerts when unsanctioned software is identified.
- Share SBOMs for individual artifacts or the entire application.
Verdict: Track, manage, and share SBOMs from a central repository.
Best for easy-to-generate custom SBOMs (choose your own data fields) in multiple formats, including SPDX.
FOSSA aims to maximize flexibility so users can generate the ideal SBOMs depending on their needs. From pre-IPO and M&A due diligence to fulfilling a customer request or complying with government regulations, FOSSA aims to put users in control.
This includes providing various formats (SPDX, etc.), picking and choosing your own data fields from FOSSA’s extensive list, and offering multiple delivery options (download, self-distribute, or host on FOSSA).
The company’s SBOM solution is built on an open-source license compliance manager and an open-source vulnerability management tool. The final platform can be deployed directly into your development pipeline with a simple command line interface or integrated with your chosen version control system, such as GitHub or BitBucket.
- Automated license and vulnerability management.
- Flexible and easy to make SBOMs that fit various needs.
- Extensive coverage, including over 20 languages and 100% native SPDX support.
- Integrate using a command line interface or combine with popular version control systems.
- Utilize root cause identification to reduce false positives by up to 85%.
Verdict: Offers flexible SBOM solutions with automated license and vulnerability management.
Best for organizations wanting supply chain screening and greater transparency.
SBOM Studio from Cybeats helps organizations manage software security across the entire development lifecycle. Track and understand third-party codes to document what you are using and where it came from. SBOM Studio offers continuous security risk assessments as well as software license analysis for compliance.
- Supply chain screening and transparency for software provenance.
- Continuous security risk assessment.
- Compliance through software license analysis.
- Determine how vulnerabilities (components reaching the end of life, breach of vendor technology, etc.) affects your software.
- Support for multiple formats, including SPDX and CycloneDX.
Verdict: Enterprise-class SBOM solutions provide continuous security risk assessments.
Best for developers wanting advanced SCAs to create full dependency graphs.
Snyk is a risk management tool for developers using advanced SCA to find vulnerabilities mostly in the development phase. A developer-first SCA solution, Snyk helps find and fix vulnerabilities and licensing issues in open-source dependencies.
Working with package manifests and lock files, developers can build a full dependency graph to pinpoint vulnerabilities or concerns. This output can be converted into SPDX formatting using “snyk2spdx,” an open-source project that generates SBOMs from Snyk technology.
- Automated vulnerability fixes with a one-click pull request.
- Continuous monitoring with updates on newly identified vulnerabilities.
- Control your dependencies by running scans for any language.
- Automatic open-source management and governance for regulatory or internal policies.
Verdict: Targeted at developers wanting to promote and contribute to an open-source SBOM project.
Best for DevSecOps teams needing a simple way of identifying vulnerabilities and tracking license violations.
JFrog Xray is an SCA solution that integrates with their Artifactory platform to offer DevSecOps teams a simple method of identifying open-source vulnerabilities and license violations. Newer versions of JFrog Xray (3.40.x and above) now allow users to generate SBOMs in both SPDX and CycloneDX formats.
- Decipher unidentified components and code dependencies.
- Increase visibility for vulnerabilities and open-source licensing compliance.
- Become aware of end-of-life components and others that need updating.
- Enforce organizational policies.
- Learn about the recently discovered vulnerabilities affecting your software.
Verdict: A simple method of generating and exporting SPDX and CycloneDX SBOMs.
#9) Endor Labs
Best for storing and managing SBOMs from a single platform.
Endor Labs platform allows users to create, manage, and analyze SBOMs from a central inventory. Their SBOM solutions go beyond metadata scanning to generate call graphs that map out software dependencies. With this context, users can better understand their software packages and whether vulnerable dependencies are reachable.
- Create SBOMs with VEX to improve customer trust.
- Store and manage SBOMs from a single platform.
- Generate SBOMs in SPDX and CyclineDX formats.
Verdict: Helpful tool for creating, managing, and analyzing SBOMs from a central inventory.
Website: Endor Labs
SBOMs are becoming a critical tool for understanding and mitigating software supply chain attacks. With a clear list of everything your software uses, you can remedy any potential vulnerabilities as well as ensure you’re complying with open-source licenses.
With many SBOM solutions now available, organizations should take the time to research their options and find a platform that covers their needs. With the growing appetite for mandated SBOMs, we believe organizations should emphasize tools that can seamlessly share SBOMs with both internal and external stakeholders.