Software bill of materials, or SBOM for short, has been in the spotlight in recent months following a series of software supply chain attacks and new regulatory requirements.

SBOMs inventory the software components (name, author, version, supplier, and more) that comprise an application, providing much-needed visibility into potential compliance and security risks. Plus, the Biden Administration’s Executive Order on Improving America’s Cybersecurity requires organizations selling into the federal government to produce an SBOM to accompany each product.

Along with these security and regulatory compliance considerations, organizations have embraced SBOMs to support open source license compliance and technical due diligence, and to satisfy customer requests.

But, given the sheer volume of different software components in modern applications — a recent GitHub report noted that projects analyzed had close to 700 dependencies on average — it can be very hard to generate and maintain an accurate SBOM via manual or semi-automated processes.

That’s where solutions like FOSSA can be particularly valuable. FOSSA automates key parts of the SBOM generation process, saving engineering teams valuable time, ensuring accurate and up-to-date information, and strengthening software supply chain security. In this blog, we’ll explain how you can use FOSSA’s solution — which earned the highest score possible for SBOM support in the recent Forrester Wave — to simplify SBOM generation. But first, we’ll reflect briefly on traditional methods of SBOM creation and why they have become increasingly ineffective.

Traditional Ways of Creating SBOMs

In the earlier years of software development, when applications were built with mostly proprietary source components, generating a software bill of materials was relatively easy. But in modern software development, open source makes up about 85-90% of the average codebase, and components change drastically on a release-to-release basis.

Consequently, we’ve heard from many organizations that the traditional approach to creating SBOMs (which involves a lot of manual labor, often from members of the engineering organization) has become increasingly ineffective. In addition to consuming valuable staffing resources, the manual or semi-automated way of doing things often leads to data errors; by the time you have a software bill of materials generated, the results are outdated because of the new changes in your software.

With that as a backdrop, FOSSA built our SBOM tool to fully automate numerous key parts of the SBOM generation process. This enables users to maintain an accurate inventory of all software components that automatically updates with each new release.

Generating an SBOM with FOSSA

Organizations can use FOSSA to generate an accurate, up-to-date software bill of materials in a few easy steps. Here’s how:

Step 1: Integrate FOSSA

FOSSA provides two different installation options. The first is to integrate our tool with any version control system like GitHub, Bitbucket, or GitLab. Alternatively, you can use our CLI, which is also open source. You can download the CLI and run it locally, or you can integrate it into your CI/CD pipeline and scan your projects there.

When you scan your projects, FOSSA will automatically identify all the dependencies for a particular codebase. Once we identify the dependencies, we’ll automatically identify all the licenses across those dependencies. Then we run our policy rules, where we’ll report any vulnerability or license compliance issues.

One key point is that when it comes to dependency identification, FOSSA reports not only direct dependencies but deep dependencies, too. Manual or semi-automated methods may give you good visibility into your direct dependencies, but identifying your deep dependencies (and the licenses and vulnerabilities they may pull in) is a step that is often missed.

Also, each open source license that your project pulls in comes with a set of obligations, such as including a copyright notice or disclosing source code. FOSSA has comprehensive intelligence of these obligations, and we automatically tell you what they are, simplifying compliance with licensing requirements.
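The direct-versus-deep distinction above, shown as an added example (not FOSSA's code or output). It assumes an SBOM in SPDX 2.x JSON whose relationships include `DESCRIBES` and `DEPENDS_ON` entries; the package names and licenses in the sample are constructed.

```python
import json
from collections import deque

# Constructed sample in SPDX 2.x JSON shape; names and licenses are made up.
SAMPLE_SPDX = json.loads("""
{"spdxVersion": "SPDX-2.3",
 "packages": [
  {"SPDXID": "SPDXRef-app", "name": "example-app", "licenseConcluded": "MIT"},
  {"SPDXID": "SPDXRef-web", "name": "webframework", "licenseConcluded": "MIT"},
  {"SPDXID": "SPDXRef-tpl", "name": "templater", "licenseConcluded": "BSD-3-Clause"},
  {"SPDXID": "SPDXRef-img", "name": "imagecodec", "licenseConcluded": "GPL-3.0-only"},
  {"SPDXID": "SPDXRef-log", "name": "logger", "licenseConcluded": "Apache-2.0"}],
 "relationships": [
  {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
  {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-web"},
  {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-log"},
  {"spdxElementId": "SPDXRef-web", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-tpl"},
  {"spdxElementId": "SPDXRef-web", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-log"},
  {"spdxElementId": "SPDXRef-tpl", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-img"},
  {"spdxElementId": "SPDXRef-img", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-web"}]}
""")

def classify(doc):
    """Return (direct, deep) sets of package names reachable from the described root(s)."""
    names = {p["SPDXID"]: p["name"] for p in doc["packages"]}
    edges, roots = {}, []
    for r in doc["relationships"]:
        if r["relationshipType"] == "DESCRIBES":
            roots.append(r["relatedSpdxElement"])
        elif r["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])
    depth = {root: 0 for root in roots}
    queue = deque(roots)
    while queue:  # BFS gives shortest depth; depth doubles as visited set, so cycles end
        node = queue.popleft()
        for dep in edges.get(node, []):
            if dep not in depth:
                depth[dep] = depth[node] + 1
                queue.append(dep)
    direct = {names.get(i, i) for i, d in depth.items() if d == 1}
    deep = {names.get(i, i) for i, d in depth.items() if d > 1}
    return direct, deep

def deep_only_licenses(doc):
    """Licenses seen only on deep dependencies, i.e. missed by a direct-only review."""
    direct, deep = classify(doc)
    lic = {p["name"]: p.get("licenseConcluded", "NOASSERTION") for p in doc["packages"]}
    return {lic[n] for n in deep} - {lic[n] for n in direct}
```

On the sample, the only copyleft license in the tree sits two levels below the application, which is exactly the case a direct-only inventory misses.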

Step 2: Select Your SBOM Reporting Format

After you integrate FOSSA and scan your projects, our platform surfaces all your dependencies, licenses, obligations based on those licenses, and vulnerabilities.

To generate a software bill of materials, go to the “Reports” tab. From there, you’ll choose from a list of six different SBOM export formats.

You might pick the HTML format if you want to embed the report into your website. Or, if you are a business selling into the federal government, you might select SPDX, which is among the Biden Executive Order’s three approved export formats.

[Image: FOSSA's SBOM formats]

Step 3: Configure the Details of Your Report

Once you choose a reporting format, you’ll be able to customize which elements are included in your software bill of materials. First, you’ll decide which components to include. Options include direct dependencies, deep dependencies, license summary, project declared license, and any commercial or first-party licenses you want to include.

Next, you’ll let us know which dependency metadata to include.

[Image: Customizing an SBOM with FOSSA]

Additionally, you can configure the details of the dependencies that you want to include. This allows you to meet most of the obligations that FOSSA has identified based on the open source licenses involved in the project. So, if you want to fulfill the obligations of the full license text as part of the SBOM (or if you want to give acknowledgment to the author), simply check the box and FOSSA will generate the SBOM accordingly.

Step 4: Add the Final Touches

Now, all that’s left is dotting the i’s and crossing the t’s of your software bill of materials. At this stage, you’ll decide if you want to customize the header of your SBOM (with a company logo, perhaps), or if you want FOSSA to host the report for you. (This has the advantage of enabling auto-updates, where the SBOM is automatically updated after each new release.)

It’s also important to note that FOSSA supports a variety of reports in addition to SBOMs. These include:

  • Audit-grade compliance attributions for M&A or IPO due diligence events
  • Comprehensive vulnerability reports, which include information like the number of open source vulnerabilities, what they are, CWEs, CVEs, and more

Start Generating SBOMs with FOSSA

For more information on how FOSSA can help your organization generate an accurate, up-to-date software bill of materials, please visit our SBOM homepage. Or, if you’d like to set up a personalized demo of our SBOM solution, please contact our sales team.

If you are a current FOSSA user seeking more information about generating SBOMs, please contact your customer success representative.

About the Author

Deepak Mehta is the Head of Sales Engineering at FOSSA. He has a systems engineering background with strong expertise in networking, telecommunications, Tcl, C, C++, Java, Unix, and more.