SBOMs (software bill of materials) have been in the spotlight in recent years following a series of software supply chain attacks and new regulatory requirements. But, given the sheer volume of different software components in modern applications — a recent GitHub report noted that projects analyzed had close to 700 dependencies on average — it can be very hard to generate and maintain an accurate SBOM.

Especially for organizations that use a lot of software components, it's important to be mindful of considerations that play into effective SBOM generation. The more accurate, comprehensive, and up-to-date an SBOM is, the more effective it will be for use cases like security, regulatory compliance, open source license compliance, technical due diligence, and to satisfy customer requests.

That’s where SBOM tools like FOSSA can be particularly valuable. FOSSA automates SBOM generation, saving engineering teams valuable time, ensuring accurate and up-to-date information, and strengthening software supply chain security. In this blog, we’ll explain how you can use FOSSA’s solution — which earned the highest score possible for SBOM support in the recent Forrester Wave — to simplify SBOM generation. But first, we’ll reflect briefly on traditional methods of SBOM creation and why they have become increasingly ineffective.

Traditional Ways of Generating SBOMs

In modern software development, open source makes up about 85-90% of the average codebase, and components change drastically on a release-to-release basis.

Consequently, we’ve heard from many organizations that manual approaches to inventorying software components (which consumes a lot of bandwidth, especially from members of the engineering organization) has become increasingly ineffective. In addition to requiring valuable staffing resources, the manual or semi-automated way of doing things often leads to data errors; by the time you have an SBOM generated, the results are outdated because of the new changes in your software.

With that as a backdrop, FOSSA built our SBOM tool to fully automate numerous key parts of the SBOM generation process. This enables users to maintain an accurate inventory of all software components that automatically updates with each new release.

Generating an SBOM with FOSSA

Organizations can use FOSSA to generate an accurate, up-to-date software bill of materials in a few easy steps. Here’s how:

Step 1: Integrate FOSSA

When you sign up for a FOSSA account, you'll see two different installation options. The first is to integrate our tool with a version control system like GitHub, BitBucket, or GitLab. Alternatively, you can use our CLI, which is also open source. You can download the CLI and run it locally, or you integrate it as part of your CI/CD pipeline and scan your projects. (Users on business or enterprise plans can also start by importing a third-party SBOM; we'll discuss this option in more detail later in this blog post.)

When you scan your projects, FOSSA will automatically identify all the dependencies for a particular codebase. Once we identify the dependencies, we’ll automatically identify all the licenses across those dependencies. Then we run our policy rules, where we’ll report any vulnerability or license compliance issues.

One key point is that when it comes to dependency identification, FOSSA not only reports the direct dependencies, but deep dependencies, too. Using manual or semi-automated methods may allow you to have good visibility into your direct dependencies, but identifying your deep dependencies — and the licenses and vulnerabilities they may pull in — often is a step that is missed.

Also, each open source license that your project pulls in comes with a set of obligations, such as including a copyright notice or disclosing source code. FOSSA has comprehensive intelligence of these obligations, and we automatically tell you what they are, simplifying compliance with licensing requirements.

Step 2: Select Your SBOM Export Format

After you integrate FOSSA and scan your projects, our platform surfaces all your dependencies, licenses, obligations based on those licenses, and vulnerabilities.

To generate an SBOM, go to the “Projects” tab. Next, click on the project you want to create an SBOM for. Then, select "Generate a Compliance Report" in the "Actions" menu on the right side of your display.

From there, you'll start customizing your SBOM by picking your preferred export format. Options include the CycloneDX and SPDX specifications, HTML, Markdown, PDF, CSV, and Plain Text.

Step 3: Configure the Details of Your Report

Once you pick a format, you’ll choose which elements to include in your SBOM. First, you’ll decide which components to include. Options include direct dependencies, deep dependencies, license summary, project declared license, and any commercial or first-party licenses you want to include.

Next, you’ll let us know which dependency metadata to include.

SBOM data fields

Additionally, you can configure the details of the dependencies that you want to include. This allows you to meet most of the obligations that FOSSA has identified based on the open source licenses involved in the project. So, if you want to fulfill the obligations of the full license text as part of the SBOM (or if you want to give acknowledgment to the author), simply check the box and FOSSA will generate the SBOM accordingly.

Step 4: Add the Final Touches

Now, all that’s left is dotting the i’s and crossing the t’s of your SBOM. At this stage, you’ll decide if you want to customize the header of your SBOM (with a company logo, perhaps), or if you want FOSSA to host the report for you. (This has the advantage of enabling auto-updates, where the software bill of materials is automatically updated after each new release.)

It’s also important to note that FOSSA supports a variety of reports in addition to SBOMs. These include:

  • Audit-grade compliance attributions for M&A or IPO due diligence events
  • Comprehensive vulnerability reports, which include information like the number of open source vulnerabilities, what they are, CWEs, CVEs, and more

Importing SBOMs

As mentioned earlier in this post, users on FOSSA business or enterprise plans also have the ability to import third-party SBOMs. This allows organizations to understand potential third-party security and licensing risks.

FOSSA currently supports the import of CycloneDX SBOMs; you can import an SBOM by clicking the "Add Projects" button in your FOSSA app, then selecting the "Import SBOM" option.

Start Generating SBOMs with FOSSA

For more information on how FOSSA can help your organization generate an accurate, up-to-date software bill of materials, please visit our SBOM homepage. Or, if you’d like to set up a personalized demo of our SBOM solution, please contact our team.

If you are a current FOSSA user seeking more information about generating SBOMs, please contact your customer success representative.

About the Author

Deepak Mehta is the Head of Sales Engineering at FOSSA. He has a systems engineering background with strong expertise in networking, telecommunications, Tcl, C, C++, Java, Unix, and more.