
Introducing Dynamic SBOM Sharing in FOSSA

July 9, 2025 · 7 min read·Andy Drukarev

FOSSA has long been a trusted platform for organizations to produce, ingest, and manage SBOMs (software bills of materials). We recently took the next step toward our mission of offering customers the most comprehensive SBOM management platform possible with the release of our new Dynamic SBOM Sharing feature.

Dynamic SBOM Sharing facilitates the secure exchange of policy-conformant SBOMs on a continuous basis between the SBOM distributor and SBOM consumer. SBOM distributors can now ensure their SBOMs meet their consumer’s specific policy requirements before delivery — significantly reducing the back-and-forth communication formerly required.

The end result is that SBOM consumers are able to assess supplier risk more efficiently (since the SBOMs they consume will meet policy standards), and SBOM distributors spend less time modifying the SBOMs they produce. Plus, both parties can ensure the potentially sensitive IP contained within the SBOM is protected at all times.

In this blog, we'll explore in more detail how and why FOSSA customers are using Dynamic SBOM Sharing; we'll also walk you through how the feature works.

Dynamic SBOM Sharing Benefits

Due to a number of new regulatory requirements (such as the CRA, PCI DSS 4.0, DORA, and several others) — plus the heightened global emphasis on software supply chain transparency and security — SBOMs have become an increasingly important tool for many organizations.

And while some teams are solely producing SBOMs for internal use (or to deliver them to regulatory bodies), a growing number are now being asked to share them with customers.

However, traditional SBOM sharing methods (such as email or Google Drive sharing) have been plagued by several issues, including weak security and a high likelihood that the SBOM doesn't meet the consumer's needs.

FOSSA built Dynamic SBOM Sharing with this context in mind. Our customers who require SBOMs needed a way to make the process of obtaining them as secure and low-friction as possible. Here's how Dynamic SBOM Sharing accomplishes those objectives.

Security

FOSSA's Dynamic SBOM Sharing feature meets the highest level of security requirements. SBOMs transmitted via FOSSA are encrypted end-to-end, at rest and in transit. FOSSA digitally signs the shared SBOM to confirm authenticity and eliminate tampering. Robust role-based access controls ensure only the intended recipient (scoped to a user or a team) has access to the provided SBOM. FOSSA maintains a 1:1 mapping between each modified distributed SBOM and its SBOM consumer, ensuring an auditable history of package changes and updates.

Efficiency

Rather than engage in an extended conversation to correct any issues, the SBOM distributor is automatically notified of any missing or incorrectly configured SBOM fields, based on the SBOM policies the consumer sets within the FOSSA app. In addition, SBOM distributors have access to the same open source license compliance and security policies as the SBOM consumer. This enables SBOM distributors to proactively mitigate or triage license conflicts and vulnerabilities and to assess exploitability, all before an SBOM consumer has ever seen the provided SBOM. SBOM distributors and consumers can now avoid the extended back and forth that often previously accompanied SBOM delivery.

Usability

An SBOM is only as useful as it is complete, accurate, and, at least in part, tailored to the needs of the SBOM consumer. Dynamic SBOM Sharing is by definition based on the SBOM consumer’s specific needs — it allows for the automated implementation of policy requirements set by the consumer. In practice, this means the provided SBOM will include the data fields and be communicated in the format the SBOM consumer needs to most effectively utilize it in open source vulnerability management, license compliance, and other risk management initiatives.

How to Use Dynamic SBOM Sharing

Now that we've discussed the benefits of Dynamic SBOM Sharing, let's take a look at how the feature works.

As you might expect, your experience will vary depending on whether you are distributing or consuming the SBOM. We'll start from the distributor's (i.e. supplier's) perspective, then cover the consumer's view.

It's important to note that while only paying FOSSA enterprise customers can receive SBOMs via Dynamic SBOM Sharing, any type of FOSSA user (including free users) can distribute SBOMs via Dynamic SBOM Sharing.

Dynamic SBOM Sharing for SBOM Distributors

How to share an SBOM with a consumer
  1. SBOM distributors can get started by visiting our website to create a free FOSSA account. (Or, if you already have a FOSSA account, start by logging into our web app.)

  2. Once you're logged in, navigate to the “Projects” page, then click the green “Add Projects” button.

  3. On the “Add Projects” page, click the “Upload” button on the “SBOM Import” option; once you've imported your SBOM, you'll see it listed on your “Projects” page dashboard.

  4. Next, click on the SBOM from the Projects page. This will bring you to a screen that displays not only any licensing, security, or quality issues associated with the dependencies in the SBOM as compared to your consumer's policies, but also analysis of whether the SBOM meets your consumer's structural requirements.

  5. Once your SBOM fully meets your consumer's requirements, you'll click on the “Share Project” button in the “Actions” menu on the top-right corner of the page. Simply click the “Share” button next to the consumer's name in the pop-up, and you'll successfully complete the Dynamic SBOM Sharing workflow.

Dynamic SBOM Sharing for SBOM Consumers

How to consume an SBOM from a distributor
  1. Get started by signing into the FOSSA web app and navigating to the “Policies” section of the header menu.

  2. Select the “SBOM” tab on the “Policies” page, then click the green “Create Policy” button.

  3. Next, you'll want to name your SBOM policy (so that you can easily distinguish between policies if you have multiple) and add a brief description.

  4. Then, it's time to build the content of your policy: you'll have the option to require specific SBOM formats (e.g. CycloneDX or SPDX), metadata, and components.

  5. Once you've customized your SBOM policy, click the green “Save” button on the top-right corner of the page.

You'll now be able to access any SBOMs that are shared with you in the “Shared Projects” tab of the “Projects” page. In addition to verifying whether the provided document meets your SBOM policies, FOSSA will run its standard analysis to surface any associated security, licensing, and/or quality issues missed by your SBOM distributor. You can then work with the SBOM distributor to make any necessary fixes.
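To make the structural requirements in step 4 concrete, here is an added example (not FOSSA code; the policy shape, field names and sample SBOM are constructed assumptions) that checks a CycloneDX JSON SBOM against a consumer policy requiring a format, metadata fields and per-component fields, and reports what a distributor would need to fix before sharing.

```python
import json

# Constructed CycloneDX 1.5 JSON SBOM with deliberate gaps: no supplier in the
# metadata, and one component lacking both a purl and license information.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {"type": "application", "name": "acme-app", "version": "2.3.1"},
        "timestamp": "2025-07-09T00:00:00Z",
    },
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "mystery-lib", "version": "0.1.0"},
    ],
})

# Constructed consumer policy (assumed shape, not FOSSA's policy schema):
# required format, required dotted metadata paths, required fields per component.
POLICY = {
    "format": "CycloneDX",
    "metadata": ["metadata.component.name", "metadata.component.version",
                 "metadata.supplier.name", "metadata.timestamp"],
    "component_fields": ["name", "version", "purl", "licenses"],
}

def _lookup(obj, dotted):
    # Walk a dotted path through nested dicts; None if any segment is missing.
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def check_sbom(sbom_json, policy):
    # Return a list of findings; an empty list means the SBOM conforms.
    sbom = json.loads(sbom_json)
    findings = []
    # CycloneDX JSON carries bomFormat; SPDX JSON carries spdxVersion instead.
    fmt = sbom.get("bomFormat") or ("SPDX" if "spdxVersion" in sbom else None)
    if fmt != policy["format"]:
        findings.append(f"format: expected {policy['format']}, got {fmt}")
    for path in policy["metadata"]:
        if _lookup(sbom, path) in (None, ""):
            findings.append(f"missing metadata field: {path}")
    for idx, comp in enumerate(sbom.get("components", [])):
        label = comp.get("name", f"#{idx}")
        for field in policy["component_fields"]:
            if not comp.get(field):
                findings.append(f"component {label}: missing {field}")
    return findings
```

Run against the sample, the checker reports the missing supplier and the two missing fields on `mystery-lib`; an SPDX document fails the format requirement first.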

Get Started with FOSSA Dynamic SBOM Sharing

More and more organizations are now requiring SBOMs from their suppliers to enable risk management and regulatory compliance, among several other use cases. We're excited about the early feedback we've gotten from FOSSA users who have found that our Dynamic SBOM Sharing tool has made the exchange of SBOMs much easier, more effective, and more secure.

If you're a current FOSSA customer and would like more information on using Dynamic SBOM Sharing, please contact your customer success representative. If you aren't currently a FOSSA customer, you can get in touch with our team for a demo and more information.
