In recent years, the increased complexity of software has made security more important than ever. It has become increasingly difficult to manage vulnerabilities and protect against cyber attacks.

Especially the log4j vulnerability kept a lot of security specialists busy, as identifying affected applications took time.

The Software Bill of Materials (SBOM) is a solution to this problem. It also has been gaining attention in the cloud security community recently. More and more vendors for cloud-native application protection platforms (CNAPP) are integrating SBOM. In this article, we will discuss the importance of the SBOM, its benefits, and how it can help organizations to improve their security posture.

Table of content

What is an SBOM?
Why is an SBOM important for cybersecurity?
Benefits of an SBOM
Different SBOM Formats
 SPDX Format
 CycloneDX Format
Challenges and limitations of an SBOM

What is an SBOM?

An SBOM is a document that lists all the components of a software application. This includes open-source and third-party components. It provides a detailed inventory of all software components in use. You will also get detailed information about dependencies, licenses, and other metadata.

Why is an SBOM important for cybersecurity?

Software vulnerabilities are a major concern for organizations as cyber attacks continue to increase in frequency and severity. Hackers can exploit vulnerabilities in software to gain access to sensitive data or take control of systems. One of the challenges for organizations is to manage all third-party dependencies software has. An SBOM can help organizations identify and address vulnerabilities by providing a complete and accurate inventory of software components in use. This information can be used to close security gaps more efficiently and evaluate risks.

Benefits of an SBOM

The benefits of an SBOM are numerous, including:

  • Providing a comprehensive inventory of software components in use.
  • Increase transparency of the software supply chain.
  • Speed up the identification of vulnerable components and take action to mitigate risks.
  • Comply with software licensing requirements and regulations.
  • Improved software supply chain management. Tracking changes and updates, evaluating risks, and improving quality control.

Different SBOM Formats

SBOM currently has two main standards defining the output format. Those are SPDX and CycloneDX. CycloneDX is a standard from the OWASP foundation. SPDX is a Linux Foundation project. The definition of the SBOM has been published by SPDX in ISO/IEC 5962:2021.

SPDX Format

Let's dive into the SPDX format first. The specification defines the different attributes, which the JSON document needs to include. The full specification is published on the SPDX website at https://spdx.github.io/spdx-spec/.

Attribute Required
SPDXID X
annotations
comment
creationInfo X
dataLicense X
externalDocumentRefs
hasExtractedLicensingInfos
name X
revieweds
spdxVersion X
documentNamespace
documentDescribes
packages
files
snippets
relationships

An example of an SPDX SBOM for a docker image is looking the following way:

{
   "SPDXID":"SPDXRef-DOCUMENT",
   "name":"alpine-latest",
   "spdxVersion":"SPDX-2.2",
   "creationInfo":{
      "created":"2023-02-19T15:02:25.01476257Z",
      "creators":[
         "Organization: Anchore, Inc",
         "Tool: syft-v0.46.3"
      ],
      "licenseListVersion":"3.17"
   },
   "dataLicense":"CC0-1.0",
   "documentNamespace":"https://anchore.com/syft/image/alpine-latest-e507acbe-0db0-4bb0-9d16-d0b50ebda2cc",
   "packages":[
      {
         "SPDXID":"SPDXRef-ab55097ffeb7363c",
         "name":"alpine-baselayout",
         "licenseConcluded":"GPL-2.0-only",
         "description":"Alpine base dir structure and init scripts",
         "downloadLocation":"https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout",
         "externalRefs":[
            {
               "referenceCategory":"SECURITY",
               "referenceLocator":"cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*",
               "referenceType":"cpe23Type"
            }
         ],
         "filesAnalyzed":false,
         "licenseDeclared":"GPL-2.0-only",
         "originator":"Person: Natanael Copa <[email protected]>",
         "sourceInfo":"acquired package info from APK DB: /lib/apk/db/installed",
         "versionInfo":"3.4.0-r0"
      },
      {
         [...]
      }
   ],
   "files":[
      {
         "SPDXID":"SPDXRef-564026926225072e",
         "comment":"layerID: sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39",
         "licenseConcluded":"NOASSERTION",
         "fileName":"/bin/busybox"
      },
      {
         "SPDXID":"SPDXRef-8d0f0e38c71439e1",
         "comment":"layerID: sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39",
         "licenseConcluded":"NOASSERTION",
         "fileName":"/etc/apk/keys/[email protected]"
      }
   ],
   "relationships": [
      {
         "spdxElementId":"SPDXRef-cede09890b9a4526",
         "relationshipType":"CONTAINS",
         "relatedSpdxElement":"SPDXRef-6b9abe7d80ee470b"
      },
      {
         "spdxElementId":"SPDXRef-cede09890b9a4526",
         "relationshipType":"CONTAINS",
         "relatedSpdxElement":"SPDXRef-fb8ddb3720060aa2"
      }
   ]
}

CycloneDX Format

The structure of the CycloneDX format is very similar but puts the security attribute at a more prominent level. The specification for the CycloneDX format can be found at https://cyclonedx.org/docs/latest/json/.

Attribute Required
bomFormat X
specVersion X
serialNumber
version X
metadata
components
services
externalReferences
dependencies
compositions
vulnerabilities
signature

I have also generated an example of a docker image SBOM for the CycloneDX format:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:72b8ed9f-19bd-4b50-88b3-650c70ef02bb",
  "version": 1,
  "metadata": {
    "timestamp": "2023-02-19T15:02:29Z",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
        "version": "v0.46.3"
      }
    ],
    "component": {
      "bom-ref": "5339058ca5e06f8a",
      "type": "container",
      "name": "alpine:latest",
      "version": "sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3"
    }
  },
  "components": [
    {
      "bom-ref": "pkg:alpine/[email protected]?arch=x86_64\u0026upstream=alpine-baselayout\u0026distro=alpine-3.17.2\u0026package-id=ab55097ffeb7363c",
      "type": "library",
      "publisher": "Natanael Copa \[email protected]\u003e",
      "name": "alpine-baselayout",
      "version": "3.4.0-r0",
      "description": "Alpine base dir structure and init scripts",
      "licenses": [
        {
          "license": {
            "id": "GPL-2.0-only"
          }
        }
      ],
      "cpe": "cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*",
      "purl": "pkg:alpine/[email protected]?arch=x86_64\u0026upstream=alpine-baselayout\u0026distro=alpine-3.17.2",
      "externalReferences": [
        {
          "url": "https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout",
          "type": "distribution"
        }
      ],
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "apkdb-cataloger"
        },
        {
          "name": "syft:package:metadataType",
          "value": "ApkMetadata"
        },
        {
          [...]
        }
      ]
    }
  ]
}

Challenges and limitations of an SBOM

Although an SBOM has many benefits, there are also some challenges and limitations to its implementation. These include:

  • Limited adoption: Although the SBOM concept has gained traction in recent years, it is still not adopted in many industries. I have not seen it used in any organization yet.
  • Limited standardization: There is currently no standard format for an SBOM. The two most prominent ones are SPDX and CycloneDX.
  • Limited information: The information included in an SBOM can vary depending on the implementation by software developers and vendors.
Share this post