In our 8th Annual State of the Software Supply Chain Report, we detailed upcoming government regulation coming to protect national interests globally. Because software is frequently built from third-party open source components, one key effort is tracking and managing those components.
One way to manage those is via a “software bill of materials” or SBOM.
Through an Executive Order, the U.S. now requires SBOMs for government agencies, as well as those that contract with government purchasing for software. A goal they hope will improve the software industry as a whole:
“Though U.S. federal contractors will be the first required to create SBOMs, advocates have a global vision for including them in the software development process. As the existing standards become more popular, making an adjacent SBOM for each new software component will become best practice. The result will be a more robust ecosystem built on transparency.” (source)
One of our predictions for 2023 is that this is the year of the SBOM. Although there are many requirements, no specific SBOM format is recommended by a federal organization. The three items listed below are recognized in a variety of industries, and each is explicitly mentioned in the Software Bill of Materials Elements and Considerations by the US Federal Government. And because there are different available formats for detailing software components, we have compiled a list of possible reasons you may choose one format over another.
CycloneDX is a “standard that provides advanced supply chain capabilities for cyber risk reduction. CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis. (source)”
The standard is backed by the OWASP Foundation with support from a global community. Features include:
Specifically built for SBOMs – with component identity.
Lightweight protocol – meaning it’s easy to build, maintain, and manage.
Multiple formats – JSON, XML, and broad support enables easy integration with other development tools.
Open source – released under an Apache 2.0 license.
Wide industry support – Intel, IBM, Sonatype, and more.
Security – with available digital signatures for the XML and JSON formats.
More on the OWASP – CycloneDX.
Software Package Data Exchange or SPDX is “an open standard for communicating software bill of materials information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.” (source)
SPDX is a Linux Foundation project and features:
Compliance – Robust intellectual property and license focus management. SPDX has its roots in license compliance and this is its strongest area.
Comprehensive – Provides a high amount of depth and analysis, including file-level details for license information.
Already familiar – Part of multiple industries, including some healthcare and automotive sectors for license compliance.
Open source – released under a Creative Commons Public License.
Supports comments and code snippets – details about decisions, reviewer notes, and more (also coming soon in CycloneDX).
More on SPDX from the Linux Foundation.
Other related standards
Software Identification (SWID)
“… defines a structured metadata format for describing a software product. A SWID tag document is composed of a structured set of data elements that identify the software product, characterize the product's version, the organizations and individuals that had a role in the production and distribution of the product, information about the artifacts that comprise a software product, relationships between software products, and other descriptive metadata.” (source)
More on SWID (NIST.gov).
Package URL (purl)
“… is an attempt to standardize existing approaches to reliably identify and locate software packages.
A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.
Such a package URL is useful to reliably reference the same software package using a simple and expressive syntax and conventions based on familiar URLs.” (source)
Purl identifiers are supported by both CycloneDX and SPDX. They are rapidly becoming the standard to describe open source components across various ecosystems in a convention that embraces the existing naming conventions from those ecosystems.
More on purl.
Do I have to choose?
Although some companies we researched use multiple formats, this could mean additional complexity. Just like some countries have had to choose between Fahrenheit or Celsius, switching between them mid-stream can mean extra work, and potential loss of capabilities or fidelity.
Which is right for me?
Because the SBOM standard focuses on communication between projects, it can be worthwhile to speak with industry partners about their choices. For example, customers who work directly with Microsoft may be better served with SPDX, while IBM partners are likely to embrace CycloneDX.
Where does Sonatype stand?
Sonatype and its employees have been a part of supporting CycloneDX since early in its development. We use CycloneDX as the basis of our third-party API and support for import and export. We’ve also contributed code and the initial security extension for including vulnerability details.
However, we are not exclusively focused on CycloneDX to the exclusion of other standards. As members of the Linux Foundation and Open Source Security Foundation, we also participate in the SPDX Working Group and are anxiously awaiting the upcoming v3.0 specification.
What is the future of SBOMs?
SBOMs are moving in line with the future of computing to try and observe and understand changes in security and development. Some changes on the horizon:
Cryptographic bill of materials – crucial for security in a post-quantum computing world.
SBOMs that address machine learning tools.
SBOMs for “low code” platforms that help enable tools for less technical staff and faster automation for software engineers.
Here on the Sonatype blog, we’ll share more in the coming weeks on how to reduce legal risk with SBOMs.
Update: This article formerly stated that CycloneDX only supports XML digital signatures.