What are SBOM standards and formats?

March 08, 2024 By Aaron Linskens

6 minute read time

The growing importance of software bills of materials (SBOMs) marks a significant shift towards better transparency and security in software management.

By cataloging every component within software, SBOMs serve as a crucial framework for organizing information. This structure aids in making informed decisions to bolster security, ensure compliance, and enhance software management efficiency. Embarking on the path to fully unlock SBOM potential requires a deep dive into the various standards and formats that underpin them.

Building upon our series' exploration of SBOM essentials and elements, this installment covers the nuances of SBOM standards and formats, charting a course through the complexities that shape software transparency and security today.

A foundation for SBOMs: Standards

Executive Order 14028, issued on May 12, 2021, underscores the importance of SBOMs in bolstering cybersecurity across software supply chains. This directive mandates the development and adoption of standards that facilitate the creation, exchange, and utilization of SBOMs to ensure software integrity and security.

Standards are the backbone for SBOMs, ensuring they can be created, distributed, and consumed efficiently and consistently.

Standards promote the following:

  • Interoperability: Standards facilitate seamless exchange and interpretation of SBOM data across diverse software ecosystems.
  • Best practices: They outline methodologies for efficient SBOM creation, sharing, and utilization, promoting industry-wide best practices.

This executive order tasks the National Institute of Standards and Technology (NIST) with spearheading the development of these standards, focusing on the secure creation and usage of SBOMs. Such efforts are designed to elevate the integrity and security of software products by mandating a comprehensive inventory of software components.

Through these standards, SBOMs become a more potent tool in the cybersecurity arsenal, providing crucial insights into software composition that can inform risk management, compliance, and security strategies. As a result, the adoption of SBOM standards is not just a compliance requirement but a strategic advantage for organizations aiming to safeguard their digital assets against evolving threats.

A language for SBOMs: Formats

Formats are the specific schemas or structures used to document and convey the details of software components within an SBOM.

The National Telecommunications and Information Administration (NTIA) recognizes three main formats for SBOMs. Each format has its own unique focus and strengths.

CycloneDX

CycloneDX stands out as a premier, open-source standard born from the collaborative efforts within the OWASP community, designed specifically to bolster security across software supply chains. It’s celebrated for its lightweight nature, fostering an environment where adoption and integration into build pipelines are both seamless and efficient. This format supports an extensive array of materials — ranging from software and hardware to services — underscoring its versatility in accommodating diverse software ecosystems.

Notably, CycloneDX is engineered for cyber risk mitigation, gaining the trust of sectors as critical as government and defense. It boasts compatibility with over 200 tools and extends its reach across more than 20 programming languages. Its remarkable support for advanced licensing, inclusive of SPDX license IDs and expressions, significantly enhances compliance and software asset management processes.

Key attributes of CycloneDX include the following:

  • Emphasis on a comprehensive spectrum of software and hardware components, with a keen focus on vulnerability and license tracking.
  • Native support for multiple standards of component identity, including coordinates, Package URL (purl), and common platform enumeration (CPE), catering to both binary and source software artifacts.

An optimal use case might include the following:

  • Ideal for scenarios demanding stringent security and risk management measures, CycloneDX excels in environments prioritizing the automation and continuous enhancement of SBOMs throughout software development life cycles (SDLCs).

CycloneDX's commitment to automation, ease of adoption, and the progressive enhancement of SBOMs positions it as a cornerstone in the realm of software security and compliance.

SPDX

SPDX, under the stewardship of the Linux Foundation, represents a cornerstone in the Software Package Data Exchange standards. As an open-source blueprint for SBOMs, SPDX simplifies the conveyance of essential details such as software names, versions, components, licenses, copyrights, and security references.

This format excels in reducing redundancies and streamlining both distribution and compliance processes, backed by its ISO/IEC recognition as an international standard. It champions software supply chain transparency and facilitates collaborative efforts across diverse ecosystems.

Key attributes of SPDX include the following:

  • Precision in documenting software components, licenses, and other critical data, making it indispensable for compliance and legal frameworks.
  • Enables linking of artifacts to global reference systems like CPE, Package URL (purl), SWHID, enhancing security and management of software components.

An optimal use case might include the following:

  • SPDX's versatility shines across various software ecosystems, supporting both open source and proprietary code. It's designed for easy integration into developer workflows and corporate compliance structures, making it accessible for a wide array of software projects.

SPDX's open source nature and the complementary tooling ecosystem encourage widespread adoption, ensuring that even individual developers can contribute to the broader narrative of software transparency and security with minimal barriers.

SWID

Software identification (SWID) tags, as defined by ISO/IEC 19770-2, offer a sophisticated metadata framework for pinpointing software entities. These tags encapsulate critical details such as product versions, producers, and various descriptive metadata, serving as the backbone for effective software asset management (SAM), vulnerability analysis, and a myriad of security-related operations.

Key attributes of SWID tags include the following:

  • SWID tags are designed to facilitate comprehensive software inventory and entitlement management, capturing both commercial and open source software presence on devices.
  • The process for creating SWID tags is streamlined, enabling developers to integrate tag generation into their build pipelines automatically.

An optimal use case might include the following:

  • With a focus on deployed software, SWID tags adapt to changes in the binary artifact, enhancing their relevance for automated scanning, risk management, and tool integration.

SWID tags’ robust design and practical applications underscore their importance in managing the complex landscape of installed software, providing clear insights and controls for IT and security teams.

Building a comprehensive SBOM strategy

Implementing an SBOM strategy involves more than selecting the right format. It requires an understanding of the lifecycle of SBOMs, from generation and distribution to consumption and updating. Here are some strategies:

  • Automate SBOM generation: Leverage tools that support automatic generation of SBOMs during the software development process.
  • Embrace format flexibility: Utilize tools capable of producing and consuming multiple SBOM formats to ensure compatibility across the software supply chain.
  • Prioritize security and compliance: Choose formats that align with your security and compliance requirements, ensuring that your SBOM strategy effectively mitigates risks.

The future of SBOMs

As SBOMs increasingly embed themselves within the fabric of software development and software supply chain management, their evolution reflects a broader commitment to enhancing software transparency and security.

This progress underscores not merely a compliance checklist but a strategic embrace of standards and formats that bolster our collective cybersecurity posture.

Moving forward, organizations must stay agile, adapting to new developments in SBOM practices to safeguard their applications effectively. The trajectory of SBOMs points towards a future where software transparency is not just a regulatory expectation but a foundational aspect of software integrity and security.

Tags: software bill of materials, Software Supply Chain, News and Views, SBOM

Written by Aaron Linskens

Aaron is a technical writer on Sonatype's Marketing team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they can build the right software.

Learn more on: