A software program invoice of supplies (SBOM) offers transparency into the weather of an built-in software program product. Such transparency is crucial to figuring out system vulnerabilities and thus mitigating potential safety dangers. There’s rising curiosity in utilizing SBOMs to assist software program provide chain threat administration. In September 2024 Military leaders signed a memorandum requiring SBOMs for vendor-supplied software program. Extra lately, the Division of Protection (DoD) Chief Data Officer, by means of its Software program Quick Observe Program, is requiring that software program distributors submit their SBOMs, in addition to these from third-party assessors, to allow detection of variances between SBOMs for a similar software program.
Totally different SBOM instruments ought to produce related data for a bit of software program at a given level in its lifecycle, however this isn’t at all times the case. The divergence of SBOMs for particular person items of software program can undermine confidence in these necessary paperwork for software program high quality and safety. This weblog put up outlines our staff’s current findings on why SBOMs diverge and recommends seven methods to enhance SBOM accuracy.
SBOM Harmonization Plugfest
The SEI’s 2024 SBOM Harmonization Plugfest mission, sponsored by the Cybersecurity and Infrastructure Safety Company (CISA), aimed to uncover the basis causes of SBOM divergence, akin to imprecise definitions or requirements, how uncertainty is addressed, or different implementation selections. The SEI introduced collectively SBOM device distributors, requirements producers, and others within the SBOM neighborhood to supply pattern SBOMs for evaluation. The lately launched Software program Invoice of Supplies (SBOM) Harmonization Plugfest 2024, on which this put up relies, outlines our staff’s findings, evaluation, and suggestions to assist SBOM producers generate extra constant and dependable SBOMs.
We requested Plugfest members to generate and submit SBOMs primarily based on 9 software program targets chosen as a consultant pattern of assorted programming languages as seen in Desk 1 beneath.
The SEI gained approval from most members to make their submissions public. These SBOMs that have been authorised for launch are now obtainable at SEI’s GitHub website.
Overview and Evaluation of Submitted SBOMs
We acquired 243 SBOMs from 21 Plugfest members. To make sure anonymity and to forestall any bias in our evaluate, we anonymized participant names by assigning alphanumeric codes to every. One participant, who was assigned the code Y2, submitted many extra SBOMs (102) than all of the others (Determine 1). Y2 generated and submitted SBOMs in each format their device supported (i.e., supply and binary evaluation in addition to enriched and non-enriched).
Determine 1: SBOMs Submitted per Goal
Evaluation
To make sure an goal evaluation, we first decided analysis standards for our evaluate of the SBOMs. We then decided automated approaches to extract data from the SBOMs to facilitate our improvement of software program instruments for evaluation in addition to our era of baseline SBOMs, which we used for comparability functions.
Analysis Standards
Assessing the consistency of the minimal components of the submitted SBOMs was a crucial part in figuring out their completeness and accuracy. An inventory of minimal components specifies the baseline SBOMs ought to meet and facilitates data sharing. The factors we used for minimal components are these required for documenting a software program product’s main part and its included elements as outlined in CISA’s Framing Software program Part Transparency: Establishing a Frequent Software program Invoice of Supplies (SBOM):
- SBOM Creator Identify
- SBOM Timestamp
- SBOM Kind
- SBOM Main Part
- Part Identify
- Part Model String
- Part Provider Identify
- Part Cryptographic Hash
- Part Distinctive Identifier
- Part Relationships
- Part License
- Part Copyright Holder
Evaluation Instruments
As a result of many submissions, we developed instruments to automate ingesting and processing SBOMs to gather, collate, and export information about them. Individuals submitted SBOMs in SPDX and CycloneDX codecs in a wide range of encodings together with JSON, XML, and YML.
We wrote code for processing SBOMs utilizing Python inside Jupyter computational notebooks hosted on an SEI inner Bitbucket repository, which additionally contained a replica of SBOM Plugfest submissions. We used two main notebooks for analyzing SBOM submissions: one for CycloneDX and one for SPDX. We sought to extract the next from every SBOM:
- data associated to the presence or absence of minimal components
- details about software program elements, together with their relationships to 1 one other and with the goal software program
In every pocket book, we collected data from every SBOM by doing the next:
- traversing the listing of SBOM submissions, importing JSON SBOM recordsdata, and decoding the JSON recordsdata in order that information might be extracted
- extracting minimal components from every SBOM the place the info existed and noting the place information was lacking
- developing a dependency tree primarily based on the dependencies listed in every SBOM (These dependency timber contained details about software program elements and the kinds of relationships amongst these elements as listed within the SBOM.)
- collating information from every SBOM into two widespread information buildings: one for data associated to minimal components and the opposite for part data
We analyzed the info buildings utilizing Python information science packages, or we exported them as comma separated worth (CSV) recordsdata for additional evaluation. We used details about the presence or absence of minimal components to generate abstract statistics for every software program goal and every SBOM kind (supply/construct). We used dependency graph data to investigate the presence/absence of elements and assess the depth of the SBOMs.
Baseline SBOMs
We chosen three outstanding open supply instruments, Syft, Trivy, and Microsoft’s SBOM Device, to create baseline SBOMs for every of the 9 software program targets. The baseline SBOMs served as preliminary examples of what we would anticipate to see submitted by Plugfest members. The baseline SBOMs additionally allowed us to develop evaluation instruments early within the mission so we may begin analyzing members’ SBOMs as quickly as they have been submitted.
Findings from SBOM Evaluation
The next are notable findings from our analysis on the SBOMs submitted for the Plugfest. These findings, ordered from the trivial to the extra advanced, clarify the kinds of variances within the SBOMs in addition to their causes.
- Part quantity, content material, and normalization. We discovered vital variance in each the variety of elements and the content material of the minimal required components in SBOMs from totally different members for a similar software program on the similar lifecycle section. Some variance in SBOM content material is because of the lack of normalization; the identical content material was merely being written in a different way (e.g., software program model detailed as v 2.0 or simply 2.0).
- Software program variations. One other trigger for variance in SBOM content material is that some software program specs permit for a variety of potential software program variations, however SBOMs permit solely a single model to be documented for every dependency. This ends in SBOMs having numerous variations listed throughout totally different members for every goal that allowed model ranges.
- Minimal components. Some variance in SBOM content material is because of variations in whether or not members included minimal components or not, which can be because of the considerably synthetic nature of producing SBOMs for a analysis mission.
- Use circumstances. SBOMs have various use circumstances, which result in various kinds of SBOMs. The wide range of potential use circumstances is a further trigger for the shortage of harmonization throughout SBOMs for a similar goal. If we had specified a use case, members could have taken a extra harmonized strategy to how they generated, enriched, or augmented their SBOMs for that use case.
- Construct and supply SBOMs. Individuals used totally different approaches to generate their construct and supply SBOMs, which led to variations within the found elements. Some members used a container construct course of to generate their construct SBOM, and others constructed a standalone executable for his or her chosen runtime surroundings utilizing the goal’s language or build-framework-specific course of. Construct SBOMs additionally diverse primarily based on the surroundings and gear configurations every participant used. Supply SBOMs seize dependencies declared or inferred from supply code. Some members used further data from exterior areas, such because the artifact repositories referenced by dependencies or the contents of platform toolchain libraries, to deduce further dependencies.
- Dependency interpretation. A evaluate of submitted explanatory readme recordsdata and discussions with members indicated some variations within the interpretation of dependency. Some submissions included dependencies of first-party elements that aren’t sometimes deployed, akin to goal documentation construct instruments, CI/CD pipeline elements, and optionally available language bindings.
7 Suggestions for Enhancing SBOM High quality
The next suggestions primarily based on our analysis and evaluation will enhance the standard of SBOMs and assist guarantee constant content material in SBOMs for a similar goal.
-
Emphasize inclusion of the next minimal components:-
SBOM Kind.
Embrace the SBOM Kind to doc the lifecycle section for which this SBOM was generated (e.g., Supply, Construct). We advocate that this attribute be required moderately than optionally available. -
Part Model String.
Emphasize the significance of reporting the model precisely as supplied by the provider. This reporting minimizes the necessity for normalization attributable to information being inconsistently reported (e.g., one SBOM experiences
v 2.0
and one other experiences
2.0
). -
Part Provider Identify.
Embrace the title of the entity that supplied the contents of the software program being described. This helps customers of the SBOM perceive which third events have been a part of the provision chain. A standard registry of part suppliers would assist normalize this entry. For open supply software program elements, which wouldn’t have a conventional provider, a direct reference or hyperlink to the mission repository must be supplied. -
Part Cryptographic Hash.
SBOM steerage ought to clearly state what elements are being hashed when a cryptographic hash is included. Make it extra simple for SBOM customers to know learn how to confirm the hash worth. Alternatively, when supplying cryptographic hashes, SBOM creators must be express about what was hashed. -
Part License.
Emphasize the necessity to present licensing data or to notice that the license data just isn’t identified or was not included.
-
-
Enhance normalization of SBOM components.
A lot divergence in SBOMs is because of lack of normalization (e.g., model numbering as talked about earlier or
date/time
which can be written as 2025-06-15 or just as August 2025). Standardize on utilizing the time period
provider
for a
main provider
and the time period
producer
for a
secondary provider
. -
Doc how the time period
dependencies
is interpreted within the SBOM era course of.
Develop steerage to differentiate dependencies by class (e.g., runtime, assessments, docs). -
SBOM mills ought to doc their strategy to producing SBOMs.
It will assist customers higher perceive potential variations in SBOMs for a similar software program. Additionally doc the use case for which the SBOM is being generated. Totally different use circumstances could require variations in SBOMs. -
Use the suitable device for the environmen
t
.
SBOM creators and customers ought to guarantee they’re utilizing an acceptable SBOM device for his or her particular surroundings. SBOM instruments sometimes deal with a subset of the programming languages and construct environments. -
Assist developer neighborhood SBOM efforts.
Some developer communities are working to incorporate SBOM mills in language instruments and construct frameworks to make it a lot simpler for initiatives utilizing these languages and frameworks to generate SBOMs as upstream suppliers. These efforts have an outsize affect as a result of they decrease the barrier for creating SBOMs and push the SBOM era additional upstream to mission maintainers who’ve detailed data of their very own supply code and construct processes. -
Develop and validate SBOM profiles.
To assist stakeholders talk extra successfully, they might develop and validate SBOM profiles, every profile being a well-defined restriction positioned on a number of SBOM requirements to make clear that means and allowable values for every discipline, its cardinality, and structural features. The
OWASP Software program Part Verifications Customary (SCVS) BOM Maturity Mannequin
profiles function is an instance. One other strategy can be to outline a JSON schema that extends the present schemas for CycloneDX and/or SPDX and provides the mandatory clarifications and restrictions for a profile.
Future Work on Making certain SBOM High quality
SBOMs are of rising significance to safeguarding the safety of all software program methods, together with DoD and demanding infrastructure methods. As extra organizations require use of SBOMs, there will likely be better want to make sure their high quality and completeness, together with offering transparency for undeclared dependencies. Choices to maintain SBOM components opaque could also be rethought if third get together SBOMs can present wanted transparency. This analysis mission is a part of a unbroken SEI effort to enhance the standard of SBOMs.
