Software Bill of Materials

Bill of Materials (BOM)1 is widely used in the industry. Most of the industry products, including mobile phones, cars, food and medicine, are composed of many parts or components. But I never realised its existence in software industry before. It can’t be imagine a mobile phone, or a car can be built without accurate BOM management. But in sofware practice, it is common to introduce the dependened packages in will - simply add several lines of code can quickly create a new dependency. Fork or copy part of the source code can make it even harder to track the dependency.

After some research, I found Software Bill of Materials have its own name - SBOM 2, 3. The offical definition is like - A “Software Bill of Materials” (SBOM) is a nested inventory for software, a list of ingredients that make up software components. As for the software designed using mordern languages like Java, Golang, Python, JavaScript, the standard package manager can help us track SBOM. But for languages like C, and C+++, it is much harder - the dependencies are scattered in different kinds of makefiles, scripts and even in the source code itself. I have tried a recent tool on postgres’ source code, it can only detect libraries like zlib, without knowing system libraries like libc, and tools like bison and flex. Also, there are many misreports.

From the viewpoint of software vulnerability analysis, software version upgrade, and copyright management etc., without a powerful and accurate SBOM system, how can we reduce the risk of software lifecycle management? There are some products in this area, including FOSSA4 etc. Also I found some research paper on this topic 5. It looks like the problem of SBOM, esp. those in C/C++ world are still not solved 6.

There are several standard formats of SBOM, which are SPDX, CycloneDX, and SWID etc. Just as foods should provide their ingedients to the customers, software should also give its SBOM to them, too. We will see the regulations and compliance in SBOM in the coming years 7.

The above is the handwritten version, and the following is the ChatGPT rewritten version.

Unveiling the Importance of Software Bill of Materials (SBOM) in the Tech Realm

The concept of a Bill of Materials (BOM) is a familiar one in various industries, from the assembly of mobile phones and cars to the production of food and medicine. A BOM essentially serves as a comprehensive list of parts or components that make up a product 1. While it’s commonplace to meticulously manage BOM in traditional manufacturing, the software industry often operates in a different realm, where dependencies can be introduced swiftly and sometimes haphazardly.

Unlike the tangible nature of assembling a physical product, software development frequently involves the integration of dependent packages with just a few lines of code. Copying or forking source code further complicates dependency tracking. In contrast to the meticulous management of BOM in industries like automotive or electronics, software development can lack the structured oversight that ensures precise dependency tracking.

Upon delving into this realm, I discovered the Software Bill of Materials (SBOM), a term specifically coined for the software industry 2, 3. An SBOM serves as a nested inventory for software, essentially a detailed list of ingredients that constitute software components. While modern programming languages like Java, Golang, Python, and JavaScript benefit from standard package managers facilitating SBOM tracking, languages such as C and C++ present a more challenging landscape. Dependencies in these languages are dispersed across various makefiles, scripts, and even within the source code itself.

In my exploration, I experimented with a tool on PostgreSQL’s source code, revealing limitations in detecting certain libraries and system dependencies. The need for a more sophisticated and accurate SBOM system becomes apparent when considering aspects like software vulnerability analysis, version upgrades, and copyright management. Existing solutions, including FOSSA, attempt to address these challenges, but the nuances, especially in the C/C++ domain, remain unresolved 4, 5, 6.

Various standard formats for SBOM, such as SPDX, CycloneDX, and SWID, have emerged 7. Analogous to how food products disclose their ingredients to consumers, software should also provide its SBOM. The landscape of regulations and compliance in SBOM is anticipated to evolve in the coming years, given the growing significance of software lifecycle management in mitigating risks 7.

In conclusion, as we navigate the intricate world of software development, recognizing the importance of a robust SBOM system becomes pivotal. It is not merely a technical necessity but a cornerstone for addressing vulnerabilities, ensuring legal compliance, and ultimately enhancing the overall software lifecycle management process.

Footnotes

1 https://en.wikipedia.org/wiki/Bill_of_materials

2 https://www.cisa.gov/sbom

3 https://www.ntia.gov/page/software-bill-materials

4 https://fossa.com

5 https://www.cs.wm.edu/~denys/pubs/dissertations/TrevorMSSBOM.pdf

6 https://yhcrown.github.io/files/ISSTA2023.pdf

7 https://www.youtube.com/watch?v=5a3-bMFW-xg

[ SBOM ]
Written on January 20, 2024