IBM has contributed two open source supply chain tools, SBOM Utility and License Scanner, to the Open Worldwide Application Security Project (OWASP) Foundation's CycloneDX Software Bill of Materials (SBOM) standard. The two tools fill two key gaps in CycloneDX, which OWASP describes as a "full-stack" BOM standard that provides advanced supply chain risk reduction.
The software bill of materials, or SBOM, is an inventory listing all the individual components used in a piece of software. The discovery of the vulnerability in the Log4j library two years ago highlighted just how few organizations truly understood what was inside the software they were running. It wasn't enough to know which third-party components, libraries, and frameworks were in use: organizations needed to be aware of all the dependencies those components were pulling in. In response to various supply chain attacks and the Log4j chaos, the White House issued an Executive Order mandating that developers improve the security of their supply chains. One way is to adopt and maintain an SBOM for every piece of software they distribute.
"IBM has been advocating for all developers and organizations creating modern software to begin their journey to create SBOMs," says Jamie Thomas, IBM's general manager of systems strategy and development. "These tools are foundational complements to help developers on this journey, so they can better understand the potential risks in their software supply chains."
Standardizing SBOMs
Efforts to standardize the SBOM have accelerated with the sharp rise in software supply chain attacks over the past two years.
CycloneDX is one of two major SBOM standards, the other being the Linux Foundation's Software Package Data Exchange (SPDX). Proponents of CycloneDX, which is newer, describe it as a more lightweight standard better suited to those looking for a machine-readable way to exchange information. The Linux Foundation in 2021 declared SPDX an SBOM standard, though it was originally created for intellectual property and licensing use cases. Both organizations are expanding their respective SBOM standards efforts.
IBM has actively participated in advancing CycloneDX's standards efforts, Steve Springett, director of product security at ServiceNow and chair of OWASP's CycloneDX working group, tells Dark Reading. "Software supply chain security is a topic of board-level discussions," Springett says. "There are many ways in which organizations should improve their software supply chain assurance. And it starts with actually having all the data and more tools to drive more intelligence."
Licensing Scanner Tool Brings Balance With SPDX
The CycloneDX working group has released some license scanning capabilities over the years, including base-level support for SPDX license IDs. But CycloneDX's licensing capability has lagged the functionality of SPDX. Springett says the addition of IBM's License Scanner fills that void. "It's great that we have a license scanner as part of the project," Springett tells Dark Reading. "Having a dedicated license tool actually will invite more people to the CycloneDX table that we've built."
Brian Fox, co-founder and CTO of AppSec tool provider Sonatype, agreed. "I think this helps balance things out with CycloneDX on the licensing side," Fox said. "It will provide more building blocks to enable tools in the ecosystem to work better. Being able to more easily add license data to your CycloneDX SBOM, if you don't have existing tooling to do that, is a useful utility. Having the ability to validate both formats is also a useful utility."
In an OWASP blog post on Wednesday announcing IBM's contribution, Springett noted that IBM's License Scanner scans files for licenses and legal terms. "It can be used to help identify text matching licenses and license exceptions from the full, published SPDX License List," he wrote. "It can also be configured to identify additional legal terms, keywords, aliases, and non-SPDX licenses. As a library, License Scanner is designed to be integrated into existing BOM generation software or may be used on its own as a command-line utility."
SBOM Utility Adds APIs to CycloneDX
Springett described IBM's SBOM Utility as an API platform that can validate CycloneDX- or SPDX-formatted BOMs against their published schemas. It can validate and analyze a variety of BOM types, including hardware (HBOMs) and SaaS (SaaSBOMs). In the future, Springett noted, SBOM Utility will support OWASP's Software Component Verification Standard (SCVS), "which is defining a BOM Maturity Model (BMM) to help in identifying and reducing risk in the software supply chain."
He also noted that SBOM Utility can process documents such as Vulnerability Disclosure Reports (VDRs) and Vulnerability Exploitability eXchange (VEX) data formats, which CycloneDX has specified to provide risk assessment.
"The SBOM Utility is great because it takes an API approach and allows organizations to slice and dice the CycloneDX data model and all the data in it," Springett says. "If you care about certain aspects of the bill of material, you can quickly query it, which is fantastic. And you can then allow organizations to start creating policy based on the types of data that may or may not exist in that bill of material."
While IBM initially built SBOM Utility and License Scanner for its own use, the company has not said whether it plans to release commercial versions.
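To make the "slice and dice" idea concrete, here is an added example (not IBM's SBOM Utility or License Scanner code) that loads a constructed CycloneDX 1.4 JSON BOM carrying an embedded VEX section and runs two policy queries of the kind described above: which components lack an SPDX license ID, and which vulnerability entries still need action. Component names, versions and vulnerability IDs are made up; the header check is a sanity check, not validation against the published schema.

```python
import json

# Constructed sample CycloneDX 1.4 JSON BOM with an embedded VEX section; names,
# versions and vulnerability IDs are made up for this example.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:maven/example/logger@2.1.0", "type": "library", "name": "logger",
         "version": "2.1.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:npm/padder@1.3.0", "type": "library", "name": "padder",
         "version": "1.3.0", "licenses": [{"license": {"name": "custom vendor EULA"}}]},
        {"bom-ref": "pkg:npm/utils@4.17.21", "type": "library", "name": "utils",
         "version": "4.17.21"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:maven/example/logger@2.1.0"}],
         "analysis": {"state": "exploitable"}},
        {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:npm/utils@4.17.21"}],
         "analysis": {"state": "not_affected"}},
    ],
})

def load_bom(text):
    """Parse a BOM and sanity-check its CycloneDX header (not full schema validation)."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX BOM")
    return bom

def components_without_spdx_license(bom):
    """Components with no license, or with only a free-text 'name' rather than an SPDX 'id'."""
    flagged = []
    for comp in bom.get("components", []):
        ids = [lic.get("license", {}).get("id") for lic in comp.get("licenses", [])]
        if not ids or not all(ids):
            flagged.append(comp["name"])
    return flagged

def components_needing_action(bom):
    """Join the VEX entries back to components: (vuln id, component name) pairs
    whose analysis state is not a closed state such as 'not_affected'."""
    closed = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}
    by_ref = {c["bom-ref"]: c["name"] for c in bom.get("components", [])}
    result = []
    for vuln in bom.get("vulnerabilities", []):
        if vuln.get("analysis", {}).get("state") in closed:
            continue
        for target in vuln.get("affects", []):
            result.append((vuln["id"], by_ref.get(target["ref"], target["ref"])))
    return result
```

Both queries return plain lists so they can feed a policy gate; a component with no SPDX ID or an open VEX entry is what such a gate would block or escalate.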