IBM has contributed two open source supply chain tools — SBOM Utility and License Scanner — to the Open Worldwide Application Security Project (OWASP) Foundation's CycloneDX Software Bill of Materials (SBOM) standard. The two tools fill two notable gaps in CycloneDX, which OWASP describes as a "full-stack" BOM standard that provides advanced supply chain risk reduction.
A software bill of materials, or SBOM, is an inventory listing every individual component used in a piece of software. The discovery of the vulnerability in the Log4j library two years ago highlighted just how few organizations really understood what was inside the software they were running. It wasn't enough to know which third-party components, libraries, and frameworks were being used directly; organizations also needed to know the transitive dependencies those components pulled in. In response to a string of supply chain attacks and the Log4j chaos, the White House issued Executive Order 14028, which directs developers to improve the security of their supply chains. One way to do that is to produce and maintain an SBOM for every piece of software they distribute.
"IBM has been advocating for all developers and organizations creating modern software to begin their journey to create SBOMs," says Jamie Thomas, IBM's general manager of systems strategy and development. "These tools are foundational complements to help developers in this journey, so they can better understand the potential risks in their software supply chains."
Standardizing SBOMs
Efforts to standardize the SBOM have accelerated with the sharp rise in software supply chain attacks over the past two years.
CycloneDX is one of two major SBOM standards, the other being the Linux Foundation's Software Package Data Exchange (SPDX). Proponents of CycloneDX, which is the newer of the two, describe it as a more lightweight standard better suited to those seeking a machine-readable way to exchange information. SPDX was originally created for intellectual property and licensing use cases; in 2021 it was published as an international standard (ISO/IEC 5962:2021), and the Linux Foundation positioned it as an SBOM standard. Both organizations are expanding their respective SBOM standards efforts.
IBM has actively participated in advancing CycloneDX's standards efforts, Steve Springett, director of product security at ServiceNow and chair of OWASP's CycloneDX working group, tells Dark Reading. "Software supply chain security is a topic of board-level discussions," Springett says. "There are many ways that organizations should improve their software supply chain assurance. And it starts with actually having all the data and more tools to drive more intelligence."
License Scanner Tool Brings Balance With SPDX
The CycloneDX working group has released some license scanning capabilities over the years, including base-level support for SPDX license IDs. But CycloneDX's licensing capability has lagged the functionality of SPDX. Springett says the addition of IBM's License Scanner fills that void. "It's great that we have a license scanner as part of the project," Springett tells Dark Reading. "Having a dedicated license tool actually will invite more people to the CycloneDX table that we've built."
Brian Fox, co-founder and CTO of AppSec tool provider Sonatype, agreed. "I think this helps balance things out with CycloneDX on the licensing side," Fox said. "It'll provide more building blocks to enable tools in the ecosystem to work better. Being able to more easily add license data to your CycloneDX SBOM, if you don't have existing tooling to do that, is a useful utility. Being able to validate both formats is also a useful utility."
In an OWASP blog post on Wednesday announcing IBM's contribution, Springett noted that IBM's License Scanner scans files for licenses and legal terms. "It can be used to help identify text matching licenses and license exceptions from the complete, published SPDX License List," he wrote. "It can also be configured to identify additional legal terms, keywords, aliases, and non-SPDX licenses. As a library, License Scanner is designed to be integrated into existing BOM generation software or may be used on its own as a command-line utility."
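To make the text-matching approach concrete, here is an added example in Python; it is not IBM's License Scanner and is not part of the original article or the OWASP post. It normalizes file text, matches a small hand-picked subset of SPDX License List identifiers and exceptions, resolves the GPL version and "or later" clause that decide between ids such as GPL-2.0-only and GPL-2.0-or-later, and accepts an operator-supplied table of extra non-SPDX terms. The phrase tables, the sample headers (constructed for this example) and the choice to report multiple licenses as AND are this example's own assumptions, not the project's.

```python
import re

# Subset of SPDX License List identifiers (the ids are real SPDX ids) paired with
# phrases this example treats as evidence of that license. The phrase choices are
# the example's own assumptions, not the project's matching rules.
SPDX_LICENSES = {
    "Apache-2.0": [r"apache license,? version 2\.0", r"\bapache-2\.0\b"],
    "MIT": [r"\bmit license\b", r"permission is hereby granted, free of charge"],
    "BSD-3-Clause": [r"neither the name of .{1,60} nor the names of its contributors"],
}
# GPL is handled separately: the version number and the "or later" clause decide
# which SPDX id applies (GPL-2.0-only vs GPL-2.0-or-later, and likewise for v3).
GPL_PATTERN = re.compile(r"gnu general public license.{0,80}?version (\d)(?:\.0)?")
OR_LATER_PATTERN = re.compile(r"any later version|or later")

SPDX_EXCEPTIONS = {
    "Classpath-exception-2.0": [r"classpath exception"],
    "LLVM-exception": [r"llvm exceptions?"],
}
# Non-SPDX legal terms an operator might configure; the key is what gets reported.
DEFAULT_TERMS = {
    "proprietary": [r"confidential and proprietary", r"all rights reserved"],
    "no-warranty": [r"without warrant(?:y|ies)", r"on an as is basis|provided as is"],
}

# Constructed sample inputs (modelled on common source-file headers).
SAMPLE_JAVA_HEADER = """\
/*
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Example Corp designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Example Corp in the LICENSE file that accompanied this code.
 */
"""
SAMPLE_README = """\
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
Distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND.
Portions copyright Example Corp. Confidential and proprietary.
"""


def normalize(text):
    """Lower-case, strip comment leaders and quotes, collapse whitespace so that
    line wrapping and comment style do not defeat phrase matching."""
    text = re.sub(r"^[ \t]*(/\*+|\*+/?|//|#)[ \t]?", "", text, flags=re.MULTILINE)
    text = text.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", text).strip().lower()


def _find_all(norm, table):
    """Map identifier -> offset of its first matching phrase in the normalized text."""
    hits = {}
    for ident, patterns in table.items():
        for pat in patterns:
            m = re.search(pat, norm)
            if m:
                hits[ident] = m.start()
                break
    return hits


def scan_text(text, extra_terms=None):
    """Scan one file's text. Returns licenses, exceptions and legal terms found,
    each as {identifier: offset}. extra_terms extends (or overrides) DEFAULT_TERMS."""
    norm = normalize(text)
    licenses = _find_all(norm, SPDX_LICENSES)
    for m in GPL_PATTERN.finditer(norm):
        # Look a short distance past the version for an "or later" grant.
        window = norm[m.end(): m.end() + 120]
        suffix = "or-later" if OR_LATER_PATTERN.search(window) else "only"
        licenses.setdefault(f"GPL-{m.group(1)}.0-{suffix}", m.start())
    exceptions = _find_all(norm, SPDX_EXCEPTIONS)
    terms = _find_all(norm, {**DEFAULT_TERMS, **(extra_terms or {})})
    return {"licenses": licenses, "exceptions": exceptions, "terms": terms}


def spdx_expression(result):
    """Build an SPDX license expression from a scan result, in order of appearance,
    e.g. 'GPL-2.0-only WITH Classpath-exception-2.0'. None when no license matched."""
    lic = sorted(result["licenses"], key=result["licenses"].get)
    if not lic:
        return None
    exc = sorted(result["exceptions"], key=result["exceptions"].get)
    if len(lic) == 1 and len(exc) == 1:
        return f"{lic[0]} WITH {exc[0]}"
    # With several licenses the text alone does not say whether they are conjunctive
    # or disjunctive; this example conservatively reports them as AND.
    return " AND ".join(lic)
```

Calling scan_text(SAMPLE_JAVA_HEADER) yields GPL-2.0-only plus the Classpath exception, so spdx_expression returns "GPL-2.0-only WITH Classpath-exception-2.0"; SAMPLE_README yields Apache-2.0 together with the non-SPDX "proprietary" and "no-warranty" terms, which is the kind of extra legal-term reporting the post describes. A real scanner would match the full SPDX list text rather than a few phrases, but the shape (normalize, match, resolve version qualifiers, emit an expression) is the same.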
SBOM Utility Adds APIs to CycloneDX
Springett described IBM's SBOM Utility as an API platform that can validate CycloneDX or SPDX-formatted BOMs against their published schemas. It can validate and analyze a variety of BOM types, including hardware (HBOMs) and SaaS (SaaSBOMs). In the future, Springett noted, SBOM Utility will support OWASP's Software Component Verification Standard (SCVS), "which is defining a BOM Maturity Model (BMM) to help in identifying and reducing risk in the software supply chain."
He also noted that SBOM Utility can process documents such as Vulnerability Disclosure Reports (VDRs) and Vulnerability Exploitability eXchange (VEX) data, formats CycloneDX has specified so that an SBOM can be accompanied by an assessment of whether the vulnerabilities in its components are actually exploitable in the product.
"The SBOM Utility is great because it takes an API approach and allows organizations to slice and dice the CycloneDX data model and all the data in it," Springett says. "If you care about certain aspects of the bill of material, you can quickly query it, which is fantastic. And you can then allow organizations to start creating policy based on the types of data that may or may not exist in that bill of material."
While IBM initially built SBOM Utility and License Scanner for its own use, the company has not said whether it plans to release commercial versions.