Creating a software bill of materials (SBOM) for your products makes it easier for potential users to identify any threats posed by open-source and proprietary components in your software. As the number of software supply chain attacks grows, more governments, businesses, and other organizations will start requiring SBOMs before they will use software. That could cause a problem if you aren’t familiar with SBOMs.
The following common examples of SBOMs will help you become familiar with these documents and the information you need to meet the minimum requirements.
Features you’ll find in common examples of SBOMs
As you will see when you browse common examples of SBOMs, the documents contain specific types of information that help security teams identify components and where they come from. The list of components doesn’t automatically protect you from software supply chain attacks, but it does provide information you can use to limit risk.
Minimum SBOM requirements
The National Telecommunications and Information Administration (NTIA) sets minimum SBOM requirements for software used by federal agencies. All examples of SBOMs should include these components. Many will go beyond the minimum requirements to give users more information and reduce cybersecurity threats.
Required data fields will give you the:
- Supplier’s name
- Component name
- Version of the component
- Dependency relationships that show connections between components
- Other unique identifiers, such as look-up keys
- The SBOM data’s author
- Time and date the data was assembled
SBOM documents should align with at least one of three data formats:
- Software Package Data Exchange (SPDX)
- Software Identification (SWID) tags
In the example below, you will see common examples of SBOMs that conform to the CycloneDX format.
Start a free trial with Packagecloud so you can keep all of your software packages in a private, hosted repository.
Common examples of SBOMs on GitHub
You can find many examples of SBOMs by browsing GitHub. The following information comes from a page associated with a product from CycloneDX. It shows you the information you will find near the top of an SBOM document and what to expect from the first component in the list. The size of the file will depend on how many components a piece of software uses.
<metadata> <timestamp>2020-08-02T21:27:04Z</timestamp> <tools> <tool> <vendor>CycloneDX</vendor> <name>CycloneDX Maven plugin</name> <version>2.0.2</version> <hashes> <hash alg="MD5">9a7ed39bba6c03f85a88fe114e24e4ad</hash> <hash alg="SHA-1">04b39fce560f8a9609e5b5db6e605fc2ba2c5a42</hash> <hash alg="SHA-256">78522e385d01fc74cb6410abb22b2b0ed9b47c1124635d955179402928820b43</hash> <hash alg="SHA-384">aff816bf691e4490d4e977386c21abaceb97b7ce502d88c35c52cfdb7a7e50310ecc70019582d8247a99626bc98ad16b</hash> <hash alg="SHA-512">500bd8dd0b821ef84c57643324e1d0eea1111aa9c7913bc35cb812f577128867c74c698b59fb603b358cc5545a708feb8dfca223023f81597658053e5317dd1a</hash> <hash alg="SHA3-256">9e45261eff969396b6a3e97a1ad65dced304f77765655c9a72a2904caa137a1e</hash> <hash alg="SHA3-384">fea472f4c2bdee7df208ad3d6a76125ce282a250eb960bc2171297a3ae2e4232b61540132b71b399e8ac6b9d0228113f</hash> <hash alg="SHA3-512">6ed81f58d9039e56d393165bd26c998584e364f7975e33f5c3008ac10d67ed190edcd196c5ce1554e23c4e1271f8aed631e07c3ea0de59a3457891d188e71b67</hash> </hashes> </tool> </tools> <component bom-ref="pkg:firstname.lastname@example.org" type="library"> <group>io.dropwizard</group> <name>dropwizard-parent</name> <version>1.3.15</version> <scope>required</scope> <licenses> <license> <id>Apache-2.0</id> <url>http://www.apache.org/licenses/LICENSE-2.0</url> </license> </licenses> <purl>pkg:email@example.com</purl> </component> </metadata>
As you can see from the metadata, this SBOM document contains information about version 2.0.2 of a tool named “CycloneDX Maven plugin” from the vendor CycloneDX. The timestamp shows that the SBOM was created on August 2, 2020, at 9:27 p.m.
The document lists Apache as owning the tool’s license and directs viewers to the full text of the Apache License, Version 2.0.
<components> <component bom-ref="pkg:firstname.lastname@example.org?type=jar" type="library"> <publisher>FasterXML</publisher> <group>com.fasterxml.jackson.core</group> <name>jackson-annotations</name> <version>2.9.10</version> <description> <![CDATA[Core annotations used for value types, used by Jackson data binding package.]]> </description> <scope>required</scope> <hashes> <hash alg="MD5">26c2b6f7bc704ccadc64c83995e0ff7f</hash> <hash alg="SHA-1">53ab2f0f92e87ea4874c8c6997335c211d81e636</hash> <hash alg="SHA-256">c876f2e85d0f108a34cdd11ccc9d8d7875697367efc75bf10a89c2c26aee994c</hash> <hash alg="SHA-384">558025c95151985777def5221719a2f7db7257db584cef8bc72add4d37ab4b5147c3b529462db2327a885564e0222f3e</hash> <hash alg="SHA-512">6b1ae1d7036ce2fff81bf8fc2a3a55e4ea7eb081de806ad05301d2eb126bed1dda487027f3ccfa618c488e680e2f5ff22bc3f106e7c0af27b34d327d83083b46</hash> <hash alg="SHA3-256">6ebca301e4a201a89630bd7235d27e48a795c7e6fca7727ac08f3cc87e6a5049</hash> <hash alg="SHA3-384">db6b4116cb7bd4aa3aa641a4238c421320620a04a9472b5bb4685050a7f80292bcb3e15d6b263dc409e801a2228e6954</hash> <hash alg="SHA3-512">8d33540c9df56541a0dca99ca51432a8d0d9642813377c62f6df5602af1c8d04c3d62cf24a9cde5c79fcd63b287de19cfc84ea475f8dd0ca037a72baed3d50ee</hash> </hashes> <licenses> <license> <id>Apache-2.0</id> </license> </licenses> <purl>pkg:email@example.com?type=jar</purl> <externalReferences> <reference type="vcs"> <url>http://github.com/FasterXML/jackson-annotations</url> </reference> <reference type="website"> <url>http://fasterxml.com/</url> </reference> <reference type="distribution"> <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url> </reference> </externalReferences> </component>
This section of the dropwizard-1.3.15 SBOM provides more information about the first component listed in the document. In this case, you know that the component is version 2.9.10 of jackson-annotations. It’s an external component that you can find on GitHub’s Jackson. The rest of this SBOM document lists the remaining components the software uses. You can find the full XML document for dropwizard-1.3.15 on GitHub’s FasterXML/jackson-annotations page.
Other examples of SBOMs that you can view easily on GitHub include JSON and XML documents for:
When you look at these other examples of SBOMs, document layouts will become more obvious and you will learn where to look for specific pieces of information. Remember that you can often read SBOMs as XML or JSON documents. You might encounter slight differences depending on the format.
How Packagecloud can help
Common examples of SBOMs that you can find on GitHub and other public repositories make it obvious that these documents contain a lot of detailed information. You might wonder how you can possibly check all of these components to determine whether it’s safe to use a piece of software.
Packagecloud can make it easier for you to detect vulnerabilities in your code. When you add a package to your repository, Packagecloud scans it to find known vulnerabilities. If it locates an issue, you will have an opportunity to decide whether you want to correct the problems or take measures to prevent the vulnerability from damaging your network.
Since Packagecloud scans your packages before they get distributed to machines in your IT ecosystem, you don’t need to worry that known vulnerabilities will infect your computers, tablets, and other devices. Keep in mind, however, that Packagecloud can only find known threats. It’s always a good idea to use reliable DevSecOps tools and pay close attention to how your machines behave.
You can see how Packagecloud improves common examples of SBOMs within your organization. Start your free trial today to experience the benefits of hosted package distribution with built-in security features.