These Common Examples of SBOMs Will Help You Get Started

Introduction

Creating a software bill of materials (SBOM) for your products makes it easier for potential users to identify any threats posed by open-source and proprietary components in your software. As the number of software supply chain attacks grows, more governments, businesses, and other organizations will start requiring SBOMs before they will use software. That could cause a problem if you aren’t familiar with SBOMs.

   

The following common examples of SBOMs will help you become familiar with these documents and the information you need to meet the minimum requirements.

Did you know that Packagecloud is the industry’s first platform to implement the SBOM framework? You can see how it works by starting your free trial.

     

Features you’ll find in common examples of SBOMs

As you will see when you browse common examples of SBOMs, the documents contain specific types of information that help security teams identify components and where they come from. The list of components doesn’t automatically protect you from software supply chain attacks, but it does provide information you can use to limit risk.

    

Minimum SBOM requirements

The National Telecommunications and Information Administration (NTIA) sets minimum SBOM requirements for software used by federal agencies. All examples of SBOMs should include these components. Many will go beyond the minimum requirements to give users more information and reduce cybersecurity threats.

Required data fields will give you the:

• Supplier’s name
• Component name
• Version of the component
• Dependency relationships that show connections between components
• Other unique identifiers, such as look-up keys
• The SBOM data’s author
• Time and date the data was assembled

    

SBOM documents should align with at least one of three data formats:

• Software Package Data Exchange (SPDX)
• CycloneDX
• Software Identification (SWID) tags

    

In the example below, you will see common examples of SBOMs that conform to the CycloneDX format.

   

Start a free trial with Packagecloud so you can keep all of your software packages in a private, hosted repository.

     

Common examples of SBOMs on GitHub

You can find many examples of SBOMs by browsing GitHub. The following information comes from a page associated with a product from CycloneDX. It shows you the information you will find near the top of an SBOM document and what to expect from the first component in the list. The size of the file will depend on how many components a piece of software uses.

    <metadata>

        <timestamp>2020-08-02T21:27:04Z</timestamp>

        <tools>

            <tool>

                <vendor>CycloneDX</vendor>

                <name>CycloneDX Maven plugin</name>

                <version>2.0.2</version>

                <hashes>

                    <hash alg="MD5">9a7ed39bba6c03f85a88fe114e24e4ad</hash>

                    <hash alg="SHA-1">04b39fce560f8a9609e5b5db6e605fc2ba2c5a42</hash>

                    <hash alg="SHA-256">78522e385d01fc74cb6410abb22b2b0ed9b47c1124635d955179402928820b43</hash>

                    <hash alg="SHA-384">aff816bf691e4490d4e977386c21abaceb97b7ce502d88c35c52cfdb7a7e50310ecc70019582d8247a99626bc98ad16b</hash>

                    <hash alg="SHA-512">500bd8dd0b821ef84c57643324e1d0eea1111aa9c7913bc35cb812f577128867c74c698b59fb603b358cc5545a708feb8dfca223023f81597658053e5317dd1a</hash>

                    <hash alg="SHA3-256">9e45261eff969396b6a3e97a1ad65dced304f77765655c9a72a2904caa137a1e</hash>

                    <hash alg="SHA3-384">fea472f4c2bdee7df208ad3d6a76125ce282a250eb960bc2171297a3ae2e4232b61540132b71b399e8ac6b9d0228113f</hash>

                    <hash alg="SHA3-512">6ed81f58d9039e56d393165bd26c998584e364f7975e33f5c3008ac10d67ed190edcd196c5ce1554e23c4e1271f8aed631e07c3ea0de59a3457891d188e71b67</hash>

                </hashes>

            </tool>

        </tools>

        <component bom-ref="pkg:maven/io.dropwizard/dropwizard-parent@1.3.15" type="library">

            <group>io.dropwizard</group>

            <name>dropwizard-parent</name>

            <version>1.3.15</version>

            <scope>required</scope>

            <licenses>

                <license>

                    <id>Apache-2.0</id>

                    <url>http://www.apache.org/licenses/LICENSE-2.0</url>

                </license>

            </licenses>

            <purl>pkg:maven/io.dropwizard/dropwizard-parent@1.3.15</purl>

        </component>

    </metadata>

       

As you can see from the metadata, this SBOM document contains information about version 2.0.2 of a tool named “CycloneDX Maven plugin” from the vendor CycloneDX. The timestamp shows that the SBOM was created on August 2, 2020, at 9:27 p.m.

    

The document lists Apache as owning the tool’s license and directs viewers to the full text of the Apache License, Version 2.0.

<components>

        <component bom-ref="pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.10?type=jar" type="library">

            <publisher>FasterXML</publisher>

            <group>com.fasterxml.jackson.core</group>

            <name>jackson-annotations</name>

            <version>2.9.10</version>

            <description>

                <![CDATA[Core annotations used for value types, used by Jackson data binding package.]]>

            </description>

            <scope>required</scope>

            <hashes>

                <hash alg="MD5">26c2b6f7bc704ccadc64c83995e0ff7f</hash>

                <hash alg="SHA-1">53ab2f0f92e87ea4874c8c6997335c211d81e636</hash>

                <hash alg="SHA-256">c876f2e85d0f108a34cdd11ccc9d8d7875697367efc75bf10a89c2c26aee994c</hash>

                <hash alg="SHA-384">558025c95151985777def5221719a2f7db7257db584cef8bc72add4d37ab4b5147c3b529462db2327a885564e0222f3e</hash>

                <hash alg="SHA-512">6b1ae1d7036ce2fff81bf8fc2a3a55e4ea7eb081de806ad05301d2eb126bed1dda487027f3ccfa618c488e680e2f5ff22bc3f106e7c0af27b34d327d83083b46</hash>

                <hash alg="SHA3-256">6ebca301e4a201a89630bd7235d27e48a795c7e6fca7727ac08f3cc87e6a5049</hash>

                <hash alg="SHA3-384">db6b4116cb7bd4aa3aa641a4238c421320620a04a9472b5bb4685050a7f80292bcb3e15d6b263dc409e801a2228e6954</hash>

                <hash alg="SHA3-512">8d33540c9df56541a0dca99ca51432a8d0d9642813377c62f6df5602af1c8d04c3d62cf24a9cde5c79fcd63b287de19cfc84ea475f8dd0ca037a72baed3d50ee</hash>

            </hashes>

            <licenses>

                <license>

                    <id>Apache-2.0</id>

                </license>

            </licenses>

            <purl>pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.10?type=jar</purl>

            <externalReferences>

                <reference type="vcs">

                    <url>http://github.com/FasterXML/jackson-annotations</url>

                </reference>

                <reference type="website">

                    <url>http://fasterxml.com/</url>

                </reference>

                <reference type="distribution">

                    <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>

                </reference>

            </externalReferences>

        </component>

     

This section of the dropwizard-1.3.15 SBOM provides more information about the first component listed in the document. In this case, you know that the component is version 2.9.10 of jackson-annotations. It’s an external component that you can find on GitHub’s Jackson. The rest of this SBOM document lists the remaining components the software uses. You can find the full XML document for dropwizard-1.3.15 on GitHub’s FasterXML/jackson-annotations page.

     

Other examples of SBOMs that you can view easily on GitHub include JSON and XML documents for:

• juice-shop-11.1.2
• keycloak-10.0.2
• laravel-7.12.0
• proton-bridge
• protonmail-webclient-vs-0912dff