Software Bill of Materials (SBOM) is becoming essential for most CI/CD pipelines.
SBOM captures an inventory of components that make up the specific project alongside its associated metadata.
However, most complex real-world applications are built as a collection or an assembly of applications — sometimes more than a few layers deep.
For example, A smartphone is a collection of independently built apps on top of an operating system — presumably built as an integration of projects. The third-party apps may invoke functionalities of the first-party apps, which in turn might depend on external services.
There are many choices when it comes to building an SBOM for a complex multi-layer system.
To set best practice guidance on the topic, CISA’s SBOM Tooling and Implementation Working Group just published — Guidance on Assembling a Group of Products”. The two-pager guidance — a must-read — separates REQUIRED and RECOMMENDED guidance and includes a sample of such an assembly.
Given the assembly of independent components is called a software product line, CISA has termed the SBOM Product Line Build SBOM or PLB-SBOM.
PLB-SBOM lists all its components and references individual SBOM for each component using the reference mechanism applicable to the specification ( SPDXRef-
for SPDX and bom-ref
for CycloneDX).
The guidance focuses on preserving SBOM for each component image and using them as a reference to build the final PLB-SBOM.
A PLB-SBOM must include:
In addition, the following information is recommended to be included in the final PLB-SBOM
Hash is recommended to enable cross-checking and may include a common hashing scheme across components.
CISA’s PLB-SBOM is a reasonable start to SBOM for assembled software.
First, retaining and referencing SBOM instead of embedding them directly allows the preservation of validating information such as embedded signatures.
Of course, retaining component SBOMs instead of embedding them is, by definition, lossless.
However, there are known challenges in retaining, referencing and distributing.
sbomasm — Interlynk’s open-source tooling for SBOM assembly focused on embedding SBOM content to avoid the challenges above. However, it will add the ability to build PLB-SBOM with references soon.
Interlynk’s commercial platform is built with both use cases in mind and can produce a PLB-SBOM using references and trigger an auto-generation of SBOM with any changes.
Managing a complex build pipeline without an eye on automation can be error-prone and might seem like a chore. However, with a thoughtful setup, even the most complex software build pipeline can be easily automated for SBOM and associated compliance needs.
Interlynk simplifies security disclosure, makes it straightforward, and automates the process. Feel free to contact us at hello@interlynk.io