IBM has contributed two open source supply chain tools — SBOM Utility and License Scanner — to the Open Worldwide Application Security Project (OWASP) Foundation's CycloneDX Software Bill of Materials (SBOM) standard. The tools will fill two crucial gaps in CycloneDX, which OWASP describes as a "full-stack" BOM standard that provides advanced supply chain risk reduction.
The SBOM is an inventory listing all individual components used in software. The disclosure of the Log4Shell vulnerability in the Log4j library two years ago highlighted how few organizations understood what was inside the software they were running. It isn't enough to know which third-party components, libraries, and frameworks are used directly; organizations also need to know the transitive dependencies those components pull in, since that is where Log4j was hiding for many of them. In response to a series of supply chain attacks, the White House issued Executive Order 14028 in May 2021 (months before the Log4j disclosure), which directs software vendors supplying the federal government to improve the security of their supply chains. One of its requirements is to provide and maintain an SBOM for each product they distribute.
"IBM has been advocating for all developers and organizations creating modern software to begin their journey to create SBOMs," says Jamie Thomas, IBM's general manager of systems strategy and development. "These tools are foundational complements to aid developers in this journey, so they can better understand the potential risks in their software supply chains."
Efforts to standardize the SBOM have accelerated with the sharp rise in software supply chain attacks over the past two years.
CycloneDX is one of two primary SBOM standards; the other is the Linux Foundation's Software Package Data Exchange (SPDX). Proponents of the newer CycloneDX describe it as a more lightweight standard better suited to those seeking a machine-readable way to exchange information. SPDX, initially created for intellectual property and licensing use cases, was published as an international standard (ISO/IEC 5962:2021) in 2021. Both organizations are expanding their respective SBOM standards efforts.
IBM has actively participated in advancing CycloneDX's standards efforts, says Steve Springett, director of product security at ServiceNow and chair of the OWASP's CycloneDX working group.
"Software supply chain security is a topic of board-level discussions," Springett tells Dark Reading. "There are many ways that organizations should improve their software supply chain assurance. And it starts with actually having all the data and more tools to drive more intelligence."
License Scanner Tool Brings Balance With SPDX
The CycloneDX working group has introduced some license scanning capabilities over the years, including base-level support for SPDX license IDs. But CycloneDX's licensing capability has lagged the functionality of SPDX. The addition of IBM's License Scanner fills that void, Springett says.
"It's great that we have a license scanner as part of the project," he says. "Having a dedicated license tool actually will invite more people to the CycloneDX table that we've built."
Brian Fox, co-founder and CTO of AppSec tool provider Sonatype, agrees.
"I think this helps balance things out with CycloneDX on the licensing side," Fox says. "It will provide more building blocks to enable tools in the ecosystem to work better. Being able to more easily add licensed data to your CycloneDX SBOM, if you don't have existing tooling to do that, is a useful utility. Having the ability to validate both formats is also a useful utility."
In an OWASP blog post on Wednesday announcing IBM's contribution, Springett noted that IBM's License Scanner scans files for licenses and legal terms.
"It can be used to help identify text matching licenses and license exceptions from the complete, published SPDX License List," he wrote. "It can also be configured to identify additional legal terms, keywords, aliases, and non-SPDX licenses. As a library, License Scanner is designed to be integrated into existing BOM generation software or may be used by itself as a command-line utility."
SBOM Utility Adds APIs to CycloneDX
Springett described IBM's SBOM Utility as an API platform that can validate CycloneDX- or SPDX-formatted BOMs against their published schemas. It can validate and analyze a variety of BOM types, including hardware (HBOMs) and SaaS (SaaSBOMs). In the future, Springett noted, SBOM Utility will support OWASP's Software Component Verification Standard (SCVS), "which is defining a BOM Maturity Model (BMM) to help in identifying and reducing risk in the software supply chain."
He also noted that SBOM Utility can process Vulnerability Disclosure Report (VDR) and Vulnerability Exploitability eXchange (VEX) documents, formats CycloneDX specifies so that consumers of an SBOM can assess the risk its components carry.
"The SBOM Utility is great because it takes an API approach and allows organizations to slice and dice the CycloneDX data model and all the data in it," Springett says. "If you care about certain aspects of the bill of material, you can quickly query it, which is fantastic. And you can then allow organizations to start creating policy based on the types of data that may or may not exist in that bill of material."
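The workflow described above (checking a CycloneDX BOM's structure, walking its transitive dependencies as discussed earlier in the article, applying a VEX document, and querying the data model to enforce a policy) looks like this in practice. The following is an added example written for this article, not IBM's SBOM Utility or any OWASP code; the SBOM and VEX documents, component names, purl-style bom-refs and the EXAMPLE-* vulnerability ids are all constructed placeholders, and the structural checks are a deliberately small stand-in for validation against the published CycloneDX JSON schema.

```python
"""Added example (not IBM's SBOM Utility): structural checks, transitive
dependency walk, VEX triage and a license policy over a CycloneDX BOM."""
import json
from collections import deque

# Constructed sample CycloneDX 1.5 SBOM: one application, one direct library
# dependency and two transitive ones. All names, versions and refs are made up.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "application", "name": "acme-app", "version": "1.0.0",
                             "bom-ref": "acme-app@1.0.0"}},
  "components": [
    {"type": "library", "name": "web-framework", "version": "4.2.0",
     "bom-ref": "pkg:maven/example/web-framework@4.2.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "logging-core", "version": "2.14.1",
     "bom-ref": "pkg:maven/example/logging-core@2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "yaml-parser", "version": "1.3.0",
     "bom-ref": "pkg:maven/example/yaml-parser@1.3.0"}
  ],
  "dependencies": [
    {"ref": "acme-app@1.0.0", "dependsOn": ["pkg:maven/example/web-framework@4.2.0"]},
    {"ref": "pkg:maven/example/web-framework@4.2.0",
     "dependsOn": ["pkg:maven/example/logging-core@2.14.1", "pkg:maven/example/yaml-parser@1.3.0"]},
    {"ref": "pkg:maven/example/logging-core@2.14.1", "dependsOn": []},
    {"ref": "pkg:maven/example/yaml-parser@1.3.0", "dependsOn": []}
  ]
}'''

# Constructed CycloneDX VEX document. EXAMPLE-* ids are placeholders, not real advisories.
VEX_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:maven/example/logging-core@2.14.1"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:maven/example/yaml-parser@1.3.0"}],
     "analysis": {"state": "in_triage"}}
  ]
}'''

# VEX analysis states that close out a finding; anything else (exploitable,
# in_triage, or no analysis at all) still needs attention.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def load_sample_sbom():
    return json.loads(SBOM_JSON)


def load_sample_vex():
    return json.loads(VEX_JSON)


def structural_errors(bom):
    """Minimal structural checks standing in for schema validation: required
    top-level fields, bomFormat, and no dangling refs in the dependency graph."""
    errors = []
    for key in ("bomFormat", "specVersion", "components", "dependencies"):
        if key not in bom:
            errors.append(f"missing top-level field: {key}")
    if bom.get("bomFormat") != "CycloneDX":
        errors.append("bomFormat must be 'CycloneDX'")
    known = {c.get("bom-ref") for c in bom.get("components", [])}
    known.add(bom.get("metadata", {}).get("component", {}).get("bom-ref"))
    for dep in bom.get("dependencies", []):
        for ref in [dep.get("ref")] + list(dep.get("dependsOn", [])):
            if ref not in known:  # a dangling ref makes any policy built on the graph untrustworthy
                errors.append(f"dependency entry references unknown bom-ref: {ref}")
    return errors


def transitive_dependencies(bom, root_ref):
    """Breadth-first walk of dependencies[] from root_ref; returns every bom-ref
    reachable from it (direct and transitive), tolerating cycles."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, queue = set(), deque(graph.get(root_ref, []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(graph.get(ref, []))
    return sorted(seen)


def actionable_vulnerabilities(bom, vex, root_ref):
    """Ids of VEX entries that affect something in root_ref's dependency closure
    and whose analysis state does not close them out."""
    in_tree = set(transitive_dependencies(bom, root_ref)) | {root_ref}
    actionable = []
    for vuln in vex.get("vulnerabilities", []):
        affected = {a.get("ref") for a in vuln.get("affects", [])}
        state = vuln.get("analysis", {}).get("state")
        if affected & in_tree and state not in CLOSED_STATES:
            actionable.append(vuln["id"])
    return sorted(actionable)


def policy_violations(bom):
    """Policy query: every library component must declare at least one SPDX license id."""
    violations = []
    for comp in bom.get("components", []):
        ids = [entry.get("license", {}).get("id") for entry in comp.get("licenses", [])]
        if comp.get("type") == "library" and not any(ids):
            violations.append(comp["bom-ref"])
    return violations


if __name__ == "__main__":
    sbom, vex = load_sample_sbom(), load_sample_vex()
    root = sbom["metadata"]["component"]["bom-ref"]
    print("structural errors:", structural_errors(sbom))
    print("transitive deps:", transitive_dependencies(sbom, root))
    print("actionable vulns:", actionable_vulnerabilities(sbom, vex, root))
    print("policy violations:", policy_violations(sbom))
```

The policy step is the point Springett makes: once the BOM is parsed into a queryable model, "which library components lack a license id" or "which open VEX findings touch something we actually ship" become one-line queries, and the absence of data (here, yaml-parser has no licenses entry at all) is itself a finding. The VEX join also shows why the structural check matters first: a vulnerability entry pointing at a bom-ref that the SBOM never declares would silently drop out of the closure and never be reported.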
While IBM initially built SBOM Utility and License Scanner for its use, the company has not said whether it plans to release commercial versions.