When It Comes to SBOMs, Do You Know the Ingredients in Your Ingredients?

Transitive dependencies can complicate the process of developing software bills of materials.

Donald Fischer, CEO & Co-Founder, Tidelift

July 1, 2022

3 Min Read
Person pointing at check mark, indicating security.
Source: Anna Berkut via Alamy Stock Photo

If you're building software applications, you're familiar — or should be familiar — with SBOMs, or software bills of materials. Think of an SBOMs as a list of ingredients in your application. The urgency for organizations to create and maintain accurate SBOMs has increased in the wake of recent software supply chain vulnerabilities such as Log4Shell and Spring4Shell. What's more, if you do business with the US government, an accurate and up-to-date SBOM is now a requirement, based on the May 2021 Executive Order issued by the White House in response to the far-reaching repercussions of the SolarWinds attack.

According to Gartner, "by 2025, 60% of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice, up from less than 20% in 2022." Gartner also acknowledges that "keeping software bills of materials (SBOMs) data in sync with corresponding software artifacts presents a key challenge."1

Are organizations keeping pace with such market dynamics? A recent Tidelift survey shows that only 37% of organizations are aware of new government software supply chain requirements around security and SBOMs. Of these organizations, only 20% are using SBOMs for most or all applications today.

However, change is coming quickly: The vast majority of organizations — 78% — are either already using SBOMs in at least some applications or have plans to do so in the next year, according to the survey.

Open Source Complicates SBOM Matters

Developing SBOMs can be challenging, but if you are using open source components in your applications — as most modern software development teams do — then the process for building an SBOM and keeping it up to date becomes even more complex because of the impact of transitive dependencies.

Open source components that other open source components rely on, transitive dependencies can be difficult to track down. For example, many organizations affected by Log4Shell weren't immediately aware of their exposure because it came through transitive dependencies. It is therefore critical that your SBOM identifies not only direct open source dependencies but also transitive dependencies.

In addition, because developers are constantly committing code to deliver enhanced functionality to applications, it is critical that SBOMs are dynamic, capturing changes to the open source components up and down the open source software supply chain.

Conclusion: Get a Handle on SBOMs

To ensure the integrity of software supply chains, the use of SBOMs will become more common — and will often be required. To ensure that your organization is delivering accurate and up-to-date SBOMs for the applications it develops and delivers, it's important to get a handle not just on your list of ingredients, but also the ingredients your ingredients are using.

1 Gartner, "Innovation Insight for SBOMs," Manjunath Bhat, Dale Gardner, Mark Horvath, 14 February 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

About the Author(s)

Donald Fischer

CEO & Co-Founder, Tidelift

Donald Fischer is co-founder and CEO of Tidelift. Previously, he was a product manager and executive at Red Hat, and an investor and board member at over a dozen open source software startups.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights