Software Bill of Materials (SBOM) Attestations are artefacts that document and communicate your compliance with standards and regulations for managing software dependencies. They may be requested by your customers or auditors as part of their vendor compliance assessments.
There are two alternative SBOM artefacts used by the industry: CycloneDX and SPDX.
Both of these standards are designed to be machine readable so that attestations can be easily integrated into governance, risk and compliance management systems.
CycloneDX is a standard published as ECMA-424, together with a set of tools developed by the OWASP community.
CycloneDX is typically better supported across programming languages, so we recommend using CycloneDX whenever possible. Dependency-Track requires a CycloneDX file, which can be generated with a CycloneDX generation tool or converted from an SPDX file using cyclonedx-cli.
The specification covers the following features, and more:
- Dependencies and their relationships, licenses, version numbers, etc. See our example CycloneDX SBOM that we generated for our Rust support tests.
- An inventory of services, endpoints, data flows and classifications for a SaaS application.
- Cryptographic assets and their dependencies.
- Vulnerability Disclosure Reports (VDR): vulnerability data about systems and software, including their source, references, severity, risk ratings, versions, details, and recommendations. These can be ingested by vulnerability management tools as part of a SOC's toolchain.
- Vulnerability Exploitability eXchange (VEX): a subset of VDR that allows software vendors to communicate the exploitability status of vulnerabilities.
- CycloneDX Attestations: machine-readable attestations of security and compliance claims, with evidence.
- A standardized machine-readable release notes format.
CycloneDX SBOM attestation is done by cryptographically signing the SBOM. The JSON SBOM format has no signature field, so signing produces a separate (detached) signature file that the recipient validates against the SBOM. It requires an RSA public/private keypair.
```shell
# Generate private key
$ openssl genrsa -out [RSA_PEM_private_key] 2048

# Generate public key
$ openssl rsa -in [RSA_PEM_private_key] \
    -outform PEM \
    -pubout -out [RSA_PEM_public_key]
```

```shell
$ cyclonedx sign file [bom.json] --key-file [RSA_PEM_private_key]

# OR

$ openssl dgst -sha256 -sign [RSA_PEM_private_key] \
    -out [bom.json.sig] [bom.json]
```
You then provide the bom.json, bom.json.sig and RSA_PEM_public_key files to the parties that need to consume the SBOM.
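The consumer-side check that the steps above imply, as an added example that is not part of the original documentation: it builds a constructed minimal bom.json, signs it with the openssl variant shown, verifies it with only the public key, and confirms that a one-byte change to the SBOM is rejected. File names stand in for the page's placeholders; the SBOM content is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not the page's own code): produce and verify a detached
# SHA-256 RSA signature over a CycloneDX SBOM, then reject a tampered copy.
set -eu

WORKDIR="$(mktemp -d)"
cd "$WORKDIR"

# Constructed minimal CycloneDX document; not a real project's inventory.
cat > bom.json <<'EOF'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    { "type": "library", "name": "serde", "version": "1.0.197",
      "purl": "pkg:cargo/serde@1.0.197" }
  ]
}
EOF

# Producer side: keypair (placeholder file names) and detached signature.
openssl genrsa -out rsa_private.pem 2048 2>/dev/null
openssl rsa -in rsa_private.pem -outform PEM -pubout -out rsa_public.pem 2>/dev/null
openssl dgst -sha256 -sign rsa_private.pem -out bom.json.sig bom.json

# Consumer side: verify with the public key only.
# Args: <bom.json> <bom.json.sig> <public key>. Exit 0 = intact, 1 = mismatch.
verify_sbom() {
  openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

verify_sbom bom.json bom.json.sig rsa_public.pem && echo "bom.json: signature OK"

# Any edit to the signed bytes (here a bumped dependency version) must fail.
sed 's/1\.0\.197/1.0.198/g' bom.json > bom.tampered.json
if verify_sbom bom.tampered.json bom.json.sig rsa_public.pem; then
  echo "bom.tampered.json: tampered SBOM unexpectedly verified"; exit 1
else
  echo "bom.tampered.json: signature REJECTED"
fi
```

Consumers should pin the producer's public key out of band (for example, distributed through a channel other than the SBOM download) so that a substituted bom.json cannot simply ship with a matching substituted key.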
System Package Data Exchange (SPDX) is a standard developed by the Linux Foundation, and is published as ISO/IEC 5962:2021.
SPDX provides a specification for the SBOM, including a list of standard software licenses.
SPDX tooling is not as widely available across programming languages. Because of this, we recommend using CycloneDX for SBOMs.