How to Generate an SBOM With Microsoft’s Open-Source Tool
An SBOM (Software Bill of Materials) helps you understand your software supply chain by listing the packages and vendors that your code relies upon. SBOMs are rapidly gaining momentum as a way to help improve security in the wake of prominent real-world supply chain attacks.
One major proponent of SBOMs is Microsoft, which published its approach to their generation back in October 2021. Earlier this year the company open-sourced its tool for producing SBOMs on Windows, macOS, and Linux.
In this article, you’ll learn how to start using the project to index your code’s dependencies. It produces SPDX-compatible documents that list the files, packages, and relationships within your project. SPDX (Software Package Data Exchange) is the ISO-accepted standard for SBOMs so you can pass generated reports directly into other ecosystem tools.
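Because the generated document is SPDX JSON, downstream checks do not need the generator itself. The following is an added example (not code from the article or from Microsoft's sbom-tool) that parses a constructed SPDX 2.2 JSON document in the layout the tool's output uses, walks the DESCRIBES / DEPENDS_ON / CONTAINS relationships, lists packages with no asserted supplier or download location, and verifies file checksums in the SBOM against hashes observed in a build drop. The sample document and its package names, IDs and hash values are all constructed for the example; only the SPDX field names are real.

```python
"""Inspect an SPDX 2.2 JSON SBOM of the kind sbom-tool emits (added example)."""
import json
from collections import defaultdict

# Constructed sample document in SPDX 2.2 JSON layout. Field names follow the
# SPDX spec; package names, IDs, URLs and checksum values are made up.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app 1.0.0",
    "documentNamespace": "https://example.invalid/spdx/example-app/1.0.0",
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "example-app", "versionInfo": "1.0.0",
         "supplier": "Organization: Example Corp", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-A", "name": "left-pad", "versionInfo": "1.3.0",
         "supplier": "Person: someone", "downloadLocation": "https://example.invalid/left-pad-1.3.0.tgz"},
        {"SPDXID": "SPDXRef-Package-B", "name": "mystery-lib", "versionInfo": "2.0.1",
         "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-1", "fileName": "./bin/app.dll",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-A"},
        {"spdxElementId": "SPDXRef-Package-A", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-B"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-File-1"},
    ],
})


def load_sbom(text):
    """Parse SPDX JSON into (doc, packages-by-id, files-by-id, relationship edges)."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    files = {f["SPDXID"]: f for f in doc.get("files", [])}
    # edges[(source id, relationship type)] -> list of target ids
    edges = defaultdict(list)
    for rel in doc.get("relationships", []):
        edges[(rel["spdxElementId"], rel["relationshipType"])].append(rel["relatedSpdxElement"])
    return doc, packages, files, edges


def root_packages(doc, edges):
    """IDs of the packages the document DESCRIBES (the thing that was built)."""
    return list(edges[(doc["SPDXID"], "DESCRIBES")])


def transitive_dependencies(edges, start):
    """Depth-first walk over DEPENDS_ON edges; cycle-safe, returns IDs in discovery order."""
    seen, order, stack = set(), [], [start]
    while stack:
        node = stack.pop()
        for dep in edges[(node, "DEPENDS_ON")]:
            if dep not in seen:
                seen.add(dep)
                order.append(dep)
                stack.append(dep)
    return order


def unattributed_packages(packages, exclude=()):
    """Names of packages with no asserted supplier or download location.

    These are the entries a reviewer cannot trace back to a vendor, so they are
    the first ones to chase up. Root packages are normally excluded."""
    return sorted(
        p["name"] for pid, p in packages.items()
        if pid not in exclude and (
            p.get("supplier", "NOASSERTION") == "NOASSERTION"
            or p.get("downloadLocation", "NOASSERTION") == "NOASSERTION")
    )


def verify_files(files, observed_sha256):
    """Compare the SBOM's SHA256 entries with {fileName: hex digest} observed in a drop.

    Returns file names that are missing from the observation or whose hash differs."""
    problems = []
    for f in files.values():
        sums = {c["algorithm"]: c["checksumValue"] for c in f.get("checksums", [])}
        expected, actual = sums.get("SHA256"), observed_sha256.get(f["fileName"])
        if expected is None or actual is None or expected.lower() != actual.lower():
            problems.append(f["fileName"])
    return sorted(problems)


def summarize(text, observed_sha256):
    """Run every check and return a plain dict a CI step could log or gate on."""
    doc, packages, files, edges = load_sbom(text)
    roots = root_packages(doc, edges)
    deps = [packages[d]["name"] for r in roots for d in transitive_dependencies(edges, r)]
    return {
        "roots": [packages[r]["name"] for r in roots],
        "dependencies": deps,
        "unattributed": unattributed_packages(packages, exclude=roots),
        "checksum_problems": verify_files(files, observed_sha256),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SPDX, {"./bin/app.dll": "ab" * 32}), indent=2))
```

In a pipeline the `observed_sha256` map would be built by hashing the files in the build drop that the SBOM was generated from; feeding the tool's real output into `summarize` is a one-line change because the field names are the SPDX ones.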
Microsoft originally announced the project under the name Salus. It’s since retreated from this term because it conflicts with the existing Salus code security project which originated at Coinbase. The SBOM generator is now referred to simply as sbom-tool.
You can download SBOM Tool from Microsoft’s…