Generating Software Bills of Materials (SBOMs) with SPDX at Microsoft

Adrian Diglio

Software Bills of Materials (SBOMs) are useful to producers and consumers of software, providing software transparency, software integrity, and software identity benefits. In this post, In this post, Adrian Diglio walks us through how Microsoft is planning to generate SBOMs not just to meet the U.S. Presidential Executive Order on Improving the Nation's Cybersecurity, but for all software that Microsoft produces.

Microsoft

•

Adrian Diglio

•6 min read•intermediate•

--

•View Original

JSONRust

Overview

The article discusses Microsoft's approach to generating Software Bills of Materials (SBOMs) using the Software Package Data Exchange (SPDX) standard, in response to the U.S. Presidential Executive Order on cybersecurity. It outlines the benefits of SBOMs, the design of compliant SBOMs, and the implementation strategy for generating them at scale across Microsoft's engineering systems.

What You'll Learn

1

How to generate Software Bills of Materials (SBOMs) using SPDX

2

Why SBOMs are essential for software transparency and integrity

3

When to implement SBOM generation in CI/CD pipelines

Key Questions Answered

What are the benefits of using SBOMs in software development?

SBOMs provide software transparency by listing all components used in software, enhancing software integrity through checksums for validation, and improving software identity by accurately identifying software with unique IDs. This helps in managing license and vulnerability risks effectively.

How does Microsoft plan to implement SBOM generation at scale?

Microsoft plans to implement SBOM generation by designing tooling for automation at build time, producing SBOMs for all official builds, and leveraging existing CI/CD capabilities to integrate SBOM generation into build pipelines, aiming for it to be 'on by default'.

What fields are included in Microsoft's SBOMs to comply with the executive order?

Microsoft's SBOMs include mandatory fields such as Supplier Name, Component Name, Version of the Component, and others, mapped to the SPDX 2.2.1 standard. This ensures compliance with the NTIA's minimum field requirements for SBOMs.

How does Microsoft ensure the integrity of SBOMs during the release process?

Microsoft validates the hashes of all files listed in the SBOM against the build drop and checks the digital signature of the SBOM. If any discrepancies are found, the deployment is blocked, ensuring that no tampering occurs between build and release.

Key Statistics & Figures

Average daily builds at Microsoft

500,000

This statistic highlights the scale at which Microsoft operates and the importance of efficient SBOM generation.

Technologies & Tools

Standard

Spdx

Used for generating Software Bills of Materials (SBOMs) to ensure compliance with cybersecurity standards.

Key Actionable Insights

1
Incorporate SBOM generation into your CI/CD pipeline to enhance software security.
By automating SBOM generation during the build process, you can ensure that every release is accompanied by a comprehensive inventory of software components, which is critical for vulnerability management.

2
Mandate the inclusion of specific fields in SBOMs to improve compliance and transparency.
By requiring fields like Supplier Name and Package Version, you can enhance the traceability of software components, making it easier to manage licenses and vulnerabilities.

3
Utilize checksums in SBOMs to validate software integrity effectively.
Implementing checksums allows consumers to verify the authenticity of software components, providing an additional layer of security in software supply chains.

Common Pitfalls

1

Failing to include all mandatory fields in SBOMs can lead to compliance issues.

Without the required fields, SBOMs may not meet regulatory standards, which can result in legal and operational risks.