{"id":495005,"date":"2022-09-22T03:48:07","date_gmt":"2022-09-22T00:48:07","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-generate-an-sbom-with-microsofts-open-source-tool\/"},"modified":"2022-09-22T03:48:07","modified_gmt":"2022-09-22T00:48:07","slug":"how-to-generate-an-sbom-with-microsofts-open-source-tool","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-generate-an-sbom-with-microsofts-open-source-tool\/","title":{"rendered":"#How to Generate an SBOM With Microsoft\u2019s Open-Source Tool"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9CHow_to_Generate_an_SBOM_With_Microsofts_Open-Source_Tool%E2%80%9D\"><\/span>&#8220;How to Generate an SBOM With Microsoft\u2019s Open-Source Tool&#8221;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div>\n<figure style=\"width: 1200px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage size-full wp-image-819317\" data-pagespeed-no-defer=\"\" 
src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/07\/shutterstock_1931714906.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1200\" height=\"675\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/document-management-concept-icons-on-virtual-1931714906\">Shutterstock.com\/Song_about_summer<\/a><\/span><\/figcaption><\/figure>\n<p>An SBOM (Software Bill of Materials) helps you understand your software supply chain by listing the packages and vendors that your code relies upon. SBOMs are rapidly gaining momentum as a way to help improve security in the wake of prominent real-world supply chain attacks.<\/p>\n<p>One major proponent of SBOMs is Microsoft, which published its approach to their generation <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/click.linksynergy.com\/deeplink?id=2QzUaswX1as&amp;mid=24542&amp;u1=htg\/819316|xid:{xid}&amp;murl=https%3A%2F%2Fdevblogs.microsoft.com%2Fengineering-at-microsoft%2Fgenerating-software-bills-of-materials-sboms-with-spdx-at-microsoft&amp;___trxnet=ls\">back in October 2021<\/a>. Earlier this year the company <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/click.linksynergy.com\/deeplink?id=2QzUaswX1as&amp;mid=24542&amp;u1=htg\/819316|xid:{xid}&amp;murl=https%3A%2F%2Fdevblogs.microsoft.com%2Fengineering-at-microsoft%2Fmicrosoft-open-sources-salus-software-bill-of-materials-sbom-generation-tool&amp;___trxnet=ls\">open-sourced its tool<\/a> for producing SBOMs on Windows, macOS, and Linux.<\/p>\n<p>In this article, you\u2019ll learn how to start using the project to index your code\u2019s dependencies. 
It produces SPDX-compatible documents that list the files, packages, and relationships within your project. SPDX (Software Package Data Exchange) is the ISO-accepted standard for SBOMs so you can pass generated reports directly into other ecosystem tools.<\/p>\n<p>Microsoft originally announced the project under the name Salus. It\u2019s since <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/microsoft\/sbom-tool\/issues\/59\">retreated from this term<\/a> because it conflicts with the existing <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/coinbase\/salus\">Salus code security project<\/a> which originated at Coinbase. The SBOM generator is now referred to simply as <code>sbom-tool<\/code>.<\/p>\n<h2 id=\"getting-started\"><span class=\"ez-toc-section\" id=\"Getting_Started\"><\/span>Getting Started<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can download SBOM Tool from Microsoft\u2019s <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/microsoft\/sbom-tool\">GitHub repository<\/a>. Precompiled binaries are available <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/microsoft\/sbom-tool\/releases\">on the releases page<\/a>. 
Select the right download for your system, then make the binary executable and move it to a location in your path.<\/p>\n<p>Here\u2019s an example for Linux:<\/p>\n<pre>$ wget https:\/\/github.com\/microsoft\/sbom-tool\/releases\/download\/v&lt;VERSION&gt;\/sbom-tool-linux-x64&#13;\n$ chmod +x sbom-tool-linux-x64&#13;\n$ mv sbom-tool-linux-x64 \/usr\/local\/bin\/sbom-tool<\/pre>\n<p>You should be able to run <code>sbom-tool<\/code> to display the help information in your terminal window:<\/p>\n<pre>$ sbom-tool&#13;\nNo action was specified&#13;\n&#13;\nThe Sbom tool generates a SBOM for any build artifact.&#13;\n&#13;\nUsage - Microsoft.Sbom.Tool &lt;action&gt; -options<\/pre>\n<h2 id=\"generating-an-sbom\"><span class=\"ez-toc-section\" id=\"Generating_an_SBOM\"><\/span>Generating an SBOM<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>New SBOMs are created by running the tool\u2019s <code>generate<\/code> sub-command. A few arguments need to be supplied:<\/p>\n<ul>\n<li><code>-b<\/code> (<code>BuildDropPath<\/code>) \u2013 The folder to save the generated SPDX SBOM manifests to.<\/li>\n<li><code>-bc<\/code> (<code>BuildComponentPath<\/code>) \u2013 The folder that will be scanned to find the dependencies in your project.<\/li>\n<li><code>-nsb<\/code> (<code>NamespaceUriBase<\/code>) \u2013 The base path that will be used as the SBOM manifest\u2019s namespace. This should be a URL that\u2019s owned by your organization, such as <code>https:\/\/example.com\/sbom<\/code>.<\/li>\n<\/ul>\n<p>SBOM Tool also needs to know your project\u2019s name and version. It can often infer this from files already in your repository, such as the <code>package.json<\/code> <code>name<\/code> and <code>version<\/code> fields, but you might need to provide the information manually or override the defaults in some cases. 
Add the <code>pn<\/code> and <code>pv<\/code> flags to do this:<\/p>\n<ul>\n<li><code>-pn<\/code> (<code>PackageName<\/code>) \u2013 The name of your project or package.<\/li>\n<li><code>-pv<\/code> (<code>PackageVersion<\/code>) \u2013 The project version that you\u2019re scanning. This should match the release version that your SBOM accompanies so users can correlate dependency lists with specific builds.<\/li>\n<\/ul>\n<p>Here\u2019s an example of generating an SBOM for the files in your working directory. The SBOM will be placed into the <code>sbom-output<\/code> subdirectory. This needs to exist before you run the tool.<\/p>\n<pre>$ mkdir sbom-output&#13;\n$ sbom-tool generate -b sbom-output -bc . -pn example -pv 1.0 -nsb https:\/\/example.com\/sbom<\/pre>\n<p>An overview of the scan results will be shown in your terminal:<\/p>\n<pre>[INFO] Enumerated 3728 files and 607 directories in 00:00:00.5938034 &#13;\n&#13;\n[INFO] |Component Detector Id         |Detection Time                |# Components Found            |# Explicitly Referenced                 | &#13;\n...&#13;\n[INFO] |Npm                           |0.63 seconds                  |241                           |0                                       | &#13;\n...&#13;\n[INFO] |Total                         |0.64 seconds                  |241                           |0                                       | &#13;\n&#13;\n[INFO] Detection time: 0.6374678 seconds.<\/pre>\n<p>This project uses npm to manage its dependencies. The tool detected 241 packages inside the working directory\u2019s <code>package.json<\/code> file.<\/p>\n<p>SBOM Tool currently supports 19 different programming languages and package formats. 
The <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/click.linksynergy.com\/deeplink?id=2QzUaswX1as&amp;mid=24542&amp;u1=htg\/819316|xid:{xid}&amp;murl=https%3A%2F%2Fdevblogs.microsoft.com%2Fengineering-at-microsoft%2Fmicrosoft-open-sources-salus-software-bill-of-materials-sbom-generation-tool&amp;___trxnet=ls\">list includes<\/a> npm, NuGet, PyPI, Maven, Rust Crates, and Ruby gems, as well as Linux packages present in Docker images. References to remote GitHub repositories are also supported.<\/p>\n<h2 id=\"sbom-contents\"><span class=\"ez-toc-section\" id=\"SBOM_Contents\"><\/span>SBOM Contents<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The generated SBOM will be written to <code>_manifest\/spdx_2.2\/manifest.spdx.json<\/code> inside the build output directory that you specified. The SBOM is a fairly verbose JSON file that\u2019s intended to be consumed by other software.<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"json\">\n<pre class=\"de1\">{&#13;\n  \"files\": [],&#13;\n  \"packages\": [&#13;\n    {&#13;\n      \"name\": \"color-convert\",&#13;\n      \"SPDXID\": \"SPDXRef-Package-A72B0922E46D9828746F346D7FD11B7F81EDEB15B92BEEDAE087F5F7407FECDC\",&#13;\n      ...&#13;\n    }<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>There are four main types of information within the report:<\/p>\n<ul>\n<li><strong>The <code>files<\/code> section<\/strong> \u2013 This lists all the files containing source code you\u2019ve written in your project. 
SBOM Tool will only populate this section when certain project types are scanned, such as C# solutions.<\/li>\n<li><strong>The <code>packages<\/code> section<\/strong> \u2013 A complete catalog of all the third-party dependencies present in your project, with references to their source package manager, the version used, and the type of license that applies.<\/li>\n<li><strong>The <code>relationships<\/code> section<\/strong> \u2013 This details all the relationships between the components listed in the SBOM. The most common relationship you\u2019ll see is <code>DEPENDS_ON<\/code>, which declares an item in the <code>packages<\/code> section as one of your project\u2019s dependencies. Several other <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/spdx.github.io\/spdx-spec\/v2-draft\/relationships-between-SPDX-elements\">kinds of relationship<\/a> also exist, such as <code>CREATED_BY<\/code>, <code>DEPENDENCY_OF<\/code>, and <code>PATCH_FOR<\/code>.<\/li>\n<\/ul>\n<p>Now that you\u2019ve got an SBOM, you can start using it with other tools to conduct vulnerability scans and manage license compliance. You can consider distributing the SBOM with your software releases so consumers are able to inspect the contents of each new version. SBOMs are best generated as part of your build pipeline so they stay up to date.<\/p>\n<p>Having access to an SBOM is invaluable when major new supply chain problems appear. Organizations using SBOMs were better placed to respond to Log4j, for example. 
They could inspect their reports to quickly find projects depending on the vulnerable library, instead of auditing package lists by hand.<\/p>\n<h2 id=\"scanning-docker-images\"><span class=\"ez-toc-section\" id=\"Scanning_Docker_Images\"><\/span>Scanning Docker Images<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>SBOM Tool is capable of scanning existing Docker images as part of a report generation. To use this capability, you need to add the <code>-di<\/code> flag and specify the image tag or digest that you want to scan. The rest of the arguments stay the same.<\/p>\n<pre>$ sbom-tool generate -di ubuntu:latest -b sbom-output -bc . -pn demo -pv 1.0 -nsb https:\/\/demo.com\/demo<\/pre>\n<p>The Docker image will be analyzed to identify the packages it includes. They\u2019ll be added to the SBOM report alongside the dependencies found in your source folder. You can scan multiple Docker images in a single operation by separating their tags or digest hashes with commas.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>SBOM Tool is a young open-source SBOM generation utility developed at Microsoft. It supports several leading package formats and produces SPDX-compatible output. This means you can feed generated SBOMs straight into other tools like Grype to automatically find security vulnerabilities and outdated dependencies.<\/p>\n<p>SBOMs are an effective way to increase awareness of software supply chains and uncover lurking issues. Producing and distributing an SBOM helps users understand what\u2019s being silently included in their project. 
SBOM Tool is one way to generate industry-standard reports with a single command, making it easier to offer an SBOM with each of your releases.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/devops\/how-to-generate-an-sbom-with-microsofts-open-source-tool\/\" target=\"_blank\" 
rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;How to Generate an SBOM With Microsoft\u2019s Open-Source Tool&#8221; Shutterstock.com\/Song_about_summer An SBOM (Software Bill of Materials) helps you understand your software supply chain by listing the packages and vendors that your code relies upon. SBOMs are rapidly gaining momentum as a way to help improve security in the wake of prominent real-world supply chain attacks&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":495006,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/07\/shutterstock_1931714906.jpg?height=200p&trim=2,2,2,2","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-495005","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/495005","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=495005"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/495005\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/495006"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=495005"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=495005"},{"taxonomy":"post_tag","embeddable"
:true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=495005"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}