# SBOM Management

## What is an SBOM?

A Software Bill of Materials (SBOM) is a detailed inventory of all components in a software application. It enables vulnerability tracking, license compliance, and supply chain risk management.
## SBOM Generation

Generate SBOMs in SPDX or CycloneDX format:

```bash
# Generate SBOM with Syft
syft packages myapp:latest -o cyclonedx-json > sbom.cyclonedx.json
syft packages myapp:latest -o spdx-json > sbom.spdx.json
syft dir:./src -o cyclonedx-json > src-sbom.json

# Generate SBOMs from language-specific lockfiles
syft packages package-lock.json -o cyclonedx-json
syft packages requirements.txt -o cyclonedx-json
syft packages go.sum -o cyclonedx-json
```
```python
# Programmatic SBOM generation
import json
from datetime import datetime, timezone


def generate_sbom(packages, metadata):
    """Build a minimal CycloneDX 1.5 document from a list of package dicts.

    Each package needs "name" and "version"; "purl", "licenses" and
    "supplier" are optional.
    """
    sbom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            # Timezone-aware UTC timestamp in ISO 8601 form (trailing Z)
            "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "tools": [{"name": "custom-bom-generator", "version": "1.0"}],
            "component": {
                "type": "application",
                "name": metadata["name"],
                "version": metadata["version"]
            }
        },
        "components": []
    }
    for pkg in packages:
        component = {
            "type": "library",
            "name": pkg["name"],
            "version": pkg["version"],
            "licenses": pkg.get("licenses", [])
        }
        # Only emit optional fields that are actually known: a null purl fails
        # schema validation and an empty supplier object adds nothing.
        if pkg.get("purl"):
            component["purl"] = pkg["purl"]
        if pkg.get("supplier"):
            component["supplier"] = pkg["supplier"]
        sbom["components"].append(component)
    return sbom


if __name__ == "__main__":
    print(json.dumps(generate_sbom(
        [{"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}],
        {"name": "myapp", "version": "1.0.0"}), indent=2))
```
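The generator above expects a list of package dicts with a purl on each entry; where that list comes from is left open. As an added example (not code from the original page), the following parses a pinned `requirements.txt` into exactly that shape, building a `pkg:pypi/...` package URL per line and reporting lines that are not pinned to an exact version, since an unpinned requirement cannot be inventoried with a definite version. The sample requirements text is constructed for the example; the function names `parse_requirements`, `pypi_purl` and `normalize_name` are this example's own.

```python
# Added example (not from the original page): turn a pinned requirements.txt
# into the package dicts that a generate_sbom()-style builder expects, with a
# package URL (purl) for each entry so the SBOM can later be matched against
# vulnerability databases.
import re
from urllib.parse import quote

# Constructed sample input: a pinned requirements file with comments, blank
# lines, extras, an environment marker, a trailing comment and one unpinned line.
SAMPLE_REQUIREMENTS = """\
# production dependencies
requests==2.31.0
Django[argon2]==4.2.7 ; python_version >= "3.8"
urllib3==1.26.18   # pinned for compatibility

# not pinned to an exact version: skipped and reported
pyyaml>=6.0
"""

# name, optional [extras], then an exact "==" pin; markers and comments after
# the version are ignored
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def normalize_name(name):
    # PyPI names are case-insensitive and treat '-', '_' and '.' alike (PEP 503)
    return re.sub(r"[-_.]+", "-", name).lower()


def pypi_purl(name, version):
    # purl form for PyPI: pkg:pypi/<normalized name>@<version>, percent-encoded
    return f"pkg:pypi/{quote(normalize_name(name), safe='')}@{quote(version, safe='')}"


def parse_requirements(text):
    """Return (packages, skipped).

    packages: dicts with name/version/purl, usable as generate_sbom() input.
    skipped: lines that are not exact pins and so have no definite version.
    """
    packages, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _PIN_RE.match(line)
        if not match:
            skipped.append(line)
            continue
        name, _extras, version = match.groups()
        packages.append({
            "name": normalize_name(name),
            "version": version,
            "purl": pypi_purl(name, version),
        })
    return packages, skipped


if __name__ == "__main__":
    pkgs, skipped = parse_requirements(SAMPLE_REQUIREMENTS)
    for p in pkgs:
        print(p["purl"])
    print("skipped (no exact pin):", skipped)
```

The skipped list is worth surfacing in CI: an SBOM silently generated from a partially pinned manifest looks complete but is not, which is exactly the gap the completeness rules in the next section are meant to catch.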
## SBOM Verification

Verify SBOM integrity and completeness:

```yaml
# sbom-verification-pipeline.yaml
verification_steps:
  - name: validate_format
    tool: cyclonedx-cli
    command: cyclonedx validate --input-file sbom.cyclonedx.json
  - name: check_completeness
    rules:
      - all_packages_have_version: true
      - all_packages_have_purl: true
      - license_information_present: true
      - dependency_graph_complete: true
  - name: verify_signature
    tool: cosign
    command: cosign verify-blob --key cosign.pub --signature sbom.cyclonedx.json.sig sbom.cyclonedx.json
```
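The `check_completeness` step lists four rules but no tool that evaluates them. As an added example (not code from the original page or any particular pipeline tool), here are those four rules implemented over a CycloneDX JSON document: version, purl and licence presence per component, and a dependency-graph check that every `ref`/`dependsOn` points at a known `bom-ref` and every component appears in the graph. The sample SBOM is constructed with deliberate gaps so each rule has something to report; the CycloneDX 1.5 JSON layout (`components[]`, `dependencies[]` with `ref` and `dependsOn`) is the assumed structure.

```python
# Added example (not from the original page): the completeness rules from the
# verification pipeline, implemented as checks over a CycloneDX JSON document.
import json

# Constructed sample SBOM with deliberate gaps: lib-c lacks a version, purl and
# licence; the dependency graph omits lib-c and references an unknown bom-ref.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "myapp", "bom-ref": "app"}},
  "components": [
    {"type": "library", "bom-ref": "lib-a", "name": "lib-a", "version": "1.0.0",
     "purl": "pkg:pypi/lib-a@1.0.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "lib-b", "name": "lib-b", "version": "2.3.1",
     "purl": "pkg:pypi/lib-b@2.3.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "lib-c", "name": "lib-c", "version": ""}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
    {"ref": "lib-a", "dependsOn": ["lib-ghost"]}
  ]
}
""")


def check_completeness(sbom):
    """Return {rule_name: [finding, ...]}; an empty list means the rule passed."""
    components = sbom.get("components", [])
    problems = {
        "all_packages_have_version": [],
        "all_packages_have_purl": [],
        "license_information_present": [],
        "dependency_graph_complete": [],
    }
    for c in components:
        label = f"{c.get('name', '?')}@{c.get('version', '')}"
        if not c.get("version"):
            problems["all_packages_have_version"].append(label)
        if not c.get("purl"):
            problems["all_packages_have_purl"].append(label)
        if not c.get("licenses"):
            problems["license_information_present"].append(label)

    # Dependency graph: every ref in the graph must be a known component (or the
    # root component from metadata), and every component must appear in the graph.
    known = {c.get("bom-ref") for c in components if c.get("bom-ref")}
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        known.add(root)
    seen = set()
    for dep in sbom.get("dependencies", []):
        for ref in [dep.get("ref")] + dep.get("dependsOn", []):
            seen.add(ref)
            if ref not in known:
                problems["dependency_graph_complete"].append(f"unknown ref {ref}")
    for c in components:
        ref = c.get("bom-ref")
        if ref and ref not in seen:
            problems["dependency_graph_complete"].append(f"{ref} not in graph")
    return problems


def is_complete(sbom):
    # True only when every rule produced no findings
    return all(not findings for findings in check_completeness(sbom).values())


if __name__ == "__main__":
    for rule, findings in check_completeness(SAMPLE_SBOM).items():
        print(f"{rule}: {'PASS' if not findings else 'FAIL ' + ', '.join(findings)}")
```

A dangling `dependsOn` reference usually means a generator emitted a partial graph; a component absent from the graph is the more dangerous case, because nothing records how that dependency was pulled in, which is exactly the question asked during incident response.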
## Vulnerability Correlation

Correlate SBOM components with known vulnerabilities:

```python
import requests


class SBOMVulnerabilityCorrelator:
    def __init__(self, timeout=10):
        self.osv_api = "https://api.osv.dev/v1/query"
        self.timeout = timeout

    def correlate(self, sbom):
        vulnerabilities = []
        for component in sbom["components"]:
            purl = component.get("purl")
            if not purl:
                # Without a package URL there is no reliable way to match
                continue
            # Query the OSV database by purl and version
            response = requests.post(self.osv_api, json={
                "package": {"purl": purl},
                "version": component["version"]
            }, timeout=self.timeout)
            if response.status_code != 200:
                continue
            for vuln in response.json().get("vulns", []):
                # OSV "severity" is a list of {"type", "score"} entries and may be
                # empty or absent; "score" is a CVSS vector string, not a number
                severity = vuln.get("severity") or []
                vulnerabilities.append({
                    "component": component["name"],
                    "version": component["version"],
                    "vuln_id": vuln["id"],
                    "severity": severity[0].get("score", "unknown") if severity else "unknown",
                    "summary": vuln.get("summary", "")
                })
        return vulnerabilities
```
## SBOM Storage and Management

```yaml
# SBOM storage strategy
sbom_storage:
  format: cyclonedx-json
  storage: s3://sbom-bucket/
  retention: 90_days
  indexing:
    database: opensearch
    index_pattern: "sbom-*"
    fields:
      - component.name
      - component.version
      - component.purl
      - metadata.timestamp
  lifecycle:
    - stage: generated
      action: store_and_index
    - stage: verified
      action: mark_verified
    - stage: expired
      action: archive
```
## SBOM as Attestation

```bash
# Attach the SBOM to the image as a signed in-toto attestation
# (key-based signing shown; keyless Sigstore signing is also possible)
cosign attest --key cosign.key \
  --type cyclonedx \
  --predicate sbom.cyclonedx.json \
  myapp:latest

# Verify the attestation against the public key
cosign verify-attestation --key cosign.pub --type cyclonedx myapp:latest
```
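What `cosign attest` signs is not the SBOM file by itself but an in-toto statement whose subject is the artifact digest and whose predicate is the SBOM; that is what makes the attestation tamper-evident and bound to one specific artifact. As an added example (not code from the original page, and not cosign's own implementation), the following builds that unsigned statement and runs the consumer-side checks that follow signature verification: statement type, predicate type, and subject digest against the artifact actually in hand. The artifact bytes and the small SBOM are constructed for the example; the predicate type `https://cyclonedx.org/bom` is the one cosign uses for `--type cyclonedx`, while the statement type version is an assumption (cosign may emit an earlier statement version).

```python
# Added example (not from the original page): the in-toto statement that an
# SBOM attestation wraps, built and checked without the signing step.
import hashlib
import json

# Predicate type cosign uses for --type cyclonedx
CYCLONEDX_PREDICATE_TYPE = "https://cyclonedx.org/bom"
# Assumed statement type version for this example
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"

# Constructed artifact bytes and a minimal constructed SBOM
ARTIFACT = b"pretend this is myapp.tar.gz"
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"}]}


def build_statement(subject_name, artifact, sbom, predicate_type=CYCLONEDX_PREDICATE_TYPE):
    """In-toto statement: subject identified by digest, SBOM as the predicate."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": sbom,
    }


def canonical_bytes(statement):
    # Deterministic serialization: these are the bytes a DSSE signature covers
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def check_statement(statement, artifact, expected_type=CYCLONEDX_PREDICATE_TYPE):
    """Policy checks a consumer runs after the signature has verified: the
    statement type, predicate type and subject digest must all match, otherwise
    a valid signature over some other statement would be accepted."""
    errors = []
    if statement.get("_type") != STATEMENT_TYPE:
        errors.append("unexpected statement type")
    if statement.get("predicateType") != expected_type:
        errors.append(f"predicateType {statement.get('predicateType')} != {expected_type}")
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        errors.append("artifact digest not among statement subjects")
    return errors


if __name__ == "__main__":
    stmt = build_statement("myapp.tar.gz", ARTIFACT, SBOM)
    print(canonical_bytes(stmt)[:80], "...")
    print("errors:", check_statement(stmt, ARTIFACT))
    print("errors with tampered artifact:", check_statement(stmt, ARTIFACT + b"x"))
```

The digest check is the part most often skipped by hand-rolled verifiers: a signature proves who produced the statement, but only the subject digest ties the SBOM to the artifact being deployed.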
## Conclusion

SBOMs are essential for supply chain security. Generate them automatically in your CI pipeline, verify their integrity, and correlate components with vulnerability databases. Store SBOMs alongside your artifacts and sign them for tamper evidence. Use SBOMs for compliance, vulnerability management, and incident response.