Skip to main content
College of Engineering
Capstone

Software Bill of Materials (SBOM)

Here’s a step-by-step guide to help you create a complete SBOM for your project:

Step 1: Understand What an SBOM Is

  • Definition: An SBOM is a detailed inventory of all software components used in your project. It includes information about the components' origin, version, and licensing.
  • Purpose: The SBOM helps in managing risks, ensuring compliance with licensing requirements, and facilitating transparency and accountability.

Step 2: Identify All Components

  1. List Dependencies: Start by listing all the libraries, frameworks, and tools your project depends on. This can be done by examining your project’s configuration files, such as package.json for Node.js, requirements.txt for Python, or pom.xml for Java.

  2. Automated Tools: Use automated tools to scan your codebase and generate a list of dependencies. Some popular tools include:

    • For JavaScript/Node.js: npm’s npm ls command or tools like Synk.
    • For Python: pip freeze or tools like Pipenv.
    • For Java: Maven’s mvn dependency:tree or tools like JFrog Xray.
    • For general use: Dependency-check tools like OWASP Dependency-Check.

Step 3: Gather Detailed Information

For each component, gather the following details:

  • Component Name: The name of the library or tool.
  • Version: The specific version used in your project.
  • Source: Where the component was obtained from (e.g., npm registry, PyPI, Maven Central).
  • License: The type of license under which the component is distributed.
  • Author/Maintainer: Information about who maintains the component, if available.

Step 4: Organize the Information

Create a document or a structured file (like a CSV, JSON, or YAML file) to organize this information. Here’s a simple example in table format:

Component NameVersionSourceLicenseAuthor/Maintainer
Express4.17.1npm registryMITTJ Holowaychuk
NumPy1.21.0PyPIBSDNumPy Developers
Spring Boot2.5.4Maven CentralApache-2.0Pivotal Software

Step 5: Keep the SBOM Up to Date

As your project evolves, so will your dependencies. Make sure to:

  • Update Regularly: Update your SBOM regularly to reflect any changes in your dependencies.
  • Automate Updates: Use CI/CD tools to automate the scanning and updating of your SBOM. Tools like Jenkins, GitHub Actions, or GitLab CI can help integrate this process into your development workflow.

Step 6: Validate the SBOM

Before submitting the SBOM to your corporate sponsor:

  • Review for Completeness: Ensure all components are listed and all required details are included.
  • Check for Compliance: Verify that all components comply with licensing requirements and the corporate sponsor’s policies.

Step 7: Deliver the SBOM

Present the SBOM as part of your project documentation. Ensure it is clear, well-organized, and easy to understand.

By following these steps, you can create a comprehensive and accurate SBOM for your software project. This will not only meet your corporate sponsor’s requirements but also enhance the security and maintainability of your project.