The right way to Generate an SBOM With Microsoft’s Open-Supply Software


An SBOM (Software program Invoice of Supplies) helps you perceive your software program provide chain by itemizing the packages and distributors that your code depends upon. SBOMs are quickly gaining momentum as a method to assist enhance safety within the wake of distinguished real-world provide chain assaults.

One main proponent of SBOMs is Microsoft which printed its method to their technology again in October 2021. Earlier this yr the corporate open-sourced its instrument for producing SBOMs on Home windows, macOS, and Linux.

On this article, you’ll discover ways to begin utilizing the challenge to index your code’s dependencies. It produces SPDX-compatible paperwork that listing the recordsdata, packages, and relationships inside your challenge. SPDX (Software program Bundle Knowledge Alternate) is the ISO-accepted normal for SBOMs so you possibly can cross generated stories straight into different ecosystem instruments.

Microsoft initially introduced the challenge underneath the identify Salus. It’s since retreated from this time period as a result of it conflicts with the prevailing Salus code safety challenge which originated at Coinbase. The SBOM generator is now referred to easily as sbom-tool.

Getting Began

You’ll be able to obtain SBOM Software from Microsoft’s GitHub repository. Precompiled binaries can be found on the releases web page. Choose the proper obtain in your system, then make the binary executable and transfer it to a location in your path.

Right here’s an instance for Linux:

$ wget<VERSION>/sbom-tool-linux-x64
$ chmod +x sbom-tool-linux-x64
$ mv sbom-tool-linux-x64 /usr/native/bin/sbom-tool

You must have the ability to run sbom-tool to show the assistance info in your terminal window:

$ sbom-tool
No motion was specified

The Sbom instrument generates a SBOM for any construct artifact.

Utilization - Microsoft.Sbom.Software <motion> -options

Producing an SBOM

New SBOMs are created by working the instrument’s generate sub-command. Just a few arguments should be equipped:

  • -b (BuildDropPath) – The folder to save lots of the generated SPDX SBOM manifests to.
  • -bc (BuildComponentPath) – The folder that will likely be scanned to search out the dependencies in your challenge.
  • -nsb (NamespaceUriBase) – The bottom path that will likely be used because the SBOM manifest’s namespace. This needs to be a URL that’s owned by your group, corresponding to

SBOM Software additionally must know your challenge’s identify and model. It may well typically infer this from recordsdata already in your repository, such because the package deal.json identify and model fields, however you would possibly want to offer the knowledge manually or override the defaults in some circumstances. Add the pn and pv flags to do that:

  • -pn (PackageName) – The identify of your challenge or package deal.
  • -pv (PackageVersion) – The challenge model that you simply’re scanning. This could match the discharge model that your SBOM accompanies so customers can correlate dependency lists with particular builds.

Right here’s an instance of producing an SBOM for the recordsdata in your working listing. The SBOM will likely be positioned into the sbom-output subdirectory. This must exist earlier than you run the instrument.

$ mkdir sbom-output
$ sbom-tool generate -b sbom-output -bc . -pn instance -pv 1.0 -nsb

An outline of the scan outcomes will likely be proven in your terminal:

[INFO] Enumerated 3728 recordsdata and 607 directories in 00:00:00.5938034 

[INFO] |Part Detector Id         |Detection Time                |# Elements Discovered            |# Explicitly Referenced                 | 
[INFO] |Npm                           |0.63 seconds                  |241                           |0                                       | 
[INFO] |Complete                         |0.64 seconds                  |241                           |0                                       | 

[INFO] Detection time: 0.6374678 seconds.

This challenge makes use of npm to handle its dependencies. The instrument detected 241 packages contained in the working listing’s package deal.json file.

SBOM Software at present helps 19 completely different programming languages and package deal codecs. The listing consists of npm, NuGet, PyPi, Maven, Rust Crates, and Ruby gems, in addition to Linux packages current in Docker photographs. References to distant GitHub repositories are additionally supported.

SBOM Contents

The generated SBOM will likely be written to _manifest/spdx_2.2/manifest.spdx.json contained in the construct output listing that you simply specified. The SBOM is a reasonably verbose JSON file that’s supposed to be consumed by different software program.

  "recordsdata": [],
  "packages": [
      "name": "color-convert",
      "SPDXID": "SPDXRef-Package-A72B0922E46D9828746F346D7FD11B7F81EDEB15B92BEEDAE087F5F7407FECDC",

There are four main types of information within the report:

  • The files section – This lists all the files containing source code you’ve written in your project. SBOM Tool will only populate this section when certain project types are scanned, such as C# solutions.
  • The packages section – A complete catalog of all the third-party dependencies present in your project, with references to their source package manager, the version used, and the type of license that applies.
  • The relationships section – This details all the relationships between the components listed in the SBOM. The most common relationship you’ll see is DEPENDS_ON, which declares an item in the packages section as one of your project’s dependencies. Several other kinds of relationship also exist, such as CREATED_BY, DEPENDENCY_OF, and PATCH_FOR.
  • Report metadata details – Fields such as name, documentNamespace, spdxVersion, and creationInfo identify the SBOM, the tool used to create it, and the SPDX manifest revision that applies.

Now you’ve got an SBOM you can start using it with other tools to conduct vulnerability scans and manage license compliance. You can consider distributing the SBOM with your software releases so consumers are able to inspect the contents of each new version. SBOMs are best generated as part of your build pipeline so they stay up to date.

Having access to an SBOM is invaluable when major new supply chain problems appear. Organizations using SBOMs were better placed to respond to Log4j, for example. They could inspect their reports to quickly find projects depending on the vulnerable library, instead of auditing package lists by hand.

Scanning Docker Images

SBOM Tool is capable of scanning existing Docker images as part of a report generation. To use this capability, you need to add the -di flag and specify the image tag or digest that you want to scan. The rest of the arguments stay the same.

$ sbom-tool generate -di ubuntu:latest -b sbom-output -bc . -pn demo -pv 1.0 -nsb

The Docker image will be analyzed to identify the packages it includes. They’ll be added to the SBOM report alongside the dependencies found in your source folder. You can scan multiple Docker images in a single operation by separating their tags or digest hashes with commas.


SBOM Tool is a young open-source SBOM generation utility developed at Microsoft. It supports several leading package formats and produces SPDX-compatible output. This means you can feed generated SBOMs straight into other tools like Grype to automatically find security vulnerabilities and outdated dependencies.

SBOMs are an effective way to increase awareness of software supply chains and uncover lurking issues. Producing and distributing an SBOM helps users understand what’s being silently included in their project. SBOM Tool is one way to generate industry-standard reports with a single command, making it easier to offer an SBOM with each of your releases.

Supply hyperlink