Software Bill of Materials (SBOM)

The Security Audit That Took Three Weeks (And Should Have Taken Three Minutes)

"We need a complete inventory of all software components in production by Friday."

The email from our compliance team landed on a Tuesday. We had three days to document every library, framework, OS package, and dependency across 150+ microservices. Oh, and they needed licenses, versions, and known vulnerabilities too.

I spent the first day in denial. The second day manually running npm ls, pip freeze, and mvn dependency:tree on dozens of repositories. By Wednesday night, I had Excel spreadsheets everywhere, merge conflicts in my brain, and still no clear picture of what was actually running in production.

Thursday morning, I discovered that Production wasn't running the code in Git. Containers had been patched manually. Services had emergency hotfixes never committed to source. My inventory was already obsolete before I finished it.

We missed the Friday deadline. The audit was delayed. And I learned a hard lesson: if you can't automatically generate an SBOM, you don't actually know what's in your software.

This article covers how I implemented automated SBOM generation, made it part of every build, and turned a three-week nightmare into a three-second API call.

What You'll Learn

Understanding Software Bill of Materials (SBOM) standards
SBOM formats: SPDX vs CycloneDX
Generating SBOMs with Syft, Trivy, and other tools
SBOM validation and enrichment
Integrating SBOM into CI/CD pipelines
SBOM for compliance (Executive Order 14028)
Supply chain transparency and attestation

What is an SBOM?

A Software Bill of Materials is a comprehensive inventory of all components in your software—like a nutrition label for your application.

An SBOM includes:

Component names and versions
Dependencies (direct and transitive)
Licenses
Source locations
Cryptographic hashes
Supplier information
Known vulnerabilities (when enriched)

SBOM Standards: SPDX vs CycloneDX

SPDX (Software Package Data Exchange)

Created by the Linux Foundation, SPDX is the ISO standard (ISO/IEC 5962:2021).

{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "payment-service",
  "documentNamespace": "https://example.com/payment-service/v1.2.3",
  "creationInfo": {
    "created": "2024-01-06T10:30:00Z",
    "creators": ["Tool: syft-0.98.0", "Organization: Example Corp"]
  },
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-express",
      "name": "express",
      "versionInfo": "4.18.2",
      "downloadLocation": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      "filesAnalyzed": false,
      "licenseConcluded": "MIT",
      "licenseDeclared": "MIT",
      "copyrightText": "Copyright (c) 2009-2014 TJ Holowaychuk",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:npm/[email protected]"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relationshipType": "DESCRIBES",
      "relatedSpdxElement": "SPDXRef-Package-payment-service"
    }
  ]
}

CycloneDX

Created by OWASP, CycloneDX is focused on security use cases and supply chain transparency.

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-06T10:30:00Z",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
        "version": "0.98.0"
      }
    ],
    "component": {
      "type": "application",
      "name": "payment-service",
      "version": "1.2.3"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:npm/[email protected]",
      "name": "express",
      "version": "4.18.2",
      "purl": "pkg:npm/[email protected]",
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "7a..."
        }
      ],
      "externalReferences": [
        {
          "type": "distribution",
          "url": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"
        },
        {
          "type": "website",
          "url": "https://expressjs.com"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/[email protected]",
      "dependsOn": [
        "pkg:npm/[email protected]"
      ]
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "vuln-1",
      "id": "CVE-2023-12345",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-12345"
      },
      "ratings": [
        {
          "severity": "critical",
          "score": 9.8,
          "method": "CVSSv3"
        }
      ],
      "affects": [
        {
          "ref": "pkg:npm/[email protected]"
        }
      ]
    }
  ]
}

Comparison:

Feature

SPDX

CycloneDX

Standard

ISO/IEC 5962:2021

OWASP

Focus

License compliance

Security & supply chain

Vulnerability data

Extension

Built-in

Formats

JSON, YAML, RDF, TagValue

JSON, XML, Protocol Buffers

Services/APIs

Limited

Strong support

Attestation

Via extensions

Native VEX/VDR support

Generating SBOMs with Syft

Syft is my preferred SBOM generator—it's fast, accurate, and supports both SPDX and CycloneDX.

Basic Syft Usage

# Generate SBOM for a container image
syft packages docker:myapp:latest

# Generate SPDX JSON
syft packages docker:myapp:latest -o spdx-json > sbom-spdx.json

# Generate CycloneDX JSON
syft packages docker:myapp:latest -o cyclonedx-json > sbom-cdx.json

# Scan local directory
syft packages dir:. -o cyclonedx-json > sbom.json

# Scan with specific catalogers
syft packages docker:myapp:latest --select-catalogers python,javascript

# Include file hashes
syft packages docker:myapp:latest -o spdx-json --source-hash sha256

GitLab CI SBOM Generation

# .gitlab-ci.yml
stages:
  - build
  - sbom
  - publish

variables:
  IMAGE_NAME: ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}
  SYFT_VERSION: "v0.98.0"

build:
  stage: build
  image: docker:24-dind
  services:
    - docker:24-dind
  script:
    - docker build -t ${IMAGE_NAME} .
    - docker push ${IMAGE_NAME}

generate_sbom:
  stage: sbom
  image: anchore/syft:${SYFT_VERSION}
  script:
    # Generate CycloneDX SBOM
    - syft packages ${IMAGE_NAME} -o cyclonedx-json > sbom-cyclonedx.json
    
    # Generate SPDX SBOM
    - syft packages ${IMAGE_NAME} -o spdx-json > sbom-spdx.json
    
    # Generate human-readable table
    - syft packages ${IMAGE_NAME} -o table > sbom-table.txt
    
    # Add metadata
    - |
      cat > sbom-metadata.json <<EOF
      {
        "image": "${IMAGE_NAME}",
        "commit": "${CI_COMMIT_SHA}",
        "branch": "${CI_COMMIT_REF_NAME}",
        "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
        "pipeline": "${CI_PIPELINE_URL}"
      }
      EOF
  
  artifacts:
    reports:
      cyclonedx: sbom-cyclonedx.json
    paths:
      - sbom-cyclonedx.json
      - sbom-spdx.json
      - sbom-table.txt
      - sbom-metadata.json
    expire_in: 1 year
  
  dependencies:
    - build

# Publish SBOM to registry
publish_sbom:
  stage: publish
  image: alpine:latest
  before_script:
    - apk add --no-cache curl jq
  script:
    # Upload to artifact repository
    - |
      curl -X PUT \
        -H "Authorization: Bearer ${ARTIFACT_REPO_TOKEN}" \
        -H "Content-Type: application/json" \
        --data-binary @sbom-cyclonedx.json \
        "https://artifacts.example.com/sbom/${CI_PROJECT_NAME}/${CI_COMMIT_SHA}/cyclonedx.json"
    
    # Update latest SBOM pointer
    - |
      curl -X PUT \
        -H "Authorization: Bearer ${ARTIFACT_REPO_TOKEN}" \
        -H "Content-Type: application/json" \
        --data-binary @sbom-cyclonedx.json \
        "https://artifacts.example.com/sbom/${CI_PROJECT_NAME}/latest/cyclonedx.json"
  
  dependencies:
    - generate_sbom
  only:
    - main

SBOM Enrichment with Vulnerability Data

An SBOM becomes exponentially more valuable when enriched with vulnerability information.

Grype for Vulnerability Scanning

# Scan SBOM for vulnerabilities
grype sbom:sbom-cyclonedx.json -o json > vulnerabilities.json

# Scan with specific severity
grype sbom:sbom-cyclonedx.json --fail-on critical

# Scan and merge into SBOM
grype sbom:sbom-cyclonedx.json -o cyclonedx > enriched-sbom.json

GitLab Integration

# .gitlab-ci.yml
vulnerability_scan:
  stage: sbom
  image: anchore/grype:latest
  script:
    # Scan SBOM for vulnerabilities
    - grype sbom:sbom-cyclonedx.json -o json > vulnerability-report.json
    
    # Enrich SBOM with vulnerability data
    - grype sbom:sbom-cyclonedx.json -o cyclonedx > enriched-sbom.json
    
    # Check for critical vulnerabilities
    - |
      CRITICAL=$(cat vulnerability-report.json | jq '[.matches[] | select(.vulnerability.severity == "Critical")] | length')
      echo "Found $CRITICAL critical vulnerabilities"
      
      if [ "$CRITICAL" -gt 0 ]; then
        echo "❌ Critical vulnerabilities found!"
        cat vulnerability-report.json | jq '.matches[] | select(.vulnerability.severity == "Critical") | {package: .artifact.name, version: .artifact.version, cve: .vulnerability.id}'
        exit 1
      fi
  
  artifacts:
    paths:
      - vulnerability-report.json
      - enriched-sbom.json
  
  dependencies:
    - generate_sbom

SBOM Validation and Quality

Not all SBOMs are created equal. Validate yours to ensure quality.

SBOM Quality Checker

// scripts/validate-sbom.js
const fs = require('fs');
const Ajv = require('ajv');
const cyclonedxSchema = require('@cyclonedx/cyclonedx-core/schema/bom-1.5.schema.json');

class SBOMValidator {
  constructor() {
    this.ajv = new Ajv({ allErrors: true });
    this.validate = this.ajv.compile(cyclonedxSchema);
  }

  async validateSBOM(sbomPath) {
    const sbom = JSON.parse(fs.readFileSync(sbomPath, 'utf8'));
    
    console.log('🔍 Validating SBOM...\n');
    
    const results = {
      schemaValid: false,
      completeness: 0,
      issues: []
    };

    // Schema validation
    results.schemaValid = this.validate(sbom);
    if (!results.schemaValid) {
      results.issues.push({
        category: 'schema',
        message: 'SBOM does not conform to CycloneDX schema',
        details: this.validate.errors
      });
    }

    // Completeness checks
    results.completeness = this.checkCompleteness(sbom);
    
    // Component checks
    this.checkComponents(sbom, results);
    
    // License checks
    this.checkLicenses(sbom, results);
    
    // Vulnerability checks
    this.checkVulnerabilities(sbom, results);
    
    return results;
  }

  checkCompleteness(sbom) {
    let score = 0;
    const checks = {
      'Has metadata': !!sbom.metadata,
      'Has components': sbom.components && sbom.components.length > 0,
      'Has dependencies': sbom.dependencies && sbom.dependencies.length > 0,
      'Has licenses': sbom.components?.some(c => c.licenses),
      'Has hashes': sbom.components?.some(c => c.hashes),
      'Has purls': sbom.components?.every(c => c.purl),
      'Has vulnerabilities': !!sbom.vulnerabilities,
      'Has composition': !!sbom.compositions
    };

    for (const [check, passed] of Object.entries(checks)) {
      if (passed) score += 12.5;
      console.log(`${passed ? '✅' : '❌'} ${check}`);
    }

    return score;
  }

  checkComponents(sbom, results) {
    if (!sbom.components) return;

    sbom.components.forEach((component, idx) => {
      // Check for required fields
      if (!component.name) {
        results.issues.push({
          category: 'component',
          message: `Component ${idx} missing name`
        });
      }

      if (!component.version) {
        results.issues.push({
          category: 'component',
          message: `Component ${component.name} missing version`
        });
      }

      // Check for purl
      if (!component.purl) {
        results.issues.push({
          category: 'component',
          severity: 'warning',
          message: `Component ${component.name} missing purl`
        });
      }

      // Check for hashes
      if (!component.hashes || component.hashes.length === 0) {
        results.issues.push({
          category: 'component',
          severity: 'info',
          message: `Component ${component.name} missing cryptographic hashes`
        });
      }
    });
  }

  checkLicenses(sbom, results) {
    const unlicensed = sbom.components?.filter(c => !c.licenses) || [];
    
    if (unlicensed.length > 0) {
      results.issues.push({
        category: 'license',
        severity: 'warning',
        message: `${unlicensed.length} components without license information`,
        components: unlicensed.map(c => c.name)
      });
    }
  }

  checkVulnerabilities(sbom, results) {
    if (!sbom.vulnerabilities) {
      results.issues.push({
        category: 'vulnerability',
        severity: 'info',
        message: 'SBOM not enriched with vulnerability data'
      });
    }
  }

  printReport(results) {
    console.log('\n📊 SBOM Validation Report\n');
    console.log(`Schema Valid: ${results.schemaValid ? '✅' : '❌'}`);
    console.log(`Completeness Score: ${results.completeness.toFixed(1)}%\n`);

    if (results.issues.length > 0) {
      console.log('Issues Found:\n');
      results.issues.forEach(issue => {
        const icon = issue.severity === 'info' ? 'ℹ️' : 
                     issue.severity === 'warning' ? '⚠️' : '❌';
        console.log(`${icon} [${issue.category}] ${issue.message}`);
      });
    } else {
      console.log('✅ No issues found!');
    }

    // Exit code based on results
    const criticalIssues = results.issues.filter(i => !i.severity || i.severity === 'error');
    return criticalIssues.length === 0 ? 0 : 1;
  }
}

// Run validation
const validator = new SBOMValidator();
validator.validateSBOM(process.argv[2])
  .then(results => {
    const exitCode = validator.printReport(results);
    process.exit(exitCode);
  })
  .catch(err => {
    console.error('Validation failed:', err);
    process.exit(1);
  });

SBOM for Compliance: Executive Order 14028

The U.S. Executive Order 14028 requires SBOMs for software sold to the federal government.

Compliance Requirements

# sbom-compliance-policy.yml
requirements:
  format:
    - SPDX 2.2+ (JSON, YAML, or tag-value)
    - CycloneDX 1.4+ (JSON or XML)
  
  minimum_elements:
    - Supplier name
    - Component name
    - Version of the component
    - Other unique identifiers
    - Dependency relationships
    - Author of SBOM data
    - Timestamp
  
  recommended_elements:
    - Cryptographic hash (SHA-256)
    - License information
    - Known vulnerabilities
    - End of life/support dates
  
  delivery:
    - Machine-readable format
    - Provided with software
    - Updated on each release

Compliance Automation

# .gitlab-ci.yml
compliance_check:
  stage: sbom
  image: node:18-alpine
  before_script:
    - npm install -g @cyclonedx/cyclonedx-cli
  script:
    # Validate SBOM meets compliance requirements
    - cyclonedx validate --input-file sbom-cyclonedx.json
    
    # Check for required elements
    - |
      node -e "
      const sbom = require('./sbom-cyclonedx.json');
      const required = [
        'metadata.component.supplier',
        'metadata.component.name',
        'metadata.component.version',
        'metadata.timestamp'
      ];
      
      const missing = required.filter(path => {
        const parts = path.split('.');
        let obj = sbom;
        for (const part of parts) {
          if (!obj[part]) return true;
          obj = obj[part];
        }
        return false;
      });
      
      if (missing.length > 0) {
        console.error('❌ Missing required elements:', missing);
        process.exit(1);
      }
      console.log('✅ All required elements present');
      "
  
  dependencies:
    - generate_sbom

SBOM Distribution and Consumption

Publishing SBOMs

# .gitlab-ci.yml - SBOM distribution
publish_sbom_registry:
  stage: publish
  image: docker:24-cli
  services:
    - docker:24-dind
  script:
    # Attach SBOM to container image using OCI artifact
    - |
      SBOM_DIGEST=$(docker buildx imagetools inspect ${IMAGE_NAME} \
        --format '{{ json .Manifest }}' | jq -r '.digest')
      
      # Create SBOM artifact
      docker buildx imagetools create \
        --annotation "cyclonedx-sbom=$(cat sbom-cyclonedx.json | base64)" \
        ${IMAGE_NAME}
    
    # Push to dedicated SBOM registry
    - |
      curl -X PUT \
        -H "Authorization: Bearer ${REGISTRY_TOKEN}" \
        --data-binary @sbom-cyclonedx.json \
        "https://sbom-registry.example.com/${CI_PROJECT_NAME}:${CI_COMMIT_SHA}"

SBOM API Service

// sbom-api/server.js
const express = require('express');
const app = express();

// SBOM storage (use database in production)
const sbomStore = new Map();

// Publish SBOM
app.post('/sbom/:project/:version', (req, res) => {
  const { project, version } = req.params;
  const sbom = req.body;
  
  // Validate SBOM
  if (!sbom.bomFormat || sbom.bomFormat !== 'CycloneDX') {
    return res.status(400).json({ error: 'Invalid SBOM format' });
  }
  
  // Store SBOM
  sbomStore.set(`${project}:${version}`, {
    sbom,
    publishedAt: new Date(),
    publisher: req.user.email
  });
  
  res.json({ success: true });
});

// Retrieve SBOM
app.get('/sbom/:project/:version', (req, res) => {
  const { project, version } = req.params;
  const stored = sbomStore.get(`${project}:${version}`);
  
  if (!stored) {
    return res.status(404).json({ error: 'SBOM not found' });
  }
  
  res.json(stored.sbom);
});

// Query vulnerabilities
app.get('/sbom/:project/:version/vulnerabilities', async (req, res) => {
  const { project, version } = req.params;
  const stored = sbomStore.get(`${project}:${version}`);
  
  if (!stored) {
    return res.status(404).json({ error: 'SBOM not found' });
  }
  
  const vulns = stored.sbom.vulnerabilities || [];
  const severity = req.query.severity?.toUpperCase();
  
  const filtered = severity 
    ? vulns.filter(v => v.ratings?.[0]?.severity === severity)
    : vulns;
  
  res.json({
    total: filtered.length,
    vulnerabilities: filtered
  });
});

app.listen(3000);

Best Practices

1. Generate SBOMs at Build Time

# Always part of CI/CD
stages:
  - build
  - sbom  # ← Required stage
  - deploy

2. Version and Store SBOMs

# Store with each release
sbom-registry.example.com/myapp:1.2.3
sbom-registry.example.com/myapp:latest

3. Enrich with Vulnerability Data

# Don't just list components, include security context
grype sbom:sbom.json -o cyclonedx > enriched.json

4. Automate SBOM Comparison

// Compare SBOMs between releases
function compareSBOMs(oldSBOM, newSBOM) {
  const added = newSBOM.components.filter(c => 
    !oldSBOM.components.find(o => o.purl === c.purl)
  );
  
  const removed = oldSBOM.components.filter(c =>
    !newSBOM.components.find(n => n.purl === c.purl)
  );
  
  const updated = newSBOM.components.filter(c => {
    const old = oldSBOM.components.find(o => o.name === c.name);
    return old && old.version !== c.version;
  });
  
  return { added, removed, updated };
}

5. Make SBOMs Discoverable

# Well-known location
https://example.com/.well-known/sbom
https://example.com/sbom/latest

Key Takeaways

✅ Generate SBOMs automatically - Part of every build ✅ Choose the right format - CycloneDX for security, SPDX for compliance ✅ Enrich with vulnerabilities - SBOMs + security data = powerful ✅ Validate SBOM quality - Check completeness and accuracy ✅ Store and version SBOMs - Track changes over time ✅ Comply with regulations - EO 14028 and beyond ✅ Make SBOMs accessible - APIs, registries, well-known URLs

What's Next

SBOMs document what you're deploying. Next, we'll ensure your infrastructure configuration itself is secure—Infrastructure as Code security scanning, policy enforcement, and compliance automation.

Next Article: Infrastructure as Code Security →

Part of the DevSecOps 101 Series

PreviousContainer Security and Image Scanning NextInfrastructure as Code Security

Last updated 1 month ago

hashtagThe Security Audit That Took Three Weeks (And Should Have Taken Three Minutes)

hashtagWhat You'll Learn

hashtagWhat is an SBOM?

hashtagSBOM Standards: SPDX vs CycloneDX

hashtagSPDX (Software Package Data Exchange)

hashtagCycloneDX

hashtagGenerating SBOMs with Syft

hashtagBasic Syft Usage

hashtagGitLab CI SBOM Generation

hashtagSBOM Enrichment with Vulnerability Data

hashtagGrype for Vulnerability Scanning

hashtagGitLab Integration

hashtagSBOM Validation and Quality

hashtagSBOM Quality Checker

hashtagSBOM for Compliance: Executive Order 14028

hashtagCompliance Requirements

hashtagCompliance Automation

hashtagSBOM Distribution and Consumption

hashtagPublishing SBOMs

hashtagSBOM API Service

hashtagBest Practices

hashtag1. Generate SBOMs at Build Time

hashtag2. Version and Store SBOMs

hashtag3. Enrich with Vulnerability Data

hashtag4. Automate SBOM Comparison

hashtag5. Make SBOMs Discoverable

hashtagKey Takeaways

hashtagWhat's Next

The Security Audit That Took Three Weeks (And Should Have Taken Three Minutes)

What You'll Learn

What is an SBOM?

SBOM Standards: SPDX vs CycloneDX

SPDX (Software Package Data Exchange)

CycloneDX

Generating SBOMs with Syft

Basic Syft Usage

GitLab CI SBOM Generation

SBOM Enrichment with Vulnerability Data

Grype for Vulnerability Scanning

GitLab Integration

SBOM Validation and Quality

SBOM Quality Checker

SBOM for Compliance: Executive Order 14028

Compliance Requirements

Compliance Automation

SBOM Distribution and Consumption

Publishing SBOMs

SBOM API Service

Best Practices

1. Generate SBOMs at Build Time

2. Version and Store SBOMs

3. Enrich with Vulnerability Data

4. Automate SBOM Comparison

5. Make SBOMs Discoverable

Key Takeaways

What's Next