Supply chain attacks are getting worse; Microsoft open-sources its SBOM generation tool

Microsoft recently open-sourced its in-house SBOM (Software Bill of Materials) generation tool to help the technology industry and IT decision makers better understand the security of their tools and the dependencies in their software supply chain.

The purpose of an SBOM is to establish a clear record of the supply chain relationships between the components a piece of software uses. It is a machine-readable file that lists every component in the product, including all open source projects, somewhat like the ingredient list on a food package. Through this "ingredient list", the upstream and downstream relationships of a product become clear.

In recent years, network security incidents have occurred frequently. The most prominent recent vulnerability incident was the remote code execution vulnerability in Log4j at the end of last year, which forced developers worldwide who rely on the project to work overtime to fix it. Yet even though its impact was extremely wide and caused an uproar in the industry, there were still companies that knew little about it. The importance of an SBOM to an enterprise is therefore self-evident.

The tool developed by Microsoft, called Salus, is available on Windows, Linux and Mac and generates SBOMs according to the SPDX specification. Microsoft positions Salus as a "universal, enterprise-proven SBOM generator" that can be easily integrated into software build workflows.

A document created by Salus consists of four main parts: document creation information (software name, SPDX license, SPDX version, document creator and creation time), a list of the files that make up the software, a list of the packages used to build the software, and a list of relationships between the different elements of the SBOM.

Functionally, Salus can automatically detect NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages in containers, Gradle, Ivy, and GitHub public repositories. In addition, Salus can reference other SBOM files to produce a more complete set of dependencies.
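To show what a consumer of such a document actually checks, here is an added example (not code from Microsoft's tool or the original article) that loads a constructed SPDX 2.2 JSON document with the four parts described above, verifies that every relationship resolves to a declared element (including elements of a referenced external SBOM), and extracts the dependency edges. The sample document, its element names and the generator name in `creationInfo` are all constructed for illustration.

```python
import json

# Constructed sample of an SPDX 2.2 JSON document with the four parts described
# above: creation info, files, packages and relationships. The values are
# illustrative and are not output of Microsoft's tool.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app 1.0.0",
    "creationInfo": {"created": "2022-07-13T00:00:00Z",
                     "creators": ["Tool: example-generator-0.1"]},
    "files": [{"fileName": "./bin/app.dll", "SPDXID": "SPDXRef-File-app",
               "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}]}],
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-RootPackage", "versionInfo": "1.0.0"},
        {"name": "left-pad", "SPDXID": "SPDXRef-Package-leftpad", "versionInfo": "1.3.0"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-leftpad"},
        # Deliberately dangling: refers to an element the document never declares.
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-missing"}],
})


def load_sbom(text):
    """Parse an SPDX JSON document and require all four sections to be present."""
    doc = json.loads(text)
    for key in ("creationInfo", "files", "packages", "relationships"):
        if key not in doc:
            raise ValueError(f"SBOM is missing required section: {key}")
    return doc


def dangling_references(doc):
    """Return relationship endpoints that do not resolve to a declared element."""
    known = {doc["SPDXID"]}
    known.update(e["SPDXID"] for e in doc["files"] + doc["packages"])
    # Elements of a referenced external SBOM appear as "DocumentRef-x:SPDXRef-y";
    # the prefix must match an entry declared in externalDocumentRefs.
    known.update(r["externalDocumentId"] for r in doc.get("externalDocumentRefs", []))
    return [rel[side] for rel in doc["relationships"]
            for side in ("spdxElementId", "relatedSpdxElement")
            if rel[side].split(":")[0] not in known]


def dependency_edges(doc):
    """Return (package, dependency) pairs for DEPENDS_ON relationships as name@version."""
    names = {p["SPDXID"]: f'{p["name"]}@{p.get("versionInfo", "?")}' for p in doc["packages"]}
    return [(names.get(r["spdxElementId"], r["spdxElementId"]),
             names.get(r["relatedSpdxElement"], r["relatedSpdxElement"]))
            for r in doc["relationships"] if r["relationshipType"] == "DEPENDS_ON"]
```

A dangling reference means the SBOM claims a dependency it cannot describe, so an ingestion pipeline should reject or flag such a document rather than trust its package list.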

Microsoft said:

Open-sourcing Salus is an important step in fostering collaboration and innovation within our community, and we believe this will enable more organizations to generate SBOMs and contribute to its development.

The project is hosted on GitHub at: https://github.com/microsoft/sbom-tool

Source: www.oschina.net/news/202966/microsoft-open-sources-salus