License Scanner and SBOM Utility will boost the capabilities of OWASP's CycloneDX Software Bill of Materials standard.
IBM has contributed two open source supply chain tools — SBOM Utility and License Scanner — to the Open Worldwide Application Security Project (OWASP) Foundation's CycloneDX Software Bill of Materials (SBOM) standard. The tools will fill two crucial gaps in CycloneDX, which OWASP describes as a "full-stack" BOM standard that provides advanced supply chain risk reduction.
The SBOM is an inventory listing all individual components used in software. The discovery of the vulnerability in the Log4j library two years ago highlighted how few organizations understood what was inside the software they were running. It isn't enough to just know which third-party components, libraries, and frameworks are being used — organizations need to be aware of all the dependencies those components are using. In response to various supply chain attacks and the Log4j chaos, the White House issued an executive order mandating that developers improve the security of their supply chains. One way is to include and maintain an SBOM for every piece of software they distribute.
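To make the transitive-dependency point concrete, here is an added example (not IBM's or CycloneDX's own code) that loads a constructed minimal CycloneDX 1.4 JSON document, walks its `dependencies` graph from the application's root component, and reports at what depth a named library is pulled in. The `SAMPLE_SBOM` document, its component names and versions are constructed for illustration.

```python
"""Walk a CycloneDX SBOM's dependency graph to find transitive components."""
import json
from collections import deque

# Constructed sample SBOM: the application depends directly on a web framework,
# which in turn pulls in a logging library the application never names itself.
# "unused-lib" is listed in the inventory but no dependency edge reaches it.
FW, LOG, JSN = "pkg:maven/org.example/web-framework@2.3.0", \
    "pkg:maven/org.example/log-lib@2.14.1", "pkg:maven/org.example/json-lib@1.2.0"
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": FW, "name": "web-framework", "version": "2.3.0", "purl": FW},
        {"type": "library", "bom-ref": LOG, "name": "log-lib", "version": "2.14.1", "purl": LOG},
        {"type": "library", "bom-ref": JSN, "name": "json-lib", "version": "1.2.0", "purl": JSN},
        {"type": "library", "bom-ref": "orphan", "name": "unused-lib", "version": "0.1.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": [FW]},
        {"ref": FW, "dependsOn": [LOG, JSN]},
        {"ref": LOG, "dependsOn": []},
        {"ref": JSN, "dependsOn": []},
    ],
})

def load_graph(sbom_json):
    """Return (root bom-ref, {ref: [dependsOn refs]}, {bom-ref: component})."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    return bom["metadata"]["component"]["bom-ref"], graph, components

def transitive_refs(root, graph):
    """BFS from root; returns {ref: depth} for every reachable ref (cycle-safe)."""
    depth, queue = {}, deque([(root, 0)])
    while queue:
        ref, d = queue.popleft()
        if ref in depth:
            continue  # already visited: also protects against dependency cycles
        depth[ref] = d
        queue.extend((child, d + 1) for child in graph.get(ref, []))
    depth.pop(root, None)  # the application itself is not a dependency
    return depth

def find_component(sbom_json, name):
    """Return (version, depth) for a reachable component by name, else None."""
    root, graph, components = load_graph(sbom_json)
    for ref, d in transitive_refs(root, graph).items():
        comp = components.get(ref)
        if comp and comp["name"] == name:
            return comp["version"], d
    return None
```

A depth of 1 is a direct dependency; anything deeper is the kind of component an inventory that stops at the top level would miss, and a listed component with no edge from the root (here `unused-lib`) is not actually reachable by the build.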
"IBM has been advocating for all developers and organizations creating modern software to begin their journey to create SBOMs," says Jamie Thomas, IBM's general manager of systems strategy and development. "These tools are foundational complements to aid developers in this journey, so they can better understand the potential risks in their software supply chains."