SBOM

Overview This is the second part of our SBOM compliances series. In the previous post, we discussed NTIA Minimum Elements, their motivation, and how they define a baseline for SBOM transparency. In this post, we will discuss about Framing Software Component Transparency (FSCT), why it came into existence, the real-world gaps it addresses, and how it shifts the focus from minimum presence to meaningful transparency. Let’s go. Context In order to manage risk, cost or security, an organization first need to understand what software is made up of, what all components are being used, and how they depend on each other. In the modern software world, systems are complex because they rely on dynamic supply chains i.e. consuming open-source libraries, commercial software, and third parties dependencies maintained across the world. Without clear visibility into these dependencies(or supply chain), organizations are forced to rely on assumptions rather than facts. That’s why NTIA Minimum Elements came in and introduced required set of minimum SBOM fields to ensure the basic information about each consumed component is present or declared, and with this it laids the foundation of establishing a transparency across software supply chains. ...

In this blog, we’ll be discussing about NTIA minimum element SBOM Compliance. This blog is the first part of an SBOM compliance series. The series is about covering all different SBOM compliances framework one by one and understand why they exist and what they actually expect from an SBOM and lastly to check whether your SBOM is compliant or not. Before diving into NTIA minimum element compliance specifically, let’s understand the core of SBOM: ...

Introduction Today, I’m not here to talk about SBOM scoring, compliance, NTIA , or anything as usual. Instead, I want to highlight a completely different, but very real SBOM use case. This isn’t a theoritical problem, it straight came out from a Redit thread: https://www.reddit.com/r/sysadmin/comments/1p1xegu/how_to_verify_vulnerability_deltas_between/ Reddit issue (simplified) I compared hardened base images with their official upstream images. Theoretically, CVEs should drop…. but scanner results don’t always match reality. ...

Overview Hello Everyone 👋, We have released sbomqs:2.0 last week. This post is about major changes b/w sbomqs:1.x.x and sbomqs:2.0.x. Let’s understand, what exactly changed in sbomqs 2.0, and how it is different from the older 1.x scoring model? If you’ve been using sbomqs for a while, you know that 1.x scoring bundled everything together in a summarized way: $ sbomqs score samples/photon.spdx.json --legacy SBOM Quality by Interlynk Score:6.0 components:38 samples/photon.spdx.json +-----------------------+--------------------------------+-----------+--------------------------------+ | CATEGORY | FEATURE | SCORE | DESC | +-----------------------+--------------------------------+-----------+--------------------------------+ | NTIA-minimum-elements | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 10.0/10.0 | 38/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | +-----------------------+--------------------------------+-----------+--------------------------------+ | bsi-v1.1 | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 0.0/10.0 | 0/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_licenses | 9.5/10.0 | 36/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_checksums_sha256 | 0.3/10.0 | 1/38 have checksums | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_uri | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_hash | 0.0/10.0 | 0/38 have source code hash | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_uri | 10.0/10.0 | 38/38 have executable URI | + +--------------------------------+-----------+--------------------------------+ | | comp_with_dependencies | 0.5/10.0 | 2/38 have dependencies | + +--------------------------------+-----------+--------------------------------+ | | spec_with_version_compliant | 10.0/10.0 | provided sbom spec: spdx, and | | | | | version: SPDX-2.3 is supported | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_uri | 10.0/10.0 | doc has URI | +-----------------------+--------------------------------+-----------+--------------------------------+ | bsi-v2.0 | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 0.0/10.0 | 0/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_associated_license | 0.0/10.0 | 0/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_concluded_license | 0.0/10.0 | 0/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_declared_license | 9.5/10.0 | 36/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_uri | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_hash | 0.0/10.0 | 0/38 have source code hash | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_uri | 10.0/10.0 | 38/38 have executable URI | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_hash | 0.3/10.0 | 1/38 have checksums | + +--------------------------------+-----------+--------------------------------+ | | comp_with_dependencies | 0.5/10.0 | 2/38 have dependencies | + +--------------------------------+-----------+--------------------------------+ | | spec_with_version_compliant | 10.0/10.0 | provided sbom spec: spdx, and | | | | | version: SPDX-2.3 is supported | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_build_process | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_uri | 10.0/10.0 | doc has URI | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_bomlinks | 0.0/10.0 | no bom links found | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_vuln | 10.0/10.0 | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_signature | 0.0/10.0 | No signature or public key | | | | | provided! | +-----------------------+--------------------------------+-----------+--------------------------------+ | Semantic | sbom_required_fields | 10.0/10.0 | Doc Fields:true Pkg | | | | | Fields:true | + +--------------------------------+-----------+--------------------------------+ | | comp_with_licenses | 9.5/10.0 | 36/38 have licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_checksums | 0.3/10.0 | 1/38 have checksums | +-----------------------+--------------------------------+-----------+--------------------------------+ | Quality | comp_valid_licenses | 2.9/10.0 | 11/38 components with valid | | | | | license | + +--------------------------------+-----------+--------------------------------+ | | comp_with_primary_purpose | 0.0/10.0 | 0/38 components have primary | | | | | purpose specified | + +--------------------------------+-----------+--------------------------------+ | | comp_with_deprecated_licenses | 10.0/10.0 | 0/38 components have | | | | | deprecated licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_restrictive_licenses | 10.0/10.0 | 0/38 components have | | | | | restricted licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_any_vuln_lookup_id | 0.0/10.0 | 0/38 components have any | | | | | lookup id | + +--------------------------------+-----------+--------------------------------+ | | comp_with_multi_vuln_lookup_id | 0.0/10.0 | 0/38 components have multiple | | | | | lookup id | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_creator_and_version | 10.0/10.0 | 1/1 tools have creator and | | | | | version | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_primary_component | 10.0/10.0 | primary component found | +-----------------------+--------------------------------+-----------+--------------------------------+ | Sharing | sbom_sharable | 0.0/10.0 | doc has a sharable license | | | | | free 0 :: of 1 | +-----------------------+--------------------------------+-----------+--------------------------------+ | Structural | sbom_spec | 10.0/10.0 | provided sbom is in a | | | | | supported sbom format of | | | | | spdx,cyclonedx | + +--------------------------------+-----------+--------------------------------+ | | sbom_spec_version | 10.0/10.0 | provided sbom should be in | | | | | supported spec version for | | | | | spec:SPDX-2.3 and versions: | | | | | SPDX-2.1,SPDX-2.2,SPDX-2.3 | + +--------------------------------+-----------+--------------------------------+ | | sbom_file_format | 10.0/10.0 | provided sbom should be in | | | | | supported file format for | | | | | spec: json and version: | | | | | json,yaml,rdf,tag-value | + +--------------------------------+-----------+--------------------------------+ | | sbom_parsable | 10.0/10.0 | provided sbom is parsable | +-----------------------+--------------------------------+-----------+--------------------------------+ The o/p contains: ...

This is part one of a two-part series. Here, we look at why SBOMs matter for software quality assurance. In the next post, we’ll walk through how to put them into practice. If you work in QA and want to explore this further, feel free to reach out. In regulated sectors like banking, fintech, healthcare, insurance, and automotive, software quality isn’t just about functionality — it’s about risk, compliance, stability, and auditability. ...

This guide helps software engineers, DevSecOps teams, and open-source maintainers choose and implement the right SBOM (Software Bill of Materials) generator for their projects — based on technology stack, ecosystem, and workflow maturity. General Guidelines When selecting and using SBOM generators, follow these best practices: Choose actively maintained tools: Select SBOM generators that are actively maintained, whether they are ecosystem-built generators or external tools. Prefer Open Source Software (OSS): OSS SBOM generators are improving rapidly and benefit from community contributions and transparency. ...