Creating a Standard Compliant SBOM from a Distributions Package Manager

SBOMs (i.e., Software Bill of Materials) have quickly become the conduit for CyberSecurity professionals to create a basis for the analysis of the components and their vulnerabilities. While dozens of tools exist to create SBOMs for software repositories, containers, and software packages (think JAR files), the question often arises: is a Linux distribution’s package manager a sort of SBOM?

In this blog post, we propose several answers to this question.

What is an SBOM?

An SBOM is essentially a detailed inventory of all software components and dependencies used within an application or system. It details versions, licenses, and other crucial information that can be used to monitor software components for vulnerabilities or licensing issues.

Importance of SBOMs

The importance of SBOMs in cybersecurity cannot be understated. They provide:

• Visibility: Knowing exactly what software components are in your systems.
• Security: Identifying potential security vulnerabilities within those components.
• Compliance: Ensuring all software complies with licensing and regulatory standards.

Generating an SBOM from Linux Package Managers

It is certainly possible to generate an SBOM from a Linux distribution package manager. Linux distributions such as Ubuntu, Debian, Fedora, and Arch Linux use package managers like APT, DNF, and Pacman, which can be leveraged to generate SBOMs. But how do you create an SBOM for these package managers? Below, we show an example of how to create a standards-compliant CycloneDX SBOM from the Debian and Ubuntu package manager, APT:

APT (Advanced Package Tool) is the package manager used by Debian and its derivatives like Ubuntu. To generate an SBOM, you can list all installed packages and their versions using APT commands:

dpkg -l > debian-sbom.txt

RPM-based distributions can use the following command:

rpm -qa | sort > rpm-sbom.txt

However, this is an extremely simple SBOM and certainly not compliant with the CycloneDX and SPDX standards.

Instead, here is our recipe to create a standard-compliant CycloneDX SBOM:

Install Necessary Tools First, you need to install a tool that can generate a CycloneDX SBOM from package data. There is a nice Python package that you can use, Distro2SBOM (https://pypi.org/project/distro2sbom/):

pip install distro2sbom

Generate Package List and the SBOM Use dpkg -l to generate a list of installed packages or rpm -qa | sort.

distro2sbom --distro deb --name <distro name> --release <distro release> --input-file <distrofile> --sbom cyclonedx --output-file <distrooutfile>

Example: distro2sbom --distro deb --name Debian --release 11 --input-file /tmp/debian11.list --sbom cyclonedx --output-file /tmp/debian11.json

Or you can use distro2sbom if you are on the system you want to generate the SBOM from:

distro2sbom --distro deb --system --format json --output-file /tmp/debian11.json

In case you are using AlmaLinux, there is also another project worth a try: https://github.com/AlmaLinux/alma-sbom

Running python alma_sbom.py --file-format cyclonedx-json --build-id 4372 will produce a CycloneDX SBOM as well.

Validate the SBOM Optionally, you can use the CycloneDX CLI (https://github.com/CycloneDX/cyclonedx-cli) or other tools to validate the generated SBOM file to ensure it meets the specification's standards.


cyclonedx-cli validate -i /tmp/debian11.json -o report.json

Once the validation comes out successful, you can now upload this standard-compliant SBOM to a vulnerability checking and risk factoring service, like the free service https://SBOM.sh to obtain a result like the one shown in the example below: