Codenotary

How to Share SBOM (Without Software Installation)

Sharing Software Bill of Materials (SBOM) is crucial for ensuring provenance in software development and supply chain management. An SBOM provides a comprehensive list of all the components and dependencies used in a software application, including their versions and sources.

This information is vital for understanding the origins and security of the software, as well as for managing vulnerabilities and ensuring compliance.


Sharing SBOMs is essential because it enables transparency and accountability in the software supply chain. By making the SBOM available to all stakeholders, including developers, vendors, and customers, it becomes easier to track and verify the components used in a software application. This helps in identifying any potential security vulnerabilities, licensing issues, or outdated dependencies that may pose risks to the software.

One of the most widely adopted formats for sharing SBOMs is CycloneDX. CycloneDX is an open standard that provides a structured and machine-readable format for representing SBOMs. It allows for easy integration with various tools and platforms, making it convenient for sharing and analyzing SBOM data.

It is natural to want to share the SBOM for your application; why else would you create one? Yet sharing is, surprisingly, the most underserved piece of SBOM tooling. So how do you share an SBOM?

To share SBOMs in CycloneDX format, you can use our free sbom.sh service. It is open source and simplifies generating and sharing SBOMs: you hand it an SBOM file over a plain HTTP POST and get a URL back, so nothing has to be installed beyond curl. It also provides a command-line interface (CLI) tool for creating SBOMs in CycloneDX format from different types of software projects.

To share an SBOM using sbom.sh, follow these steps:

  1. Have your SBOM in CycloneDX format (JSON or XML) ready in a file.
  2. Post the file to the service:

curl -d "@mySBOM.file" https://sbom.sh

     Note that curl's -d reads the file but strips carriage returns and newlines before sending; that is harmless for JSON and XML, but use --data-binary "@mySBOM.file" if you want the bytes preserved exactly as they are on disk.
  3. You receive a unique short URL back as the result, something like this:

https://sbom.sh/78389675-0358-46e5-81c7-04186dbfb8a8

  4. Share this unique URL with whoever needs access to your SBOM. The URL is the only thing that gates access: there is no login, so anyone holding the link can read your component inventory. Treat it like a bearer token and pass it on only to the people who should see it.
  5. They can now view the SBOM simply by doing:

curl https://sbom.sh/78389675-0358-46e5-81c7-04186dbfb8a8

or by opening the URL in a browser.

Voilà. You can accomplish all this in about four seconds. By sharing SBOMs in CycloneDX format with sbom.sh, you contribute to the overall security and trustworthiness of the software ecosystem: consumers can identify and address potential risks, check compliance with licensing requirements, and see what is actually in the software they run.

Remember, sharing SBOMs is not only beneficial for your own organization but also for the broader software community. It fosters collaboration, encourages best practices, and ultimately leads to more secure and reliable software applications.

But wait, there’s more!

Don't know how to generate an SBOM in CycloneDX format for your repository? Here is how to do it.

To create a CycloneDX Software Bill of Materials (SBOM) from the repository https://github.com/apache/pulsar.git, a popular Apache project built with Maven, follow these steps:

  1. Install the necessary tools:

   - Ensure you have a Java Development Kit (JDK) installed on your system.
   - Ensure Apache Maven (mvn) is installed, since the SBOM is produced by a Maven plugin.

  2. Clone the repository:

   git clone https://github.com/apache/pulsar.git

  3. Change into the cloned repository directory:

   cd pulsar

  4. Add the CycloneDX Maven plugin to the <build><plugins> section of your pom.xml (it is a build plugin, not a dependency). Pin a <version> for the plugin as you would for any build tool, so that the SBOM generator itself is reproducible:

<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <configuration>
            <projectType>library</projectType>
            <schemaVersion>1.4</schemaVersion>
            <includeBomSerialNumber>true</includeBomSerialNumber>
            <includeCompileScope>true</includeCompileScope>
            <includeProvidedScope>true</includeProvidedScope>
            <includeRuntimeScope>true</includeRuntimeScope>
            <includeSystemScope>true</includeSystemScope>
            <includeTestScope>false</includeTestScope>
            <includeLicenseText>false</includeLicenseText>
            <outputReactorProjects>true</outputReactorProjects>
            <outputFormat>all</outputFormat>
            <outputName>bom</outputName>
            <outputDirectory>${project.build.directory}</outputDirectory><!-- usually target, if not redefined in pom.xml -->
            <verbose>false</verbose><!-- = ${cyclonedx.verbose} -->
        </configuration>
    </plugin>
</plugins>


  5. Build the SBOM file:

   mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom

  6. Upload the generated SBOM to sbom.sh:
    The aggregate BOM for the whole multi-module build is written to the top-level target directory; with <outputFormat>all</outputFormat> you get both bom.json and bom.xml (the file name is lower-case, which matters on Linux).
    curl -d "@target/bom.json" https://sbom.sh

The output will be similar to this:

{"documentid":"4dca2fad-0dc8-4eda-8aa3-dc012514c580","message":"SBOM stored successfully","url":"https://sbom.sh/4dca2fad-0dc8-4eda-8aa3-dc012514c580"}
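The two upload procedures above (sharing an existing SBOM file, and uploading the Maven-generated bom.json) leave two things to the reader: making sure the file really is CycloneDX before it is posted, and giving the recipient a way to check that what they fetch from the share URL is the document you uploaded, since the URL itself carries no integrity guarantee. The following script is an added example written for this article, not code from sbom.sh or Codenotary. It assumes only what the page shows: the service accepts an HTTP POST of the file body and answers with the JSON above ({"documentid", "message", "url"}). The sample SBOM and sample response are constructed inline; the out-of-band channel for the digest (ticket, chat, signed mail) is assumed.

```python
"""Share a CycloneDX JSON SBOM via sbom.sh and let the recipient verify it.

Added example; not sbom.sh's own client. Assumes a POST of the file body and a
response of the form {"documentid": ..., "message": ..., "url": ...}.
"""
import hashlib
import json
import re
import sys
import urllib.request
from urllib.parse import urlparse

SBOM_SH = "https://sbom.sh"
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def load_cyclonedx(data: bytes) -> dict:
    """Parse bytes as CycloneDX JSON; reject anything that is not CycloneDX."""
    doc = json.loads(data)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document (bomFormat missing or wrong)")
    if "specVersion" not in doc:
        raise ValueError("specVersion missing")
    serial = doc.get("serialNumber", "")
    if serial and not serial.startswith("urn:uuid:"):
        raise ValueError(f"serialNumber is not a urn:uuid: {serial}")
    return doc


def is_valid_cyclonedx(data: bytes) -> bool:
    try:
        load_cyclonedx(data)
        return True
    except (ValueError, TypeError):
        return False


def canonical_digest(doc: dict) -> str:
    """SHA-256 over a whitespace-independent serialization.

    `curl -d @file` strips newlines before sending, so a hash of the raw file
    would not match what the recipient fetches; canonical JSON is stable.
    """
    canon = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def digest_matches(doc: dict, expected_digest: str) -> bool:
    return canonical_digest(doc) == expected_digest


def parse_share_response(body: bytes, endpoint: str = SBOM_SH) -> str:
    """Return the share URL only if it points at the endpoint we posted to
    and its path is the documentid; the URL is the sole access control, so
    never forward an unchecked one."""
    resp = json.loads(body)
    doc_id, url = resp.get("documentid", ""), resp.get("url", "")
    if not UUID_RE.match(doc_id):
        raise ValueError(f"unexpected documentid: {doc_id!r}")
    got, want = urlparse(url), urlparse(endpoint)
    if got.scheme != "https" or got.netloc != want.netloc or got.path != f"/{doc_id}":
        raise ValueError(f"share URL does not match endpoint/documentid: {url!r}")
    return url


def share(path: str, endpoint: str = SBOM_SH) -> tuple[str, str]:
    """Publisher side: validate, POST the file bytes, return (url, digest)."""
    with open(path, "rb") as f:
        data = f.read()
    doc = load_cyclonedx(data)  # fail before uploading junk
    req = urllib.request.Request(endpoint, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as r:
        url = parse_share_response(r.read(), endpoint)
    return url, canonical_digest(doc)


def verify_shared(url: str, expected_digest: str) -> dict:
    """Recipient side: fetch from the share URL and check the out-of-band digest."""
    with urllib.request.urlopen(url, timeout=30) as r:
        doc = load_cyclonedx(r.read())
    if not digest_matches(doc, expected_digest):
        raise ValueError("SBOM digest mismatch; do not trust this document")
    return doc


# Constructed sample (not a real Pulsar SBOM): a minimal CycloneDX 1.4 document.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "components": [{"type": "library", "name": "log4j-core", "version": "2.17.1",
                    "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}],
}, indent=2).encode()

# Constructed response in the shape shown on the page.
SAMPLE_RESPONSE = (b'{"documentid":"4dca2fad-0dc8-4eda-8aa3-dc012514c580",'
                   b'"message":"SBOM stored successfully",'
                   b'"url":"https://sbom.sh/4dca2fad-0dc8-4eda-8aa3-dc012514c580"}')

if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "share":
        print(*share(sys.argv[2]))
    elif len(sys.argv) == 4 and sys.argv[1] == "verify":
        verify_shared(sys.argv[2], sys.argv[3])
        print("ok")
    else:  # offline demo on the constructed data
        print(parse_share_response(SAMPLE_RESPONSE),
              canonical_digest(load_cyclonedx(SAMPLE_SBOM)))
```

Run `python share_sbom.py share target/bom.json` to publish and print the URL plus the digest; hand both to the consumer, who runs `python share_sbom.py verify <url> <digest>`. The digest is computed over canonical JSON rather than the raw bytes deliberately: it survives the newline stripping that `curl -d` performs and any re-serialization the service might do, while still detecting any change to a component, version or purl.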

Please be aware that different SBOM tools generate SBOM files of very different quality. Some miss direct or transitive dependencies; others go further and add vulnerability data, or even VEX (Vulnerability Exploitability eXchange) information, to the SBOM.

One of the most advanced platforms that supports high-quality SBOM generation together with VEX is Codenotary Trustcenter/Enterprise. You can test it yourself during a free 30-day evaluation.

And now share the XML variant too: curl -d "@target/bom.xml" https://sbom.sh