IBM Donates SBOM Code to OWASP
The Software Bill of Materials is now essential for program security, and IBM is helping by donating two open source projects to the Open Web Application Security Project.
IBM has contributed two open source projects, SBOM Utility and License Scanner, to the Open Web Application Security Project (OWASP). There they will become part of the CycloneDX project, which maintains OWASP’s flagship Software Bill of Materials (SBOM) standard.
The SBOM Utility is an API platform designed to validate CycloneDX or Software Package Data Exchange (SPDX) format SBOMs against their published schemas. It can also validate derivative, “custom” SBOM schemas that impose stricter data requirements than the base specification. In addition, it can evaluate and report on the license information of the software components, services, and data listed in an SBOM, checking them against configurable usage policies to support an organization’s risk evaluation.
SBOM Utility and License Scanner
SBOM Utility can also run queries against the contents of a CycloneDX SBOM using regular expressions (regex) and generate custom reports from the results. Additionally, it supports the work of the OWASP Software Component Verification Standard (SCVS), which is defining a BOM Maturity Model (BMM) to help organizations identify and reduce risk in the software supply chain. Finally, it can process Vulnerability Disclosure Report (VDR) and Vulnerability Exploitability eXchange (VEX) documents.
The License Scanner, on the other hand, scans files for licenses and legal terms. It identifies text-matching licenses and license exceptions from the complete published SPDX License List. License Scanner is designed to be integrated into existing SBOM software or Continuous Integration/Continuous Delivery (CI/CD) pipelines, or to be used on its own as a command-line utility. The tool matches license text against the set of SPDX license templates and returns the result as CycloneDX LicenseChoice data, which can express a license in any of three ways: an SPDX License ID, an SPDX License Expression, or a license name.
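To make the checks described above concrete, here is an added Go example, written for this article rather than taken from the SBOM Utility, License Scanner or CycloneDX code bases. It decodes a small constructed CycloneDX JSON document, enforces a few of the structural rules a schema validator applies (the bomFormat value, a specVersion, and the schema's rule that each license entry carries exactly one of a license object or an SPDX expression), flattens each component's LicenseChoice entries (SPDX id, SPDX expression or free-text name) into individual terms, and grades every component against a hypothetical allow/deny usage policy. The sample SBOM, the policy contents and the verdict labels are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of the CycloneDX JSON schema; fields this example does not need are ignored on decode.
type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Components  []Component `json:"components"`
}

type Component struct {
	Name     string          `json:"name"`
	Licenses []LicenseChoice `json:"licenses"`
}

// LicenseChoice carries one of the three CycloneDX ways of stating a license: an SPDX id or a
// free-text name under "license", or an SPDX expression. encoding/json matches field names
// case-insensitively, so the "id" and "name" keys decode into ID and Name without tags.
type LicenseChoice struct {
	License    *struct{ ID, Name string } `json:"license,omitempty"`
	Expression string                     `json:"expression,omitempty"`
}

// Policy maps an SPDX id or license name to "allow" or "deny"; unlisted terms need review.
type Policy map[string]string

// SampleSBOM is constructed for this example and describes no real project.
const SampleSBOM = `{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "golang.org/x/crypto", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
  {"type": "library", "name": "github.com/example/dual", "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
  {"type": "library", "name": "github.com/example/legacy", "licenses": [{"license": {"name": "Proprietary Vendor EULA"}}]},
  {"type": "library", "name": "github.com/example/nolicense"}]}`

// ParseBOM decodes the document and applies the structural rules a schema validator enforces
// first: bomFormat, specVersion, and exactly one of "license" or "expression" in each license
// entry (the schema's oneOf). A full validator would check the complete published schema.
func ParseBOM(data []byte) (*BOM, error) {
	var b BOM
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, err
	}
	if b.BOMFormat != "CycloneDX" || b.SpecVersion == "" {
		return nil, fmt.Errorf("bomFormat must be CycloneDX and specVersion is required")
	}
	for _, c := range b.Components {
		for _, lc := range c.Licenses {
			if (lc.License == nil) == (lc.Expression == "") {
				return nil, fmt.Errorf("component %s: license entry needs exactly one of license or expression", c.Name)
			}
		}
	}
	return &b, nil
}

// Verdict applies the policy to one component: "undeclared" when no license is stated, "deny"
// if any term is denied (deliberately conservative for OR expressions, which a human must
// resolve), "allow" if every term is allowed, otherwise "needs-review". SPDX expressions
// are split into their license terms; the AND/OR/WITH operators and parentheses are dropped.
func Verdict(c Component, p Policy) string {
	var terms []string
	for _, lc := range c.Licenses {
		if lc.License != nil && lc.License.ID != "" {
			terms = append(terms, lc.License.ID)
		} else if lc.License != nil {
			terms = append(terms, lc.License.Name)
		}
		for _, tok := range strings.Fields(lc.Expression) {
			if tok = strings.Trim(tok, "()"); tok != "" && tok != "AND" && tok != "OR" && tok != "WITH" {
				terms = append(terms, tok)
			}
		}
	}
	if len(terms) == 0 {
		return "undeclared"
	}
	verdict := "allow"
	for _, t := range terms {
		if p[t] == "deny" {
			return "deny"
		} else if p[t] != "allow" {
			verdict = "needs-review"
		}
	}
	return verdict
}

func main() {
	bom, err := ParseBOM([]byte(SampleSBOM))
	if err != nil {
		panic(err)
	}
	policy := Policy{"BSD-3-Clause": "allow", "MIT": "allow", "GPL-3.0-only": "deny"}
	for _, c := range bom.Components {
		fmt.Printf("%-32s %s\n", c.Name, Verdict(c, policy))
	}
}
```

Two design choices are worth noting. A component whose expression is "MIT OR GPL-3.0-only" is reported as "deny" even though MIT alone would be acceptable, because an OR expression records a choice the consuming organization still has to make; a policy engine that silently picked the friendlier option would hide that decision. A component with no license entry at all gets its own "undeclared" verdict rather than passing by default, since an SBOM that omits licenses is a data-quality problem in its own right.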
IBM has been using the License Scanner in its own CI/CD service, IBM Cloud’s Continuous Delivery, and in its DevOps toolchains. It has also been used in IBM’s legal clearance process for open source and corporate software. In short, it is battle-tested and ready for deployment.
Both tools are written in Go to take advantage of the language’s static typing and memory-safety features, its ability to be cross-compiled for a wide range of target platforms and architectures, and its good fit with cloud native platforms.
Andrew van der Stock, OWASP’s Executive Director, thanked IBM for these donations. Van der Stock said, “validation against defined schemas is an important integrity control, and the ability to scan code to identify licenses is critical for some use cases. For many mergers and acquisitions, being able to rapidly and accurately identify licenses present in code makes or breaks deals.”
So these donations will help not only developers looking to secure their code with SBOMs but also the top brass with their mergers and acquisitions. It is a pair of open source donations that will help everyone.