Software Bill of Materials (SBOM) - Joel Abreu 1100774


Software Bill of Materials (SBOM) | Page 1

______________________________________________________________________

Software Bill of Materials (SBOM)

Joel E. Abreu Cohen - 1100774


_____________________________________________________________________
IDS309 – Software Architecture
Instituto Tecnológico de Santo Domingo (INTEC)
Prof. Lorenzo Solano
November 14, 2022

1. What Is a Bill of Materials (BOM)?

A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each needed to manufacture a product.

2. What is a software bill of materials (SBOM)?

A "software bill of materials" (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components. It is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artifact.

3. What are the benefits of an SBOM?

"Software bill of materials" is a term taken from the manufacturing industry; it is used to keep track of components in the software supply chain. A bill of materials is vital for security because it helps identify which parts of the system in the supply chain contain known vulnerabilities.

4. Looking at Supply Chain Management practices and theory, what would be a Software Service Bill Of Materials (SSBOM)?

It is a nested inventory, a list of parts, dependencies, and anything that makes up software components.

5. If an attacker gets your SBOM, is this a risk?

I think it can be, because this document contains almost all the software specifications and how it's built. Also, this document has been made mainly to standardize and structure all the software components, dependencies, security characteristics, and possible vulnerabilities. So, in theory, yes, it's rather a risk if it goes into the wrong hands.

6. Should the following elements be included in an SBOM? (true | false)

- Open Source Library: true

- Commercial Library: false

- Internal Library: false

- Modified Open Source Library: true

- Custom libraries developed by contractors or software company: true

7. Design a data format for SBOM (MUST be both human and machine readable)

- Take into consideration hierarchical structures (sub-SBOMs)

CycloneDX

<metadata>
  <timestamp>2020-08-02T21:27:04Z</timestamp>
  <tools>
    <tool>
      <vendor>CycloneDX</vendor>
      <name>CycloneDX Maven plugin</name>
      <version>2.0.2</version>
      <hashes>
        <hash alg="MD5">9a7ed39bba6c03f85a88fe114e24e4ad</hash>
        <hash alg="SHA-1">04b39fce560f8a9609e5b5db6e605fc2ba2c5a42</hash>
        <hash alg="SHA-256">78522e385d01fc74cb6410abb22b2b0ed9b47c1124635d955179402928820b43</hash>
        <hash alg="SHA-384">aff816bf691e4490d4e977386c21abaceb97b7ce502d88c35c52cfdb7a7e50310ecc70019582d8247a99626bc98ad16b</hash>
        <hash alg="SHA-512">500bd8dd0b821ef84c57643324e1d0eea1111aa9c7913bc35cb812f577128867c74c698b59fb603b358cc5545a708feb8dfca223023f81597658053e5317dd1a</hash>
        <hash alg="SHA3-256">9e45261eff969396b6a3e97a1ad65dced304f77765655c9a72a2904caa137a1e</hash>
        <hash alg="SHA3-384">fea472f4c2bdee7df208ad3d6a76125ce282a250eb960bc2171297a3ae2e4232b61540132b71b399e8ac6b9d0228113f</hash>
        <hash alg="SHA3-512">6ed81f58d9039e56d393165bd26c998584e364f7975e33f5c3008ac10d67ed190edcd196c5ce1554e23c4e1271f8aed631e07c3ea0de59a3457891d188e71b67</hash>
      </hashes>
    </tool>
  </tools>
  <component bom-ref="pkg:maven/io.dropwizard/dropwizard-parent@1.3.15" type="library">
    <group>io.dropwizard</group>
    <name>dropwizard-parent</name>
    <version>1.3.15</version>
    <scope>required</scope>
    <licenses>
      <license>
        <id>Apache-2.0</id>
        <url>http://www.apache.org/licenses/LICENSE-2.0</url>
      </license>
    </licenses>
    <purl>pkg:maven/io.dropwizard/dropwizard-parent@1.3.15</purl>
  </component>
</metadata>
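Added example (not part of the original assignment) showing how the CycloneDX format above serves both question 3 and question 7: it walks a constructed CycloneDX-style document whose nested <components> act as a sub-SBOM, flattens every purl, flags hash values of the wrong length for their algorithm, and matches purls against a constructed advisory map. The namespace URI is the CycloneDX 1.4 schema; the sample components, hash values and advisory identifier are placeholders.

```python
import xml.etree.ElementTree as ET
# Constructed CycloneDX-style document (not the page's own example): the metadata
# component is the product, and a library's nested <components> acts as a sub-SBOM.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4">
  <metadata>
    <component type="application" bom-ref="pkg:maven/example/app@1.0.0">
      <name>app</name><version>1.0.0</version><purl>pkg:maven/example/app@1.0.0</purl>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="pkg:maven/example/lib-a@1.3.15">
      <name>lib-a</name><version>1.3.15</version><purl>pkg:maven/example/lib-a@1.3.15</purl>
      <hashes><hash alg="MD5">00000000000000000000000000000000</hash></hashes>
      <components>
        <component type="library" bom-ref="pkg:maven/example/nested-lib@2.1.0">
          <name>nested-lib</name><version>2.1.0</version><purl>pkg:maven/example/nested-lib@2.1.0</purl>
          <hashes><hash alg="SHA-256">deadbeef</hash></hashes>
        </component>
      </components>
    </component>
  </components>
</bom>"""

NS = {"c": "http://cyclonedx.org/schema/bom/1.4"}
# Expected hex digest lengths; a hash of another length is a malformed entry.
HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-384": 96, "SHA-512": 128}
# Constructed placeholder advisory map; these are not real vulnerability records.
KNOWN_VULNERABLE = {"pkg:maven/example/nested-lib@2.1.0": "EXAMPLE-ADVISORY-0001"}

def walk_components(parent, depth=0):
    """Yield (purl, depth, bad_hash_algs) per component, recursing into sub-SBOMs."""
    for comp in parent.findall("c:component", NS):
        purl = comp.findtext("c:purl", default="", namespaces=NS)
        bad = [h.get("alg") for h in comp.findall("c:hashes/c:hash", NS)
               if len((h.text or "").strip()) != HEX_LEN.get(h.get("alg"), -1)]
        yield purl, depth, bad
        sub = comp.find("c:components", NS)
        if sub is not None:
            yield from walk_components(sub, depth + 1)

def audit(bom_xml):
    """Flatten the hierarchy; report nesting depth, malformed hashes and known-vulnerable purls."""
    root = ET.fromstring(bom_xml)
    entries = list(walk_components(root.find("c:metadata", NS)))
    entries += list(walk_components(root.find("c:components", NS)))
    return {"purls": [p for p, _, _ in entries],
            "max_depth": max(d for _, d, _ in entries),
            "bad_hashes": {p: b for p, _, b in entries if b},
            "vulnerable": {p: KNOWN_VULNERABLE[p] for p, _, _ in entries if p in KNOWN_VULNERABLE}}
```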

8. What format is defined already?

Licenses, components, sources/docs of the libraries these components use.

9. Impact (positive or negative) of SBOM in procurement processes.

The impact of getting an SBOM before an acquisition is positive because the client has a lot of information about the product they are about to acquire, so with technical resources (employees) they can analyze the viability of acquiring it or not.



10. What is the National Telecommunications and Information Administration (NTIA) (USA)?

NTIA is the Executive Branch agency that is principally responsible for advising the President on telecommunications and information policy issues.
