Working With APIs to Automate SBOM Management
Posted in Security
Vyom Srivastava, October 20, 2022

A software bill of materials (SBOM) is a list of all open-source and commercial software dependencies used in an application. An SBOM is very similar to the hardware bill of materials (HBOM) that manufacturers generate for a device. SBOMs can be very detailed and include patching, sourcing, and licensing information for every library used in developing the software. But at the very least, an SBOM should include a standard name and version for every library, package, and other piece of third-party software included in an implementation.

What Should an SBOM Contain?

A modern piece of software typically contains multiple libraries, packages, and even third-party APIs. To keep track of all those components, we need an SBOM that details each of them. SBOMs are becoming more commonplace, since the Executive Order on Improving the Nation's Cybersecurity makes supplying an SBOM a requirement for software suppliers working with the US government. Some of the essential information an SBOM should contain includes:

Open Source Components

Software may contain one or more open-source components; these packages shorten development time and help reduce the software's development cost. As a result, the use of open-source software is highly prevalent across organizations. Thus, it is vital for an SBOM to contain a list of all open-source components so that consumers understand the attack surface they inherit.

Open Source Versions

Just listing the open-source components won't help much on its own. For example, version 1.0 of an open-source component might contain bugs that were fixed in version 2.0. Open-source projects often support several versions at once, so an SBOM should also record the exact version in use to ensure consumers understand the nuances of the component they are utilizing.
Open Source Licenses

Many open-source licenses exist, such as MIT, Apache, GNU, and others. Each of these licenses has its own terms that software using the component must comply with. So just stating that a component is "open-source" doesn't make it trustworthy; it needs to also meet specific criteria. Thus, the SBOM should contain the name of the license each open-source component uses.

Open Source Vulnerabilities

At the end of 2021, an infamous software supply chain vulnerability was found in the widely used Log4j library. When it was discovered, many companies and developers started to panic. Soon it became a race between attackers attempting to exploit the vulnerability and developers pushing fixes to plug the hole. This event is a core reason why SBOMs have risen in importance. Thus, an SBOM should disclose the common vulnerabilities and exposures (CVEs) known to affect each software package.

How to Automatically Generate an SBOM?

This tutorial will cover how to generate an SBOM for your Node.js APIs. So, open your terminal and follow the steps below.

Step 1: Open the Project Directory in Terminal

To open the project folder in your terminal, use the command below:

cd PATH_OF_YOUR_PROJECT

Step 2: Installing the Dependencies

Once you have opened the folder, you must install some dependencies to automatically generate the SBOM. We'll use the CycloneDX generator, which is one of the most popular SBOM generators available. Use the commands below to install the generator and the viewer used in step 4:

npm install -g @cyclonedx/bom
npm install -g viewbom

Step 3: Generating the SBOM

To generate the SBOM, use the command below:

npx @cyclonedx/bom . -o bom.json

Code Explanation: This command generates a simple SBOM in CycloneDX JSON for your Node.js API. It lists all the dependencies and their versions, each with a short description. In your project root, you should see a new file called bom.json. This is the SBOM of your project.
If you open it in VS Code, you will see the generated JSON. It should run to about 3000-4000 lines, depending on the size of the project and the number of packages it uses.

Step 4: Generating a Web Page for Your SBOM

The SBOM generated in the step above can be understood by a developer but not by a non-technical person. So, it might be a good idea to create a web page for our SBOM. As you noticed in step 2, we also installed a package called viewbom. This package creates an HTML version of our JSON SBOM. Use the command below to convert the JSON to HTML:

npx viewbom bom.json bom.html

Now there is one more file in your project root, called bom.html. Open it in a browser to view the rendered SBOM. Note: your page will not be an exact replica of the example project's, because the packages used will differ.

We've shown how to generate an SBOM automatically for a Node.js project. Now, let's consider one method for automatically sharing and modifying SBOMs using APIs.

What is SBOM Hub?

SBOM Hub is a tool that allows developers, product owners, or ordinary users to easily discover, upload, and publish SBOMs on the internet. Once you have generated a JSON or XML formatted SBOM for your application, you can use RKVST SBOM Hub to publish and share it with partners. You can also use it to check the SBOMs published by other organizations. RKVST SBOM Hub also comes with API endpoints to automate these processes.

Features of RKVST SBOM Hub:

The tool is free to use.
You can find many pre-existing SBOMs that you can use as templates.
API calls are authenticated (uploads require a bearer token).
You can create a private as well as a public repository.
It also automatically validates your SBOM.

Example API Calls

Here are some example calls that showcase working with the RKVST SBOM Hub API.
Fetching Metadata for Public SBOMs

To fetch metadata for public SBOMs, make a GET request to this endpoint:

https://sbom.rkvst.io/archivist/v1/sboms/-/metadata?trusted=TRUSTEDSTATUS_UNSPECIFIED&lifecycle_status=LIFECYCLESTATUS_UNSPECIFIED&privacy=PRIVATESTATUS_UNSPECIFIED

The response is a JSON list of metadata records for the matching SBOMs.

Fetching the SBOM for a Specific uuid

Make a GET request to the following URL to retrieve a single SBOM by its uuid:

https://sbom.rkvst.io/archivist/v1/sboms/{uuid}

Uploading an SBOM to the RKVST Hub

You first need to create an account and then obtain API credentials by applying under your profile. Once you're done, copy your client_id and client_secret and use them to obtain a bearer token (stored in a file called .token in the example below). After that, make a POST request to the following endpoint with the authorization header and the file to upload:

https://sbom.rkvst.io/archivist/v1/sboms?privacy=PRIVATE&sbomType=cyclonedx-json

Here's the sample curl request:

curl -X POST -H "Authorization: Bearer $(cat .token)" -F "sbom=@file-bom.json" "https://sbom.rkvst.io/archivist/v1/sboms?privacy=PRIVATE&sbomType=cyclonedx-json"

You should see a response similar to the one below:

{
  "identity": "sboms/3e8f4700-6eeb-4aca-bff9-7c5d72cb3670",
  "authors": [],
  "supplier": "",
  "component": "test-api",
  "version": "1",
  "hashes": [],
  "unique_id": "urn:uuid:d6aa76fa-e488-480d-9ad0-f67765dfd015",
  "upload_date": "2022-23-08T16:28:08Z",
  "uploaded_by": "",
  "trusted": false,
  "lifecycle_status": "ACTIVE",
  "withdrawn_date": null,
  "published_date": null
}

If you run into any issues or want to explore further, consult the RKVST SBOM Hub documentation.

Final Words

Creating an SBOM is not a very difficult task; many online tools can generate one automatically. What matters is that your project meets a defined standard and is built from high-quality components. Having detailed SBOMs leaves users with a good impression that your organization's software has integrity and meets high standards.