GitHub Provides Self-Service SBOMs
Written by Nikos Vaggalis
Monday, 03 April 2023
In another attempt to secure the precious software supply chain, GitHub has released a new Export SBOM feature that generates an NTIA-compliant software bill of materials (SBOM) on demand. The supply chain security aspect aside, this feature will also make it easier for software providers to comply with US Executive Order 14028 on improving the nation's cybersecurity, which introduced the requirement to provide SBOMs.

Now, with a single click, anyone with read access to a GitHub cloud repository can generate an NTIA-compliant SBOM in SPDX format. That is only one part of the equation, since generating SBOMs is not really that difficult any more; the other part is what you do with it afterwards.

An SBOM in a standardized format can be used as input to a variety of tools, as we discovered in Track Open Source Vulnerabilities With Google's OSV Database, a service run by the Google Security team. Google Security used SBOMs as queries against the OSV database to find vulnerabilities in open source software; the components were mapped onto a list of known vulnerabilities so that it was clear which of them could pose a threat. The advantage of connecting these two sources of information was that consumers could know not just what is in their software but also its risks and whether they need to remediate any issues.

GitHub enables similar functionality by letting you upload your SBOMs to the Dependency Graph service, which then scans your dependencies for known vulnerabilities and raises Dependabot alerts if any are present.

With that said, you can generate your SBOMs using the new Export SBOM button found in the repository's Dependency graph menu. Or, if you don't like GUIs, you can do the same from the command line using the SBOM gh CLI extension. But GitHub has not stopped at the export functionality. It has also introduced a GitHub Action which bakes SBOM generation into the repository's CI deliverables.
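To show what "what you do with it afterwards" looks like in practice, here is an added example (not code from the article or from GitHub) that reads an SPDX 2.3 JSON document of the shape the Export SBOM feature produces, checks it against the NTIA minimum elements (SBOM author and timestamp; per component a name, version, unique identifier and dependency relationship), and builds the request body for OSV's batch query endpoint from the components' Package URLs. The SBOM embedded below is constructed for the example, with invented package names and versions; the OSV call itself is not made, so the script runs offline.

```python
"""Check an SPDX JSON SBOM for NTIA minimum elements and build an OSV query.

Added example: the SAMPLE_SBOM document is constructed, not a real export.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed SPDX 2.3 JSON document shaped like a GitHub Export SBOM; the
# packages, versions and namespace are invented for this example.
SAMPLE_SBOM = """{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "com.github.example-org/example-app",
  "documentNamespace": "https://example.invalid/sbom/example-app",
  "creationInfo": {"created": "2023-04-03T09:00:00Z",
                   "creators": ["Tool: example-sbom-tool"]},
  "packages": [
    {"name": "com.github.example-org/example-app", "SPDXID": "SPDXRef-root",
     "versionInfo": "", "downloadLocation": "git+https://example.invalid/example-app"},
    {"name": "npm:lodash", "SPDXID": "SPDXRef-npm-lodash", "versionInfo": "4.17.20",
     "downloadLocation": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
    {"name": "pip:requests", "SPDXID": "SPDXRef-pip-requests", "versionInfo": "2.25.1",
     "downloadLocation": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/requests@2.25.1"}]},
    {"name": "npm:left-pad", "SPDXID": "SPDXRef-npm-left-pad",
     "downloadLocation": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-root",
     "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-root", "relatedSpdxElement": "SPDXRef-npm-lodash",
     "relationshipType": "DEPENDS_ON"},
    {"spdxElementId": "SPDXRef-root", "relatedSpdxElement": "SPDXRef-pip-requests",
     "relationshipType": "DEPENDS_ON"},
    {"spdxElementId": "SPDXRef-root", "relatedSpdxElement": "SPDXRef-npm-left-pad",
     "relationshipType": "DEPENDS_ON"}
  ]
}"""


def load_sbom(text: str) -> dict[str, Any]:
    """Parse SPDX JSON and reject anything that is not an SPDX 2.x document."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    return doc


def purl_of(pkg: dict[str, Any]) -> str | None:
    """Return the package's Package URL from its externalRefs, if present."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def ntia_gaps(doc: dict[str, Any]) -> list[str]:
    """List NTIA minimum-element fields that are missing from the document.

    The root package the document DESCRIBES is exempt from the version and
    identifier checks, since it is the repository itself rather than a dependency.
    """
    gaps: list[str] = []
    info = doc.get("creationInfo", {})
    if not info.get("creators"):
        gaps.append("document: no SBOM author (creationInfo.creators)")
    if not info.get("created"):
        gaps.append("document: no timestamp (creationInfo.created)")
    rels = doc.get("relationships", [])
    described = {r["relatedSpdxElement"] for r in rels
                 if r.get("relationshipType") == "DESCRIBES"}
    related = {r["spdxElementId"] for r in rels} | {r["relatedSpdxElement"] for r in rels}
    for pkg in doc.get("packages", []):
        spdx_id = pkg.get("SPDXID", "?")
        name = pkg.get("name") or spdx_id
        if not pkg.get("name"):
            gaps.append(f"{spdx_id}: no component name")
        if spdx_id not in described:
            if not pkg.get("versionInfo"):
                gaps.append(f"{name}: no version")
            if purl_of(pkg) is None:
                gaps.append(f"{name}: no unique identifier (purl)")
        if spdx_id not in related:
            gaps.append(f"{name}: not in any relationship")
    return gaps


def osv_batch_query(doc: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Build the body for OSV's POST /v1/querybatch from the SBOM's purls.

    Returns (payload, skipped). Packages without a purl cannot be matched
    reliably, so they are reported in `skipped` instead of silently dropped.
    Sending the request is left to the caller; this function stays offline.
    """
    queries: list[dict[str, Any]] = []
    skipped: list[str] = []
    for pkg in doc.get("packages", []):
        purl = purl_of(pkg)
        if purl:
            queries.append({"package": {"purl": purl}})
        else:
            skipped.append(pkg.get("name", pkg.get("SPDXID", "?")))
    return {"queries": queries}, skipped


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for gap in ntia_gaps(sbom):
        print("NTIA gap:", gap)
    payload, skipped = osv_batch_query(sbom)
    print(json.dumps(payload, indent=2))
    print("not queried (no purl):", skipped)
```

Run against the constructed document, the gap check flags only the left-pad entry (no version, no purl), and the OSV payload carries two queries while listing the root package and left-pad as skipped; that skipped list is the part worth watching in a real pipeline, because a component that never reaches the vulnerability database is a blind spot rather than a clean result.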
These functionalities are free in all of the GitHub cloud repositories as part of GitHub's contribution to the initiative of strengthening the software supply chain. It is reassuring to watch the big players starting to take the issue more seriously, as the latest SLSA survey has revealed, and GitHub is certainly taking a step in the right direction.
More Information
Introducing self-service SBOMs
Using the Dependency submission API

Related Articles
Track Open Source Vulnerabilities With Google's OSV Database
Sigstore Java - Sign And Verify Your Java Builds
Surveying Software Supply Chain Security
jbom - Dependency Analysis For Java Apps
Last Updated (Monday, 03 April 2023)