Open Source Summit Europe 2022

The potential of SBOMs to track vulnerabilities is widely recognized. Open source tools capable of creating SBOMs exist in abundance. However, many of these tools are inventorying software post-build, which relies on heuristics and can result in missing build and dependency metadata which limits the compliance and security benefits of an SBOM. Software is modular in nature - each component has its lifecycle and our SBOM creation and management should represent the modular nature of the whole. What if instead of relying on post-build tools we utilized a sum-of-parts approach to create component level Micro-SBOMs that could be stitched together to create one high-level SBOM? We refer to the process of taking one or more Micro-SBOMs describing some component of the same top level software and transforming them into a single SBOM as "composing". Instead of asking SBOM consumers to open hundreds of fragmented Micro-SBOMs, we’re working on a tool that can do the composing for us. In this talk we will share details on why post-build scanning isn’t sufficient for producing accurate SBOM, discuss operationalisation of SBOMs and motivate the need for more modular SBOM composition. We will demo our proof-of-concept SPDX SBOM composition tool and invite your feedback and collaboration.