U.S. Department of Energy
Office of Scientific and Technical Information

SoK: A Framework for and Analysis of Software Bill of Materials Tools

Technical Report · DOI: https://doi.org/10.2172/2204407 · OSTI ID: 2204407
Modern software development has gradually become more complex, leveraging available open-source software and third-party components. This practice has raised questions about the provenance, licensing, versioning and compliance of reused code and its dependencies. Furthermore, it is particularly important to review such code fragments and third-party components for known vulnerabilities before they are included in a software product. A Software Bill of Materials (SBoM) is a mechanism to achieve such an analysis, providing transparency and visibility into a software product to both the software developer and its respective consumer. An SBoM lists information and details about all the elements constituting a piece of software and can, therefore, be used to evaluate the associated security risk. While the concept of SBoMs is growing in popularity, it is still fairly new to many organizations, causing them to potentially struggle with producing and processing SBoMs and limiting their widespread adoption. In this work, we delve into the area of SBoMs and present the state-of-the-art SBoM tools, creating a framework for analysis and categorizing them based on a diverse set of features and functionalities. We are the first to provide a detailed analysis of 83 open-source SBoM tools along with a perspective on how a potential SBoM user can select a tool based on their specific requirements. Our work aims to help promote understanding of this domain, thereby encouraging and furthering its overall adoption. We additionally seek to pave a path for future work in this area by providing recommendations to tool developers and users, researchers, and standardizing organizations.
Research Organization:
Idaho National Laboratory (INL), Idaho Falls, ID (United States)
Sponsoring Organization:
USDOE
DOE Contract Number:
AC07-05ID14517
OSTI ID:
2204407
Report Number(s):
INL/JOU--22-68388-Rev000
Country of Publication:
United States
Language:
English
