By Ian Dunbar-Hall
Software security is a top priority, and understanding the components that make up your software is crucial. Software Bill of Materials (SBOMs) play a vital role in achieving this by providing a detailed list of these components and their relationships.
Today we’re announcing bomctl as a sandbox project in the OpenSSF under the Security Tooling Working Group to help users work more easily with SBOM documents.
Purpose of Bomctl
Bomctl is format-agnostic Software Bill of Materials (SBOM) tooling intended to help users retrieve, manipulate, and push multiple SBOM documents that together represent a system. The project builds on the protobom project to create a Command Line Interface (CLI) that fetches and stores all SBOM documents in a cache database. This database allows component dependencies to be managed across multiple SBOM documents, and bomctl can then export SBOMs for integration with other tools. Bomctl’s roadmap includes the ability to manipulate the component dependency tree across multiple SBOM documents with commands such as merge, redact, split, trim, and enrich using GUAC and the Transparency Exchange API. Additionally, bomctl will support OpenSSF’s SBOMit specification for verifying SBOM contents.
Origin of Bomctl
Bomctl was developed by the Security Tooling Working Group to address challenges discussed during the Secure Open Source Software Summit 2023. This summit brought together US Government officials and members of the OpenSSF to discuss the security challenges of consuming OSS in critical infrastructure sectors. Two of the challenges discussed were working across multiple SBOM formats and how best to represent complex systems. Both leading SBOM formats can represent complex systems by linking multiple SBOM documents together, but open source tooling has not caught up. For example, a Helm chart deployment may consist of a chart and multiple container images. What does an SBOM for a Helm chart look like? Bomctl seeks to provide command line tooling that helps build these relationships between SBOM documents, move these sets of documents between systems, and integrate easily with existing SBOM tooling ecosystems.
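To make the Helm chart question concrete, here is an added, illustrative example (not bomctl’s or protobom’s code): a chart SBOM that links to per-image SBOMs using CycloneDX BOM-Link URNs, held in a small in-memory cache, with a resolver that walks dependencies across documents and reports which linked documents have not been fetched yet. The documents, serial numbers and purls are constructed samples.

```python
"""Toy cross-document SBOM resolver: a chart SBOM links to per-image SBOMs with CycloneDX
BOM-Link URNs (urn:cdx:<serial-uuid>/<version>#<bom-ref>). Constructed samples; not bomctl code."""
import re

BOM_LINK = re.compile(r"^urn:cdx:(?P<serial>[0-9a-f-]{36})/\d+(?:#(?P<ref>.+))?$")

CHART_DOC = {  # constructed CycloneDX-style document, trimmed to the fields the walk needs
    "serialNumber": "urn:uuid:11111111-1111-4111-8111-111111111111",
    "metadata": {"component": {"bom-ref": "chart", "purl": "pkg:helm/demo-chart@1.0.0"}},
    "components": [
        {"bom-ref": "img-api", "purl": "pkg:oci/api@sha256:aaaa",
         "externalReferences": [{"type": "bom", "url": "urn:cdx:22222222-2222-4222-8222-222222222222/1"}]},
        {"bom-ref": "img-db", "purl": "pkg:oci/db@sha256:bbbb",
         "externalReferences": [{"type": "bom", "url": "urn:cdx:33333333-3333-4333-8333-333333333333/1"}]},
    ],
    "dependencies": [{"ref": "chart", "dependsOn": ["img-api", "img-db"]}],
}
IMAGE_API_DOC = {  # the db image's SBOM is deliberately not fetched into the cache
    "serialNumber": "urn:uuid:22222222-2222-4222-8222-222222222222",
    "metadata": {"component": {"bom-ref": "root", "purl": "pkg:oci/api@sha256:aaaa"}},
    "components": [{"bom-ref": "lib", "purl": "pkg:pypi/requests@2.31.0"}],
    "dependencies": [{"ref": "root", "dependsOn": ["lib"]}],
}

def build_cache(*docs):  # key documents by the UUID part of serialNumber, which a BOM-Link carries
    return {d["serialNumber"].split(":")[-1]: d for d in docs}

def resolve(cache, serial):
    """Follow `dependencies` within a document and type "bom" externalReferences across documents.
    Returns (sorted unique purls reached, BOM-Link URLs whose document is not in the cache)."""
    purls, missing, seen = set(), [], set()
    def walk(serial, ref=None):
        doc = cache[serial]
        root = doc["metadata"]["component"]
        comps = {**{c["bom-ref"]: c for c in doc.get("components", [])}, root["bom-ref"]: root}
        deps = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
        stack = [ref or root["bom-ref"]]
        while stack:
            cur = stack.pop()
            if (serial, cur) in seen:  # guard against diamonds and cycles
                continue
            seen.add((serial, cur))
            purls.add(comps[cur]["purl"])
            stack.extend(deps.get(cur, []))
            for ext in comps[cur].get("externalReferences", []):
                m = BOM_LINK.match(ext["url"]) if ext.get("type") == "bom" else None
                if m and m["serial"] in cache:
                    walk(m["serial"], m["ref"])  # descend into the linked document
                elif m:
                    missing.append(ext["url"])  # must be fetched before the tree is complete
    walk(serial)
    return sorted(purls), missing
```

Running `resolve(build_cache(CHART_DOC, IMAGE_API_DOC), "11111111-1111-4111-8111-111111111111")` returns the chart's full component list plus the one BOM-Link still missing from the cache.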
Bomctl focuses on supporting more complex SBOM system operations by supporting only the NTIA minimum fields, plus other fields that can be mapped between SBOM formats. It is not intended to fully support CycloneDX and SPDX, which can include additional metadata and represent multiple types of Bill of Materials. There is a need and a place for these additional capabilities, and we want to empower users to choose the SBOM format that works best for them, while also supporting users who need to work with both CycloneDX and SPDX for software supply chain security.
The protobom library provides the data model for representing and manipulating SBOM information, and bomctl wraps this library to provide a command-line utility for managing and operating on multiple documents. One objective of the bomctl project is to contribute most of the data model manipulation it implements back to the protobom project, so that all users of the protobom library can incorporate more complex operations into other projects.
Contributions From the Community
Bomctl would not exist without support from the Security Tooling Working Group. Initial contributions were made by Lockheed Martin with additional capabilities from Scribe Security and Defense Unicorns.
We want to thank the following individuals:
- Maintainers
  - Jonathan Howard @ Lockheed Martin
  - Allen Shearin @ Lockheed Martin
  - Eddie Zaneski @ Defense Unicorns
  - Ian Dunbar-Hall @ Lockheed Martin
- Guidance and Protobom Support
  - Adolfo García Veytia @ Stacklok
- Contribution of Export Capabilities
  - Mikey Strauss @ Scribe Security
- SBOM Aliasing
  - Philippe Aviles @ Lockheed Martin
- Community Support
  - Ryan Ware @ Security Tooling Working Group Chair
  - Michal Frystacky @ Lockheed Martin
- TAC Guidance
  - Marcela Melara @ Intel Labs
  - Michael Lieberman @ Kusari
A rising tide lifts all boats, and we want to acknowledge the other projects that are improving SBOM capabilities.
Get Involved
Additionally, visit the OpenSSF booth at SBOM-a-rama to talk with project maintainers, or attend the “The Current State of SBOMs for End Users” talk at SOSS Fusion.
About the Author
Ian Dunbar-Hall leads Lockheed Martin’s Open Source Program Office and is an OpenSSF Governing Board General Member Representative. He is a contributor to several OpenSSF projects and focuses on securing software supply chains.