VeriBOM User Guide
  • Getting Started
    • Introduction
    • Signup up for VeriBOM as an Organization
    • Login to VeriBOM as an Organization
  • SBOM Concepts
  • Product Management
    • Adding Product
    • Editing Product
    • Deletion of Product
    • Additional Notes
  • Connection Management
    • Adding Connection as Publisher
    • Adding Connection as Auditor
    • Editing Connection
    • Deletion of Connection
  • Project and SBOM Management
    • Adding Project
    • Scan Sources Integration
      • Source Code Upload
      • SCM Integration - GitHub
      • Container Image Scanning
      • CI/CD Integration - Jenkins
      • Container Orchestration Platforms
    • Initiating SBOM Scans
    • Publishing SBOMs
    • Editing Project
    • Deletion of Project
  • User Management
    • Adding User
    • Editing User
    • Deletion of User
  • Roles and Permissions Management
    • Predefined Roles and Permission
    • Custom Roles and Permission
      • Permissions Hierarchy
  • Organization Types
    • Sending Invitation Request to Organization From Partner Portal
    • Sending Invitation Request to Partner From Partner Portal
    • Free Publisher
    • Publisher
    • Auditor
  • Appendices
    • Contact Information
    • Glossary
    • Troubleshooting
    • Frequently Asked Questions (FAQ)
    • VeriBOM Video Guides
    • Best Practices
    • References
    • Supported Languages and Manifests
Powered by GitBook
On this page

SBOM Concepts

An SBOM is a structured document that provides a comprehensive list of software components used in a particular project or application. The components typically included in an SBOM are:

  1. Software Components: These are the building blocks of your application and include libraries, frameworks, modules, and other software entities.

  2. Version Information: Each software component's version is documented to track updates and potential vulnerabilities.

  3. Licensing Information: This section specifies the licenses associated with each software component, ensuring compliance with licensing agreements.

  4. Dependencies: Identifying the dependencies between software components is crucial for understanding how they interact within the application.

  5. Relationships: Understanding the relationships between components aids in managing dependencies and assessing the impact of changes.

Accurately identifying software components is fundamental to creating a reliable SBOM. Here are steps to help identify these components:

  1. Static Analysis: Employ static analysis tools to scan source code, binaries, and container images for software components. These tools can identify libraries, modules, and their versions.

  2. Metadata Examination: Explore metadata files within your project to find information about included software components. Common files to check include package.json, requirements.txt, and pom.xml.

  3. Container Inspection: When dealing with containerized applications, inspect the container image to extract details about the software components it contains.

  4. Code Repositories: If your project relies on code repositories, examine commit histories and package manifests to identify components and their versions.

Versioning and Licensing Information

Maintaining versioning and licensing information within your SBOM is crucial for both security and compliance. Here's how to handle this information effectively:

  1. Version Tracking: Keep a record of software component versions to monitor updates and address vulnerabilities promptly.

  2. License Documentation: Clearly document the licenses associated with each component. Ensure that your application complies with these licenses.

  3. License Analysis: Use automated tools or services to analyze licensing information and detect any conflicts or non-compliance issues.

Dependencies and Relationships

Understanding dependencies and relationships between software components is essential for managing your application effectively.

  1. Dependency Mapping: Create a map of dependencies to visualize how different components rely on each other. This aids in identifying potential points of failure.

  2. Impact Assessment: Assess the impact of changes to one component on the entire system. This helps in making informed decisions during updates or modifications.

  3. Relationship Documentation: Document relationships between components, such as parent-child relationships or interdependencies. This information enhances your understanding of the software architecture.

By comprehensively addressing these aspects of SBOM content, your organization can effectively manage software components, track version updates, ensure licensing compliance, and mitigate security and compliance risks. This knowledge is invaluable for making informed decisions about your software ecosystem.

Understanding SBOM Completeness and Dependencies

A critical aspect of SBOM generation is ensuring completeness and understanding software dependencies. An SBOM must accurately reflect all software components and their dependencies.

  1. Completeness: SBOM completeness involves capturing all the components, libraries, and dependencies used within a project. An incomplete SBOM can lead to security vulnerabilities and compliance issues.

  2. Dependencies: Software components often rely on other components. Understanding these dependencies is vital for managing potential risks and ensuring efficient software maintenance.

Fixing Exceptions and Bugs in SBOMs

During SBOM generation, it's common to encounter exceptions or bugs. These may include missing components, incorrect versions, or other issues.

  1. Exception Identification: VeriBOM identifies exceptions and bugs within the generated SBOM, highlighting areas that require attention.

  2. Resolution: Users with appropriate permissions can review exceptions and take corrective actions, such as updating component information, resolving version conflicts, or adding missing components.

Understanding SBOM completeness, dependencies, and how to address exceptions and bugs is crucial for maintaining the accuracy and reliability of your SBOMs. This knowledge empowers your organization to make informed decisions regarding software security, compliance, and risk management.

By comprehensively addressing these aspects of SBOM content, your organization can effectively manage software components, track version updates, ensure licensing compliance, and mitigate security and compliance risks. This knowledge is invaluable for making informed decisions about your software ecosystem.

PreviousLogin to VeriBOM as an OrganizationNextProduct Management

Last updated 1 year ago