
Dr. Neil's Notes

Software Bill of Materials

Introduction

No innovation happens in isolation in the software world. Software builds upon what came before. Software also drags along historical artifacts, for example the floppy disk as a save icon. As the complexity of software grows, and the interconnectedness of software increases, so does the reliance on shared technology. Consider the entire World Wide Web, which relies on a set of protocols for data transfer that are shared by every single software application that accesses it.

In order to reduce the need for every single software application to rebuild an implementation of the basic building blocks, many code libraries are shared across thousands (or millions) of software applications. Each software application that has any level of complexity relies on code libraries, platforms, and frameworks written by other people. The full list of dependencies for a software product is known as the Software Bill of Materials (SBOM).

Licensing

Some of the libraries being used by software are commercial, and require a payment (monetary or otherwise) to use the library. Other libraries are free, and have no restrictions.

In order for a software product to be legally compliant, it is important to know that all required licenses are paid. Sometimes the cost will be a monetary fee, other times it might be an inclusion, or recognition of the authors of the component being used in the product. Some open source software components require that any software using the component is also open source.

With a full list of all dependencies, it is possible to know if the software is compliant with all the licenses required to ship that software product.

Updates

Most code libraries are being updated on a regular basis. Software is never finished, merely abandoned. Software updates typically improve functionality and performance, fix bugs, and remove security issues.

A software product should aim to keep the components it depends upon updated, to reduce the risk of security flaws and to get the benefits of the latest updates.

A full list of the components used to create the software is critical to understanding what needs updating, and deciding when to update.

The Document

A software bill of materials (SBOM) is a document that describes all the components that are used to create a software product. As the libraries being used by a software product will often also use other libraries, the software bill of materials document describes all the dependencies down the supply chain.

Also included in the SBOM document are the license information and the version of each component being used. The industry standard for an SBOM document is SPDX; more details can be found at https://spdx.dev/
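
To make the document's contents concrete, the following added example (not from the original notes or from any of the tools mentioned) reads a small constructed SPDX 2.3 JSON fragment, walks its DEPENDS_ON relationships to list direct and transitive dependencies with version and license, and flags entries that need license review. The package names and the review rule (missing license, or a GPL/AGPL license) are assumptions for illustration.

```python
import json

# Constructed SPDX 2.3 JSON fragment (package names and versions are made up).
SAMPLE_SBOM = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {"SPDXID": "SPDXRef-app",  "name": "example-app",  "versionInfo": "1.0.0", "licenseConcluded": "MIT"},
    {"SPDXID": "SPDXRef-web",  "name": "example-web",  "versionInfo": "2.4.1", "licenseConcluded": "Apache-2.0"},
    {"SPDXID": "SPDXRef-json", "name": "example-json", "versionInfo": "0.9.3", "licenseConcluded": "GPL-3.0-only"},
    {"SPDXID": "SPDXRef-zip",  "name": "example-zip",  "versionInfo": "1.2.0", "licenseConcluded": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-web"},
    {"spdxElementId": "SPDXRef-web", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-json"},
    {"spdxElementId": "SPDXRef-web", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-zip"}
  ]
}""")

def dependency_report(sbom, root_id):
    """Walk DEPENDS_ON edges from root_id; return (name, version, license, depth) rows."""
    packages = {p["SPDXID"]: p for p in sbom.get("packages", [])}
    edges = {}
    for rel in sbom.get("relationships", []):
        if rel["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    rows, seen, queue = [], {root_id}, [(root_id, 0)]
    while queue:
        spdx_id, depth = queue.pop(0)      # breadth-first: direct dependencies come first
        pkg = packages.get(spdx_id, {})
        if depth > 0:                      # the root product itself is not a dependency
            rows.append((pkg.get("name", spdx_id), pkg.get("versionInfo", "unknown"),
                         pkg.get("licenseConcluded", "NOASSERTION"), depth))
        for child in edges.get(spdx_id, []):
            if child not in seen:          # guards against dependency cycles
                seen.add(child)
                queue.append((child, depth + 1))
    return rows

def needs_license_review(rows, copyleft_prefixes=("GPL-", "AGPL-")):
    """Flag dependencies with no stated license or a copyleft license (hypothetical policy)."""
    return [name for name, _, lic, _ in rows
            if lic in ("NOASSERTION", "NONE") or lic.startswith(copyleft_prefixes)]

if __name__ == "__main__":
    report = dependency_report(SAMPLE_SBOM, "SPDXRef-app")
    for name, version, lic, depth in report:
        print(f"{'  ' * (depth - 1)}{name} {version} [{lic}]")
    print("Review:", needs_license_review(report))
```

The depth column separates direct dependencies (1) from those pulled in further down the supply chain (2 and above), which is where unreviewed licenses and stale versions tend to hide.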

A number of tools now exist to help manage and maintain the SBOM document. Ideally this would be created as part of the build in the Continuous Integration (CI) step of software production.

Microsoft has an open source project here https://github.com/microsoft/sbom-tool

FOSSA has a set of tools that can be found on their website https://fossa.com/

Conclusion

"Software is eating the world" is a statement made by Marc Andreessen in 2011. In 2023 this can be extended: the world is eating software, that is eating other software, that is eating the world.

The SBOM is your ingredients list. Would you buy, and eat, food that does not have an ingredients list? Why then do you use software that does not have an ingredients list?


Last update: August 11, 2023 23:54:47
Created: August 11, 2023 23:47:57
Authors: Neil Roodyn