Securing the Software Supply Chain: Recommended Practices for SBOM Consumption 8
TLP: CLEAR
The SBOM may have embedded information describing how the hashing/signing method to be used
for validating the integrity and authenticity of the SBOM. The customer and supplier may also use a
pre-agreed upon method not embedded within the SBOM. If integrity and authenticity checks are
available for the SBOM Delivery method/infrastructure, it is recommended that the consumer verify
the integrity and origin of the SBOM as well. The Securing the Software Supply Chain (for the
Developer, Supplier, and Customer) guidance released by ESF recommends verifying SBOMs (e.g., for
veracity and accuracy) and resolving any mismatches prior to ingestion. This may also include
analyzing the SBOM data for completeness or “known unknowns” with intentional gaps in the
dependency tree (see section 4). Software Composition Analysis (SCA) and/or software scanning tools
may be used to determine the components of a software product or package to verify the accuracy and
veracity of an SBOM and may also be used to validate or verify VEX information in support of SCRM
risk decisions.
If the SBOM supplied to the customer is not complete, has minimal depth, or does not include
dependencies of proprietary components, adjustments to vendor contracts or other risk mitigation
steps may be warranted.
SBOM Ingestion and Management for Enterprise
Data from SBOMs feeds into many enterprise workflows, including procurement, asset management,
vulnerability management, and overarching supply chain risk management and compliance functions.
Therefore, the SBOM is often less useful as a file than as a collection of data that can be parsed,
extracted, and loaded into automated processes or systems of record. Enterprises may have multiple
options available for the consumption of SBOMs including internally developed tools/scripts, open-
sources tools, and commercial product offerings and services, as well as various combinations of these
options.
Organizations may require a data management layer to track SBOMs, map them to assets, and allow
other tools to link to and correlate with SBOM data. By enabling better and more flexible and
automatable data management, this layer can support multiple workflows and enterprise processes
including supply chain risk management, vulnerability management, future procurement analysis,
enterprise risk management and risk scoring (See Section 4 of this document for more on SBOM based
Risk Scoring). There are alternate approaches for leveraging SBOM content such as SBOM-specific
repositories, managed service models, and SBOM file-based storage and retrieval methods. As of 2023,
tools supporting SBOM data management are just beginning to emerge.
In some cases, the data can be stored adjacent to the software in question, for easier access by
scanning tools. Consumers may wish to consolidate this into SBOM repositories. For some consumers,
the software may reside on sensitive networks or on systems that do not allow for direct scanning,
such as industrial control systems.
3.1.2.1 Extraction, Transformation, and Loading of SBOMs
Extraction, Transformation, and Loading of SBOMs into enterprise processes and platforms requires a
mapping process to correlate specific components to one or more applications, systems, or endpoints.
Much of the value of these processes and platforms derives from the mapping and update functionality
that maintains the accuracy of software inventories and configurations across an enterprise. In certain
ways, SBOM data is similar to attribute data for any software asset. However, SBOM data does differ
significantly in its volume and granularity. There is more data and more detailed data per software
asset than for a conventional commercially procured software capability with no SBOM.