Microsoft released an open-source tool named Salus for generating SBOMs

Microsoft has recently released an open-source toolkit for generating Software Bills of Materials (SBOMs), which let organizations be more transparent about the supply chain relationships between the components used to build a software product. The tool, named Salus, works on Windows, Linux, and Mac and generates SBOMs based on the Software Package Data Exchange (SPDX) specification.

A Software Bill of Materials, or SBOM, is a complete inventory of a codebase, including its open source components, the license and version information for those components, and details of vulnerabilities (if any).

Reportedly, the U.S. government has made SBOMs mandatory to provide software transparency amid frequent supply chain attacks. Microsoft has decided to open-source the Salus tool to help secure supply chain networks.

Microsoft has also added that it will use this tool for general purposes and as an enterprise-proven SBOM generator that can be easily integrated into build workflows. According to the tech giant, “Microsoft wants to work with the open source community to help everyone be compliant with the Executive Order. Open sourcing Salus is an important step towards fostering collaboration and innovation within our community, and we believe this will enable more organizations to generate SBOMs as well as contribute to its development.”

Microsoft said the Salus tool will be able to auto-detect public repositories accessible on the internet such as NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, and GitHub.

The U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) has been advocating for SBOMs with new documentation that includes detailed FAQs and explainer videos.

Similarly, the Linux Foundation has released new industry research, training, and tools to enhance the use of SBOMs.
