Building a software Bill of Materials with Black Duck

In an effort to secure the software supply chain, Black Duck SBOM export capabilities now comply with the NIST standards in Executive Order 14028.


A necessary step in securing an application is evaluating the supply chain of each component used to create the application, no matter how many hands were involved in its development. If any links in the supply chain are obscured, it can be difficult to confidently assess the amount of risk that an application is susceptible to. By building a software Bill of Materials (SBOM), a development organization provides the necessary information that enables the consumers of its software to understand the risk associated with a particular application, and react accordingly to security breaches and policy violations. 

Meeting NIST standards with Black Duck SBOM export utility

Black Duck® is now making it easier for users to secure the software supply chain with an update to its SBOM export utility. The utility now exports Software Package Data Exchange (SPDX) 2.2, which has since become the ISO standard ISO/IEC 5962:2021, and it populates the fields necessary to comply with the NIST standards referenced in Executive Order 14028. This executive order is geared toward providing more transparency between the government and the private sector with respect to software security. One of the steps to achieving this transparency is requiring vendors to provide SBOMs to the purchasers of their products in a standard, machine-readable format. As defined by NIST, the SPDX format meets these needs.

Exporting an SBOM in SPDX

Using the Black Duck utility to export an SBOM in the SPDX format is done in three easy steps:

  1. Install the SPDX export script using a simple pip3 command.
  2. Set two environment variables to reference your Black Duck instance and API token.
  3. Run the export script, with the addition of two positional arguments.

After running the script, you’ll be able to see the SPDX output file in your current working directory, which you can view using any JSON viewing tool. However, most users will automate this process as part of their pipeline and archive the SPDX output to be distributed later to comply with industry regulations, fulfill contractual obligations, or simply keep an internal inventory of software assets.  
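Once the SPDX file is archived, the consumer side of the supply chain usually wants to confirm that the export actually carries the minimum elements NIST points to (supplier, component name, version, unique identifiers, dependency relationships, SBOM author, timestamp) before relying on it. The following Python check is an added example and is not Black Duck's utility or any Synopsys code; the SPDX 2.2 JSON document embedded in it is constructed for illustration and deliberately includes one package with gaps, so the check has something to report.

```python
"""Added example (not Black Duck or Synopsys code): check an SPDX 2.2 JSON
SBOM for the NTIA minimum elements that EO 14028 points to.
The sample document below is constructed, not real Black Duck output."""
import json
from typing import Dict, List

# Constructed SPDX 2.2 JSON document shaped like an SBOM export.
SAMPLE_SBOM = """{
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-1.0.0",
  "documentNamespace": "https://example.invalid/spdx/example-app-1.0.0",
  "creationInfo": {
    "created": "2022-01-01T00:00:00Z",
    "creators": ["Tool: example-sbom-exporter", "Organization: Example Corp"]
  },
  "packages": [
    {"name": "example-app", "SPDXID": "SPDXRef-app", "versionInfo": "1.0.0",
     "supplier": "Organization: Example Corp", "downloadLocation": "NOASSERTION"},
    {"name": "left-pad", "SPDXID": "SPDXRef-leftpad", "versionInfo": "1.3.0",
     "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/left-pad@1.3.0"}]},
    {"name": "mystery-lib", "SPDXID": "SPDXRef-mystery", "downloadLocation": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-leftpad"}
  ]
}"""

# SPDX external reference types that act as "other unique identifiers".
UNIQUE_ID_TYPES = {"purl", "cpe22Type", "cpe23Type"}


def check_minimum_elements(doc: dict) -> Dict[str, List[str]]:
    """Return {area: [findings]}; an empty list means that area passed."""
    findings: Dict[str, List[str]] = {"document": [], "packages": [], "relationships": []}

    # Author of SBOM data and timestamp live in creationInfo.
    info = doc.get("creationInfo", {})
    if not info.get("creators"):
        findings["document"].append("creationInfo.creators missing (author of SBOM data)")
    if not info.get("created"):
        findings["document"].append("creationInfo.created missing (timestamp)")

    rels = doc.get("relationships", [])
    # The root component(s) are whatever the document DESCRIBES.
    described = {r.get("relatedSpdxElement") for r in rels if r.get("relationshipType") == "DESCRIBES"}
    if not described:
        findings["relationships"].append("document DESCRIBES no package")
    linked = {r.get("relatedSpdxElement") for r in rels} | {r.get("spdxElementId") for r in rels}

    for pkg in doc.get("packages", []):
        label = pkg.get("name") or pkg.get("SPDXID") or "<unnamed>"
        if not pkg.get("name"):
            findings["packages"].append(f"{label}: name missing (component name)")
        if not pkg.get("versionInfo"):
            findings["packages"].append(f"{label}: versionInfo missing (component version)")
        supplier = pkg.get("supplier")
        if not supplier or supplier == "NOASSERTION":
            findings["packages"].append(f"{label}: supplier missing or NOASSERTION (supplier name)")
        # Third-party packages should carry a purl or CPE; the root application
        # is exempt because it normally has no registry identifier.
        ref_types = {r.get("referenceType") for r in pkg.get("externalRefs", [])}
        if pkg.get("SPDXID") not in described and not (ref_types & UNIQUE_ID_TYPES):
            findings["packages"].append(f"{label}: no purl/CPE external reference (unique identifier)")
        # Dependency relationship: every package must appear in the graph.
        if pkg.get("SPDXID") not in linked:
            findings["relationships"].append(f"{label}: not linked by any relationship")
    return findings


def check_sbom_text(text: str) -> Dict[str, List[str]]:
    """Parse an SPDX JSON string and run the minimum-element checks."""
    return check_minimum_elements(json.loads(text))


def is_compliant(findings: Dict[str, List[str]]) -> bool:
    """True only when no area produced a finding."""
    return not any(findings.values())


if __name__ == "__main__":
    result = check_sbom_text(SAMPLE_SBOM)
    for area, items in result.items():
        for item in items:
            print(f"[{area}] {item}")
    print("compliant:", is_compliant(result))
```

Point `check_sbom_text` at the exported file's contents in the pipeline step that archives the SBOM, and fail the job when `is_compliant` returns False; on the constructed sample it reports the unasserted supplier for left-pad and the missing version, supplier, identifier and relationship for mystery-lib.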

This utility is available free of charge for all Black Duck users running version 2020.10.0 or later. 

Learn more

For more information on the Black Duck SBOM export utility, including a step-by-step tutorial, visit the related Synopsys community article. You can also visit our website to learn more about Black Duck composition analysis.  

Posted by Mike McGuire

Mike McGuire is a product marketing manager at Synopsys where he is focused mainly on the Black Duck software composition analysis tools and audit services. After beginning his career as a software engineer, Mike transitioned into product management and marketing roles, as he enjoyed interfacing with the buyers and users of the products he worked on. Leveraging several years of development experience, Mike enjoys connecting the market’s complex AppSec problems with Synopsys’ comprehensive solutions.
