SBOM X-Ray Superpowers: Making Better SBOMs, Using SBOMs


Authors: Brandon Lum, Chris Phillips


The presentation discusses the importance of generating a software bill of materials (SBOM) and the challenges in keeping it trustworthy against malicious actors. The speakers suggest using metadata and attestation formats to address these challenges.
  • Generating an SBOM is important for software security and transparency
  • Scanning and pre-populating are two ways to generate an SBOM
  • Scanning has limitations in detecting malicious actors
  • Metadata and attestation formats can address these security challenges
  • Composability is important when combining SBOMs from different ecosystems
The speakers explain that scanning has limitations in detecting malicious actors, because an attacker can modify the APK database or other package metadata so that it claims a different version or package than what is actually installed. They suggest using digests and fingerprinting to detect such changes and to compare them against previous versions. They also recommend comparing the metadata against the actual files to ensure they match exactly. Additionally, they propose using attestation formats to tie in provenance and related associations in order to identify bad actors and affected documents.


Creating SBOMs (Software Bill of Materials) for our software artifacts is very important in understanding our software and responding to security attacks/vulnerabilities. However, creating SBOMs is challenging. To be effective, SBOMs must be as accurate and complete as possible, but at the same time be usable. Today, Software Composition Analysis (SCA) based SBOM generation tools strike a great balance in this regard. There are several great SCA-based SBOM generator tools today, but all of them have blind spots, such as finding an executable file that has no metadata associated with it. What if there was a way for SBOM tools to reliably fill in these gaps in order to produce a more complete SBOM? Enter the SBOM X-ray vision! In this talk, we demonstrate a novel way to peek into these opaque files through SBOM discovery and look-up. Through the use of the Rekor transparency log and In-toto attestations, we’ll show how easy it is for existing projects to share SBOM information with other projects using native CI integrations. We will then show our new superpowers in action through the Syft tool to generate more complete SBOMs!
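The two checks described above, metadata-versus-file digest comparison and looking an opaque file up by its digest, as an added Python example that is not code from the talk or from the Syft or Rekor projects. A plain dict stands in for the transparency-log lookup, and every file name, byte string and version below is constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_package_files(root: str, manifest: dict) -> list:
    """Check the digests a package database claims for its files against the
    bytes on disk; returns paths that are missing or whose content differs."""
    bad = []
    for rel, expected in manifest["files"].items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path) or sha256_file(path) != expected:
            bad.append(rel)
    return bad

def lookup_opaque_file(path: str, index: dict):
    """Identify a file with no local metadata by digest in a shared SBOM index (stand-in for a log lookup)."""
    return index.get("sha256:" + sha256_file(path))

def demo() -> dict:
    """Constructed scenario: one owned file is replaced on disk while its
    metadata is left untouched, and a stray binary is resolved by digest."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/tool": b"#!/bin/sh\necho tool v1.0\n",
                 "lib/helper.so": b"\x7fELF-helper-v1.0",
                 "opt/vendor-blob": b"opaque-binary-bytes"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # Constructed package-database entry: digest of each file it owns.
        manifest = {"name": "tool", "version": "1.0", "files": {
            rel: hashlib.sha256(files[rel]).hexdigest()
            for rel in ("bin/tool", "lib/helper.so")}}
        # Modify one owned file without touching the metadata.
        with open(os.path.join(root, "lib/helper.so"), "wb") as f:
            f.write(b"\x7fELF-helper-v1.0-modified")
        # Constructed SBOM index keyed by digest, as another project might publish it.
        index = {"sha256:" + hashlib.sha256(files["opt/vendor-blob"]).hexdigest():
                 {"name": "vendor-blob", "version": "2.3.1"}}
        return {"mismatched": verify_package_files(root, manifest),
                "opaque": lookup_opaque_file(os.path.join(root, "opt/vendor-blob"), index),
                "tool": lookup_opaque_file(os.path.join(root, "bin/tool"), index)}
```

Running `demo()` flags `lib/helper.so` as not matching its recorded digest and resolves the blob to the constructed index entry, while the file absent from the index returns `None`.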