Microsoft is open sourcing its software bill of materials (SBOM) tool Salus to help the technology industry and IT decisionmakers better understand the security of their tools and their dependencies on the software supply chain.
SBOMs have recently been given heightened importance after several high-profile cybersecurity flaws in popular software products have led to widespread exploitation and attacks. That includes Log4Shell, the critical zero-day vulnerability in Log4j that allows attackers to send a specially crafted request to a vulnerable system and execute arbitrary code and take control of the targeted system.
SBOMs, essentially a list of ingredients and software packages included in an end product, is a key requirement in President Joe Biden’s executive order on improving cybersecurity.
Microsoft calls the Salus SBOM tool a “general purpose, enterprise-proven, build-time SBOM generator” that works across Windows, Linux and Mac platforms and uses the standard Software Package Data Exchange (SPDX) format.
The company says Salus can be integrated into build workflows and auto-detect NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repositories, and more through Component Detection. Microsoft will be adding more detectors to the Component Detection tool.
Documents created by Salus contain four main sections, including document creation information that contains software name, SPDX license, SPDX version, who created the document and when it was created; a list of files that compose the piece of software; a list of packages used when building the software; and a list of relationships between the different elements of the SBOM.
The Salus SBOM tool can also reference other SBOM documents for a larger view of dependencies, according to a Microsoft blog penned by two product and program managers.
“Microsoft wants to work with the open-source community to help everyone be compliant with the Executive Order,” the pair wrote. “Open sourcing Salus is an important step towards fostering collaboration and innovation within our community, and we believe this will enable more organizations to generate SBOMs as well as contribute to its development.”