23.06.2021
Software Bill of Materials
Shane Coughlan, General Manager of OpenChain, elaborated on this question following the National Telecommunications and Information Administration (NTIA) request to define a minimum Software Bill of Materials (SBOM). From NTIA’s SBOM FAQ, a “Software Bill of Materials (SBOM) is a complete, formally structured list of components, libraries, and modules that are required to build a given piece of software and
The New Cybersecurity Executive Order: 2021 is the Year of the SBoM
16.06.2021
Software Bill of Materials
Back in February Revenera posted a blog titled “2021 Will Be the Year of the Automated Software Bill of Materials”. That prediction got a lot closer to reality with an executive order signed by President Biden. The order—focused on cybersecurity—includes new security requirements for software vendors selling software to the U.S. government. Some of the specific requirements in the order
2021 will be the year of the automated Software Bill of Materials
08.03.2021
Software Bill of Materials
Some 80% or more of most application code in modern software comes from dependencies, code referenced and bundled to make a software package work. Dependencies can be direct or transitive, the latter being dependencies of dependencies. JavaScript repositories, for instance, have on average 10 direct dependencies and 683 transitive dependencies, GitHub’s 2020 State of the Octoverse report found.
Open source is essential. Are you addressing the hidden compliance and security costs?
18.12.2020
Software Bill of Materials
The more ubiquitous open source software becomes, the greater potential it has to bring hidden risk to organizations because of open source dependencies and their security vulnerabilities, as well as improper licensing. Those risks are the subject of a new IDC report, “Addressing the Hidden Costs of Embedding Open Source Software.” The vulnerabilities presented by open source dependencies are real, but