Open Source

Working with government and industry to put open source security tooling into practice

John Speed Meyers, Principal Research Scientist and Adolfo García Veytia, Staff Software Engineer
September 12, 2023

TL;DR: Chainguard, in cooperation with the Department of Homeland Security and other startups, has released two new open-source software bill of materials (SBOM) tools, one for SBOM format translation and the other for SBOM composition.

This week, the White House and OpenSSF are bringing together government and industry at the Securing Open Source Software Summit to discuss how private and public sector organizations can better maintain and secure open source software through initiatives that promote safer open source software consumption. To further the government’s response, DHS CISA also released a new Open Source Software Security Roadmap – which segments the problem into two main categories: vulnerabilities in critical software and supply chain integrity. 

That’s why we’re excited to announce that Chainguard, in cooperation with the U.S. Department of Homeland Security Silicon Valley Innovation Program and a number of other startups, has recently released an initial version of two new open source SBOM tools. These releases mark the halfway point in a forward-looking initiative by the Department of Homeland Security to fund the creation of open source tools that improve software supply chain security.

This effort, which focuses on software supply chain visibility, has funded seven companies, including Chainguard, to cooperate as a cohort in building new SBOM-related tools. One of these tools, protobom, is a library for SBOM format translation and was created jointly by the company cohort. Another tool, bomshell, was created by Chainguard and allows users to combine, remix, and compose SBOMs.

This post explains both tools and invites interested parties to experiment with, use and contribute back to these open source tools.

protobom: A tool to end the SBOM format wars

protobom is an open source tool for those readers who prefer to focus on software supply chain security rather than implementation details. Protobom offers a format-neutral representation of SBOM package and file data and the ability to translate this data between popular SBOM formats. The goal is for SBOM tool builders to stop sweating format-specific details and, in the long run, for SBOM users to stop worrying about which format is “better.”

For readers interested in technical details, the `protobom` GitHub repository is a protocol buffers representation of SBOM data. Consider this representation the “Switzerland” of SBOM data formats. The representation uses a node list data structure to abstract away the details of SPDX and CycloneDX. While the initial implementation is written in Go, protocol buffers support many languages and future versions of this library can potentially support other languages. There is also an initial application built using for protobom in a separate repository that is also hosted on the “bom-squad” GitHub organization created by the DHS-funded cohort of companies.

A more detailed overview of protobom and its origin story can be found here.

bomshell: Composing SBOMs has never been this much fun

Have you ever had to or wanted to combine one or more SBOMs? Unless you’re a true expert, you either wrote custom code to do this or abandoned the effort as a fool’s errand. Bomshell is intended to change that.

Bomshell is an SBOM programming interface and workbench that lets users query and remix data from SBOMs to extract and model software to generate new SBOMs that are structured and contain the data that SBOM ingestion tools expect. For instance, a user could want to combine one SBOM from a container base image and another SBOM from the application built on top of that image, combining these two related SBOMs into a single SBOM.

For readers interested in the technical details, bomshell exposes functions in CEL (Common Expresion Language) to work with SBOM documents and component data. CEL provides a familiar, C-like interface that developers can grasp quickly. The bomshell runtime can also preload SBOMs into an environment. In addition, the runtime defines system functions that programs can use to load, filter, and modify new documents.

Got SBOM tools? Now you do!

Interested readers should feel free to try out these tools, submit bug reports, make feature requests, or make contributions. Chainguard, along with other cohort companies, will be continuing to improve and expand upon these tools over the next several months.

And if you’re interested in seeing how Chainguard can aid your company’s software supply chain security journey, and particularly in how Chainguard can dramatically reduce the vulnerabilities and improve the security of your container images, please contact us.

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.