ENSIKLOPEDIA

Tekan Enter untuk memulai pencarian cepat.

Kembali ke Ensiklopedia Arsip Wikipedia Indonesia

Software bill of materials

Software supply chain

Tools used to make software

A software supply chain is the components, libraries, tools, and processes used to develop, build, and publish a software artifact.^[1]

A software bill of materials (SBOM) declares the inventory of components used to build a software artifact, including any open source and proprietary software components.^[2]^[3] It is the software analogue to the traditional manufacturing BOM, which is used as part of supply chain management.^[4]

Software supply chain attacks compromise an upstream component — such as a widely-used library, a build tool, or a distribution channel — in order to simultaneously affect all downstream users of that component. High-profile incidents such as the SolarWinds attack illustrated the scale and reach of such attacks. Researchers have catalogued the attack surface into a taxonomy covering all stages from source-code contribution to package distribution, linking attack vectors to real-world incidents and corresponding safeguards.^[5]

Another important concept in software supply chains is provenance: signed attestations can record where a software artifact came from, which source and dependencies were used, and which steps in the build pipeline produced it. Provenance frameworks such as in-toto help downstream users verify that a release was built by an expected process and help detect tampering between source retrieval, build, and distribution.^[6]

Usage

An SBOM allows builders to make sure open-source and third-party software components are up to date and respond quickly to new vulnerabilities.^[7] Buyers and other stakeholders can use an SBOM to perform vulnerability or license analysis, which can be used to evaluate and manage risk in a product.^[8]^[9]^[10]

While many companies use a spreadsheet for general BOM management, there are additional risks and issues in an SBOM written to a spreadsheet, such as the inability to automatically enrich it with vulnerability data or integrate it into security toolchains.^[11] It is best practice for SBOMs to be collectively stored in a repository that can be part of other automation systems and easily queried by other applications.^[12]

Cybersecurity transparency studies, including TRACS 2025, identify the availability of SBOMs as one of the criteria used when purchasing information security solutions.^[13] However, not all enterprise security products provide publicly available SBOMs. Research on open-source ecosystems indicates that policy-driven SBOMs remain rare in practice: one large-scale study found that only about 0.56% of popular GitHub repositories contain SBOMs created in accordance with formal security or compliance policies.^[14] Also, according to other research, fewer than half of tested software projects include SBOMs in their releases, and many of those SBOMs are incomplete or do not fully conform to established standards.^[15] At the same time, corporate-level surveys report that approximately 60–76 % of enterprises require SBOMs from suppliers or have integrated SBOMs into procurement and supply-chain risk management processes.^[16]

Legislation

The Cyber Supply Chain Management and Transparency Act of 2014^[17] was a failed piece of US legislation (bill) that proposed to require government agencies to obtain SBOMs for any new products they purchase and to obtain SBOMs for "any software, firmware, or product in use by the United States Government". The act spurred later legislation such as "Internet of Things Cybersecurity Improvement Act of 2017."^[18]^[19]

US President Joe Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity of May 12, 2021 ordered NIST and NTIA to lay down guidelines for software supply chain management, including for SBOMs.^[20] The NTIA outlines three broad categories of minimum elements of SBOMs: data fields (baseline information about each software component), automation support (the ability to generate SBOMs in machine- and human-readable formats), and practices and processes (how and when organizations should generate SBOMs).^[21] The "automation support" requirement specifies the need for "automatic generation," which is possible with the use of Software Composition Analysis (SCA) solutions.^[22]

References

↑ "For Good Measure Counting Broken Links: A Quant's View of Software Supply Chain Security" (PDF). USENIX ;login. Archived (PDF) from the original on 2022-12-17. Retrieved 2022-07-04.
↑ "[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management". Archived from the original on 2015-06-14. Retrieved 2015-06-12.
↑ "Software Bill of Materials". ntia.gov. Archived from the original on 2022-11-30. Retrieved 2021-01-25.
↑ "Code, Cars, and Congress: A Time for Cyber Supply Chain Management". Archived from the original on 2014-12-30. Retrieved 2015-06-12.
↑ Ladisa, Piergiorgio; Plate, Henrik; Martinez, Matias; Barais, Olivier (2023). "Taxonomy of Attacks on Open-Source Software Supply Chains". 2023 IEEE Symposium on Security and Privacy (SP). pp. 1509–1526. doi:10.1109/SP46215.2023.00052. {{cite conference}}: Unknown parameter |booktitle= ignored (|book-title= suggested) (help)
↑ Torres-Arias, Santiago; Chase, Newlin; George, Bo; Cappos, Justin (2019). "in-toto: Providing farm-to-table guarantees for bits and bytes". 28th USENIX Security Symposium (USENIX Security 19). USENIX Association. pp. 1393–1410. Retrieved 2026-05-14. {{cite conference}}: Unknown parameter |booktitle= ignored (|book-title= suggested) (help)
↑ "Software Bill of Materials improves Intellectual Property management". Embedded Computing Design. Archived from the original on 2018-08-25. Retrieved 2015-06-12.
↑ "Appropriate Software Security Control Types for Third Party Service and Product Providers" (PDF). Docs.ismgcorp.com. Archived (PDF) from the original on 2023-01-19. Retrieved 2015-06-12.
↑ "Top 10 2013-A9-Using Components with Known Vulnerabilities". Archived from the original on 2019-10-06. Retrieved 2015-06-12.
↑ "Cyber-security risks in the supply chain" (PDF). Cert.gov.uk. Archived from the original on 2023-06-06. Retrieved 2020-07-28.
↑ Fucci, Davide; Di Penta, Massimiliano; Romano, Simone; Scanniello, Giuseppe (2025). "Augmenting Software Bills of Materials with Software Vulnerability Description: A Preliminary Study on GitHub". Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering. pp. 631–635. doi:10.1145/3696630.3728513. ISBN 979-8-4007-1276-0.
↑ "Re: McAfee's comments in response to NTIA's Request for Information (RFI) on "Software Bill of Materials Elements and Considerations", Docket No. 210527–0117" (PDF). ntia.gov. June 17, 2021.
↑ "TRANSPARENCY REVIEW AND ACCOUNTABILITY IN CYBER SECURITY 2025" (PDF). WKO.
↑ Novikov, Oleksii; Fucci, Davide; Adamov, Oleksandr; Mendez, Daniel (2025-09-01). "Policy-driven Software Bill of Materials on GitHub: An Empirical Study". arXiv:2509.01255 [cs.SE].
↑ Nocera, Sabato; Romano, Simone; Di Penta, Massimiliano; Francese, Rita; Scanniello, Giuseppe (2025-12-01). "On the adoption of software bill of materials in open-source software projects". Journal of Systems and Software. 230 112540. doi:10.1016/j.jss.2025.112540. ISSN 0164-1212.
↑ Ian Barker (2023-08-03). "Supply chain worries drive adoption of SBOMs". BetaNews. Retrieved 2026-01-17.
↑ "H.R.5793 - 113th Congress (2013-2014): Cyber Supply Chain Management and Transparency Act of 2014 - Congress.gov - Library of Congress". 4 December 2014. Archived from the original on 2022-12-16. Retrieved 2015-06-12.
↑ "Internet of Things Cybersecurity Improvement Act of 2017" (PDF). Archived (PDF) from the original on 2023-01-19. Retrieved 2020-02-26.
↑ "Cybersecurity Improvement Act of 2017: The Ghost of Congress Past". 17 August 2017. Archived from the original on 2022-12-16. Retrieved 2020-02-26.
↑ "Executive Order on Improving the Nation's Cybersecurity". The White House. 2021-05-12. Archived from the original on 2021-05-15. Retrieved 2021-06-12.
↑ "The Minimum Elements For a Software Bill of Materials (SBOM)". NTIA.gov. 2021-07-12. Archived from the original on 2023-06-05. Retrieved 2021-12-12.
↑ "NTIA Releases Minimum Elements for a Software Bill of Materials". NTIA.gov. 2021-07-12. Archived from the original on 2022-11-22. Retrieved 2022-03-22.

Sumber data: id.wikipedia.org via REST API v1

Usage

Legislation

See also

References