A software bill of materials (SBOM) provides software transparency, software integrity, and software identity benefits, and gives organizations insight into their supply chain dependencies. Salus is Microsoft’s SBOM tool. Microsoft yesterday announced that it is open sourcing the Salus SBOM tool. Salus works across platforms including Windows, Linux, and Mac, and uses the standard Software Package Data Exchange (SPDX) format. You can download the Salus tool here for free.
Salus SBOM tool offers the following:
- Software transparency: SBOMs provide a list of ingredients used in the creation of a piece of software, such as open source software, components, and potentially even build tools. This enables producers and consumers to better inventory and evaluate license and vulnerability risk.
- Software integrity: While code signing is still the industry standard for trusting software and its integrity, SBOMs contain package and file checksums to enable consumers to validate the hashes, which can be useful in scenarios when signatures aren’t present.
- Software identity: When vulnerabilities (CVEs) are published, they are assigned to a Common Platform Enumeration (CPE) identifier, and attributing a CPE to a specific piece of software is often imprecise. Software IDs within SBOMs provide a much more accurate way to identify software.
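The integrity point above (validating package and file checksums from an SBOM when no signature is present) is concrete enough to show end to end. The following is an added example, not Salus's own code or output: it emits a minimal SPDX 2.x JSON document with per-file checksums on the producer side, then on the consumer side recomputes every checksum against an unpacked tree and reports each file as ok, mismatched or missing. The field names (`spdxVersion`, `SPDXID`, `fileName`, `checksums`, `algorithm`, `checksumValue`) are those of the SPDX JSON schema; the file names and contents are constructed for the demo, and the `demo()` scenario is an assumption about how a consumer would use such a check.

```python
import hashlib
import json
import os
import tempfile

# SPDX checksum algorithm names mapped to hashlib constructors.
# SHA256 is what most SBOM generators emit; SHA1 and MD5 appear in older documents.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "MD5": hashlib.md5}


def file_digest(path, algorithm="SHA256"):
    """Hash a file in chunks using the named SPDX algorithm; returns lowercase hex."""
    h = ALGORITHMS[algorithm]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sbom(root, rel_paths, name="example-package"):
    """Producer side: emit a minimal SPDX 2.2 JSON document with per-file checksums.
    Only the fields needed for checksum validation are populated (constructed example)."""
    files = []
    for i, rel in enumerate(rel_paths):
        full = os.path.join(root, rel)
        files.append({
            "SPDXID": f"SPDXRef-File-{i}",
            "fileName": "./" + rel.replace(os.sep, "/"),
            "checksums": [{"algorithm": "SHA256", "checksumValue": file_digest(full)}],
        })
    return {
        "spdxVersion": "SPDX-2.2",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": name,
        "files": files,
    }


def verify_sbom(root, sbom):
    """Consumer side: recompute every listed checksum against the unpacked tree.
    Returns {fileName: 'ok' | 'mismatch' | 'missing' | 'unsupported'}."""
    results = {}
    for entry in sbom.get("files", []):
        rel = entry["fileName"]
        full = os.path.join(root, rel[2:] if rel.startswith("./") else rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
            continue
        status = "unsupported"  # stays so if no listed algorithm is one we can compute
        for c in entry.get("checksums", []):
            alg = c["algorithm"].upper()
            if alg not in ALGORITHMS:
                continue
            if file_digest(full, alg) == c["checksumValue"].lower():
                status = "ok"
            else:
                status = "mismatch"
                break  # any failing digest fails the file
        results[rel] = status
    return results


def demo():
    """Constructed scenario: produce an SBOM for a small tree, then alter one file,
    remove another, and re-verify so both failure modes show up in the report."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "app.py"), "w") as f:
        f.write("print('hello')\n")
    with open(os.path.join(root, "lib", "util.py"), "w") as f:
        f.write("VERSION = '1.0'\n")

    sbom = build_sbom(root, ["app.py", os.path.join("lib", "util.py")])
    clean = verify_sbom(root, sbom)

    # A silently changed dependency and a file stripped from the package.
    with open(os.path.join(root, "lib", "util.py"), "w") as f:
        f.write("VERSION = '1.1'\n")
    os.remove(os.path.join(root, "app.py"))
    tampered = verify_sbom(root, sbom)
    return sbom, clean, tampered


if __name__ == "__main__":
    _, clean, tampered = demo()
    print(json.dumps({"clean": clean, "tampered": tampered}, indent=2))
```

The verifier treats any mismatching digest as a failure for that file and only reports `ok` when at least one listed digest was recomputed and matched, so a document that lists only algorithms the consumer cannot compute is surfaced as `unsupported` rather than silently passing.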
Open sourcing Salus is an important step towards fostering collaboration and innovation within our community, and we believe this will enable more organizations to generate SBOMs as well as contribute to its development. – Microsoft