IBM and OWASP announce projects to help secure the software supply chain
The OWASP Foundation (Open Web Application Security Project) and IBM have today announced IBM’s contribution of two open source projects aimed at increasing trust across open hardware and software supply chains.
The two projects, SBOM Utility and License Scanner, join CycloneDX, a flagship OWASP project and a leading Bill of Materials (BOM) standard. They support validation and content analysis of BOMs and improve the accuracy of the software license information recorded in them.
With SBOM Utility and License Scanner, IBM is contributing open source technologies to OWASP that help developers improve the quality of BOM data at the point it is produced and validate SBOMs when assessing risk.
SBOM Utility is designed as an API platform used primarily to validate CycloneDX or SPDX format BOMs against their published schemas. It can also validate BOMs against derivative schemas created by organizations that want to enforce stricter data requirements than the base standard.
License Scanner is designed to scan files for licenses and legal terms. It can be used to identify text matching licenses and license exceptions from the complete, published SPDX License List. Out of the box it matches against release 3.18 of the list (a little under 500 licenses and more than 40 license exceptions), and it can import later releases of the list as they are published.
License Scanner was developed for integration into the DevOps toolchains of IBM Cloud's Continuous Delivery Service, and it is also used in IBM's legal clearance process for open source and corporate software before approval for internal use.
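As an added illustration (not code from IBM's License Scanner or SBOM Utility, whose implementations the article does not describe), the Python below shows the two ideas in the preceding paragraphs on constructed data: matching license text against a two-entry stand-in for the SPDX License List using a subset of the SPDX matching guidelines (case, whitespace, dash and quote variants, bullets and numbering, equivalent words), and then applying a hypothetical stricter BOM rule, of the kind a derivative schema might enforce, that every component in a CycloneDX BOM must resolve to a known SPDX id. The `LICENSE_TEXTS` table, the sample LICENSE file and the BOM fragment are all embedded and constructed for the example.

```python
# Added example (not IBM's License Scanner or SBOM Utility): SPDX-style license text
# matching plus a stricter-than-schema BOM policy check. All sample data is constructed.
import re
from typing import List

# Two-entry stand-in for the SPDX License List (id -> license text without the optional
# title and copyright notice). A real scanner loads the full published list instead.
LICENSE_TEXTS = {
    "MIT": (
        "Permission is hereby granted, free of charge, to any person obtaining a copy of this "
        'software and associated documentation files (the "Software"), to deal in the Software '
        "without restriction, including without limitation the rights to use, copy, modify, "
        "merge, publish, distribute, sublicense, and/or sell copies of the Software, and to "
        "permit persons to whom the Software is furnished to do so, subject to the following "
        "conditions: The above copyright notice and this permission notice shall be included "
        'in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS '
        'IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO '
        "THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND "
        "NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY "
        "CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR "
        "OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR "
        "OTHER DEALINGS IN THE SOFTWARE."
    ),
    "ISC": (
        "Permission to use, copy, modify, and/or distribute this software for any purpose with "
        "or without fee is hereby granted, provided that the above copyright notice and this "
        'permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THE '
        "AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED "
        "WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR "
        "ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER "
        "RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, "
        "NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR "
        "PERFORMANCE OF THIS SOFTWARE."
    ),
}

# Subset of the SPDX Matching Guidelines: equivalent words, dash and quote variants,
# bullets/numbering, case and whitespace are all folded before comparing.
EQUIVALENT_WORDS = {"licence": "license", "sub-license": "sublicense",
                    "acknowledgement": "acknowledgment", "https://": "http://"}
_PUNCT_MAP = str.maketrans({**{c: "-" for c in "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"},
                            **{c: '"' for c in "\u2018\u2019\u201c\u201d'`"}})
_BULLET_RE = re.compile(r"^\s*(?:\d+[.)]|[-*\u2022])\s+", re.MULTILINE)


def normalize(text: str) -> str:
    text = _BULLET_RE.sub("", text).lower().translate(_PUNCT_MAP)
    for variant, canonical in EQUIVALENT_WORDS.items():
        text = text.replace(variant, canonical)
    return " ".join(text.split())  # any run of whitespace, incl. line wraps, -> one space


def identify_licenses(text: str) -> List[str]:
    """SPDX ids whose normalized text occurs in the normalized input. Substring containment
    ignores surrounding titles/copyright notices and reports every license a file carries."""
    haystack = normalize(text)
    return sorted(lic for lic, body in LICENSE_TEXTS.items() if normalize(body) in haystack)


# Constructed LICENSE file: title, copyright line, reflowed lines, curly quotes and the
# "sub-license" spelling variant, none of which may defeat a match under the guidelines.
SAMPLE_LICENSE_FILE = """\
The MIT Licence

Copyright (c) 2023 Example Corp

Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the \u201cSoftware\u201d), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge,
publish, distribute, sub-license, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or
substantial portions of the Software.

THE SOFTWARE IS PROVIDED \u201cAS IS\u201d, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
"""

# Constructed CycloneDX 1.4-style BOM fragment. The hypothetical "stricter derivative" rule
# below: every component must resolve to a known SPDX id, via `id` or embedded `text`.
# License `expression` entries are out of scope for this example.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "tiny-parser", "version": "0.2.1",
         "licenses": [{"license": {"name": "see LICENSE", "text": {"content": SAMPLE_LICENSE_FILE}}}]},
        {"type": "library", "name": "mystery-lib", "version": "2.0.0"},
    ],
}


def check_license_policy(bom: dict) -> List[str]:
    """Names of components whose license cannot be resolved to a known SPDX id."""
    failing = []
    for comp in bom.get("components", []):
        ids = set()
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            if lic.get("id") in LICENSE_TEXTS:
                ids.add(lic["id"])
            else:
                ids.update(identify_licenses(lic.get("text", {}).get("content", "")))
        if not ids:
            failing.append(comp["name"])
    return failing


if __name__ == "__main__":
    print("licenses found:", identify_licenses(SAMPLE_LICENSE_FILE))
    print("components failing policy:", check_license_policy(SAMPLE_BOM))
```

Two design points worth noting. Matching by substring containment after normalization is what lets the title and copyright line in the sample be ignored without special handling, and it is also why a file that concatenates two license texts reports both ids rather than failing. The published SPDX list additionally ships templates with replaceable and optional fields (`<<var;...>>` and `<<beginOptional>>` markup) so that, for example, a BSD clause naming a different organization still matches; this example does not implement that, which is one reason the real tool is preferable to a hand-rolled matcher.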
"There is still a need for awareness, tooling and guidance to help create software with more security features," says Jamie Thomas, general manager, systems strategy and development at IBM. "IBM has a long history of contributing to a wide variety of open source communities such as the OWASP Foundation. We believe these contributions can help developers assess risk and create more secured applications that can build consumers' trust."
Both SBOM Utility and License Scanner are on GitHub.