SBOM(软件供应链)已经受到越来多多的安全团队和开发者注意，它不仅对安全至关重要，对应用的审计、监控等也是启动基础性新的作用。 不少软件现在在发布版本时，都会带上SBOM信息，以便用户更好的了解软件的组成和安全性。

• CycloneDX: https://cyclonedx.org/
• SPDX: https://spdx.dev/
• Buildpacks SBOM: https://paketo.io/docs/howto/sbom/
• Microsoft SBOM tool: https://github.com/microsoft/sbom-tool
• KBOM - Kubernetes Bill of Materials: https://github.com/ksoclabs/kbom

对开发人员来说，目前已经三方面的SBOM的支持：

• 代码仓库的SBOM: 可以参考 SBOMs now include copyright attribution data
• 容器级别的SBOM: 如Paketo Buildpacks的SBOM支持 https://paketo.io/docs/concepts/sbom/
• 应用级别的SBOM：如Spring Boot 3.3就内置了SBOM只支持 https://spring.io/blog/2024/05/24/sbom-support-in-spring-boot-3-3

此外SBOM对AI也至关重要，尤其是Context支持方面，所以说SBOM基本是开发人员的必备知识。

我个人的Spring Boot SBOM demo: https://github.com/linux-china/sbom-demo

SBOM & Friends

• CycloneDX: https://cyclonedx.org/
• SPDX: https://spdx.dev/
• Syft: https://github.com/anchore/syft
• Docker Scout SBOMs: https://docs.docker.com/scout/how-tos/view-create-sboms/
• cyclonedx-maven-plugin: https://github.com/CycloneDX/cyclonedx-maven-plugin
• cyclonedx-npm: https://github.com/CycloneDX/cyclonedx-node-npm
• cargo-cyclonedx: https://github.com/CycloneDX/cyclonedx-rust-cargo
• cyclonedx-gomod: https://github.com/CycloneDX/cyclonedx-gomod

References

• Software Bill of Materials (SBOM): https://www.cisa.gov/sbom
• SBOM support in Spring Boot 3.3: https://spring.io/blog/2024/05/24/sbom-support-in-spring-boot-3-3
• SBOM support in Rust: https://ferrous-systems.com/blog/stackable-client/