https://devblogs.microsoft.com/engineering-at-microsoft/microsoft-open-sources-salus-software-bill-of-materials-sbom-generation-tool/

Engineering@Microsoft

Microsoft open sources Salus software bill of materials (SBOM) generation tool

Danesh Kumar Badlani, Adrian Diglio
July 12th, 2022

We are excited and proud to open source Salus, Microsoft's software bill of materials (SBOM) tool. SBOMs, a key requirement of the Executive Order on Improving the Nation's Cybersecurity, are lists of the ingredients that make up software components and give organizations insight into their supply chain dependencies. The Salus SBOM tool is a general-purpose, enterprise-proven, build-time SBOM generator. It works across platforms including Windows, Linux, and Mac, and uses the standard Software Package Data Exchange (SPDX) format.
(To see the previous announcement about our SBOM tool, please read Generating Software Bills of Materials (SBOMs) with SPDX at Microsoft.)

Salus can be easily integrated into build workflows and auto-detects NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repositories, and more through Component Detection. As we add more detectors to Component Detection, the SBOM tool improves as well.

SBOMs generated by Salus contain four main sections based on the SPDX specification:

1. Document creation information: General information about the SBOM document, such as the software name, SPDX license, SPDX version, who created the document, and when it was created.
2. Files section: A list of the files that compose the piece of software. Each file carries properties including hashes of its content (SHA-1, SHA-256).
3. Packages section: A list of the packages used when building the software. Each package carries additional properties such as name, version, supplier, hashes (SHA-1, SHA-256) and a Package URL (purl) software identifier.
4. Relationships section: A list of relationships between the different elements of the SBOM, such as files and packages.

Salus can also reference other SBOM documents to capture a full dependency tree. This is an important capability for including references to the SBOM documents of dependencies, or to SBOM documents from predecessor builds that are consumed into a subsequent build, as shown below.

[Figure: Salus layered build process]

The resulting SBOM document references are added to the Document Creation Information section, with an example shown below.
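The following Python script is an added example, not code from the post or from the sbom-tool project. It builds a small constructed SPDX 2.2 JSON document containing the four sections listed above plus an externalDocumentRefs entry for a predecessor build (the kind of entry the post shows next), and then runs the checks a consumer of such an SBOM would want: verifying each listed file's SHA-256 against the artifact on disk, indexing the Packages section by purl, walking DEPENDS_ON relationships including the cross-document edge, and verifying a fetched external SBOM against the checksum pinned in the reference before trusting its contents. The artifact bytes, package names, SPDX IDs, the DocumentRef naming and the spdxDocument URL are all constructed placeholders.

```python
# Added example (not the post's or sbom-tool's code); all inputs are constructed inline.
import hashlib
import json
import pathlib
import tempfile

# Constructed artifact tree: the built output that the Files section describes.
ARTIFACT = {"bin/app.dll": b"constructed app bytes",
            "bin/helper.dll": b"constructed helper bytes"}
LOGGING_PURL = "pkg:nuget/Example.Logging@2.1.0"   # constructed purl

def digest(algorithm: str, data: bytes) -> str:
    """Hex digest by SPDX algorithm name ("SHA1", "SHA256")."""
    return hashlib.new(algorithm.lower(), data).hexdigest()

# Constructed SBOM of a predecessor build that this build consumes.
UPSTREAM_SBOM = json.dumps({"spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT",
                            "name": "helper-lib 1.0.0",
                            "packages": [{"SPDXID": "SPDXRef-Package-helper",
                                          "name": "helper-lib"}]}).encode()
# DocumentRef id follows the post's pattern: DocumentRef-<name>-<sha1 of the document>.
UPSTREAM_REF_ID = "DocumentRef-helper-lib-" + digest("SHA1", UPSTREAM_SBOM)

def build_sbom() -> dict:
    """Constructed SPDX 2.2 document: the four sections plus externalDocumentRefs."""
    files = [{"SPDXID": f"SPDXRef-File-{i}", "fileName": "./" + name,
              "checksums": [{"algorithm": a, "checksumValue": digest(a, data)}
                            for a in ("SHA1", "SHA256")]}
             for i, (name, data) in enumerate(ARTIFACT.items())]
    return {
        "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "demo-app 1.0.0",
        "creationInfo": {"created": "2022-07-12T00:00:00Z", "creators": ["Tool: constructed"]},
        "files": files,
        "packages": [
            {"SPDXID": "SPDXRef-RootPackage", "name": "demo-app", "versionInfo": "1.0.0"},
            {"SPDXID": "SPDXRef-Package-logging", "name": "Example.Logging",
             "versionInfo": "2.1.0", "supplier": "Organization: Example",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl", "referenceLocator": LOGGING_PURL}]}],
        "relationships": [
            {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
             "relatedSpdxElement": "SPDXRef-Package-logging"},
            # Cross-document edge: "<DocumentRef id>:<element id inside that document>".
            {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
             "relatedSpdxElement": UPSTREAM_REF_ID + ":SPDXRef-Package-helper"}],
        "externalDocumentRefs": [
            {"externalDocumentId": UPSTREAM_REF_ID,
             "spdxDocument": "https://sbom.example.invalid/helper-lib",   # placeholder URL
             "checksum": {"algorithm": "SHA1",
                          "checksumValue": digest("SHA1", UPSTREAM_SBOM)}}]}

def verify_files(sbom: dict, root: str) -> list:
    """fileNames whose on-disk SHA256 is missing or differs from the Files section."""
    bad = []
    for f in sbom["files"]:
        expected = next(c["checksumValue"] for c in f["checksums"]
                        if c["algorithm"] == "SHA256")
        name = f["fileName"]
        path = pathlib.Path(root) / (name[2:] if name.startswith("./") else name)
        actual = digest("SHA256", path.read_bytes()) if path.is_file() else None
        if actual != expected:
            bad.append(name)
    return bad

def packages_by_purl(sbom: dict) -> dict:
    """Map every purl in the Packages section to the SPDXID of its package."""
    return {r["referenceLocator"]: p["SPDXID"] for p in sbom["packages"]
            for r in p.get("externalRefs", []) if r["referenceType"] == "purl"}

def dependencies_of(sbom: dict, spdx_id: str) -> list:
    """Direct DEPENDS_ON targets; cross-document targets keep their DocumentRef prefix."""
    return [r["relatedSpdxElement"] for r in sbom["relationships"]
            if r["spdxElementId"] == spdx_id and r["relationshipType"] == "DEPENDS_ON"]

def verify_external_ref(ref: dict, document_bytes: bytes) -> bool:
    """Fetched bytes of a referenced SBOM must match the checksum pinned in the reference."""
    chk = ref["checksum"]
    return digest(chk["algorithm"], document_bytes) == chk["checksumValue"]

def write_tree(root: str, files: dict) -> None:
    for name, data in files.items():
        path = pathlib.Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

def demo() -> dict:
    """Run the checks against an intact tree, a tampered file and a tampered reference."""
    sbom = build_sbom()
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, ARTIFACT)
        intact = verify_files(sbom, root)
        write_tree(root, {**ARTIFACT, "bin/app.dll": b"modified after build"})
        tampered = verify_files(sbom, root)
    ext = sbom["externalDocumentRefs"][0]
    return {"intact_mismatches": intact, "tampered_mismatches": tampered,
            "purls": packages_by_purl(sbom),
            "root_deps": dependencies_of(sbom, "SPDXRef-RootPackage"),
            "external_ok": verify_external_ref(ext, UPSTREAM_SBOM),
            "external_tampered_ok": verify_external_ref(ext, UPSTREAM_SBOM + b"\n")}
```

Calling `demo()` returns an empty mismatch list for the intact tree, `["./bin/app.dll"]` once that file is altered, and `False` for the external reference once a single byte of the referenced document changes. The design point is that the checksum carried in externalDocumentRefs is what lets a consumer of a layered SBOM detect a predecessor build's document that was altered after the referencing SBOM was produced, rather than trusting whatever the spdxDocument URL currently serves.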
```json
"externalDocumentRefs": [
  {
    "externalDocumentId": "DocumentRef-Demo-861-71558f43fca51a285338834fb9b3c7c14a78cd77",
    "spdxDocument": "https://sbom.microsoft/1:VF6zo7ndBEakT2mCbPwGug:j5h1PLm-TkijVnfDJD_CCA/7:861/MMerAxYfQkOTN4dWqqlV-A",
    "checksum": {
      "algorithm": "SHA1",
      "checksumValue": "71558f43fca51a285338834fb9b3c7c14a78cd77"
    }
  }
]
```

Microsoft wants to work with the open source community to help everyone be compliant with the Executive Order. Open sourcing Salus is an important step towards fostering collaboration and innovation within our community, and we believe this will enable more organizations to generate SBOMs as well as contribute to its development.

Ready to get started? Please read the guidelines to learn more about contributing and follow these instructions to generate an SBOM. If you want to share any feedback and/or report any bugs, please feel free to do so via discussions and issues. Your feedback will help shape the future of the Salus SBOM tool and ensure supply chain security for all. If you find the tool useful, we'd love a star on the microsoft/sbom-tool GitHub repo.

Danesh Kumar Badlani, Product Manager, One Engineering System (1ES)
Adrian Diglio, Principal Program Manager, 1ES Program Management

Tagged: 1ES, DevSecOps, SBOM, secure supply chain, security, Software Bill of Materials
Comments

Wild, Markus, July 14, 2022 1:02 am

Hi Danesh, Adrian, thanks for the info. Can you please briefly explain what the difference is between your SBOM generator and e.g. SCA tools like Mend's unified agent and ws_sbom_generator? It is not very clear how this tool will compete in the SCA tool landscape.

Markus Wild