Alcides Fonseca


Software Bill of Materials (in Rust)

Ferrous Systems has been hired to improve the state of SBOM (Software Bill of Materials) in Rust.

What is an SBOM and why is it important? A Software Bill of Materials (or SBOM) declares, among other things, the inventory of all components used to build the software artifacts, as part of the software supply chain. Using this information can help detect vulnerability / security issues with the software or determine all conflicts in used licenses. A major reason to provide SBOMs for software in Germany is that the Federal Office for Information Security highly recommends them as part of their technical guidelines for Cyber Resilience (see PDF for details).

In recent years a number of pieces of legislation have been passed to improve cybersecurity. For example the US issued an Executive Order on improving the Nation’s Cybersecurity. In Europe, the EU has proposed the Cyber Resilience Act to improve cybersecurity and cyber resilience. These efforts are in response to an increased number of cyber attacks in recent years.

Not that most companies care, but verifying the compatibility of the software licenses in all dependencies of your project should be a one-command task. Furthermore, high-risk projects should vendor all their dependencies and keep track of how those dependencies evolve, which is rarely accounted for when budgeting a new software project.
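That one-command license check could run directly against an SBOM of the crate graph. The following is an added example, not code from this post or from Ferrous Systems: it reads a CycloneDX document, evaluates each component's SPDX license expression against an allow-list, and reports components that fail the policy or declare no license at all. The allow-list, crate names and SBOM contents are constructed for illustration.

```python
import json
import re
# Assumption: this hypothetical project accepts only permissive licenses.
ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed stand-in for a CycloneDX 1.4 SBOM of a crate graph (trimmed; not real generator output).
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "serde", "version": "1.0.0", "licenses": [{"expression": "MIT OR Apache-2.0"}]},
    {"name": "example-copyleft", "version": "0.1.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "example-mixed", "version": "2.0.0", "licenses": [{"expression": "(MIT AND GPL-2.0-only) OR BSD-3-Clause"}]},
    {"name": "example-unknown", "version": "0.3.0"},
]})

def expression_allowed(expr, allowed):
    """Evaluate an SPDX expression: OR needs one allowed operand, AND needs all of them."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = 0
    def parse_binary(op, operand, combine):
        nonlocal pos
        result = operand()
        while pos < len(tokens) and tokens[pos].upper() == op:
            pos += 1
            result = combine(operand(), result)  # operand() always runs; no short-circuit
        return result
    def parse_atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return tok in allowed  # "WITH <exception>" forms are not handled in this demo
        inner = parse_or()
        pos += 1  # consume the closing parenthesis
        return inner
    parse_and = lambda: parse_binary("AND", parse_atom, lambda a, b: a and b)
    parse_or = lambda: parse_binary("OR", parse_and, lambda a, b: a or b)
    return parse_or()

def audit_sbom(sbom_json, allowed=ALLOWED):
    """Return (name, version, reason) for every component that fails the policy."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        # Each entry is an SPDX expression or one license object; several objects must all pass.
        declared = [e.get("expression") or e["license"].get("id") or e["license"].get("name", "")
                    for e in comp.get("licenses", [])]
        ident = (comp.get("name", "?"), comp.get("version", "?"))
        if not declared:
            findings.append(ident + ("no license declared",))
        elif not all(expression_allowed(d, allowed) for d in declared):
            findings.append(ident + ("license not allowed: " + "; ".join(declared),))
    return findings
```

Calling `audit_sbom(SAMPLE_SBOM)` reports example-copyleft and example-unknown; serde and example-mixed pass because each has an OR branch that the allow-list accepts.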