How to use the ActiveState Platform for generating SBOMs (Software Bill of Materials)
- Create a runtime environment on demand in just a few minutes.
- Use the GraphQL API to generate an SBOM for that runtime, which shows:
  - Supplier – the name of the software vendor/author
  - Version – the published version of the component
  - Name – the name of the component
  - Relationship – which component is dependent upon other component(s)
  - License – the high-level license of the component
This feature allows customers to understand and identify all the components in their runtime environments (packages, libraries, dependencies, etc.) so that security and compliance personnel can track and audit the software and satisfy their cybersecurity, legal, and compliance requirements. Reports are generated in either a lightweight JSON format or a signed, heavier-weight ISO Standard SPDX v2.2.1 format.
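The value of an SBOM for the audit described above comes from consuming it programmatically. The following added example (not ActiveState's code, and not output of its GraphQL API) parses a constructed, minimal SPDX 2.2-style JSON document, walks the DEPENDS_ON relationships from the package the document describes to recover the transitive dependency set, and then flags components whose license is outside an allow-list or whose supplier is unasserted. The package names, versions, suppliers and licenses in the sample are made up; the field names follow the SPDX JSON schema.

```python
"""Audit a minimal SPDX 2.2-style SBOM (added example, not ActiveState code).

Recovers the transitive dependency set from the relationships section and
flags components with a license outside an allow-list or no asserted supplier.
"""
import json
from collections import defaultdict

# Constructed sample document: SPDX JSON field names, made-up package data.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-runtime",
    "packages": [
        {"SPDXID": "SPDXRef-runtime", "name": "example-runtime",
         "versionInfo": "1.0.0", "supplier": "Organization: Example Org",
         "licenseConcluded": "NOASSERTION"},
        {"SPDXID": "SPDXRef-pkg-web", "name": "webframework",
         "versionInfo": "3.1.0", "supplier": "Person: Example Author",
         "licenseConcluded": "BSD-3-Clause"},
        {"SPDXID": "SPDXRef-pkg-tmpl", "name": "templating",
         "versionInfo": "2.0.4", "supplier": "Organization: Example Vendor",
         "licenseConcluded": "MIT"},
        {"SPDXID": "SPDXRef-pkg-db", "name": "dbdriver",
         "versionInfo": "0.9.2", "supplier": "NOASSERTION",
         "licenseConcluded": "GPL-3.0-only"},
        # Listed in the document but not reachable from the root package.
        {"SPDXID": "SPDXRef-pkg-unused", "name": "leftover",
         "versionInfo": "0.1.0", "supplier": "NOASSERTION",
         "licenseConcluded": "MIT"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-runtime"},
        {"spdxElementId": "SPDXRef-runtime", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-pkg-web"},
        {"spdxElementId": "SPDXRef-runtime", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-pkg-db"},
        {"spdxElementId": "SPDXRef-pkg-web", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-pkg-tmpl"},
    ],
})

# Hypothetical policy: licenses an organization permits in its runtimes.
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}


def load_sbom(doc_text):
    """Parse the document into (packages by SPDXID, dependency graph, root id)."""
    doc = json.loads(doc_text)
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    graph = defaultdict(list)
    root = None
    for rel in doc.get("relationships", []):
        kind = rel["relationshipType"]
        if kind == "DEPENDS_ON":
            graph[rel["spdxElementId"]].append(rel["relatedSpdxElement"])
        elif kind == "DESCRIBES" and rel["spdxElementId"] == doc["SPDXID"]:
            root = rel["relatedSpdxElement"]
    return packages, graph, root


def transitive_dependencies(graph, root):
    """Every SPDXID reachable from root via DEPENDS_ON edges (root excluded)."""
    seen = set()
    stack = list(graph.get(root, []))
    while stack:
        node = stack.pop()
        if node in seen:
            continue  # cycle or diamond: already visited
        seen.add(node)
        stack.extend(graph.get(node, []))
    return seen


def audit(doc_text, allowed=ALLOWED_LICENSES):
    """Return dependency names plus license, supplier and unreferenced findings."""
    packages, graph, root = load_sbom(doc_text)
    deps = transitive_dependencies(graph, root)
    license_findings, missing_supplier = [], []
    for pid in sorted(deps):
        pkg = packages[pid]
        lic = pkg.get("licenseConcluded", "NOASSERTION")
        if lic not in allowed:
            license_findings.append((pkg["name"], pkg.get("versionInfo"), lic))
        if pkg.get("supplier", "NOASSERTION") == "NOASSERTION":
            missing_supplier.append(pkg["name"])
    unreferenced = sorted(packages[p]["name"] for p in packages
                          if p != root and p not in deps)
    return {
        "dependencies": sorted(packages[p]["name"] for p in deps),
        "license_findings": license_findings,
        "missing_supplier": missing_supplier,
        "unreferenced": unreferenced,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SBOM), indent=2))
```

The same walk works on a real SPDX document: only the relationship types and package fields used here are needed, and a component that is listed but never reached from the described package (here `leftover`) is reported separately, since it may indicate stale SBOM content rather than a real dependency.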
Note: Creating secure, reproducible environments is available to all users of the ActiveState Platform, including free tier users. Just start by creating your account using your email or GitHub credentials. As you work with the ActiveState Platform to create new Python environments, you may need to upgrade to higher tiers to obtain access to features available only to paid tier users. These include role-based access control and project branching. Please get in touch with us to help you find the best tier for your needs.
At ActiveState, we use the Platform to build not only our popular open source language distributions, but also custom runtimes for our enterprise clients (i.e. builds containing just the language and packages their project requires). Try it out yourself or get a personalized demo and understand how it can support your enterprise’s open source needs.
To read the blog based on this video, "How Software Bill of Materials (SBOMs) Support Secure Development", head here.
What are SBOMs? How are they important to securely integrating open source?
Software Bills of Materials (SBOMs) are a list of the ingredients required to build and run your software application, along with all the relevant metadata about those ingredients:
- A complete list of software supply chain dependencies, including all transitive dependencies.
- Details about each open source and commercial software component, such as the author/vendor, software license, release version, etc.
SBOMs are packaged in a machine-readable format that can enable organizations to automate their consumption, as well as integrate them within their existing processes. But not all SBOMs are created equal. There are currently three leading candidates:
- Software Package Data eXchange (SPDX)
- SoftWare IDentification tags (SWID)

- Choose a language (Python, Perl or Tcl right now)
- Select your operating system (Linux or Windows, plus Mac for Python)
- Add the packages your project requires
ActiveState regularly pulls packages from each language's standard open source repository (CPAN, PyPI, etc.) to ensure that your open source language and components are up to date, can be compiled from source, and are verified to work together in a distribution that is packaged for most major operating systems. Go ahead and try our beta today! We are hanging out at our Community Forum to provide support as you explore.