algonote(en)

SBOM requirements for legal regulation (in Japan)

Introduction to Software Bill of Materials

What is SBOM?

SBOM (Software Bill of Materials) is a list of the components that make up a piece of software, together with their dependencies. It is not always identical to the list of third-party libraries, because some software also uses in-house components, but roughly speaking it is a list of the libraries in use.

In the U.S., SBOMs have been required for software supplied to government agencies since the 2021 Executive Order on cybersecurity, as a measure to improve supply chain security. Similarly, in Europe, the Cyber Resilience Act (CRA) is expected to tighten SBOM requirements.

While the U.S. Executive Order does not require the SBOM to be disclosed, the draft EU CRA requires disclosure for all digital products, so the motivations appear to differ.

With the announcement of the Joint Principles for the Security of Government Procurement Software at the Quad (Japan-US-Australia-India Strategic Dialogue), the introduction of regulations around SBOM is also being considered in Japan, and in July 2023 the Guidance on the Introduction of the Software Bill of Materials (SBOM) for Software Management was published.

This section summarizes the specifications around SBOM in preparation for future regulations.

Package manager lock file is not SBOM

My first question is whether the package manager lock file is SBOM or not.

Modern languages have language-specific package managers: bundler for Ruby, composer for PHP, npm or yarn for Node.js, and so on. In Ruby, the Gemfile declares version requirements and is used to install libraries (gems). After installation in the development environment, a Gemfile.lock is generated as the result of dependency resolution.

For library vulnerability management there are tools that analyze Gemfile.lock and tell you which gems need to be updated. At first glance, what SBOM is meant to accomplish seems achievable without an SBOM at all. So is a package manager lock file an SBOM?

The NTIA (National Telecommunications and Information Administration) has published The Minimum Elements For a Software Bill of Materials, which requires the following data fields to be included:

  • Supplier Name
  • Component Name
  • Component Version
  • Other unique identifier
  • Dependencies
  • SBOM creator
  • Timestamp

Taking Discourse's Gemfile.lock as an example, the component names, component versions and dependencies can be identified, and for gems installed from GitHub the supplier name can be inferred because the repository owner is known. However, there is no information about the SBOM creator or the timestamp.

So, at least in its raw form, Gemfile.lock does not appear to be an SBOM as defined by the NTIA.
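To make the gap concrete, here is an added example (not code from the original post or from the Discourse project) that parses a Gemfile.lock and turns it into a minimal SPDX 2.3 JSON document. The lock file is a constructed sample, the git remote uses a placeholder organisation, and the tool name in `creators` and the document namespace are hypothetical. The two NTIA fields the lock file cannot provide, creator and timestamp, have to be supplied by the converter; the supplier can only be inferred for git sources, where the repository owner is visible in the URL, and stays NOASSERTION for gems from rubygems.org.

```ruby
require "json"

# Constructed Gemfile.lock for this example (not from any real project);
# "example-org" is a placeholder organisation name.
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: https://github.com/example-org/example_gem.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      example_gem (0.1.0)
        rack (>= 2.0)

  GEM
    remote: https://rubygems.org/
    specs:
      debug_inspector (1.1.0)
      rack (3.0.8)
      rack-test (2.1.0)
        rack (>= 1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    debug_inspector
    example_gem!
    rack-test

  BUNDLED WITH
     2.4.19
LOCK

# Parse the GIT / GEM / PATH sections of a Gemfile.lock.
# Section headers sit at column 0, "remote:" / "specs:" at 2 spaces,
# resolved specs at 4 spaces and their dependencies at 6 spaces.
# Returns [{name:, version:, source:, deps: [{name:, constraint:}]}, ...].
def parse_lock(text)
  packages = []
  remote = nil
  in_specs = false
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/                       # new top-level section
      in_specs = false
      remote = nil
      current = nil
    elsif line =~ /\A  remote: (.+)\z/
      remote = Regexp.last_match(1)
    elsif line == "  specs:"
      in_specs = true
    elsif in_specs && line =~ /\A    (\S+) \(([^)]+)\)\z/
      current = { name: Regexp.last_match(1), version: Regexp.last_match(2),
                  source: remote, deps: [] }
      packages << current
    elsif in_specs && current && line =~ /\A      (\S+)(?: \(([^)]+)\))?\z/
      current[:deps] << { name: Regexp.last_match(1),
                          constraint: Regexp.last_match(2) || ">= 0" }
    end
  end
  packages
end

# SPDX identifiers may only contain letters, digits, "." and "-",
# so underscores in gem names are replaced (as GitHub's export does).
def spdx_id(name, version)
  "SPDXRef-rubygems-#{name.tr('_', '-')}-#{version}"
end

# Build a minimal SPDX 2.3 JSON document from the parsed packages.
# Creator and timestamp are supplied here because the lock file has none.
def to_spdx(packages, name:, created: Time.now.utc)
  by_name = packages.to_h { |p| [p[:name], p] }
  pkgs = packages.map do |p|
    owner = p[:source].to_s[%r{\Ahttps://github\.com/([^/]+)/}, 1]
    {
      "SPDXID" => spdx_id(p[:name], p[:version]),
      "name" => "rubygems:#{p[:name]}",
      "versionInfo" => p[:version],
      "downloadLocation" => p[:source] || "NOASSERTION",
      "filesAnalyzed" => false,
      "licenseConcluded" => "NOASSERTION",
      "licenseDeclared" => "NOASSERTION",
      "supplier" => owner ? "Organization: #{owner}" : "NOASSERTION",
      "externalRefs" => [{ "referenceCategory" => "PACKAGE-MANAGER",
                           "referenceType" => "purl",
                           "referenceLocator" => "pkg:gem/#{p[:name]}@#{p[:version]}" }]
    }
  end
  # The lock file resolves every dependency to exactly one spec, so each
  # constraint becomes a DEPENDS_ON relationship to the resolved package.
  relationships = packages.flat_map do |p|
    p[:deps].map do |d|
      target = by_name[d[:name]]
      { "spdxElementId" => spdx_id(p[:name], p[:version]),
        "relationshipType" => "DEPENDS_ON",
        "relatedSpdxElement" => target ? spdx_id(target[:name], target[:version]) : "NOASSERTION" }
    end
  end
  {
    "SPDXID" => "SPDXRef-DOCUMENT",
    "spdxVersion" => "SPDX-2.3",
    "dataLicense" => "CC0-1.0",
    "name" => name,
    "documentNamespace" => "https://sbom.example.invalid/#{name}",   # placeholder
    "creationInfo" => { "created" => created.strftime("%Y-%m-%dT%H:%M:%SZ"),
                        "creators" => ["Tool: lock2spdx (hypothetical)"] },
    "documentDescribes" => pkgs.map { |pk| pk["SPDXID"] },
    "packages" => pkgs,
    "relationships" => relationships
  }
end

puts JSON.pretty_generate(to_spdx(parse_lock(SAMPLE_LOCK), name: "example-app")) if $PROGRAM_NAME == __FILE__
```

Run it as a script to print the document. Note that licences are NOASSERTION throughout: the lock file records neither licence nor supplier, so those fields still have to come from the gem metadata or from the producer.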

Types of SBOM

Now, if you need an SBOM you have to generate an SBOM file. To complicate matters, "SBOM" itself only specifies requirements, and there are several file formats to choose from:

  • SPDX(Software Package Data Exchange)
  • SPDX-Lite
  • CycloneDX
  • SWID Tag(Software Identification Tag)

SPDX and CycloneDX are the two major choices.

(Material from the 7th Task Force on Software Management Methods to Ensure Cyber Physical Security)

SPDX is an SBOM format developed by a project under the umbrella of the Linux Foundation. It was standardized internationally as ISO/IEC 5962:2021 in 2021. Tag-Value (txt), RDF, xls, json, YAML and xml are supported.

SPDX-Lite is a Japan-originated format that extracts a subset of the SPDX items; it supports Tag-Value (txt), RDF, xls, json, YAML and xml.

CycloneDX is an SBOM format created by OWASP, which is also well known for vulnerability assessment tools such as OWASP ZAP. json, xml and protobuf are supported.

SWID tags are defined by an international standard (ISO/IEC 19770-2) for software identification (SWID) tags. xml is supported.

How to output SBOM

There are both free and paid tools for SBOM output.

GitHub has supported SBOM export since March 2023, so for supported languages that may be the easiest option. SPDX and CycloneDX are supported.

There should also be libraries for each language; for Ruby, a gem seems to exist for CycloneDX only.

Free tools

  • Augur
  • BOM Doctor
  • Checkov
  • Daggerboard
  • Dependency-Track
  • FOSSology
  • in-toto
  • OSS Review Toolkit (ORT)
  • SBOM Tool
  • ScanCode.io
  • Scancode Toolkit
  • SW360
  • SwiftBOM
  • Syft & Grype
  • Trivy
  • GitHub
  • Language libraries

Paid tools

  • Black Duck
  • Checkmarx SCA
  • FOSSA
  • FossID
  • Insignary Clarity
  • MEND SCA
  • Revenera SCA
  • Snyk
  • Sonatype Lifecycle
  • Veracode SCA
  • Yamory

The file format alone is complicated enough, but on top of that the NTIA minimum elements cover only part of the fields, so the remaining parts are extended freely by each vendor.

(Excerpts from the 6th Task Force on Software Management Methods to Ensure Cyber Physical Security)

How far automatic extraction can go is also a point of debate.

If a scripting-language library is partially accelerated by C, is that C library included in the SBOM? It is not so clear.

Export SBOM on GitHub

As mentioned above, GitHub supports SBOM export: press Export SBOM on the Dependency graph page to download the file. The output is in SPDX format; if you want CycloneDX, it seems you have to obtain it via the CLI.

{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-08-12T09:59:17Z",
    "creators": [
      "Tool: GitHub.com-Dependency-Graph"
    ]
  },
  "name": "com.github.discourse/discourse",
  "dataLicense": "CC0-1.0",
  "documentDescribes": [
    "SPDXRef-com.github.discourse-discourse"
  ],
  "documentNamespace": "https://github.com/discourse/discourse/dependency_graph/sbom-387a0a4beae6935b",
  "packages": [
    {
      "SPDXID": "SPDXRef-com.github.discourse-discourse",
      "name": "com.github.discourse/discourse",
      "versionInfo": "",
      "downloadLocation": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "licenseConcluded": "NOASSERTION",
      "filesAnalyzed": false,
      "supplier": "NOASSERTION"
    },
    {
      "SPDXID": "SPDXRef-rubygems-actionview-precompiler",
      "name": "rubygems:actionview_precompiler",
      "versionInfo": ">= 0",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "supplier": "NOASSERTION"
    },
    {
      "SPDXID": "SPDXRef-rubygems-active-model-serializers",
      "name": "rubygems:active_model_serializers",
      "versionInfo": "~> 0.8.3",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "supplier": "NOASSERTION"
    },
    {
      "SPDXID": "SPDXRef-rubygems-debug-inspector-1.1.0",
      "name": "rubygems:debug_inspector",
      "versionInfo": "1.1.0",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "MIT",
      "licenseDeclared": "NOASSERTION",
      "supplier": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:gem/debug_inspector@1.1.0",
          "referenceType": "purl"
        }
      ]
    }
  ]
}
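Even this export is worth checking against the NTIA minimum elements before relying on it: the excerpt above lists a Gemfile constraint (">= 0", "~> 0.8.3") rather than a resolved version for some packages, and every supplier is NOASSERTION. The following Ruby script is an added example (not GitHub's or the post's own code) that runs such a check over an SPDX JSON document; the embedded document is a hand-trimmed copy of the excerpt above, constructed as sample data for this check.

```ruby
require "json"

# Constructed input: a hand-trimmed copy of the GitHub export shown above
# (document fields and the first four packages).
GITHUB_SPDX = JSON.parse(<<~DOC)
  {
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {
      "created": "2023-08-12T09:59:17Z",
      "creators": ["Tool: GitHub.com-Dependency-Graph"]
    },
    "name": "com.github.discourse/discourse",
    "packages": [
      { "SPDXID": "SPDXRef-com.github.discourse-discourse",
        "name": "com.github.discourse/discourse",
        "versionInfo": "", "supplier": "NOASSERTION" },
      { "SPDXID": "SPDXRef-rubygems-actionview-precompiler",
        "name": "rubygems:actionview_precompiler",
        "versionInfo": ">= 0", "supplier": "NOASSERTION" },
      { "SPDXID": "SPDXRef-rubygems-active-model-serializers",
        "name": "rubygems:active_model_serializers",
        "versionInfo": "~> 0.8.3", "supplier": "NOASSERTION" },
      { "SPDXID": "SPDXRef-rubygems-debug-inspector-1.1.0",
        "name": "rubygems:debug_inspector",
        "versionInfo": "1.1.0", "supplier": "NOASSERTION",
        "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:gem/debug_inspector@1.1.0" }] }
    ]
  }
DOC

# A resolved version starts with a digit ("1.1.0", "1.15.4-x86_64-linux");
# ">= 0", "~> 0.8.3" or "" are Gemfile constraints, not versions.
PINNED_VERSION = /\A[0-9][0-9A-Za-z.+\-]*\z/

# Check an SPDX JSON document against the NTIA minimum elements.
# Document level: creator, timestamp, dependency relationships.
# Per package: name, resolved version, supplier, unique identifier (purl).
def check_ntia(doc)
  info = doc.fetch("creationInfo", {})
  report = {
    creator: !Array(info["creators"]).empty?,
    timestamp: !info["created"].to_s.empty?,
    dependencies: Array(doc["relationships"]).any? { |r| r["relationshipType"] == "DEPENDS_ON" },
    packages: {}
  }
  Array(doc["packages"]).each do |pkg|
    problems = []
    problems << "no component name" if pkg["name"].to_s.empty?
    unless pkg["versionInfo"].to_s.match?(PINNED_VERSION)
      problems << "version not resolved (#{pkg['versionInfo'].inspect})"
    end
    supplier = pkg["supplier"].to_s
    problems << "supplier NOASSERTION" if supplier.empty? || supplier == "NOASSERTION"
    has_purl = Array(pkg["externalRefs"]).any? { |r| r["referenceType"] == "purl" }
    problems << "no unique identifier (purl)" unless has_purl
    report[:packages][pkg["name"]] = problems
  end
  report
end

# Print a human-readable summary; returns the number of packages with problems.
def print_report(report)
  puts "creator: #{report[:creator]}, timestamp: #{report[:timestamp]}, " \
       "dependency relationships: #{report[:dependencies]}"
  bad = report[:packages].reject { |_, problems| problems.empty? }
  bad.each { |name, problems| puts "#{name}: #{problems.join('; ')}" }
  bad.size
end

print_report(check_ntia(GITHUB_SPDX)) if $PROGRAM_NAME == __FILE__
```

On the sample above, creator and timestamp pass, but three of the four packages have an unresolved version or no purl, and all four lack a supplier. The excerpt on this page does not include a relationships array, so the dependency check also reports a gap; when auditing a complete export, run the script over the full downloaded file rather than an excerpt.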

Summary

  • SBOM is a file that lists the components that make up a piece of software and their dependencies
  • Regulations are already in place in the U.S. and Europe and are likely to come to Japan
  • Existing package manager lock files cannot be used as SBOM
  • There are different types of SBOM file formats
  • SBOM export can be done with free/paid tools, and output on GitHub is relatively easy