The Eclipse Foundation Security Team’s vision for the “Implementing Software Bills of Materials (SBOMs) for projects” initiative is that all Eclipse Foundation projects automatically generate SBOMs for new releases and upload them to a centralized, publicly accessible registry. Building on this vision, SBOMs are generated during the build process and retained for all releases, with the registry supporting multiple versions per software product.
The process of implementing SBOM generation workflows for a single project is a non-trivial task, as it requires careful customization to accommodate project-specific requirements. Scaling this effort to hundreds of Eclipse Foundation projects magnifies the challenge significantly. The complexity is further compounded by the fact that each project may include dozens of products, each with its own release pipelines and versioning schemes. Moreover, software products are developed across diverse ecosystems, each demanding different SBOM tooling, making it impossible to implement a uniform, automated process across all. Taken together, these factors make the goal of implementing SBOMs at scale an immense challenge.
Whilst we wish to continue to support projects in this endeavour through hands-on involvement where necessary (read more about this in our “Driving Software Supply Chain Security: Practical Support for Open Source Projects in SBOM Implementation” blog post), with the increased scale, we are focusing on ways to address this complex issue more broadly, by enabling projects in implementing SBOMs by themselves.
Taking a holistic approach, we have developed a comprehensive set of resources aimed to facilitate this process.
- Knowledge Base: We made considerable additions to our Security Handbook with documentation meant to lower the entry bar for SBOMs (see Introduction to SBOM)
- Tooling: Given the sparse nature of information concerning available SBOM tooling, we created a mapping of the Tooling Ecosystem for the CycloneDX standard, providing a starting point for projects searching for a tool best suited to their needs.
- Plug-and-Play Template Workflows: To enable hands-on development, we offer a set of example workflows that require minimal project-specific customization.
- Independent Implementation Guides: Complementing the above, we provide a detailed guide on how to develop SBOM generation and upload workflows tailored to individual projects needs, empowering teams to take a proactive approach in adopting supply chain security best practices (see How to generate and upload SBOMs).
Building on this holistic approach, we have also undertaken a set of engineering initiatives, including:
- SBOM Registry: Centralized SBOM management is handled through a dedicated Dependency-Track instance, enabling all projects to upload their SBOMs into a single place. Dependency-Track, an open source continuous SBOM analysis platform, provides a broad set of features that enable faster evaluation of potentially vulnerable dependencies, rapid risk mitigation and quick risk assessments. (see SBOM Registry)
- Plug-and-Play Upload Integration: SBOM uploads to the registry are simplified through otterdog integrations, streamlining adoption across projects (see How to upload an SBOM to Dependency-Track),
We strongly encourage projects to take an active role in their SBOM implementation. By leading their own implementation process, projects not only foster long-term adoption but also identify and mitigate risks early, while gaining the confidence and autonomy to integrate SBOM practices into their development lifecycle in a sustainable and effective way.
This work is part of an investment by the Sovereign Tech Fund - a program of the Sovereign Tech Agency.
