How does one go about generating SBoMs?
Software products start as ideas and concepts. Software development vendors (aka suppliers) transform these ideas by adding or removing "material" until a final desired product is created. Consumers obtain these products and may further transform them to suit their needs. As a product is being used, users and suppliers find problems or get ideas for improvements. Products are then improved through the iterative cycle called software lifecycle.
|Software Bill of Materials and Software Lifecycle|
Information that goes into SBoMs can be best obtained from the tools and processes used in each stage of a the software lifecycle. One may have to leverage or enhance existing tools and processes to generate SBoMs. Such tools include intellectual property review, procurement review and license management workflow tools, code scanners, pre-processors, code generators, source code management systems, version control systems, compilers, build tools, continuous integration systems, packagers, compliance test suites, package distribution repositories and app stores.
Many of the currently available tools may not have the capability to generate SBoMs as a byproduct as they handle material that goes into making a product. Suppliers should consider enhancing or retrofitting existing tools and processes to generate and maintain SBoMs. It may be impractical to retroactively generate complete SBoMs for older or existing products. SBoM can be considered incomplete if some information about the materials added or removed through the stages of software lifecycle is missing or was never recorded. If the SBoMs are incomplete, suppliers should make it clear so that consumers can make informed use of SBoMs based on the available data.