When the SBOM co-resides on a device, it can be retrieved using one of a number of protocols,
such as HTTP, Constrained Application Protocol (CoAP) or an OpenC2 binding. This is useful in
cases of highly tailored systems that have the ability to expose an API. In the case of HTTP,
CoAP and their secure variants, the SBOM would be found at a well-known location, such as
/.well-known/sbom (as described above). Such names are unique to each origin HTTP or COAP
service. OpenC2 has a number of protocol bindings, such as HTTP/S, Message Queuing
Telemetry Transport (MQTT), OpenDxl, and OpenDDS. OpenC2 super-imposes its security
model on those bindings. See the OpenC2 FAQ for more information.
Method 3: SBOM resides on a repository available to software consumers
An SBOM could be published to a public or private website, database, or other shared repository
available to consumers of the associated software. One method is to publish SBOMs on Digital
Bill of Materials (DBoM) Channel repositories. An author may publish an SBOM on a DBoM
Channel that they or others create to make it available to all or only some parties based on the
policy of that channel. See the DBoM Project GitHub for more info.
When the SBOM is on a web site (be it published on the web or through a customer portal), the
SBOM is retrieved using HTTP over Transport Layer Security (HTTPS). This is useful in the case
of small or legacy systems that have no APIs to transmit SBOMs, or when a software package is
being included by a developer, and the corresponding SBOM is to be included downstream.
Authors may leverage the security model of HTTPS to test for entitlement or otherwise limit
distribution as they see fit. Automated tooling must take care to identify portal requirements, and
may need to alert the administrator of any registration requirements.
The repository could be an offering or a function of a supply chain consortium. Some complex
supply chains require quantified trustworthiness from their participants, including specific
qualification, scoring, and tracking over time. To achieve these goals, the participants contribute
their trust data to a common database that is used for trust verification by other supply chain
partners. A wide variety of data types contribute to a supplier’s trustworthiness, and almost
anything could be included: quality test results, regulatory certification, financial health, etc. SBOM
is a natural extension to both the database and the requirements for trust.
Status Of This and Future Work
While SBOMs can be shared now, the NTIA Software Component Transparency Framing
Working Group continues to work to improve their applicability to various market segments,
associated processes, and tooling.
Sharing and Exchanging SBOMs 6