
How Microsoft will publish info to comply with executive order on software bill of materials
2022-05-06 14:33

When you install software, are you sure it's code you can trust? There are many questions to ask: do you know how that application reached you, how it was built, and what third-party software is running under the hood?

With no visibility into how that software was built, there was no way to know whether it should be trusted.

A year ago, the U.S. Government issued an executive order that aimed to get the industry to work to protect the software supply chain, requiring a Software Bill of Materials for all applications provided to the U.S. federal government.

Microsoft has been using software manifests internally for a long time, allowing it to keep track of the various components and modules used to build its software.

License compliance may have driven the development of SPDX, but because it already requires knowing what software you're using and where it came from, the format needs to be easily extensible with other verifications, such as digital signatures and hashes. That lets you build an SBOM that covers binaries and other software artefacts as well as source code.

The result is a cross-platform tool that not only identifies commercial software components but also detects and identifies open-source components from most common software repositories, such as Microsoft's own NuGet or the popular JavaScript NPM registry. It also works with languages like Go and Rust, and with applications that have their own Git repositories.
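To make the hash-based verification described above concrete, here is an added example (not code from the article or from Microsoft's tool) that builds a minimal SPDX-style manifest with a SHA-256 checksum for every file in a tree, then verifies the tree against it. The JSON field names (`spdxVersion`, `SPDXID`, `files`, `fileName`, `checksums`, `algorithm`, `checksumValue`) follow the SPDX 2.2 JSON schema; the sample files, package name and the `demo()` scenario are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, name: str = "example-package") -> dict:
    """Produce an SPDX-style document (a subset of SPDX 2.2 JSON fields) with a
    SHA256 checksum for every regular file under `root`.
    Files are sorted so the output is reproducible across runs."""
    files = []
    for i, path in enumerate(sorted(p for p in root.rglob("*") if p.is_file())):
        rel = path.relative_to(root).as_posix()
        files.append({
            "fileName": "./" + rel,
            "SPDXID": f"SPDXRef-File-{i}",
            "checksums": [{"algorithm": "SHA256", "checksumValue": sha256_file(path)}],
        })
    return {
        "spdxVersion": "SPDX-2.2",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": name,  # constructed package name
        "files": files,
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree under `root` against the manifest.
    Reports files whose hash changed, files that disappeared, and files present
    on disk that the manifest never listed (a common sign of an injected dependency)."""
    listed = {}
    for entry in manifest["files"]:
        expected = next(c["checksumValue"] for c in entry["checksums"]
                        if c["algorithm"] == "SHA256")
        listed[entry["fileName"][2:]] = expected  # strip the leading "./"
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    modified = sorted(f for f in listed if f in on_disk and sha256_file(root / f) != listed[f])
    missing = sorted(f for f in listed if f not in on_disk)
    unlisted = sorted(on_disk - listed.keys())
    return {"modified": modified, "missing": missing, "unlisted": unlisted}


def demo() -> dict:
    """Constructed scenario: build an SBOM for a small tree, confirm it verifies
    cleanly, then alter one binary and drop in an unlisted file, and return
    what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF constructed sample binary")
        (root / "LICENSE").write_text("constructed license text\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        assert clean == {"modified": [], "missing": [], "unlisted": []}
        # Simulate a post-build change to a shipped binary and an extra file.
        (root / "bin" / "app").write_bytes(b"\x7fELF altered binary")
        (root / "vendor.dll").write_bytes(b"constructed unlisted dependency")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only records hashes; in practice the document itself would be signed so that an attacker who can alter a binary cannot simply regenerate the manifest, which is the "digital signatures" half of the extension the article mentions.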


News URL

https://www.techrepublic.com/article/microsoft-publish-info-comply-executive-order-software-bill-materials/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 673 802 4449 4131 3700 13082