Today we’re pleased to announce the RKVST SBOM Hub – the first place to find and fetch SBOMs. RKVST SBOM Hub is a secure, immutable, any-to-any framework that integrates into both publisher and subscriber workflows, massively simplifying the effective sharing of SBOMs and helping all parties comply with the Executive Order.
Try it out for yourself here.
Since the Presidential Executive Order in May 2021, tools to create SBOMs, to sign and validate them, and others to scan for and look up vulnerabilities have proliferated. Software publishers are spoilt for choice when creating SBOMs. What has been missing is a simple, easy-to-use method to distribute and discover SBOMs so that subscribers can put them to good use.
Learning to Share
Current guidance only defines that SBOMs must be machine-readable and made available to those that use critical software. There is little direction as to where SBOMs should be published or how to get them to the right people and their machines. Different vendors (and different developers) are making their own decisions about how to store and distribute their SBOMs. Many open-source SBOMs are gravitating towards established code repositories such as GitHub. Others use lightweight repository tools aligned to particular SBOM formats, for example the CycloneDX BOM Repository Server, or simply host them on their own servers.
The danger is that SBOMs will be scattered across hundreds if not thousands of sites, some public and open, others closed and confidential. Software customers, and those looking to integrate open-source or other third-party code into their designs, face open-ended and time-consuming searches for the SBOMs that match the software packages they consume. At the same time, publishers may need to support numerous different repositories, multiplying the effort and the potential for duplication, oversights and mistakes.
Clarity from confusion
RKVST SBOM Hub is the answer – a single place where both publishers and consumers can go for public SBOMs, and a place to signpost privately exchanged SBOMs too. We are pleased to be included in the CycloneDX Tool Centre as an additional repository and distribution option for those writing SBOMs in that format. We have scanned open-source repositories for SBOMs in any approved format, so, unlike existing repos, we include SBOMs in CycloneDX, SPDX and SWID. Users can quickly search for a specific SBOM, or for SBOMs that match key criteria, and find them in whichever format they exist. We’ll scan all the repos so that you don’t have to. If we see searches for SBOMs we don’t have, we’ll seek them out.
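To make the "whichever format it exists in" point concrete, here is an added illustration of a format-agnostic SBOM lookup. It is not RKVST's code and the post does not describe how the Hub implements its search; the three documents are constructed samples, with field names taken from the public CycloneDX 1.4 JSON, SPDX 2.3 JSON and ISO 19770-2 SWID schemas. Each document is sniffed by its top-level structure rather than its file name, flattened into a common record shape, and searched by package URL (exact, unambiguous) or by name (looser fallback), so a consumer can match a package they run against SBOMs published in any of the three formats.

```python
"""Format-agnostic SBOM lookup over constructed CycloneDX, SPDX and SWID samples."""
import json
import xml.etree.ElementTree as ET

# --- Constructed sample documents (illustrative only, not any vendor's real SBOM) ---
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2"},
    ],
})

SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-service",
    "packages": [
        {"SPDXID": "SPDXRef-Package-1", "name": "log4j-core", "versionInfo": "2.17.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
        {"SPDXID": "SPDXRef-Package-2", "name": "openssl", "versionInfo": "3.0.2",
         "externalRefs": []},   # no purl recorded: only a name match can find this one
    ],
})

# A primary SWID tag identifies one product rather than listing its components.
SWID_DOC = (
    '<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" '
    'name="example-agent" version="1.4.0" tagId="example.com-example-agent-1.4.0"/>'
)


def detect_format(text):
    """Sniff the SBOM format from its top-level structure, not from a file extension."""
    stripped = text.lstrip()
    if stripped.startswith("<"):
        root = ET.fromstring(stripped)
        if root.tag.endswith("SoftwareIdentity"):   # namespaced tag: '{ns}SoftwareIdentity'
            return "SWID"
        raise ValueError("unrecognised XML document")
    data = json.loads(stripped)
    if data.get("bomFormat") == "CycloneDX":
        return "CycloneDX"
    if str(data.get("spdxVersion", "")).startswith("SPDX-"):
        return "SPDX"
    raise ValueError("unrecognised SBOM format")


def normalise(text):
    """Flatten any supported SBOM into records of {name, version, purl, format}."""
    fmt = detect_format(text)
    records = []
    if fmt == "CycloneDX":
        for c in json.loads(text).get("components", []):
            records.append({"name": c.get("name"), "version": c.get("version"),
                            "purl": c.get("purl"), "format": fmt})
    elif fmt == "SPDX":
        for p in json.loads(text).get("packages", []):
            # SPDX carries the purl as an external reference, not a top-level field.
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            records.append({"name": p.get("name"), "version": p.get("versionInfo"),
                            "purl": purl, "format": fmt})
    else:  # SWID
        root = ET.fromstring(text)
        records.append({"name": root.get("name"), "version": root.get("version"),
                        "purl": None, "format": fmt})
    return records


def search(documents, purl=None, name=None):
    """Return matching records from every document, whatever format each one is in.

    A purl match is exact and unambiguous; a name match is case-insensitive and is
    the fallback for SBOMs that never recorded a purl."""
    hits = []
    for doc_id, text in documents.items():
        for rec in normalise(text):
            if purl is not None and rec["purl"] != purl:
                continue
            if name is not None and (rec["name"] or "").lower() != name.lower():
                continue
            hits.append({"document": doc_id, **rec})
    return hits


# Constructed stand-in for a hub holding SBOMs in all three formats.
SAMPLE_HUB = {"app.cdx.json": CYCLONEDX_DOC,
              "service.spdx.json": SPDX_DOC,
              "agent.swid.xml": SWID_DOC}

if __name__ == "__main__":
    for hit in search(SAMPLE_HUB, purl="pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"):
        print(f"{hit['document']} ({hit['format']}): {hit['name']} {hit['version']}")
```

The purl-first design matters for consumers: a name alone ("openssl") can collide across ecosystems, whereas a purl pins the ecosystem, namespace and version, so a vulnerability lookup keyed on it will not match the wrong package. Documents that fail the format sniff are rejected rather than silently skipped, which is the behaviour you want when an ingest pipeline is fed unvetted files.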
But RKVST is much more than a ‘Google for SBOMs’. It’s a repository, not an index, and it provides publishers with privacy controls that help them manage their SBOMs as they build, publish, distribute and maintain them. Vendors are already starting to juggle multiple repositories to support the assembly of SBOMs, using separate development-environment stores and production repositories for publication. The opportunities for error are clear to see.
Permissioned sharing to protect IP
We provide a secure private area where developers can log in to assemble SBOMs and to store associated assets, binaries and other artefacts. Once the SBOM is complete and signed, owners have a simple choice. They can keep it private, or mark it for discovery so that anyone can find it in the RKVST SBOM Hub. This route is best suited to SBOMs that detail the provenance of open-source code freely available for use and integration by others.
However, most critical software has some proprietary and sensitive elements. In these cases, developers can instead move their SBOMs into RKVST for fully permissioned sharing, while signalling their existence in the public-facing RKVST SBOM Hub without revealing their detail. Granular controls in RKVST allow vendors to define precisely who should see each SBOM. Confidentiality, contractual clauses and legal obligations can be realised as governance and compliance policies that automate distribution to the correct parties at the correct time. This also provides for responsible disclosure of vulnerabilities to minimise risk. Supporting whatever governance and compliance policies vendors or customers require, RKVST distributes precisely, so that information goes to those that need it and no further. Immutable records of every SBOM show exactly who did what, and when, to any asset, allowing for full audit.
The first place to share SBOMs
Secure and precise sharing and discovery are essential to the effectiveness of SBOMs and to compliance with the Executive Order. RKVST SBOM Hub solves both sides of the SBOM-sharing challenge. Publishers have a powerful, flexible repository where they can store SBOMs now and choose later how to distribute them. Subscribers have a single destination to find the SBOMs they need, whether public or private. With thousands of SBOMs already included in RKVST SBOM Hub, it should immediately become the first place for anyone needing to share SBOMs.