This week, Microsoft announced Salus, an open-source software bill of materials (SBOM) tool, following the Executive Order on Improving the Nation’s Cybersecurity which made SBOMs a key requirement.
The tool generates SBOMs across Windows, Linux, and Mac, and uses the standard Software Package Data Exchange (SPDX) format.
Salus can be integrated into build workflows and it auto-detects NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repositories, and more through Component Detection.
The SBOMs generated by Salus contain four main sections based on the SPDX specification including document creation information, a list of files that compose the piece of software, a list of packages used when building the software, and a list of relationships between the different elements of the SBOM, such as files and packages.
“Microsoft wants to work with the open source community to help everyone be compliant with the Executive Order. Open sourcing Salus is an important step towards fostering collaboration and innovation within our community, and we believe this will enable more organizations to generate SBOMs as well as contribute to its development,” Danesh Kumar Badlani, product manager of One Engineering Systems (1ES) and Adrian Diglio, principal program manager of 1ES program management wrote in a blog post.