How to Improve your Software Supply Chain Risk Management with ParaView

September 6, 2024

A Software Bill of Materials (SBOM) is now considered an essential part of software security and software supply chain risk management. An SBOM is a nested inventory: the list of ingredients that make up a piece of software, component by component.

A skateboard illustration

A skateboard BOM would be:

  • 1 board
  • 4 wheels, each composed of 1 tire, 1 rim, 4 screws
  • 2 axles
  • 8 screws

Using the BOM and sufficient expertise, one can reconstruct the product.

In the software world, an SBOM lists every individual component and dependency that is part of a shipped package.

Providing an SBOM is critical because it makes it straightforward to track the licenses a product is subject to and to check its components against known Common Vulnerabilities and Exposures (CVE) entries, which in turn improves software security and supply chain risk management. CVE matching is done on component name and version, so an SBOM that records a concrete version for every component is what makes that check automatable.

More and more companies require an SBOM for the software they build and the software they use, and in the United States, Executive Order 14028 (2021) requires suppliers of software to the federal government to provide one.

There are several formats for describing an SBOM. One of them is the Software Package Data Exchange (SPDX), designed and maintained by the Linux Foundation and published as ISO/IEC 5962:2021.

An illustration of the SPDX standard

Since ParaView 5.13.0, Kitware ships the complete SPDX 2.2 description of all components and dependencies in a dedicated directory of its binary release, ./share/paraview-5.13/spdx/.

Complete list of all SPDX files in the ParaView Linux binary release
An example SPDX file, for the ADIOS2 dependency

With these standardized files, ParaView users, their IT departments, and security officers can reliably track each component's license, copyright, and version, and check for CVEs and license issues automatically.
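As an added example, not part of the Kitware post and not ParaView code, the following Python script shows what that automated check can look like: it parses SPDX 2.2 tag-value documents of the kind found in share/paraview-5.13/spdx/, flattens them into a (name, version) inventory that can be fed to a CVE lookup, and flags packages whose license falls outside an allow-list or whose version or download location is NOASSERTION, since such entries cannot be matched against vulnerability data or traced to their origin. The sample documents, package names, versions, the allow-list, and the assumption that the shipped files use the .spdx extension are all constructed for this example.

```python
"""Audit SPDX 2.2 tag-value documents (added example, not ParaView/Kitware code).

Tag names follow the SPDX 2.2 tag-value syntax. The sample documents, package
names, versions and allow-list below are constructed for this example.
"""
import re
import sys
from pathlib import Path

# Constructed sample documents standing in for files in the spdx/ directory.
SAMPLE_SPDX = {
    "libalpha.spdx": """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: libalpha
PackageName: libalpha
SPDXID: SPDXRef-Package-libalpha
PackageVersion: 1.4.2
PackageDownloadLocation: https://example.invalid/libalpha
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: <text>Copyright (c) 2020 Example Upstream
All rights reserved.</text>
""",
    "libbeta.spdx": """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: libbeta
PackageName: libbeta
SPDXID: SPDXRef-Package-libbeta
PackageVersion: NOASSERTION
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: (MIT AND GPL-3.0-only)
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
""",
}

# Constructed allow-list; a real one comes from your organization's license policy.
DEFAULT_ALLOWLIST = frozenset({"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "Zlib"})
TAG_RE = re.compile(r"^([A-Za-z0-9]+):\s*(.*)$")
LICENSE_OPERATORS = {"AND", "OR", "WITH"}
UNSET = ("", "NOASSERTION", "NONE")


def parse_spdx_tag_value(text):
    """Parse one document into {"document": {...}, "packages": [{...}, ...]}.

    Tags before the first PackageName are document-level; each PackageName
    starts a new package. A <text>...</text> value may span several lines.
    """
    doc = {"document": {}, "packages": []}
    current, lines, i = doc["document"], text.splitlines(), 0
    while i < len(lines):
        m = TAG_RE.match(lines[i])
        i += 1
        if not m:
            continue  # blank lines and "#" comments carry no data
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>"):
            parts = [value[len("<text>"):]]
            while not parts[-1].rstrip().endswith("</text>"):
                if i >= len(lines):
                    raise ValueError(f"unterminated <text> for tag {tag}")
                parts.append(lines[i])
                i += 1
            value = "\n".join(parts).rstrip()[: -len("</text>")]
        if tag == "PackageName":
            current = {"PackageName": value}
            doc["packages"].append(current)
        else:
            current[tag] = value
    return doc


def license_ids(expression):
    """SPDX license identifiers in an expression; parentheses and operators dropped."""
    return {t for t in re.split(r"[\s()]+", expression) if t and t.upper() not in LICENSE_OPERATORS}


def audit_package(filename, pkg, allowlist):
    """Findings for one package as (file, package, issue) tuples."""
    name, findings = pkg.get("PackageName", "?"), []
    if pkg.get("PackageVersion", "") in UNSET:
        findings.append((filename, name, "no concrete version; cannot be matched against CVE data"))
    lic = pkg.get("PackageLicenseConcluded", "NOASSERTION")
    if lic in UNSET:
        findings.append((filename, name, "license concluded is " + (lic or "missing")))
    else:  # conservative: every identifier must be allowed, an (A OR B) choice is not resolved
        for bad in sorted(license_ids(lic) - set(allowlist)):
            findings.append((filename, name, f"license {bad} not in allow-list"))
    if pkg.get("PackageDownloadLocation", "") in UNSET:
        findings.append((filename, name, "no download location; provenance cannot be verified"))
    return findings


def audit_documents(docs, allowlist=DEFAULT_ALLOWLIST):
    """Audit {filename: parsed document}; returns every finding."""
    findings = []
    for filename, doc in sorted(docs.items()):
        version = doc["document"].get("SPDXVersion")
        if version != "SPDX-2.2":
            findings.append((filename, "-", f"unexpected SPDXVersion {version}"))
        if not doc["packages"]:
            findings.append((filename, "-", "document declares no package"))
        for pkg in doc["packages"]:
            findings.extend(audit_package(filename, pkg, allowlist))
    return findings


def inventory(docs):
    """Flat, sorted (name, version) list: the key you feed to a CVE lookup."""
    return sorted((p.get("PackageName", "?"), p.get("PackageVersion", "NOASSERTION"))
                  for d in docs.values() for p in d["packages"])


def load_directory(spdx_dir):
    """Parse every *.spdx file in a directory (extension is an assumption)."""
    return {p.name: parse_spdx_tag_value(p.read_text(encoding="utf-8"))
            for p in sorted(Path(spdx_dir).glob("*.spdx"))}


if __name__ == "__main__":
    docs = (load_directory(sys.argv[1]) if len(sys.argv) > 1
            else {n: parse_spdx_tag_value(t) for n, t in SAMPLE_SPDX.items()})
    for name, version in inventory(docs):
        print(f"{name} {version}")
    for filename, name, issue in audit_documents(docs):
        print(f"FINDING {filename} {name}: {issue}")
```

Run it with the SPDX directory as the first argument; without an argument it audits the embedded sample, where libalpha passes and libbeta produces three findings. The license check is deliberately conservative: every identifier in an expression must be on the allow-list, so an (A OR B) choice is never resolved in the consumer's favour without a human looking at it.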

In addition, the SPDX generation mechanism is fully automatic and can be enabled in any ParaView-based application. It is controlled by a CMake option of the ParaView Superbuild, GENERATE_SPDX.

This work is crucial in order to let companies control and validate their supply chain. Kitware is committed to improving our open source tools so they meet the requirements of commercial companies. If you need assistance extracting SPDX information from ParaView, or would like to extend this work for your specific use case or product, please contact our team!
