Importing third-party SBOMs

Before we can discuss exporting SBOMs, we must first acknowledge that a complete and accurate SBOM includes all application dependencies. This means that third-party and custom components must be included alongside the open source libraries your development teams pull in. While open source makes up the vast majority of the modern application, many development teams still rely heavily on vendor-supplied components, such as libraries, SDKs, and drivers. If these components are not accounted for in the SBOM shipped with the finished application, you do not have complete visibility of supply chain risk. The good news is that most vendors can reasonably be expected to provide SBOMs for these components. But as the consumer of this software, you need the tools and processes to effectively leverage the information in those SBOMs and ensure it is carried forward into the SBOMs you generate.

Black Duck SCA enables teams to import third-party SBOMs so that the included components can be added to relevant projects, continuously analyzed for risk, and added to any reports or SBOMs generated as part of the application lifecycle. Additionally, for custom components that don’t already exist in the open source KnowledgeBase, Black Duck will automatically create an associated component, and identify it in any future scans. With Black Duck, development and security teams can establish complete visibility of their supply chains, so that they can effectively manage risk and communicate application composition to their own consumers.
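The two paragraphs above describe the process in the abstract: a vendor's SBOM has to be folded into your own, its components de-duplicated against what you already track, its dependency edges kept so transitive vendor dependencies stay attributable, and components with no public identifier flagged so they can be registered as custom components. The following is an added, stand-alone illustration of that merge written for this page; it is not Black Duck's code and does not use Black Duck's API. It works on two constructed CycloneDX-style JSON documents (`APP_SBOM`, the SBOM your build produced, and `VENDOR_SBOM`, the one shipped with a hypothetical `AcmePaySDK`); the package names, versions, bom-refs and the `sbom:origin` property name are all invented for the example.

```python
import json
from typing import Dict, List

# Constructed sample: the SBOM your own build produced. The vendor SDK is present
# only as a bare component; nothing here says what it bundles.
APP_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "payments-service", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"bom-ref": "vendor-sdk", "name": "AcmePaySDK", "version": "4.1"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "vendor-sdk"]}],
}

# Constructed sample: the SBOM the (hypothetical) vendor shipped with AcmePaySDK 4.1.
# "acme-crypto" is proprietary and therefore has no purl.
VENDOR_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "sdk", "name": "AcmePaySDK", "version": "4.1"}},
    "components": [
        {"bom-ref": "pkg:pypi/urllib3@1.26.5", "name": "urllib3", "version": "1.26.5",
         "purl": "pkg:pypi/urllib3@1.26.5"},
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"bom-ref": "acme-crypto", "name": "acme-crypto", "version": "1.0"},
    ],
    "dependencies": [
        {"ref": "sdk", "dependsOn": ["pkg:pypi/urllib3@1.26.5", "pkg:pypi/requests@2.31.0", "acme-crypto"]},
    ],
}


def component_key(comp: Dict) -> str:
    """De-duplication identity: the purl for a public package, otherwise a constructed
    name@version key (the analogue of a custom component no public KnowledgeBase knows)."""
    return comp.get("purl") or f"custom:{comp['name']}@{comp['version']}"


def merge_vendor_sbom(app: Dict, vendor: Dict, vendor_ref: str) -> Dict:
    """Fold a vendor SBOM into the application SBOM without mutating either input.

    vendor_ref is the bom-ref under which the vendor component already appears in the
    app SBOM. Vendor components are added once each (deduped by purl / name@version),
    tagged with an origin property, and the vendor's dependency edges are translated
    into the merged graph so the transitive vendor dependencies stay attributable.
    """
    merged = json.loads(json.dumps(app))  # deep copy
    by_key = {component_key(c): c for c in merged["components"]}
    taken_refs = {c["bom-ref"] for c in merged["components"]} | {merged["metadata"]["component"]["bom-ref"]}
    origin = {"name": "sbom:origin", "value": "vendor:" + vendor["metadata"]["component"]["name"]}

    # Map every bom-ref used inside the vendor document to a bom-ref in the merged document;
    # the vendor's root component is the component we already track as vendor_ref.
    ref_map = {vendor["metadata"]["component"]["bom-ref"]: vendor_ref}
    for comp in vendor["components"]:
        key = component_key(comp)
        if key not in by_key:
            new = dict(comp)
            if new["bom-ref"] in taken_refs:  # avoid clashing with an unrelated app bom-ref
                new["bom-ref"] = f"{vendor_ref}/{new['bom-ref']}"
            new["properties"] = list(comp.get("properties", [])) + [origin]
            merged["components"].append(new)
            by_key[key] = new
            taken_refs.add(new["bom-ref"])
        ref_map[comp["bom-ref"]] = by_key[key]["bom-ref"]

    # Carry the vendor's dependency edges across, expressed in merged bom-refs.
    deps = {d["ref"]: d for d in merged["dependencies"]}
    for entry in vendor.get("dependencies", []):
        ref = ref_map[entry["ref"]]
        if ref not in deps:
            deps[ref] = {"ref": ref, "dependsOn": []}
            merged["dependencies"].append(deps[ref])
        for dep in entry.get("dependsOn", []):
            mapped = ref_map[dep]
            if mapped not in deps[ref]["dependsOn"]:
                deps[ref]["dependsOn"].append(mapped)
    return merged


def components_without_purl(sbom: Dict) -> List[str]:
    """Names of components with no public identifier: candidates for custom-component
    registration so future scans can recognise them."""
    return sorted(c["name"] for c in sbom["components"] if not c.get("purl"))


if __name__ == "__main__":
    result = merge_vendor_sbom(APP_SBOM, VENDOR_SBOM, "vendor-sdk")
    print(json.dumps(result, indent=2))
    print("needs custom component:", components_without_purl(result))
```

The merge keys on the purl rather than on bom-ref because bom-refs are only unique within one document; two SBOMs from different producers can reuse the same ref for unrelated things, which is why a colliding ref is renamed instead of silently overwritten. The `sbom:origin` property is the simplest way to keep the answer to "where did this component come from?" in the exported document.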