Enhancing Software Supply Chain Security with SBOMs

Utilizing Software Bill of Materials to improve transparency and security in software development and deployment.


Rule Content

---
description: Enforce the generation and inclusion of a Software Bill of Materials (SBOM) in all software projects to enhance transparency and security.
globs: ['**/*']
tags: [security, compliance, sbom]
priority: 1
version: 1.0.0
---

# Enhancing Software Supply Chain Security with SBOMs

## Context
- Applicable to all software development projects.
- Aimed at improving transparency and security in software development and deployment.

## Requirements
- **SBOM Generation**: Generate an SBOM for every software project, detailing all components, dependencies, and their versions.
- **Standardized Format**: Utilize recognized SBOM formats such as CycloneDX or SPDX for consistency and interoperability.
- **Automation**: Integrate automated tools to generate and update SBOMs as part of the build and deployment processes.
- **Component Details**: Ensure the SBOM includes:
  - Component Name
  - Version
  - Supplier Name
  - Unique Identifiers (e.g., SWID tags)
  - Cryptographic Hashes
  - License Information
  - Relationships between components
- **Distribution**: Make the SBOM accessible to relevant stakeholders, ensuring it is included with software releases and updates.
- **Compliance**: Regularly review and update SBOMs to comply with the latest security standards and regulatory requirements.
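The following is an added example, not part of the rule itself: a small checker that reads a CycloneDX JSON SBOM and reports which of the "Component Details" above are missing, plus whether each component appears in the dependency relationships. The package names, supplier and hash value in the sample are constructed, and purl/cpe are accepted alongside SWID as unique identifiers (an assumption, since the rule names SWID only as an example).

```python
import json

# Any of these CycloneDX fields satisfies the rule's "Unique Identifiers" item
# (the rule names SWID tags as one example; purl and cpe are equally standard).
IDENTIFIER_KEYS = ("swid", "purl", "cpe")

def check_component(comp: dict) -> list[str]:
    """Return findings for one component against the rule's required details."""
    label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
    checks = [
        (comp.get("name"), "missing name"),
        (comp.get("version"), "missing version"),
        ((comp.get("supplier") or {}).get("name"), "missing supplier name"),
        (any(comp.get(k) for k in IDENTIFIER_KEYS), "missing unique identifier (swid/purl/cpe)"),
        (comp.get("hashes"), "missing cryptographic hashes"),
        (comp.get("licenses"), "missing license information"),
    ]
    return [f"{label}: {msg}" for ok, msg in checks if not ok]

def check_sbom(sbom: dict) -> list[str]:
    """Return all findings for a parsed CycloneDX JSON document; empty means compliant."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    components = sbom.get("components") or []
    if not components:
        findings.append("no components listed")
    for comp in components:
        findings.extend(check_component(comp))
    # Relationships: every component with a bom-ref must appear in the dependency graph.
    in_graph = set()
    for dep in sbom.get("dependencies") or []:
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn") or [])
    for comp in components:
        ref = comp.get("bom-ref")
        if ref and ref not in in_graph:
            findings.append(f"{ref}: not present in dependency relationships")
    return findings

# Constructed sample (hypothetical packages, dummy hash): one complete, one incomplete component.
SAMPLE_SBOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/acme-http@1.4.2", "name": "acme-http", "version": "1.4.2",
     "supplier": {"name": "Acme Corp"}, "purl": "pkg:pypi/acme-http@1.4.2",
     "hashes": [{"alg": "SHA-256", "content": "%s"}], "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "pkg:pypi/acme-legacy@0.1.0", "name": "acme-legacy", "version": "0.1.0"}],
  "dependencies": [{"ref": "pkg:pypi/acme-http@1.4.2", "dependsOn": []}]}""" % ("ab" * 32))
```

Running `check_sbom(SAMPLE_SBOM)` flags only the incomplete component (no supplier, identifier, hashes or license, and absent from the dependency graph), which is the kind of gate a build pipeline can fail on before a release ships.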

## Examples

<example>
**Valid SBOM Inclusion**:
- An SBOM is generated using CycloneDX format during the build process.
- The SBOM includes all required component details and is packaged with the software release.
- Stakeholders have access to the SBOM for transparency and security assessments.
</example>

<example type="invalid">
**Missing SBOM**:
- A software project is released without an accompanying SBOM.
- Stakeholders lack visibility into the software's components and dependencies, increasing security risks.
</example>