One of the fundamental tenets of
the SBOM faith is that the developer must produce a new SBOM whenever anything
in the code of the product has changed; even if the change is just a patch
being applied, there needs to be a new SBOM. I myself have repeated this teaching
many times. Of course, it’s also enshrined in the Minimum Elements document.
However, a recent conversation
with the Director of Project Security of one of the largest software developers
in the US has changed my thinking. There’s something special about patches that
makes a new SBOM almost impossible in most cases. The only real solution to the
problem is for the developer to do a complete version upgrade whenever there’s
been a new patch issued (or even better, they don’t issue a patch; they just require
all users to upgrade. But that would mean a lot more work for both the
developer and their customers).
Of course, given that nowadays there
are very few developers that are issuing a new SBOM with every major version
upgrade, let alone with every patch, this isn’t currently a problem. When it
becomes a problem, I’ll just count it as an indication that SBOMs have truly
arrived – somewhat like the “problem” that too many wealth managers will call
you if you just won the lottery. We should all have such problems.
Here is what my friend said:
1.
Typically, a developer
will issue multiple patches between version upgrades. The patches usually aren’t
cumulative. This means that, if there have been five patches since the last
upgrade, applying the fifth patch won’t also get you the previous four patches.
If you want all five, you need to apply each one. Of course, when the next version
upgrade comes out, you’ll receive all five patches “baked in” to the upgrade. But
it’s certainly not a good idea not to patch and to just wait for the next
upgrade!
2.
If the developer wants
to issue a new SBOM after say the fourth patch, they need to make an assumption
about which of the previous three patches were applied by the user. Of course, assuming
those patches weren’t automatically applied, it’s certain that different
combinations of the previous three patches may have been applied by different
customers (and some customers might not have applied any of them); moreover, it
would be a huge waste of time for the developer to poll their customers whenever
they release a new patch, to find out which of the previous patches they’ve
applied.
3.
What should the
developer assume when preparing the SBOM? The only thing they can assume is
that all possible combinations of the three previous patches have been applied
by at least one of their customers. So, completeness requires preparing an SBOM
for each possible combination of patches that might have been applied.
4. The number of SBOMs needed is equal to 2 raised to the number of independent patches that have been issued since the last update. If there have been three patches, this means the supplier needs to prepare 8 SBOMs (2 raised to the third power).
5. Eight SBOMs might
sound doable to some people. But how
many SBOM’s does the developer need to prepare if there have been five previous
patches? That’s 32 SBOMs. How about
ten previous patches? That’s 1,024. When you consider that the supplier would have to prepare multiple SBOMs with almost every patch they released, trying to do this would create a major burden on the supplier.
Clearly, the developer can’t be
expected to produce a new SBOM whenever they release a patch, except perhaps an
SBOM that assumes all previous patches were applied. So, please don’t try to force
your developer to follow SBOM dogma and produce a new SBOM whenever the
software changes. To start, count yourself quite lucky if the developer
promises to provide one SBOM with every major version upgrade. Just that will
be a lot better than the number of SBOMs you receive now, which is most likely zero.
Note: The original version of this post listed much larger numbers of required SBOMs, because of a math mistake. However, the numbers above are unacceptable as they are now; it doesn't matter that they're less than before.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would
like to comment on what you have read here, I would love to hear from you.
Please email me at tom@tomalrich.com.
No comments:
Post a Comment