Create a Software Bill of Materials

October 11, 2017

A Bill of Materials (BOM) is a list of the raw materials, sub-assemblies, intermediate assemblies, sub-components, parts and the quantities of each needed to manufacture an end product.   We can apply this concept to software development and create a Software BOM – a list of all software packages (with version numbers) that are incorporated into the build of a software product.

Why should I bother creating a Software Bill of Materials?

Your customers will like it

With the proliferation of cybersecurity threats, particularly ransomware and botnets, network administrators for healthcare providers (such as hospitals, clinical labs, etc.) are becoming increasingly wary of connecting medical devices to their network. If you can present your customers with a Software BOM for your device, then any time a new vulnerability alert is issued, they know whether your device is affected or not.

Your lawyers will like it

Many medical devices incorporate open source libraries.  Many open source licenses have very specific requirements you have to follow to be in compliance.  For example, to comply with the GPL license (applies to the Linux kernel and many Linux utilities) and the LGPL license (the Qt application framework), you MUST, somewhere in the user interface of the device, allow the user to view a copy of the license and what software packages it applies to.   If you don't know what software packages you have on your device, how can you be sure you are in compliance with open-source licenses?

You will like it

Setting up a Software BOM is the first step towards continuously monitoring your devices for new security vulnerabilities, which will help make sure your company isn't on the front page as the entry point for the next major cybersecurity incident. 

How do I create a Software Bill of Materials?

The BEST way – Ask your build system

You DO use a build system that can build a repeatable software image or executable from source code, right?  Right?  Well, for a build system to produce a repeatable image, it must have access to all the information you need for a software BOM – all the required software packages and their versions. 

The advantage of this method is that it can be completely automated.  Every new software release can automatically include a software bill of materials. 

  • Java
      • mvn dependency:tree
      • gradle app:dependencies
  • Python
      • pip freeze
  • Node
      • npm list
  • C#
      • References XML
  • C/C++
      • Makefile
  • Embedded Linux
      • Yocto (see "buildhistory")
      • Buildroot (make legal-info)

The WORST way – Ask your software engineers

You could just ask your software team to come up with a list of all the libraries they used. This is the easiest way to get something, but it's really not recommended. Humans are lazy and error-prone. It's tedious for them to do, they might miss something, and you have to repeat the exercise for every new software release in case something has changed.

BACKUP Method # 1 – Ask your Operating System or Package Manager

This method works if you have an existing device with no repeatable way to recreate the software image.   The operating system can generally give you a list of all software packages that are installed via the OS package manager.

Linux:

$ rpm -qa
$ apt list --installed
$ dpkg --list
$ yum list installed

Windows:

C:\>  wmic /OUTPUT:InstallList.txt product list BRIEF /format:csv

BACKUP Method #2 – Ask your file system

This is another method that can work if you have an existing device with no repeatable way to recreate the software image.   The software libraries are usually contained in a few places in the filesystem.  For example, on Linux, you may be able to see something like this:

$ find /lib

/lib/libjpeg.so.62.0.0
/lib/libcrypt.so.1
/lib/libm.so.6
/lib/libjson.so.0
/lib/libjpeg.so.62
/lib/libiconv.so.2
/lib/libgcc_s.so.1

This method can be combined with the package manager method above to be somewhat automated and somewhat accurate.  However, components can and will be missed by these methods.
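As an added example, not code from the original post, the following Python script combines Backup Method #1 and #2: it parses constructed `dpkg --list` and `find /lib` samples into one BOM, and keeps any shared library that no installed package appears to account for, flagged for manual review, so the gaps the text warns about are visible instead of silent. The package-name matching heuristic is an assumption, not a dpkg feature.

```python
import re
from collections import namedtuple
BomEntry = namedtuple("BomEntry", "name version source")

# Constructed `dpkg --list` sample: 'ii' = installed, 'rc' = removed (config files remain).
DPKG_OUTPUT = """\
||/ Name                  Version          Architecture Description
ii  libc6:amd64           2.24-11+deb9u1   amd64        GNU C Library
ii  libjpeg62-turbo:amd64 1:1.5.1-2        amd64        JPEG library
ii  libgcc1:amd64         1:6.3.0-18       amd64        GCC support library
rc  libjson0:amd64        0.11-4           amd64        JSON library
"""
# Constructed `find /lib` sample, mirroring the listing in the post.
FIND_OUTPUT = """\
/lib/libjpeg.so.62.0.0
/lib/libcrypt.so.1
/lib/libm.so.6
/lib/libjson.so.0
/lib/libjpeg.so.62
/lib/libiconv.so.2
/lib/libgcc_s.so.1
"""
def parse_dpkg(text):
    """Keep only installed ('ii') packages and drop the ':arch' qualifier."""
    rows = (line.split() for line in text.splitlines())
    return [BomEntry(p[1].split(":")[0], p[2], "dpkg")
            for p in rows if len(p) >= 3 and p[0] == "ii"]
SO_RE = re.compile(r"/(lib[^/]+?)\.so(?:\.([\d.]+))?$")
def parse_shared_libs(text):
    """libNAME.so.X.Y.Z -> (libNAME, 'X.Y.Z'), keeping the most specific version seen."""
    best = {}
    for line in text.splitlines():
        m = SO_RE.search(line.strip())
        if m:
            name, ver = m.group(1), m.group(2) or ""
            if len(ver) > len(best.get(name, "")):
                best[name] = ver
    return [BomEntry(n, v, "soname") for n, v in sorted(best.items())]

def build_bom(dpkg_text, find_text):
    """Merge both sources. A library that no installed package claims (assumed heuristic:
    package name starts with the library stem) is kept, flagged for manual review."""
    bom = parse_dpkg(dpkg_text)
    pkgs = [e.name for e in bom]
    for lib in parse_shared_libs(find_text):
        stem = re.match(r"lib[a-z]*", lib.name).group(0)
        if not any(p.startswith(stem) for p in pkgs):
            bom.append(lib._replace(source="soname (unverified)"))
    return bom
```

Note that a soname version such as `62.0.0` is an ABI version, not the package version, so the unverified entries still need a human to pin down what was actually shipped (here libjson.so.0 is on disk although dpkg reports the package removed).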

OK, I have a Software BOM. Now what?

You can search the [National Vulnerability Database](https://nvd.nist.gov/) (NVD) to see if any of your software packages (with version numbers) have any known vulnerabilities.  If so, you'll need to mitigate those vulnerabilities or provide a security update to your device's software to upgrade those packages to the latest version.
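An added example (not the post's or the linked tool's code) of the version check behind such a search: it matches BOM entries against constructed vulnerability records whose range fields follow the NVD naming (versionStartIncluding, versionEndExcluding, and so on), after stripping the Debian epoch and revision from package versions. The product-name mapping and the CVE ids are placeholders.

```python
import re

# Constructed records shaped like NVD "cpeMatch" entries (assumed field names
# versionStartIncluding / versionEndIncluding / versionEndExcluding; CVE ids are placeholders).
SAMPLE_VULNS = [
    {"cve": "CVE-0000-0001", "product": "libjpeg-turbo",
     "versionStartIncluding": "1.4.0", "versionEndExcluding": "1.5.2"},
    {"cve": "CVE-0000-0002", "product": "glibc", "versionEndIncluding": "2.23"},
]

# Assumed mapping from distro package names to the product names vulnerability records use.
PRODUCT_MAP = {"libjpeg62-turbo": "libjpeg-turbo", "libc6": "glibc"}

def upstream_version(pkg_version):
    """Strip the Debian epoch ('1:') and revision ('-2', '+deb9u1'): '1:1.5.1-2' -> '1.5.1'."""
    no_epoch = pkg_version.split(":", 1)[-1]
    return re.split(r"[-+~]", no_epoch, maxsplit=1)[0]

def vtuple(version):
    """Numeric comparison so that 1.10 > 1.9; non-numeric fragments count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def in_range(version, rec):
    """Apply whichever range bounds the record carries; a record with no bounds matches all."""
    v = vtuple(version)
    if "versionStartIncluding" in rec and v < vtuple(rec["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in rec and v <= vtuple(rec["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in rec and v > vtuple(rec["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in rec and v >= vtuple(rec["versionEndExcluding"]):
        return False
    return True

def check_bom(bom, vulns=SAMPLE_VULNS):
    """bom: iterable of (package, version). Returns {package: [cve, ...]} for affected entries."""
    hits = {}
    for pkg, ver in bom:
        product = PRODUCT_MAP.get(pkg, pkg)
        upstream = upstream_version(ver)
        for rec in vulns:
            if rec["product"] == product and in_range(upstream, rec):
                hits.setdefault(pkg, []).append(rec["cve"])
    return hits
```

Distributions backport fixes into package revisions, so a hit on the upstream version means "check the distribution's security tracker", not "confirmed vulnerable".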

We've built a tool to do this for you, at www.devicevulnerabilitychecker.com.  Paste in your software BOM in one of several supported formats, and the tool will automatically search the NVD and inform you of any known vulnerabilities.

Daniel Beard

Daniel is a technology enthusiast. He is passionate about technologies in web and application development, including security, communication and automation.

About Promenade Software

Promenade Software, Inc. specializes in software development for Medical Devices and other safety-critical applications.
