Continuing our commitment to providing the most secure products for our customers, we're pleased to announce that we'll now be providing Software Bill of Materials (SBOMs) for all Data Center products.
An SBOM is a detailed list or inventory of all the components in a piece of software. These components can include open-source software, proprietary code, libraries, frameworks, and other elements used in the software development process.
The SBOM is essential for ensuring compliance with different regulations and standards, for example, the U.S. Executive Order on Improving the Nation's Cybersecurity, the EU NIS 2 Directive, and Cyber Resilience Act. It enhances transparency and facilitates a deeper understanding of software components, their versions, dependencies, and updates on their security vulnerabilities. This can help developers and users identify potential security risks, manage licenses, and maintain the software more effectively. For example, if a vulnerability is discovered in a specific open-source component, anyone with access to SBOM can quickly check if their software is affected.
Atlassian will provide SBOMs for all Data Center products across all feature releases starting from the following versions:
Product |
Version |
---|---|
Bamboo | 9.6.0 LTS |
Bitbucket | 8.19.0 |
Confluence | 8.9.0 |
Crowd | 5.3.0 |
Jira Software | 9.15.0 |
Jira Service Management | 5.15.0 |
We use Syft, an open-source tool, to automatically generate SBOM files during the product build process. Syft scans the code, identifies the dependencies, and compiles a JSON file with the results. Syft supports various SBOM formats, with CycloneDX being Atlassian's current choice due to its popularity. However, we're open and will consider other formats if there is increasing demand. Comment under this post if you’d like to see other formats included or leave general feedback about the change.
The content of the SBOMs complies with the set of required elements outlined by the United States National Telecommunications and Information Administration and contains the following elements:
supplier of the software
name of the tool used to generate the SBOM (Snyk)
timestamp when the SBOM was generated.
In addition, the SBOM contains a complete description of the artifact components:
component name and version
relationship with other components
any additional information, such as licensing, repository information, description, or owner.
To locate the SBOM, go to the sbom/
folder in the product installation directory and search for a file named according to the following pattern: <product_name>-<version>-cyclonedx-sbom.json
.
Example SBOM location paths:
Jira Software: atlassian-jira-software-9.4.14-cyclonedx-sbom.json
Jira Service Management: atlassian-jira-servicedesk-5.4.14-cyclonedx-sbom.json
Due to the complex, plugin- and component-based architecture of our product suite, we are gradually revealing all front-end dependencies. Our current SBOMs cover a portion of these dependencies.
We are committed to transparency and have begun identifying any missing dependencies to guarantee that there are no surprises in our software. Our next step is to gradually incorporate their complete coverage in our SBOMs. We are giving priority to this task as it is essential for quality assurance, risk management, and maintaining your trust.
It will take some time to navigate these complexities, but we are confident that our efforts will result in more reliable software for everyone.
You can get basic information from SBOMs using jq queries (GitHub - jqlang/jq: Command-line JSON processor). For a more detailed analysis, you may require dedicated tools. Here’s a list of some example queries:
Total number of components:jq '.components | length' sbom.json
Number of unique components:jq '.components | unique_by(.name) | length' sbom.json
Number of Maven components:jq '.components | map(select((.purl) | startswith("pkg:maven"))) | unique_by(.purl) | length' sbom.json
Number of NPM components:jq '.components | map(select((.purl) | startswith("pkg:npm"))) | unique_by(.purl) | length' sbom.json
The standardized format of the Atlassian SBOM facilitates smooth integration into automated security checks within other supply chains. Additionally, it eliminates the necessity for adjustments in security scans in response to changes in the product’s structure.
We have designed our SBOMs with a thorough understanding of our software, ensuring that they are accurate and reliable sources of information. Therefore, Atlassian recommends using provided SBOMs because they not only streamline your operations but also guarantee the security and reliability of your software.
Hey @Maria Groth thanks for highlighting Cloud products. Currently, our SBOMs focus is on self-managed products.
@Aga Walczak-Karbowska - I think some of the images in this post are access-restricted? They’re not loading for me… (Try viewing them in an incognito window / not on VPN.) 👀
Thanks for the heads up @Dave Liao! There should be no problematic graphics now.
I see that, thank you! 🙏
AWK: Read that the first SBOM available should be for Bitbucket (DC) v8.19.0 which is now out. Any idea when the SBOM will be made available. I also noted that they would be in the /sbom directory...any chance linking it to the release notes pages in the future...one-stop for most of us...
Hey @james.woodworth I've double checked that the `sbom` folder is present in the ZIP download of Bitbucket 8.19.0. Apologies the release notes haven't mentioned it. Thanks for the feedback about directly linking, we'll consider it! For our own understanding, could you please describe how you'll use the SBOM? Will there be automated ingestion? Is there anything processing it? etc.
The DoD and NIST are pushing for programs to either obtain SBOMs from vendors or implement their own capabilities to produce them as part of their RFM/ATO supporting evidence. It's not absolute mandatory right now, but heading that way. Thanks for the heads up on the Bitbucket SBOM and we look forward to viewing the ones for Jira/JSM/Confluence down the road. Again, would appreciate a direct link to the SBOM files from the release notes, just helps with release/patch management actions.
@Aga Walczak-Karbowska , great development!
How is the SBOM implemented for Marketplace apps either developed bij Atlassian or third party suppliers?
@Daniël These SBOMs cover the core part of the mentioned products developed by Atlassian.
@Daniël Right now, our focus is on gradually integrating front-end dependencies. We'll keep you updated with any new plans on our public roadmap.
It looks good to me. But I am wondering: How does an SBOM enhance software transparency and security, and what motivates its integration into the development process?
@Noah - Devsamurai, SBOMs are integral to the US National Cyber Security Strategy and the amended EU Cyber Resilience Act. They significantly improve the software selection process. With SBOMs, identifying vulnerable components becomes easier. They pave the way for targeted security analysis and source verification
Compliance with policies can be also ensured through SBOMs. They shed light on end-of-life components, offer insights into how software integrates, and aid in planning before purchase and installation, acting as a crucial market signal.
For more information on the benefits of SBOMs, you can check out this NTIA document.
Bitbucket DC 9.0.0 is released on 22-Jul-2024.
But this release doesn't has SBOM.
When will Atlassian publish Bitbucket 9.x's SBOM?
It sound like the SBOMS will be made available on the Bitbucket server n the sbom directory. Will there be a way for users to access the SBOM their code generates if they do not have access to the server?
Also interested in hearing response to McRoberts question.
Tested that changes quite very useful :)
Thank you very much