Introducing Software Bill of Materials (SBOM) in our DC products
Continuing our commitment to providing the most secure products for our customers, we're pleased to announce that we'll now be providing Software Bill of Materials (SBOMs) for all Data Center products.
What is SBOM and why are we adding it?
An SBOM is a detailed list or inventory of all the components in a piece of software. These components can include open-source software, proprietary code, libraries, frameworks, and other elements used in the software development process.
The SBOM is essential for ensuring compliance with different regulations and standards, for example, the U.S. Executive Order on Improving the Nation's Cybersecurity, the EU NIS 2 Directive, and Cyber Resilience Act. It enhances transparency and facilitates a deeper understanding of software components, their versions, dependencies, and updates on their security vulnerabilities. This can help developers and users identify potential security risks, manage licenses, and maintain the software more effectively. For example, if a vulnerability is discovered in a specific open-source component, anyone with access to SBOM can quickly check if their software is affected.
When will SBOMs be available?
Atlassian will provide SBOMs for all Data Center products across all feature releases starting from the following versions:
|
Product |
Version |
|---|---|
| Bamboo | 9.6.0 LTS |
| Bitbucket | 8.19.0 |
| Confluence | 8.9.0 |
| Crowd | 5.3.0 |
| Jira Software | 9.15.0 |
| Jira Service Management | 5.15.0 |
How an SBOM is generated?
We use Syft, an open-source tool, to automatically generate SBOM files during the product build process. Syft scans the code, identifies the dependencies, and compiles a JSON file with the results. Syft supports various SBOM formats, with CycloneDX being Atlassian's current choice due to its popularity. However, we're open and will consider other formats if there is increasing demand. Comment under this post if you’d like to see other formats included or leave general feedback about the change.
The content of the SBOMs complies with the set of required elements outlined by the United States National Telecommunications and Information Administration and contains the following elements:
-
supplier of the software
-
name of the tool used to generate the SBOM (Snyk)
-
timestamp when the SBOM was generated.
In addition, the SBOM contains a complete description of the artifact components:
-
component name and version
-
relationship with other components
-
any additional information, such as licensing, repository information, description, or owner.
How to find SBOM?
To locate the SBOM, go to the sbom/ folder in the product installation directory and search for a file named according to the following pattern: <product_name>-<version>-cyclonedx-sbom.json.
Example SBOM location paths:
Jira Software: atlassian-jira-software-9.4.14-cyclonedx-sbom.json
Jira Service Management: atlassian-jira-servicedesk-5.4.14-cyclonedx-sbom.json
Limitations of current SBOMs
Due to the complex, plugin- and component-based architecture of our product suite, we are gradually revealing all front-end dependencies. Our current SBOMs cover a portion of these dependencies.
We are committed to transparency and have begun identifying any missing dependencies to guarantee that there are no surprises in our software. Our next step is to gradually incorporate their complete coverage in our SBOMs. We are giving priority to this task as it is essential for quality assurance, risk management, and maintaining your trust.
It will take some time to navigate these complexities, but we are confident that our efforts will result in more reliable software for everyone.
How to get information out of the SBOMs
You can get basic information from SBOMs using jq queries (
GitHub - jqlang/jq: Command-line JSON processor). For a more detailed analysis, you may require dedicated tools. Here’s a list of some example queries:
-
Total number of components:
jq '.components | length' sbom.json -
Number of unique components:
jq '.components | unique_by(.name) | length' sbom.json -
Number of Maven components:
jq '.components | map(select((.purl) | startswith("pkg:maven"))) | unique_by(.purl) | length' sbom.json -
Number of NPM components:
jq '.components | map(select((.purl) | startswith("pkg:npm"))) | unique_by(.purl) | length' sbom.json
Safeguard your business with Atlassian SBOM
The standardized format of the Atlassian SBOM facilitates smooth integration into automated security checks within other supply chains. Additionally, it eliminates the necessity for adjustments in security scans in response to changes in the product’s structure.
We have designed our SBOMs with a thorough understanding of our software, ensuring that they are accurate and reliable sources of information. Therefore, Atlassian recommends using provided SBOMs because they not only streamline your operations but also guarantee the security and reliability of your software.
9 comments
