VMware Application Catalog Now Delivers Open Source SBoM in SPDX Format

April 26, 2023 Bala Bharathy U

The software bill of materials (SBoM) that comes with the container images of VMware Application Catalog is now available in Software Package Data Exchange (SPDX) format, an international open standard developed by the Linux Foundation for communication of SBoM information.

The growing complexities of software supply chains

At VMware, we believe every company today is a custom software company, as all modern-day businesses are invariably required to build their own software applications to deliver value and serve their customers. While building their own applications, businesses have generally moved away from a legacy monolithic architecture into small, self-contained microservices. This microservices-based architecture has clearly made the software products much more robust than before, while also making the software development process more efficient. Developers now get to leverage standard application components like databases, streaming and messaging services, API gateways, service meshes, etc. from third-party and often open source software vendors.

On the downside, it is safe to admit that the microservices-based architecture has also made the software application ecosystem of today more complicated than ever. The third-party open source software dependencies of a microservices-based modern application result in a highly complex software supply chain that security teams, platform engineers, and infrastructure and operations (I&O) teams have limited or no visibility. As a result, most businesses end up as sitting ducks for software supply chain attackers. This is the reason why having a software bill of materials (SBoM) has gained prominence among security and compliance stakeholders over the last few years.

Why is having an SBoM the need of the hour? 

An SBoM is a list of an application’s dependencies, such as third-party services, software packages, open source software stacks, and codebases. SBoM empowers organizations with an exhaustive inventory of software components, allowing them to track application changes and identify and remediate vulnerabilities. Further, with a healthy SBoM, organizations can easily share the list of application dependencies, enhancing the efficiency of development teams. It makes the typically complex process of patching and remediation of vulnerabilities much simpler, as the security teams just have to locate the specific third-party service, software package, open source software stack, or codebase listed in the SBoM and make the needed remediations.

The recent issues surrounding SolarWinds and Apache Log4j have raised awareness of how insecure and vulnerable software supply chains can be. Government and security leaders across the globe are now rethinking their security strategies. With the growing number of software supply chain attacks, SBoM has rightly become the front and center of modern-day cybersecurity initiatives. SBoM also holds a central role in Executive Order 14028, set on improving the nation’s cybersecurity, issued by the White House in May 2021.

Overcoming open source challenges with VMware Application Catalog 

VMware Application Catalog (formerly Tanzu Application Catalog) is a catalog of trusted, continuously maintained, and verifiably tested open source software images that is custom-built to enterprise specifications, and privately delivered directly to a customer’s registry of choice. With VMware Application Catalog, our goal is to enable developers to be at their best by providing ready-to-use open source software images, while also providing platform engineering and IT operations teams with strong control over the open source software consumption by their developers. 

Open source SBoM from VMware

VMware Application Catalog allows our customers to gain deep visibility into their open source software supply chain with a detailed SBoM. Every container image that is delivered to a customer’s registry comes with a downloadable SBoM that has details like author, supplier, and component names, as well as version details.

From now on, the SBoM for container images from VMware Application Catalog will be available in the SPDX format.

What is Software Package Data Exchange (SPDX) format? 

SPDX provides a common format for companies and communities to share SBoM data, thereby streamlining and improving compliance. SPDX is an international open standard developed by the Linux Foundation for communication of SBoM information, including components, licenses, copyrights, and security references. Additionally, it is one of the three standards prescribed by the National Telecommunications and Information Administration (NTIA). 

How can an SPDX standard SBoM deliver more value to our customers?

With SPDX standard SBoM from VMware Application Catalog, businesses can

  • Achieve compliance with NTIA standards as it contains all details including component hash, unique identifiers, and dependency relationships as prescribed by the NTIA pursuant to Executive Order 14028. 
  • Reduce redundant work by adopting a common format broadly used by the community to consume SBoM metadata in a standardized, understandable, and reusable way.
  • Optimize and automate security-related decision making processes by working with tools which can directly consume SPDX formats as inputs.

How can you get SPDX standard SBoM from VMware Application Catalog? 

The SPDX standard SBoM from VMware Application Catalog will be pushed into the customer’s private Open Container Initiative (OCI)-compliant registry along with the respective open source software artifact.

Alternatively, users can also access the SPDX standard SBoM from the user interface of VMware Application Catalog with the following steps.

After logging in to the VMware Cloud Services console and launching VMware Application Catalog

  1. Select  Applications from the left-hand pane of the user interface (UI); this will bring up the My Applications tab.
  2. From the list of all applications you see on the My Applications tab, click the DETAILS button corresponding to the container image whose SBoM you need. 

Graphical user interfaceDescription automatically generatedThe UI of VMware Application Catalog highlighting the Applications section, My Applications tab, and DETAILS button corresponding to Golang container image.

  1. In the page that opens, you will be able to download the SPDX standard SBoM, by clicking the DOWNLOAD button corresponding to SBoM (SPDX) in the Build Time Reports section. 
    Graphical user interface, text, application, emailDescription automatically generatedThe UI of VMware Application Catalog highlighting Build Time Reports, SBoM (SPDX), and the DOWNLOAD button.

Next steps

If you are interested in learning more about VMware Application Catalog please go through our resources page. To contact one of our experts, please fill out this form and our team will get in touch with you soon!

About the Author

Bala Bharathy U

Bala Bharathy U is part of the product marketing team of VMware Tanzu, focusing on VMware Application Catalog and VMware Image Builder. He started his product marketing career in 2020 and has since worked on products across multiple tech domains, including virtualization, security, remote access, and application modernization.

More Content by Bala Bharathy U
A Developer Perspective on Developer Experience
A Developer Perspective on Developer Experience

What makes a good developer experience, and how can you improve yours to make your developers happier and m...

Speed Up and Scale Amazon EKS Cluster Deployments with New VMware Tanzu Mission Control Features
Speed Up and Scale Amazon EKS Cluster Deployments with New VMware Tanzu Mission Control Features

VMware Tanzu Mission Control, a hub for multi-cluster Kubernetes management, is announcing general availabi...

SpringOne at VMware Explore 2023

Learn More