
Software Bill of Materials (SBOM)

What is an SBOM?

A Software Bill of Materials (SBOM) is a comprehensive inventory of all components, libraries, and dependencies included in this software. SBOMs provide transparency into the software supply chain, enabling security teams to identify vulnerabilities, track licenses, and ensure compliance with organizational policies.

Available Formats

This provider includes SBOMs in two industry-standard formats:

  • SPDX JSON (ISO/IEC 5962:2021): The international standard for software package data exchange, widely used for regulatory compliance and legal obligations. Best for license compliance and government requirements.

  • CycloneDX JSON (OWASP): An OWASP specification optimized for security use cases and vulnerability management. Best for security scanning and DevSecOps workflows.

Where to Find SBOMs

All SBOM files are stored in the sbom/ directory of this repository, organized by version. This approach:

  • ✅ Keeps SBOMs version-controlled and easily accessible
  • ✅ Avoids interfering with Terraform Registry publishing
  • ✅ Provides stable, predictable URLs for automation

Latest Version

The most recent SBOM is available at:

  • sbom/latest/sbom.spdx.json
  • sbom/latest/sbom.cyclonedx.json

Download via GitHub (Raw Content):

curl -LO https://raw.githubusercontent.com/CiscoDevNet/terraform-provider-iosxe/main/sbom/latest/sbom.spdx.json
curl -LO https://raw.githubusercontent.com/CiscoDevNet/terraform-provider-iosxe/main/sbom/latest/sbom.cyclonedx.json

Specific Versions

Each release has its own directory:

  • sbom/v0.14.3/sbom.spdx.json
  • sbom/v0.14.3/sbom.cyclonedx.json

Download Example:

# Replace VERSION with the desired release version
VERSION=v0.14.3
curl -LO https://raw.githubusercontent.com/CiscoDevNet/terraform-provider-iosxe/main/sbom/${VERSION}/sbom.spdx.json
curl -LO https://raw.githubusercontent.com/CiscoDevNet/terraform-provider-iosxe/main/sbom/${VERSION}/sbom.cyclonedx.json

Browse All Versions

View the complete SBOM history in the repository: https://github.com/CiscoDevNet/terraform-provider-iosxe/tree/main/sbom

Using SBOM Files

Vulnerability Scanning

With Grype (SPDX or CycloneDX):

# Install Grype
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh

# Scan SBOM for vulnerabilities
grype sbom:./sbom/latest/sbom.spdx.json

With Trivy (CycloneDX):

# Install Trivy
brew install trivy

# Scan SBOM
trivy sbom ./sbom/latest/sbom.cyclonedx.json

With Snyk (CycloneDX):

# Requires Snyk account and CLI. SBOM files are tested with the 'snyk sbom test'
# subcommand; 'snyk test --file' expects a package manifest such as go.mod
snyk sbom test --experimental --file=sbom/latest/sbom.cyclonedx.json

License Compliance

With SPDX Tools:

# Validate SPDX format
pip install spdx-tools
pyspdxtools -i sbom/latest/sbom.spdx.json

Extract License Information:

# Using jq to extract licenses
jq '.packages[].licenseConcluded' sbom/latest/sbom.spdx.json | sort -u
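The jq one-liner above lists the distinct licence strings; the next step a practitioner usually wants is to check those strings against a policy. The following is an added example, not code from the terraform-provider-iosxe repository: it reads the same packages[].licenseConcluded field from an SPDX 2.3 JSON document, expands simple SPDX licence expressions, and reports packages whose licence is unknown (NOASSERTION/NONE) or outside an allowlist. The allowlist, the sample document and the package names are constructed for illustration.

```python
"""License policy check over an SPDX 2.3 JSON SBOM (added example, constructed data)."""
import json
import re

# Constructed allowlist standing in for an organisational policy.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "MPL-2.0"}

# Constructed SPDX fragment carrying only the fields this check reads.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-sbom",
    "packages": [
        {"name": "github.com/example/netlib", "versionInfo": "v1.4.0",
         "licenseConcluded": "Apache-2.0"},
        {"name": "github.com/example/yamlx", "versionInfo": "v3.0.1",
         "licenseConcluded": "MIT OR Apache-2.0"},
        {"name": "github.com/example/legacy", "versionInfo": "v0.9.0",
         "licenseConcluded": "GPL-3.0-only"},
        {"name": "github.com/example/unknown", "versionInfo": "v2.2.0",
         "licenseConcluded": "NOASSERTION"},
        {"name": "github.com/example/mixed", "versionInfo": "v1.0.0",
         "licenseConcluded": "(MIT AND LGPL-2.1-only)"},
    ],
})


def license_ids(expression):
    """Split an SPDX licence expression into its licence identifiers.

    Parentheses and the AND/OR/WITH operators are dropped; an exception
    named after WITH is returned as an identifier of its own.
    """
    tokens = re.split(r"[()\s]+", expression)
    return [t for t in tokens if t and t.upper() not in {"AND", "OR", "WITH"}]


def evaluate_expression(expression, allowed):
    """Return True when the expression is acceptable under the allowlist.

    Two shapes are handled: a flat OR-list (the consumer may pick any
    option, so one allowed identifier suffices) and everything else,
    treated conjunctively (every identifier must be allowed).
    """
    if expression in ("NOASSERTION", "NONE"):
        return False
    ids = license_ids(expression)
    if not ids:
        return False
    if " OR " in expression and " AND " not in expression:
        return any(i in allowed for i in ids)
    return all(i in allowed for i in ids)


def check_spdx_licenses(spdx_json, allowed=ALLOWED_LICENSES):
    """Return (name, version, licence) tuples for packages that violate policy."""
    doc = json.loads(spdx_json)
    violations = []
    for pkg in doc.get("packages", []):
        expr = pkg.get("licenseConcluded", "NOASSERTION")
        if not evaluate_expression(expr, allowed):
            violations.append((pkg["name"], pkg.get("versionInfo", ""), expr))
    return violations


if __name__ == "__main__":
    # With a real file: check_spdx_licenses(open("sbom/latest/sbom.spdx.json").read())
    for name, version, lic in check_spdx_licenses(SAMPLE_SPDX):
        print(f"POLICY VIOLATION: {name} {version}: {lic}")
```

A missing licenseConcluded is treated as NOASSERTION rather than silently passing, so packages the generator could not classify surface as findings instead of disappearing from the report.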

Dependency Analysis

List All Dependencies:

# SPDX format (the version is carried in versionInfo, not version)
jq '.packages[] | select(.name != "terraform-provider-iosxe") | {name, version: .versionInfo}' sbom/latest/sbom.spdx.json

# CycloneDX format
jq '.components[] | {name, version}' sbom/latest/sbom.cyclonedx.json

Track Dependency Changes:

# Compare SBOMs across versions. Diff the per-version directories rather than
# sbom/latest at the release tags: the SBOM commit lands on main after the tag,
# so sbom/latest at a tag still holds the previous release's SBOM
git diff --no-index sbom/v0.13.0/sbom.spdx.json sbom/v0.14.0/sbom.spdx.json

Generation Details

  • Tool: Syft by Anchore
  • Input: Provider source code and Go module dependencies (go.mod)
  • Automation: Fully automated during release via GitHub Actions
  • Frequency: Every release (tagged with v* pattern)
  • Repository Storage:
    • Version-specific directory: sbom/{version}/
    • Latest reference: sbom/latest/
  • Update Timing: Automated commit within minutes of release publication

SBOMs are generated by scanning the provider's source code and analyzing the complete dependency tree, including direct and transitive dependencies. After the release is created, a separate workflow job automatically:

  1. Creates sbom/{version}/ directory with SBOM files
  2. Updates sbom/latest/ to reference the new version
  3. Commits changes to the main branch

Verification and Integrity

SBOM files are stored in the repository and version-controlled via Git. Integrity is ensured through:

  1. Git Commit Signatures: Commits are made by GitHub Actions with verifiable identity
  2. Repository History: Full audit trail via Git history
  3. Immutable Versions: Once published, version directories are not modified

Verify SBOM Integrity:

# Clone repository
git clone https://github.com/CiscoDevNet/terraform-provider-iosxe.git
cd terraform-provider-iosxe

# View commit that added the SBOM
VERSION=v0.14.3
git log --all -- sbom/${VERSION}/

# Verify commit author, message and signature
git show --show-signature <commit-hash>

# Optional: Verify SBOM content matches the release
# Check out the release tag so the scan covers the same source tree, and
# compare name/version pairs in SPDX form: the default syft JSON layout
# (.artifacts) does not line up with the SPDX layout (.packages)
git checkout ${VERSION}
syft scan dir:. -o spdx-json | jq '[.packages[] | {name, version: .versionInfo}] | sort_by(.name)' > /tmp/current.json
jq '[.packages[] | {name, version: .versionInfo}] | sort_by(.name)' sbom/${VERSION}/sbom.spdx.json > /tmp/published.json
diff /tmp/current.json /tmp/published.json
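Both the "Track Dependency Changes" step above and the optional "Verify SBOM content matches the release" check reduce to the same operation: comparing the set of (name, version) pairs in two SBOM documents. The script below is an added example, not code from the terraform-provider-iosxe repository. It reads either format this repository publishes (SPDX 2.3: packages[].name and versionInfo; CycloneDX: components[].name and version), so a published SPDX file can be compared with a fresh scan emitted in either format, and it reports added, removed and version-changed packages with a non-zero exit status when anything differs. The two sample documents and their package names are constructed; the only name taken from this page is terraform-provider-iosxe, the provider's own root package, which is skipped because its version changes on every release by design.

```python
"""Diff two SBOMs (SPDX or CycloneDX JSON) by package name and version (added example)."""
import json
import sys


def load_packages(doc):
    """Return {name: version} from a parsed SPDX 2.x or CycloneDX JSON document."""
    if "spdxVersion" in doc:
        return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}
    if doc.get("bomFormat") == "CycloneDX":
        return {c["name"]: c.get("version", "") for c in doc.get("components", [])}
    raise ValueError("not an SPDX 2.x or CycloneDX JSON document")


def diff_sboms(old_doc, new_doc, ignore=()):
    """Compare two parsed SBOMs by (name, version).

    Returns {"added": [names], "removed": [names], "changed": [(name, old, new)]}.
    `ignore` lists package names to skip, such as the provider's own root package.
    """
    old = {n: v for n, v in load_packages(old_doc).items() if n not in ignore}
    new = {n: v for n, v in load_packages(new_doc).items() if n not in ignore}
    return {
        "added": sorted(n for n in new if n not in old),
        "removed": sorted(n for n in old if n not in new),
        "changed": sorted((n, old[n], new[n]) for n in old if n in new and old[n] != new[n]),
    }


# Constructed SPDX document standing in for a published sbom/<version>/sbom.spdx.json.
OLD_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "terraform-provider-iosxe", "versionInfo": "v0.13.0"},
        {"name": "github.com/example/netlib", "versionInfo": "v1.4.0"},
        {"name": "github.com/example/yamlx", "versionInfo": "v3.0.1"},
        {"name": "github.com/example/legacy", "versionInfo": "v0.9.0"},
    ],
}

# Constructed CycloneDX document standing in for a fresh `syft scan dir:. -o cyclonedx-json`.
NEW_CDX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "terraform-provider-iosxe", "version": "v0.14.0"},
        {"name": "github.com/example/netlib", "version": "v1.5.0"},
        {"name": "github.com/example/yamlx", "version": "v3.0.1"},
        {"name": "github.com/example/newdep", "version": "v0.1.0"},
    ],
}

# The provider's root package: its version differs between any two releases by design.
PROVIDER_ROOT = {"terraform-provider-iosxe"}


def main(argv):
    """Usage: diff_sbom.py OLD.json NEW.json (any mix of SPDX/CycloneDX); no args runs the sample."""
    if len(argv) == 3:
        with open(argv[1]) as f_old, open(argv[2]) as f_new:
            result = diff_sboms(json.load(f_old), json.load(f_new), ignore=PROVIDER_ROOT)
    else:
        result = diff_sboms(OLD_SPDX, NEW_CDX, ignore=PROVIDER_ROOT)
    for key in ("added", "removed", "changed"):
        for item in result[key]:
            print(key.upper(), item)
    # Exit non-zero when anything differs so the script can gate a CI job.
    return 1 if any(result.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

For the release verification case, run it as `python3 diff_sbom.py sbom/${VERSION}/sbom.spdx.json /tmp/fresh-scan.json` after generating the fresh scan from the checked-out tag; a clean run (exit 0) means the published inventory and the rebuilt one agree on every dependency name and version.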

Compliance and Standards

This SBOM implementation follows:

  • NTIA Minimum Elements for SBOM (U.S. Executive Order 14028)
  • SPDX 2.3 specification (ISO/IEC 5962:2021)
  • CycloneDX 1.5+ specification (OWASP)
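The NTIA minimum elements named above are seven data fields (supplier name, component name, version of the component, other unique identifiers, dependency relationship, author of SBOM data, timestamp). The following is an added example, not code from the terraform-provider-iosxe repository, that checks an SPDX 2.3 JSON document for those elements. The mapping of each element onto an SPDX field is this example's assumption (it follows the fields these elements are commonly recorded in), and both sample documents are constructed.

```python
"""Check an SPDX 2.3 JSON SBOM for the NTIA minimum elements (added example, constructed data)."""
import json

# Assumed mapping of NTIA minimum elements onto SPDX 2.3 JSON fields:
#   supplier name           -> packages[].supplier
#   component name          -> packages[].name
#   version of component    -> packages[].versionInfo
#   other unique identifiers-> packages[].externalRefs[] with a purl or CPE type
#   dependency relationship -> relationships[]
#   author of SBOM data     -> creationInfo.creators
#   timestamp               -> creationInfo.created
ID_REF_TYPES = {"purl", "cpe23Type", "cpe22Type"}
ELEMENTS = ("author", "timestamp", "dependency_relationship",
            "supplier", "component_name", "version", "unique_id")


def check_ntia_minimum_elements(doc):
    """Return {element: [findings]}; an element with an empty list is satisfied."""
    findings = {k: [] for k in ELEMENTS}
    creation = doc.get("creationInfo", {})
    if not creation.get("creators"):
        findings["author"].append("creationInfo.creators missing or empty")
    if not creation.get("created"):
        findings["timestamp"].append("creationInfo.created missing")
    if not doc.get("relationships"):
        findings["dependency_relationship"].append("relationships section missing or empty")
    for pkg in doc.get("packages", []):
        label = pkg.get("SPDXID") or pkg.get("name") or "<unnamed package>"
        if not pkg.get("name"):
            findings["component_name"].append(f"{label}: name missing")
        if not pkg.get("versionInfo"):
            findings["version"].append(f"{label}: versionInfo missing")
        supplier = pkg.get("supplier", "")
        if not supplier or supplier == "NOASSERTION":
            findings["supplier"].append(f"{label}: supplier missing or NOASSERTION")
        refs = pkg.get("externalRefs", [])
        if not any(r.get("referenceType") in ID_REF_TYPES for r in refs):
            findings["unique_id"].append(f"{label}: no purl/CPE external reference")
    return findings


def is_ntia_compliant(doc):
    """True when every minimum element is present for the document and all packages."""
    return not any(check_ntia_minimum_elements(doc).values())


def check_file(path):
    """Run the check against an SBOM file on disk, e.g. sbom/latest/sbom.spdx.json."""
    with open(path) as f:
        return check_ntia_minimum_elements(json.load(f))


# Constructed document that carries every element.
SAMPLE_OK = {
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Tool: example-generator-0.0"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-netlib", "name": "github.com/example/netlib",
         "versionInfo": "v1.4.0", "supplier": "Organization: Example Org",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:golang/github.com/example/netlib@v1.4.0"}]},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-Package-netlib"}],
}

# Constructed document with gaps: no supplier, no identifier, no relationships.
SAMPLE_GAPS = {
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Tool: example-generator-0.0"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-legacy", "name": "github.com/example/legacy",
         "versionInfo": "v0.9.0", "supplier": "NOASSERTION"},
    ],
    "relationships": [],
}

if __name__ == "__main__":
    for element, problems in check_ntia_minimum_elements(SAMPLE_GAPS).items():
        for problem in problems:
            print(f"{element}: {problem}")
```

A package with supplier set to NOASSERTION is reported as a gap rather than accepted, because the minimum-elements list asks for a supplier name, and a placeholder does not identify one.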

Questions or Issues?

If you have questions about SBOM usage or find issues with the generated SBOMs, please open an issue with the sbom label.

Additional Resources