
Understanding SBOM in Go: Why It Matters and How to Generate One
This blog post has a deeper-dive video lesson, available to watch here.
As software projects grow in complexity, keeping track of dependencies and ensuring security become critical concerns. A Software Bill of Materials (SBOM) is a structured list of all the components that make up a software application, helping teams gain better visibility into their dependencies. SBOMs can be generated for most programming languages, not just Go. By using a consistent and standard format, managing them at scale becomes possible.
Key Benefits of SBOM:
- Security: Identifies vulnerabilities in dependencies early.
- License Compliance: Ensures all dependencies have compatible licenses.
- Standardization: Helps reduce redundant libraries and enforces best practices.
- Regulatory Requirements: Required for certifications like FedRAMP when working with the US government.
SBOM in Go: Why It’s Important
In Go projects, dependency management revolves around the go.mod file. While this file lists all dependencies, an SBOM provides additional benefits, such as:
- Tracking transitive dependencies (dependencies of dependencies).
- Providing a standardized format that external tools can analyze.
- Improving security workflows by enabling vulnerability scanning.
Generating an SBOM in Go
To generate an SBOM for a Go project, we can use CycloneDX, a widely adopted SBOM format.
Step 1: Install CycloneDX for Go
go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
Once installed, navigate to your Go project directory and run:
cyclonedx-gomod mod -json -output sbom.json
Analyzing Your SBOM
Once you have an SBOM, you can analyze it using tools like Grype:
grype sbom.json
Checking License Compliance
To check for license compliance:
cyclonedx-gomod mod -licenses -json -output licenses.json
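Once the SBOM exists, the analysis and license checks above can also be automated in a CI gate. The following Go program is an added example, not code from the post or from the CycloneDX project: it parses a CycloneDX JSON BOM and reports every component whose license is missing or not on an SPDX allowlist. The embedded BOM and its three modules are constructed for illustration, and the program reads licenses from both `licenses` (declared) and `evidence.licenses` (where newer cyclonedx-gomod versions place detected licenses), so it tolerates either layout.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type license struct{ License struct{ ID, Name string } } // SPDX id, or a free-text name

// Minimal view of a CycloneDX JSON BOM, just the fields this check reads. encoding/json matches
// keys case-insensitively, so "name", "purl", "licenses" and "evidence" bind without struct tags.
type bom struct {
	BOMFormat  string `json:"bomFormat"`
	Components []struct {
		Name, Version, PURL string
		Licenses            []license                    // declared licenses
		Evidence            struct{ Licenses []license } // where newer cyclonedx-gomod versions put detected ones
	}
}

// Constructed sample shaped like cyclonedx-gomod output; the three modules are hypothetical.
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[
 {"type":"library","name":"github.com/example/libfoo","version":"v1.2.0","purl":"pkg:golang/github.com/example/libfoo@v1.2.0","licenses":[{"license":{"id":"MIT"}}]},
 {"type":"library","name":"github.com/example/libbar","version":"v0.3.1","purl":"pkg:golang/github.com/example/libbar@v0.3.1","evidence":{"licenses":[{"license":{"id":"GPL-3.0-only"}}]}},
 {"type":"library","name":"github.com/example/libbaz","version":"v2.0.0","purl":"pkg:golang/github.com/example/libbaz@v2.0.0"}]}`

// Violations reports "purl: reason" for every component with no license at all, or with any
// license (declared or detected) outside the allowlist of SPDX identifiers.
func Violations(bomJSON []byte, allowed map[string]bool) ([]string, error) {
	var b bom
	if err := json.Unmarshal(bomJSON, &b); err != nil || b.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("not a CycloneDX JSON document (bomFormat %q): %v", b.BOMFormat, err)
	}
	var out []string
	for _, c := range b.Components {
		ls := append(append([]license{}, c.Licenses...), c.Evidence.Licenses...)
		if len(ls) == 0 {
			out = append(out, c.PURL+": no license declared or detected")
		}
		for _, l := range ls {
			id := l.License.ID
			if id == "" { // no SPDX id was resolved; fall back to the free-text name
				id = l.License.Name
			}
			if !allowed[id] {
				out = append(out, c.PURL+": license "+id+" not allowed")
			}
		}
	}
	return out, nil
}
```

Point it at the licenses.json produced above and fail the build when the returned slice is non-empty; the purl in each line identifies the exact module version to follow up on.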
Working with Go Workspaces
For larger Go projects like Kubernetes, generating an SBOM can be more complex due to Go Workspaces. Some tools may not support Workspaces natively, so disabling them might be necessary. You can see me do this live and explain a little more in this lesson I created.
GOWORK=off cyclonedx-gomod mod -json -output sbom.json