UPDATED 09:00 EST / MARCH 19 2024

Sonatype debuts SBOM Manager to make enterprise software more transparent

Sonatype Inc. today introduced a new product, SBOM Manager, to help companies more easily track the components of their internal software.

The offering made its debut at the KubeCon + CloudNativeCon Europe conference taking place this week in Paris. 

Sonatype provides a collection of developer tools with more than 15 million users worldwide. The cornerstone of its product portfolio, Nexus Repository, allows software teams to store frequently used code components in a centralized location for easy access. Sonatype also sells tools that help developers prevent insecure open-source code from finding its way into their software. 

SBOM Manager, the company’s newest product, is a tool for managing software bills of materials. Those are files that list the open-source components and other code building blocks an application contains. An SBOM can, for example, show whether an application includes an open-source library with a known vulnerability.

Sonatype says SBOM Manager enables development teams to store all their software bills of materials in a centralized repository. If an application doesn’t have an SBOM, developers can use the tool to create one. There’s also a feature for importing existing software component lists.

SBOMs can be difficult for users to review because they often contain technical data about dozens of code components or more. According to Sonatype, SBOM Manager organizes this data in a format that is accessible not only to developers but also to business users. The company envisions the tool easing the work of legal and procurement teams, which are often involved in software cybersecurity assessments.

To boost users’ productivity further, SBOM Manager prioritizes the issues that it finds in an application’s SBOM based on their severity. That allows software teams to fix the most urgent issues first. For example, if an application is found to contain multiple vulnerabilities, a company’s first priority may be to remediate the ones that are actively being targeted in cyberattacks.

SBOM Manager can also surface other types of issues besides cybersecurity flaws. Some open-source components have licenses that limit how they may be integrated into commercial applications. By reviewing an application’s SBOM, developers can determine whether it contains open-source modules being used in a way their licenses do not permit.
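The two review steps described above, severity-based prioritization and license checking, can be illustrated on a small SBOM. The following is an added example, not Sonatype's code: it reads a constructed, minimal CycloneDX-style JSON document, matches components against a constructed vulnerability table (placeholder IDs, illustrative scores and an assumed "exploited" flag), applies a hypothetical license policy, and orders the findings so actively exploited flaws come first.

```python
import json

# Constructed, minimal CycloneDX-style SBOM; component names are hypothetical.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "http-parser-lite", "version": "1.4.2",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "term-input", "version": "8.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "db-client", "version": "2.9.8",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}"""

# Constructed vulnerability data keyed by (name, version). IDs are placeholders,
# scores and "exploited" flags are illustrative, not a real advisory feed.
KNOWN_VULNS = {
    ("http-parser-lite", "1.4.2"): [{"id": "VULN-A", "cvss": 10.0, "exploited": True}],
    ("db-client", "2.9.8"): [{"id": "VULN-B", "cvss": 9.8, "exploited": False},
                             {"id": "VULN-C", "cvss": 5.3, "exploited": False}],
}

# Hypothetical policy: licenses this company does not permit in shipped products.
DISALLOWED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def review_sbom(sbom_text, vulns, disallowed):
    """Return a list of issues: actively exploited vulnerabilities first, then
    remaining vulnerabilities by descending CVSS, then license policy violations."""
    bom = json.loads(sbom_text)
    issues = []
    for comp in bom.get("components", []):
        key = (comp["name"], comp["version"])
        for v in vulns.get(key, []):
            issues.append({"component": key, "kind": "vulnerability", "id": v["id"],
                           "cvss": v["cvss"], "exploited": v["exploited"]})
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in disallowed:
                issues.append({"component": key, "kind": "license", "id": lic_id,
                               "cvss": 0.0, "exploited": False})
    # Sort: exploited first, then higher CVSS, then vulnerabilities before license issues.
    issues.sort(key=lambda i: (not i["exploited"], -i["cvss"], i["kind"] != "vulnerability"))
    return issues


if __name__ == "__main__":
    for issue in review_sbom(SBOM_JSON, KNOWN_VULNS, DISALLOWED_LICENSES):
        print(issue)
```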

“With new regulations pushing for SBOMs, many are left wondering what to do with them. Without practical application, SBOMs risk being ignored, merely filed away,” said Sonatype Chief Technology Officer Brian Fox (pictured, right). “Our SBOM Manager turns these ingredient lists into actionable assets, allowing organizations to actually use their SBOMs for improving security and compliance.”

SBOM Manager is currently in preview. Sonatype plans to make a software-as-a-service version generally available in June, with on-premises and air-gapped editions set to follow suit later this year. The air-gapped edition is designed for use in sensitive application environments that are isolated from the rest of a company’s network and the public web. 

Photo: SiliconANGLE
