Over 83 million Open Source Packages (and counting). Unprecedented Resource Exposes Valuable Software Supply Chain Intelligence.
WINOOSKI, Vt., March 28, 2023 — Today, SOOS is announcing the launch of its public SBOM database, a community resource that will transform open source software security and fortify the software supply chain. Now, for the first time ever, anyone can find and download an SPDX or CycloneDX SBOM for over 83 million packages, at no cost.
This brand new resource is publicly available for all to access at https://app.dev-www.soos.io/research/packages.
SOOS was founded with the mission of making open source security tools accessible and affordable to all developers. SOOS already produces the most efficient and affordable SCA tool on the market, but has doubled down on democratizing open source security by generating SBOMs on an unprecedented scale.
SBOMs (software bill of materials) provide a critical accounting of all the components that make up an application. It’s a list of ingredients tied together with any known vulnerabilities, as well as an accounting of all licenses, within the code. Generating SBOMs is a critical step in securing the software supply chain, but due to the cost and inconvenience previously associated with generating SBOMs, too many organizations have failed to make this critical activity a part of their development lifecycle.
“Look across any industry, and there’s an expectation that the components of the product you buy (whether it’s milk from the local dairy or the airbag in your SUV) have been checked to ensure they are not going to harm you,” said Josh Jennings, SOOS’s Founder and Chief Engineer. “But due to lack of affordable and easy-to-use tools, we traditionally haven’t held organizations accountable in this way when it comes to vetting open source software.”
“That has to change. It is far too dangerous to ignore the risks,” Jennings continued. “We realized the fastest way to create this change is to remove the barriers and make SBOMs public, for everyone to use.”
“Widespread adoption of SBOMs continues to be slow, despite the stakes. It’s been more than a year since Log4J, and yet progress has lagged in many areas,” said Katie Norton, Senior Research Analyst, DevOps & DevSecOps at IDC. “This innovative public resource from SOOS helps make open source security more accessible and can help organizations more effectively execute their SBOM strategy.”
“SOOS’s public SBOM repository is a game-changer, because it enables everyone to have full traceability for open source components in their software,” said Keith Wiley, President of Medical Aegis, the leading full lifecycle cybersecurity risk management platform focused on smart medical devices. “By making this resource public, SOOS is really showing the depth of their commitment to the industry as a whole, and specifically all businesses that use custom software solutions.”
The launch of SOOS’s public SBOM database comes on the heels of the release of their Community Edition SCA tool, which provides free software composition analysis to any developer working on open source projects.
About SOOS
SOOS is on a mission to democratize software security. Founded in 2020, SOOS makes it easy to build, manage, and monitor SBOMs, with a straightforward pricing model and easy workflow integration. Peace of mind, without the hassle, means safer software for everyone.