In this post I will describe a specific example of how we can generate an SBOM compliant with the NTIA minimum elements specification. I will go over existing tooling, real-world issues and how to work around them.
I Problem Statement
The document by NTIA outlining minimum SBOM elements was published in 2021. Still, it is a challenge today (I’m writing this in April 2025) to produce a compliant SBOM with existing tools.
Below, I will present a practical guide to generating an NTIA-compliant SBOM for one of our open source npm projects.
II Generating Initial SBOM
We will use our ReARM project for experiments, specifically its front end code located under the /ui directory. I will work within the CycloneDX ecosystem – that is my preferred ecosystem, as I mentioned earlier in this blog.
For simplicity, we will be producing a Source Code Level SBOM, not taking into account additional dependencies present in the container image.
There are several tools available to generate such an SBOM, including cdxgen, cyclonedx-npm, syft and others.
I am going to use the most universal tool for the initial SBOM generation – cdxgen – which is going to work well for this case.
Here are the steps I need to take:
1. Clone the source code
2. Change directory to /ui
3. Perform npm install
Then, I am going to perform the following steps specific to SBOM generation:
npm install -g @cyclonedx/cdxgen
cdxgen -t npm -o cdxgen.bom.json
This will produce cdxgen.bom.json, which is our initial SBOM for the ReARM UI.
III Evaluating NTIA Compliance
I will use the sbomqs tool to evaluate SBOM quality. While there are many quality metrics that are useful, I will only focus on the NTIA minimum elements in this post.
With sbomqs, I perform the following:
sbomqs score -c 'NTIA-minimum-elements' cdxgen.bom.json
I am getting the following output:

Notice that cdxgen did a good job populating all the minimally required NTIA fields except for the component suppliers.
IV SBOM enrichment with Supplier
The process of enhancing SBOM components with additional metadata is called enrichment. The first tool I’m going to discuss here is called parlay – in particular, it can connect to the ecosyste.ms repository to fetch data for components known to it.
I can run parlay with ecosyste.ms as
cat cdxgen.bom.json | parlay ecosystems enrich - | jq > parlay_enriched.bom.json
then analyze NTIA compliance score with sbomqs:
sbomqs score -c 'NTIA-minimum-elements' parlay_enriched.bom.json
This leads to significant improvement regarding supplier data:

However, there are 2 things to note here in relation to parlay:
- As we can see, not all suppliers are resolved, and for some SBOMs the number of missing resolutions may be significant.
- Ecosyste.ms has licensing restrictions on its data, which is CC BY-SA 4.0 – I am not a lawyer, but essentially this means that you are required to put attribution to ecosyste.ms in your SBOM, and if you plan to share this SBOM, it must be shared under a compatible (share-alike) license. For many organizations, this requirement may be too restrictive, unless you opt for commercial licensing.
Due to the above issues with parlay and ecosyste.ms, we recently launched an AI-based tool called BEAR (BOM Enrichment and Augmentation by Reliza).
BEAR uses either OpenAI or Gemini to resolve supplier information per purl. We are currently hosting a publicly available instance of BEAR at beardemo.rearmhq.com with permissive access to data (Apache 2.0). You may also self-host your own instance of BEAR, where you would need your own OpenAI (recommended) or Gemini subscription.
Note, however, that depending on the size of the SBOM, first-time resolution on BEAR may take some time, as it does sequential per-component AI processing. Subsequent resolutions go much faster, as BEAR caches results.
BEAR is part of ReARM, and we use the ReARM CLI as a client for BEAR. I can enrich my SBOM with BEAR as follows:
rearm bomutils enrichsupplier -f cdxgen.bom.json -o bear_enriched.bom.json
Let us now check NTIA compliance with sbomqs:
sbomqs score -c 'NTIA-minimum-elements' bear_enriched.bom.json
I’m getting the following picture:

As you can see, all elements are now scored 10 out of 10 – which means that we have achieved an NTIA-compliant SBOM!
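To make concrete what the sbomqs check in section III is looking at and what the supplier enrichment in section IV actually changes in the document, here is an added example written for this post (not code from cdxgen, sbomqs, parlay, BEAR or ReARM). It reads a constructed miniature CycloneDX JSON SBOM with fictional package names, scores each of the seven NTIA minimum elements (supplier, name, version, unique identifier, dependency relationship, SBOM author, timestamp), then applies a supplier lookup table that stands in for whatever an enrichment service resolves, without overwriting supplier data the generator already set, and reports which components remain unresolved. The lookup table, the SBOM and all names in it are assumptions made up for the example.

```python
import json
from copy import deepcopy

# Constructed miniature CycloneDX SBOM in the shape cdxgen emits for an npm
# project; package names, refs and suppliers are fictional.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {
    "timestamp": "2025-04-01T12:00:00Z",
    "tools": [{"name": "example-generator", "version": "0.0.0"}],
    "component": {"type": "application", "name": "ui", "version": "1.0.0",
                  "bom-ref": "pkg:npm/ui@1.0.0"}
  },
  "components": [
    {"type": "library", "name": "alpha", "version": "1.3.0",
     "purl": "pkg:npm/alpha@1.3.0", "bom-ref": "pkg:npm/alpha@1.3.0"},
    {"type": "library", "name": "beta", "version": "4.2.1",
     "purl": "pkg:npm/beta@4.2.1", "bom-ref": "pkg:npm/beta@4.2.1",
     "supplier": {"name": "Beta Project"}},
    {"type": "library", "name": "gamma", "version": "", "bom-ref": "gamma-ref"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/ui@1.0.0",
     "dependsOn": ["pkg:npm/alpha@1.3.0", "pkg:npm/beta@4.2.1"]}
  ]
}
""")

# Hypothetical purl -> supplier table standing in for what parlay or BEAR
# would resolve; only alpha is known, so gamma stays unresolved.
SUPPLIER_LOOKUP = {"pkg:npm/alpha@1.3.0": "Alpha Maintainers"}

PER_COMPONENT = ("supplier", "name", "version", "unique identifier")


def component_gaps(component):
    """Return the per-component NTIA minimum elements missing from one component."""
    gaps = []
    if not component.get("name"):
        gaps.append("name")
    if not component.get("version"):
        gaps.append("version")
    # cdxgen emits a purl for npm packages; a cpe or swid tag also counts.
    if not (component.get("purl") or component.get("cpe") or component.get("swid")):
        gaps.append("unique identifier")
    if not (component.get("supplier") or {}).get("name"):
        gaps.append("supplier")
    return gaps


def ntia_report(bom):
    """Map each NTIA minimum element to a 0..1 coverage ratio (per-component
    elements: fraction of components carrying them; document-level: 0 or 1)."""
    components = bom.get("components", [])
    report = {}
    for element in PER_COMPONENT:
        present = sum(element not in component_gaps(c) for c in components)
        report[element] = present / len(components) if components else 0.0
    meta = bom.get("metadata", {})
    # Author of SBOM data lives under metadata.authors, .tools or .supplier.
    report["sbom author"] = float(bool(meta.get("authors") or meta.get("tools")
                                       or meta.get("supplier")))
    report["timestamp"] = float(bool(meta.get("timestamp")))
    # Dependency relationship: every component bom-ref must appear in the
    # dependency graph, either as a node or as a dependsOn target.
    graph_refs = set()
    for dep in bom.get("dependencies", []):
        graph_refs.add(dep.get("ref"))
        graph_refs.update(dep.get("dependsOn", []))
    component_refs = {c.get("bom-ref") for c in components}
    report["dependency relationship"] = float(bool(graph_refs) and component_refs <= graph_refs)
    return report


def enrich_suppliers(bom, lookup):
    """Copy the BOM, filling supplier.name from lookup only where it is missing;
    returns (new_bom, number_of_components_changed)."""
    enriched = deepcopy(bom)
    changed = 0
    for component in enriched.get("components", []):
        if (component.get("supplier") or {}).get("name"):
            continue  # never overwrite supplier data the generator already set
        name = lookup.get(component.get("purl"))
        if name:
            component["supplier"] = {"name": name}
            changed += 1
    return enriched, changed


def unresolved_suppliers(bom):
    """Identifiers of components that still lack a supplier."""
    return [c.get("purl") or c.get("bom-ref") for c in bom.get("components", [])
            if "supplier" in component_gaps(c)]


if __name__ == "__main__":
    before = ntia_report(SAMPLE_BOM)
    after_bom, changed = enrich_suppliers(SAMPLE_BOM, SUPPLIER_LOOKUP)
    after = ntia_report(after_bom)
    for element in before:
        print(f"{element:24s} {before[element]:.2f} -> {after[element]:.2f}")
    print("enriched:", changed, "still unresolved:", unresolved_suppliers(after_bom))
```

Running it shows the same pattern as the sbomqs runs above: every element except supplier is already complete after generation, enrichment raises supplier coverage only for components the lookup knows about, and the remaining gap is listed by identifier so it can be resolved by hand or by a second source. The sample also has one component missing from the dependency graph, which is why the dependency relationship element scores 0 until that is fixed in the generator output.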
V Conclusion and Notes
I have shown above how to create an SBOM compliant with the NTIA minimum elements. On the tooling side, we were using cdxgen and the ReARM CLI with BEAR for SBOM generation and enrichment, and sbomqs for quality assessment.
It is important to note that while this post talks about ensuring minimum NTIA compliance, it does not go into further detail about verifying SBOM quality. It is equally important to note that certain questions about SBOM quality are not yet solved and are the subject of research and discussion in various working groups.
Still, I believe that NTIA compliance is a minimal baseline that is important to achieve in real-world SBOMs. And this blog post demonstrates how to reach this goal.