Introducing ntop SBOM (Software BOM)

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory that lists every component, library, and dependency included within a software application. Think of it as a digital “ingredient label” that tells you exactly what went into building the software, which versions are running, and where each piece originated. Typically, it documents:

  • Component Name: The specific name of the software package or open-source library.
  • Version Number: The exact version of the component currently in use.
  • Source/Supplier: The developer, vendor, or open-source community that created it.
  • License Information: The legal license governing that component (e.g., MIT, Apache, GPL).
  • Dependency Relationships: How different components connect and link to one another.

SBOMs are increasingly becoming a legal requirement. For instance, governments and strict regulatory frameworks (e.g. the U.S. Executive Order on Improving the Nation’s Cybersecurity and the EU Cyber Resilience Act) mandate that software vendors provide SBOMs to maintain compliance and sell to public or critical sectors.

Why SBOMs are Crucial for Cybersecurity?

Modern software is rarely written entirely from scratch; developers rely heavily on third-party and open-source frameworks. While this speeds up production, it introduces risks. SBOMs solve this by providing:

  • Rapid Vulnerability Response: When a new security flaw is discovered in a popular library (like Log4j or XZ Utils), an SBOM allows security teams to instantly see if their applications are affected without manually digging through code.
  • License Compliance: It prevents organizations from accidentally using open-source code with restrictive licenses that could spark legal or financial disputes.
  • Supply Chain Transparency: It helps organizations verify the integrity of the software they buy or build, ensuring malicious code or backdoors haven’t slipped into the development pipeline.

SBOMs in ntop Tools

Publishing a Software Bill of Materials (SBOM) for ntop tools matters because of the role these tools play in modern infrastructure. ntop tools operate at the foundational layer of network observability and security, so their transparency directly affects the security posture of the organizations that run them. The ntop ecosystem also blends open-source development with commercial licensing (such as the Enterprise L bundles), and this hybrid model can make license tracking complex for enterprise legal teams. A machine-readable SBOM maps out the licensing boundaries of every integrated sub-component, helping organizations hosting the software avoid accidental compliance violations and the legal risks that come with them.

SBOMs are platform dependent: for the same ntopng version, the SBOM for Ubuntu 22.04 differs from the one for Ubuntu 26.04 because the versions of the underlying libraries differ. For this reason each ntop package (dev branch at the moment, but soon also the stable branch) now ships its own SBOM. When you install ntop packages you will find them under /usr/share/ntop/sbom/ with the name <application>.json. The only exception to this rule is ntopng, which has two SBOMs: one for the binary application (ntopng.json) and one for the web user interface (ntopng-gui.json).

Searching Vulnerabilities using SBOMs

You can use the SBOMs to check for known vulnerabilities with tools such as grype. Because each SBOM is specific to a distribution, tell grype which distribution the package was built for (e.g. --distro ubuntu:24.04) so that matches are resolved against the right vulnerability feed, and keep the grype database up to date before scanning. The output below comes from a small wrapper script that detects the host platform, refreshes the database and runs grype on the nProbe SBOM:

Environment detection
---------------------
[INFO] Architecture: x86_64 → amd64
[INFO] OS: Linux / Ubuntu 24.04.4 LTS
[INFO] Distro flag: --distro ubuntu:24.04
[INFO] SBOM: nprobe.json
[INFO] App:  nprobe 7e1bb19b
[INFO] Components in SBOM: 1

Prerequisites
-------------
[ OK ] grype: 0.114.0
[ OK ] python3: Python 3.12.3

Updating vulnerability database
-------------------------------
[INFO] Current DB: Built:     0001-01-01T00:00:00Z
unknown
Vulnerability database updated to latest version!
[ OK ] Vulnerability DB updated

Scanning nprobe 7e1bb19b (amd64 / ubuntu:24.04)
-----------------------------------------------
[INFO] Running grype...

Results
-------

════════════════════════════════════════════════════════════
  Vulnerability Report
════════════════════════════════════════════════════════════
  App:          nprobe 7e1bb19b
  Architecture: amd64
  Distro:       ubuntu:24.04
  Scan time:    2026-06-26 05:01 UTC
  SBOM file:    nprobe.json
────────────────────────────────────────────────────────────

  Severity       Count   Status
  ────────────── ─────   ────────────────────
  ────────────── ─────
  No vulnerabilities found

  Fix status:

  Clean — no vulnerabilities detected.

════════════════════════════════════════════════════════════
  Full table: nprobe-vulns.txt
  Full JSON:  nprobe-vulns.json
════════════════════════════════════════════════════════════
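As an added example (it is not ntop's own wrapper script nor part of the original post), the Python program below covers the two pieces a practitioner needs when working with these SBOMs: reading an installed SBOM to list its components and declared licenses, and running grype against it with the host's --distro value, then summarising the JSON results by severity and fix state. It assumes the SBOM is CycloneDX JSON (grype reads both CycloneDX and SPDX through the same sbom: scheme); the SBOM, the /etc/os-release fragment and the grype output embedded in it are constructed samples with placeholder package names and identifiers, not real findings, and the script name sbom_scan.py is assumed.

```python
"""Inspect an ntop SBOM and summarise a grype scan of it (added example, not ntop's code)."""
import json
import shutil
import subprocess
from collections import Counter
from typing import Optional

# Constructed sample in CycloneDX JSON layout; NOT a real ntop SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "nprobe", "version": "7e1bb19b"}},
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "name": "libother", "version": "4.5.6",
         "licenses": [{"license": {"id": "MPL-2.0"}}]},
    ],
})

# Constructed /etc/os-release fragment matching the host shown in the page's output.
SAMPLE_OS_RELEASE = 'ID=ubuntu\nVERSION_ID="24.04"\nPRETTY_NAME="Ubuntu 24.04.4 LTS"\n'

# Constructed grype JSON output with placeholder identifiers; these are not real findings.
SAMPLE_GRYPE_OUT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-00001", "severity": "High",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-00002", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libother", "version": "4.5.6", "type": "deb"}},
    ],
    "distro": {"name": "ubuntu", "version": "24.04"},
})


def sbom_summary(sbom_json: str) -> dict:
    """Application name/version, component count and the set of licenses declared."""
    bom = json.loads(sbom_json)
    app = bom.get("metadata", {}).get("component", {})
    comps = bom.get("components", [])
    licenses = set()
    for comp in comps:
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            # CycloneDX allows either an SPDX id or a free-form license name.
            licenses.add(lic.get("id") or lic.get("name") or "unknown")
    return {"app": f"{app.get('name', '?')} {app.get('version', '?')}",
            "components": len(comps), "licenses": sorted(licenses)}


def distro_flag(os_release_text: str) -> str:
    """Build grype's --distro value (e.g. ubuntu:24.04) from /etc/os-release text."""
    kv = {}
    for line in os_release_text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            kv[key.strip()] = val.strip().strip('"')
    return f"{kv['ID']}:{kv['VERSION_ID']}"


def grype_command(sbom_path: str, distro: str) -> list:
    """The grype invocation: scan the SBOM file, pin the distro feed, emit JSON."""
    return ["grype", f"sbom:{sbom_path}", "--distro", distro, "-o", "json"]


def run_grype(sbom_path: str, distro: str) -> Optional[str]:
    """Run grype if it is installed and succeeded; return its JSON output, else None."""
    if shutil.which("grype") is None:
        return None
    proc = subprocess.run(grype_command(sbom_path, distro),
                          capture_output=True, text=True, check=False)
    return proc.stdout if proc.returncode == 0 and proc.stdout else None


def vuln_summary(grype_json: str) -> dict:
    """Count grype matches by severity and fix state, and list the ones with a fix."""
    matches = json.loads(grype_json).get("matches", [])
    by_sev = Counter(m["vulnerability"].get("severity", "Unknown") for m in matches)
    by_fix = Counter(m["vulnerability"].get("fix", {}).get("state", "unknown")
                     for m in matches)
    fixable = [(m["artifact"]["name"], m["artifact"]["version"],
                m["vulnerability"]["id"], ",".join(m["vulnerability"]["fix"]["versions"]))
               for m in matches
               if m["vulnerability"].get("fix", {}).get("state") == "fixed"]
    return {"total": len(matches), "by_severity": dict(by_sev),
            "by_fix_state": dict(by_fix), "fixable": fixable,
            "clean": len(matches) == 0}


if __name__ == "__main__":
    try:
        with open("/etc/os-release") as fh:
            distro = distro_flag(fh.read())
    except (OSError, KeyError):
        distro = distro_flag(SAMPLE_OS_RELEASE)  # fall back to the constructed sample
    sbom_path = "/usr/share/ntop/sbom/nprobe.json"
    print(sbom_summary(SAMPLE_SBOM))
    print(" ".join(grype_command(sbom_path, distro)))
    # Use the real scan when grype is available, otherwise the constructed output.
    print(vuln_summary(run_grype(sbom_path, distro) or SAMPLE_GRYPE_OUT))
```

Run it on a host with an ntop package installed as python3 sbom_scan.py. When grype is not on the PATH (or fails) the script falls back to the constructed sample output so the summary logic can still be exercised offline; it does not refresh the vulnerability database itself, so run grype db update first, as the wrapper shown above does. The fix state grype reports is what turns a finding into an action: "fixed" entries list the versions to upgrade to, while "not-fixed" and "wont-fix" entries need a compensating control or a risk acceptance.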

Enjoy!
