US 12,333,020 B2
Systems and processes for creating software bill of materials for large distributed builds
Frank Joseph Bussell, Issaquah, WA (US); Henry James Lyons, Seattle, WA (US); Nicholas Allan Schwerzler, Sammamish, WA (US); Sencer Nuri Yeralan, Seattle, WA (US); Dale Russel Rolf, Renton, WA (US); Minh Trong Tran, Bellevue, WA (US); David John Janson, Kirkland, WA (US); Thomas George Yaryan, Seattle, WA (US); and Ian James McCarty, Sammamish, WA (US)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by MICROSOFT TECHNOLOGY LICENSING, LLC, Redmond, WA (US)
Filed on May 16, 2022, as Appl. No. 17/745,689.
Prior Publication US 2023/0367881 A1, Nov. 16, 2023
Int. Cl. H04L 9/00 (2022.01); G06F 21/57 (2013.01)
CPC G06F 21/577 (2013.01) [G06F 2221/033 (2013.01)] 20 Claims
 
1. A method for creating an SBOM (software bill of materials) for a programming build, wherein the programming build is composed of a plurality of program chunks, each of the program chunks being composed of a unique set of files that are stored within a plurality of files in a monolithic repository, each program chunk of the plurality of program chunks being associated with a corresponding program chunk SBOM that includes file declarations for the unique set of files that are incorporated into the corresponding program chunk and dependency declarations associated with one or more of the files, the method comprising:
identifying a programming build to generate a build SBOM for, the programming build comprising a particular configuration build that utilizes at least one or more files from each program chunk of a set of program chunks;
identifying a program chunk SBOM corresponding to each program chunk of the set of program chunks, each program chunk SBOM comprising declarations of files and dependencies associated with files included within each corresponding program chunk;
verifying each program chunk of the set of program chunks based at least in part on a strong identifier of the corresponding program chunk SBOM associated with said each program chunk;
examining evidence associated with said each program chunk of the set of program chunks to identify at least one program chunk of the set of program chunks that includes at least a particular file or dependency that is not utilized by the programming build, and which is declared in the corresponding program chunk SBOM for that at least one program chunk; and
generating the build SBOM for the programming build based at least in part on each of the program chunk SBOMs by at least including declarations of files and dependencies specified in each of the program chunk SBOMs for the program chunks utilized in the programming build and while refraining from adding a declaration of the particular file or dependency to the build SBOM that identifies the particular file or dependency as being incorporated into the programming build, and wherein the program build utilizes the at least one program chunk having the corresponding program chunk SBOM that does include a declaration for the particular file or dependency.
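The claimed method, as an added illustration that is not the patent's own code: per-chunk SBOMs from a monolithic repository are verified against a strong identifier, then composed into a build SBOM that omits declarations for files (and their dependencies) the build did not actually consume. The JSON layout, SHA-256 as the strong identifier, and a set of consumed file paths standing in for the build "evidence" are all assumptions of this example.

```python
import hashlib
import json

# Constructed sample: per-chunk SBOMs from a monolithic repository. Each chunk
# declares its files and the external dependencies pulled in by each file.
CHUNK_SBOMS = {
    "net": {
        "files": ["net/tcp.c", "net/tls.c", "net/legacy_ssl.c"],
        "dependencies": {"net/tls.c": ["openssl@3.1"], "net/legacy_ssl.c": ["openssl@1.0"]},
    },
    "ui": {
        "files": ["ui/window.c", "ui/theme.c"],
        "dependencies": {"ui/theme.c": ["libpng@1.6"]},
    },
}

def strong_id(chunk_sbom):
    """Strong identifier (assumed): SHA-256 over a canonical JSON encoding of the chunk SBOM."""
    canonical = json.dumps(chunk_sbom, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def verify_chunk(chunk_sbom, expected_id):
    """A chunk is trusted only if its SBOM still hashes to the identifier recorded for it."""
    return strong_id(chunk_sbom) == expected_id

def generate_build_sbom(chunk_sboms, expected_ids, evidence):
    """Compose a build SBOM from verified chunk SBOMs.

    evidence: set of repository files the build actually consumed (assumed to
    come from a compile manifest). Files a chunk declares but the build never
    touched, and the dependencies attached to them, are left out of the result.
    """
    build = {"files": [], "dependencies": {}}
    for name, sbom in chunk_sboms.items():
        if not verify_chunk(sbom, expected_ids[name]):
            raise ValueError(f"chunk {name!r} failed strong-identifier verification")
        for path in sbom["files"]:
            if path not in evidence:
                continue  # declared by the chunk SBOM, but not used by this build
            build["files"].append(path)
            deps = sbom["dependencies"].get(path)
            if deps:
                build["dependencies"][path] = list(deps)
    return build

if __name__ == "__main__":
    ids = {name: strong_id(sbom) for name, sbom in CHUNK_SBOMS.items()}
    used = {"net/tcp.c", "net/tls.c", "ui/window.c"}
    print(json.dumps(generate_build_sbom(CHUNK_SBOMS, ids, used), indent=2))
```

A chunk SBOM that has been altered since its identifier was recorded makes composition fail rather than silently contributing declarations.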