If your software supplier publishes their SBOM through RKVST, there are a few things you need to know in order to access it. This article outlines the few simple steps required to gain access to privately shared SBOMs.
Registering for an RKVST account
To download the SBOM and view its lifecycle history you will need an RKVST account, so let's get that done now.
Good news! Your RKVST SBOM Hub account gives you free access to RKVST. The same credentials and application keys you use to access SBOM Hub can also manage records in RKVST. Click here to sign up, then come back here to continue when you're ready.
Discovering the SBOM
There are 2 main ways to discover the SBOM:
- Browse or search SBOM Hub (detailed here)
- Direct distribution by the vendor (not detailed here: please just proceed straight to "Viewing the SBOM release history" below)
Browse or search SBOM Hub
When searching for an SBOM you will see that some entries carry a blue RKVST tick.
SBOM Hub is a simple SBOM repository solution that allows people to store SBOMs fully privately and then choose to publish them publicly when ready. For many people this is enough, but for sensitive product categories and supply chains more care is required in when and how to publish detailed software lifecycle information, including SBOMs.
RKVST is used to record events in the lifecycle of assets like a Software Package and securely share data between trusted parties with fine-grained access policies.
By using the two products together, vendors can publicly advertise new versions of a product and its SBOMs in SBOM Hub (providing maximum visibility to the user community) whilst also controlling how and to whom the detailed information is released. By default, collaborators will not be able to get access until they are explicitly given permission.
If you're interested in knowing more about exactly how this works, please see this article on refBOMs (Reference SBOMs), otherwise just read on to see how to request access to a privately distributed SBOM.
Viewing the SBOM release history
By clicking the Blue Tick in SBOM Hub or the direct link provided by your vendor you will be asked to sign in and will then be taken to the RKVST page for that Asset.
If you have been granted access already then all is well: you'll be able to see the history of the asset and download its SBOM. But the first time you will probably find that you are not authorized, and will see a page similar to the following. In that case you'll need to connect to your vendor in RKVST to start the flow of software lifecycle transparency information.
Even though their identities are public, Asset records are private by default. If you see this screen, follow the instructions on screen to request a connection to your vendor.
Connect to a partner in RKVST
Connecting to a partner in RKVST is a simple, one-time, out-of-band exchange of identities.
1. Contact the owner of the Asset and send them your Organization Subject ID.
On the Asset Overview Page use the button to copy your Organization Subject ID, a unique identifier for your RKVST Tenancy (a little like a contact card) that can be used by your partner to add you to their access policy.
Note: This Organization Subject ID can also be found by navigating to Access Policies -> Subjects
How you contact them will differ depending on who the Asset Owner is, but it will typically be an email exchange with your account representative. Contacting the relevant Support Team or Account Manager is a sensible first step to find out more about their sharing process.
Note: This out-of-band process is an important part of maintaining security and assurance for your shared data. It is important to ensure you are communicating with the real vendor. If you have any doubts about what you're being asked to do, please contact RKVST Support.
2. They will add you as a partner organization and send you their Subject ID in return
Once in contact you will also need to request the Asset Owner's Organization Subject ID to import into your own RKVST Tenancy, as sharing requires two-party consent.
To add them as a partner you must:
- Navigate to Access Policies -> Subjects
- Select Import Subject, where you will be prompted to enter the Subject String (the Organization Subject ID) and a Friendly Name to identify them by
3. Start enjoying the benefits of knowing Who Did What When
RKVST will share the ongoing history for the asset from the point it is shared with you, ensuring that whenever any new SBOMs are created you will be able to see them.
Note: Prior history will not be available. New partners only see data generated after the mutual connection is established.
Simply use the Blue Tick against the refBOM in SBOM Hub to navigate again to the Asset and the history will be visible, including for future versions.
You can also use the Assets Homepage in the RKVST UI to see any and all Assets that have been shared with your account.
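The two rules the steps above rely on, that sharing needs both tenancies to import each other's Organization Subject ID and that a new partner only sees events recorded after that mutual connection, are modelled below as an added example. This is illustrative code written for this article, not RKVST's own API or implementation; the Subject IDs, asset name and event log are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Event:
    seq: int           # monotonic ledger position, a stand-in for a timestamp
    owner: str         # Subject ID of the tenancy that owns the asset
    asset: str
    description: str

@dataclass
class Tenancy:
    subject_id: str                                        # Organization Subject ID (constructed)
    imports: Dict[str, int] = field(default_factory=dict)  # partner Subject ID -> seq of import
    friendly: Dict[str, str] = field(default_factory=dict) # partner Subject ID -> Friendly Name

class Ledger:
    def __init__(self):
        self.seq = 0
        self.events: List[Event] = []

    def tick(self) -> int:
        self.seq += 1
        return self.seq

    def record(self, owner: Tenancy, asset: str, description: str) -> None:
        self.events.append(Event(self.tick(), owner.subject_id, asset, description))

    def import_subject(self, into: Tenancy, subject_string: str, friendly_name: str) -> None:
        # Step 2 of the procedure: one side imports the other's Subject String
        into.imports[subject_string] = self.tick()
        into.friendly[subject_string] = friendly_name

def connection_seq(a: Tenancy, b: Tenancy) -> Optional[int]:
    """Two-party consent: both must have imported each other; the connection starts at the later import."""
    if b.subject_id not in a.imports or a.subject_id not in b.imports:
        return None
    return max(a.imports[b.subject_id], b.imports[a.subject_id])

def visible_history(ledger: Ledger, owner: Tenancy, viewer: Tenancy, asset: str) -> List[Event]:
    """Events of `asset` that `viewer` may see: the owner sees all, a partner only post-connection events."""
    mine = [e for e in ledger.events if e.owner == owner.subject_id and e.asset == asset]
    if viewer.subject_id == owner.subject_id:
        return mine
    start = connection_seq(owner, viewer)
    return [] if start is None else [e for e in mine if e.seq > start]

def demo() -> List[str]:
    ledger, vendor, customer = Ledger(), Tenancy("subject-vendor-0001"), Tenancy("subject-customer-0002")
    ledger.record(vendor, "widget-firmware", "SBOM v1.0 published")          # before any connection
    ledger.import_subject(vendor, customer.subject_id, "Customer Inc")       # one-sided: still not connected
    assert visible_history(ledger, vendor, customer, "widget-firmware") == []
    ledger.import_subject(customer, vendor.subject_id, "Widget Vendor")      # mutual consent established
    ledger.record(vendor, "widget-firmware", "SBOM v1.1 published")          # first event the partner sees
    return [e.description for e in visible_history(ledger, vendor, customer, "widget-firmware")]
```

Running `demo()` returns only the v1.1 entry: the v1.0 history recorded before the connection stays invisible to the partner, exactly as the note on prior history describes.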