Software Bill of Materials (SBOM) and Flutter Apps

Enhancing security, compliance and transparency for applications

In my last article, Flutter Takes a Leap Towards Enhanced Security with SLSA Compliance, we touched on the Software Bill of Materials (SBOM) and how Google has achieved Supply-chain Levels for Software Artifacts (SLSA) Level 1 for Flutter.

With the ability to build performant, natively compiled desktop applications for Windows, macOS, and Linux from a single codebase, with access to native functionality and the underlying Win32, Cocoa, or UNIX platform APIs, we will see more and more enterprise desktop applications built in Flutter and Dart.

In this article, I want to delve deeper into the SBOM and its relevance to Flutter apps and Dart packages, particularly to this market segment.

The Evolution of SBOM

The idea behind SBOM goes back to the late 1990s, when the Open Source Software (OSS) movement gained momentum. As software ecosystems expanded, so did the use of third-party dependencies, and with them came security vulnerabilities and license-compliance obligations.

To address these concerns, the National Telecommunications and Information Administration (NTIA) launched its Software Component Transparency initiative in 2018 and published its first SBOM framing documents in 2019. The idea was to create a standardized way to document a software project's components and their origins, allowing for improved security, risk management, and supply chain visibility.

The Significance of SBOM

In the enterprise environment, desktop applications are critical tools that facilitate business processes, streamline operations, and improve productivity. However, as these applications become more complex and interconnected, managing security, license compliance, and supply chain transparency becomes increasingly challenging.

This is where the Software Bill of Materials (SBOM) emerges as a powerful and indispensable asset for enterprise desktop applications, especially when developed using technologies like Flutter and Dart packages. Let's explore how SBOM empowers enterprise developers and stakeholders:

Enhanced Security

Security breaches and cyber-attacks pose significant risks to enterprise data and operations. The use of third-party dependencies in desktop applications increases the attack surface, potentially exposing vulnerabilities that malicious actors can exploit. By adopting SBOM, enterprises gain greater visibility into the software components used in their applications, allowing them to perform comprehensive security assessments.

With SBOM, developers can identify known vulnerabilities in the third-party packages they utilize. Armed with this knowledge, they can quickly prioritize and apply security patches, reducing the window of exposure and strengthening the application's overall security posture. Enterprises can also leverage SBOM to assess the security profiles of potential software vendors, ensuring that their desktop applications come from trusted sources.

License Compliance

Compliance with open-source licenses is a vital aspect of enterprise software development. Non-compliance can lead to legal challenges, financial penalties, and damage to an organization's reputation. SBOM enables developers to maintain a precise record of the licenses associated with each software component in their desktop applications.

With this comprehensive license inventory, enterprises can easily identify license conflicts or potential violations and take the necessary steps to remedy the situation. SBOM empowers organizations to make informed decisions about the open-source packages they include in their applications, ensuring that the licenses align with their business goals and legal requirements.

Supply Chain Transparency

For enterprise desktop applications, understanding the supply chain of software components is crucial. The use of third-party dependencies introduces a chain of interconnected packages, and vulnerabilities in one component can cascade to affect the entire application. SBOM provides transparency into this intricate web of dependencies.

With SBOM, enterprises can trace the origins of each component used in their desktop applications, verifying the authenticity and integrity of the software supply chain. This information empowers stakeholders to make informed decisions about the risk associated with specific dependencies, leading to better-informed development practices and mitigating potential security and compliance issues.

Streamlined Vendor Management

Enterprise desktop applications often involve collaboration with external vendors or development teams. The adoption of SBOM in the development process streamlines vendor management by providing a clear view of the software components introduced by each party.

By exchanging SBOM data with vendors, enterprises can assess the security and compliance risks associated with third-party contributions effectively. This proactive approach fosters better collaboration and facilitates smoother integration of vendor code into the final desktop application, leading to a more robust and secure end product.

Where SBOM may be Mandatory

SBOM is increasingly mandatory in various sectors, especially in government, military, and industries where security, compliance, and transparency are of utmost importance. The White House Office of Management and Budget, in memorandum M-22-18 (September 2022), gave federal agencies up to a year to collect self-attestations, and where required artifacts such as SBOMs, from government software vendors verifying adherence to secure development practices. Let's take a look at some examples of where SBOM is or will become mandatory:

Government Agencies and Contractors

Government agencies at the local, state, and federal levels often deal with sensitive data and critical systems. To ensure the security and integrity of their software infrastructure, these agencies may mandate the use of SBOM. SBOM enables government bodies to assess the risk associated with the software components they use, facilitating better decision-making and ensuring compliance with security standards and regulations.

Defence and Military Organisations

In the defence and military sectors, security is paramount. Any vulnerability or compromise in the software systems used for defence applications could have severe consequences. SBOM becomes mandatory in these industries to maintain a clear inventory of software components and their security profiles. It allows defence organizations to assess the supply chain of their software, detect potential threats, and respond proactively to security incidents.

Healthcare and Medical Devices

In the healthcare industry, the safety and privacy of patient data are critical concerns. For medical devices and healthcare software, regulatory bodies such as the U.S. Food and Drug Administration (FDA) now require manufacturers to provide an SBOM: under section 524B of the Federal Food, Drug, and Cosmetic Act, premarket submissions for "cyber devices" must include one. This allows regulators and stakeholders to assess the security and compliance aspects of medical devices, ensuring patient safety and protecting sensitive medical information.

Financial Services

Financial institutions handle vast amounts of sensitive customer data and transactions. To maintain regulatory compliance and secure their systems against potential cyber threats, financial organizations may enforce SBOM practices. SBOM helps financial institutions evaluate the security posture of their applications, including third-party components, ensuring a robust and resilient software environment.

Critical Infrastructure and Utilities

Industries operating critical infrastructure, such as energy, transportation, and utilities, are prime targets for cyber-attacks. SBOM plays a vital role in these sectors to identify and address security vulnerabilities in software systems that control critical operations. By implementing SBOM, these industries can enhance their cybersecurity strategies and safeguard against potential disruptions.

Aerospace and Aviation

The aerospace and aviation industries rely heavily on complex software systems to operate aircraft and manage air traffic. To ensure the safety of passengers and air transportation, SBOM may be required to identify potential risks in the software used for flight controls, navigation, and communication systems.

SBOM for Flutter and Dart

Flutter, Google's UI toolkit, has rapidly gained popularity in the development of cross-platform applications. As Flutter apps often rely on numerous third-party packages, managing their security and licensing aspects can be challenging. Integrating SBOM into Flutter projects empowers developers to mitigate risks effectively.

SPDX Format and its Relevance

SPDX (Software Package Data Exchange) is an industry-standard format, maintained under the Linux Foundation and published as ISO/IEC 5962:2021, for describing and sharing SBOM information. It provides a standardized way to document software components, licenses, and copyright information. The use of the SPDX format ensures consistency and interoperability between different tools and platforms, streamlining SBOM sharing and analysis.

Utilizing the SBOM Package for Flutter and Dart

The sbom package available on pub.dev is a valuable resource for Flutter developers seeking to generate SBOM SPDX files. The SBOM is generated from the Dart files contained in the package and its pubspec.yaml. Generation is controlled by a configuration file named sbom.yaml, which must be present in the top-level directory of the package. The configuration file sets the SBOM format, generation directives, and field overrides; examples of overrides can be found in the example directory when viewing the source code on GitHub. Generation is effectively a merge of any field overrides in this file with data generated from the package environment and its pubspec file. Currently, only the Software Package Data Exchange (SPDX) format is supported, at specification version 2.2, but support for other SBOM format types such as CycloneDX and SWID will be added in future releases.

Adding the sbom.yaml is as easy as including the following in your package root:

type: spdx

spdx:
  SPDXFormat: 'tagvalue'

Add the sbom executable to the global path:

% dart pub global activate sbom

Resolving dependencies... (1.1s)
+ args 2.4.2
+ collection 1.18.0
+ crypto 3.0.3
+ meta 1.9.1
+ path 1.8.3
+ pub_cache 0.3.2
+ pub_semver 2.1.4
+ sbom 2.0.0
+ source_span 1.10.0
+ string_scanner 1.2.0
+ term_glyph 1.2.1
+ typed_data 1.3.2
+ yaml 3.1.2
Building package executables...
Built sbom:sbom.
Installed executable sbom.
Activated sbom 2.0.0.

Now execute the sbom command in the package root directory:

% sbom

SBOM generator for Dart packages
Parsing SBOM configuration file
Generating the SBOM
SBOM type is SPDX
SBOM generation complete

The generator will create a new file called sbom.spdx in the package root.

Full Transparency

The Dart sbom generator only produces the SPDX document for your own package. It does not recursively generate SBOMs for each dependency, their dependencies, and so on. To provide a fully transparent bill of materials for an application, the sbom package could be extended to do this for every resolved dependency; today it has to be done by hand.
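One way to close that gap by hand is to build the dependency section of the SBOM from pubspec.lock, which already records every resolved package (direct, dev and transitive), its version and, for hosted packages, the sha256 of the archive pub downloaded. The script below is an added example written for this article, not code from the sbom package or from Flutter. It parses a constructed pubspec.lock embedded inline (the hashes are placeholders, not real archive digests), and emits an SPDX 2.2 tag-value document that names the app, lists each dependency with a pub purl and checksum, and ties them together with relationships. The download URL follows pub.dev's archive convention (host/api/archives/name-version.tar.gz), the root package name and version are passed in as arguments, and the tool name in the Creator field is made up; treat all three as assumptions.

```python
"""Build an SPDX 2.2 tag-value SBOM for a whole Dart/Flutter app from pubspec.lock.

Added example for this article; not the sbom package's code. The archive URL
format (<host>/api/archives/<name>-<version>.tar.gz) and the tool name are
assumptions.
"""
import re
import uuid

# Constructed pubspec.lock for the example (sha256 values are placeholders).
SAMPLE_LOCK = """\
# Generated by pub
packages:
  args:
    dependency: "direct main"
    description:
      name: args
      sha256: "0000000000000000000000000000000000000000000000000000000000000001"
      url: "https://pub.dev"
    source: hosted
    version: "2.4.2"
  flutter:
    dependency: "direct main"
    description: flutter
    source: sdk
    version: "0.0.0"
  pub_cache:
    dependency: transitive
    description:
      name: pub_cache
      sha256: "0000000000000000000000000000000000000000000000000000000000000002"
      url: "https://pub.dev"
    source: hosted
    version: "0.3.2"
  test:
    dependency: "direct dev"
    description:
      name: test
      sha256: "0000000000000000000000000000000000000000000000000000000000000003"
      url: "https://pub.dev"
    source: hosted
    version: "1.24.3"
sdks:
  dart: ">=3.0.0 <4.0.0"
"""


def parse_pubspec_lock(text):
    """Minimal parser for the fixed shape of pubspec.lock (no YAML library needed)."""
    packages, section, current = {}, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        if indent == 0:                      # top-level keys: packages / sdks
            section, current = key, None
        elif section != "packages":
            continue
        elif indent == 2:                    # one entry per resolved package
            current = {"name": key, "description": {}}
            packages[key] = current
        elif indent == 4:                    # dependency / description / source / version
            if key == "description" and not value:
                continue                     # nested map follows at indent 6
            current[key] = value             # sdk packages have a scalar description
        elif indent == 6:
            current["description"][key] = value
    return packages


def spdx_id(name):
    """SPDX identifiers allow only [A-Za-z0-9.-]; pub names use snake_case."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def purl(name, version):
    return f"pkg:pub/{name}@{version}"


def download_location(pkg):
    desc = pkg["description"] if isinstance(pkg["description"], dict) else {}
    if pkg.get("source") == "hosted" and "url" in desc:   # assumed archive URL layout
        return f"{desc['url']}/api/archives/{pkg['name']}-{pkg['version']}.tar.gz"
    if pkg.get("source") == "git" and "url" in desc:
        return f"git+{desc['url']}@{desc.get('resolved-ref', '')}"
    return "NOASSERTION"                     # sdk and path packages: nothing to fetch


def generate(root_name, root_version, lock_text, created="2023-08-01T00:00:00Z"):
    """Return the SPDX 2.2 tag-value document as a string."""
    packages, root = parse_pubspec_lock(lock_text), spdx_id(root_name)
    out = ["SPDXVersion: SPDX-2.2", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
           f"DocumentName: {root_name}-{root_version}",
           f"DocumentNamespace: https://example.invalid/spdx/{root_name}-{uuid.uuid4()}",
           "Creator: Tool: pubspec-lock-sbom-0.1", f"Created: {created}", ""]
    # pubspec.lock carries no license data; NOASSERTION keeps the document valid
    # 2.2 while signalling that licenses still need to come from each package.
    common = ["FilesAnalyzed: false", "PackageLicenseConcluded: NOASSERTION",
              "PackageLicenseDeclared: NOASSERTION", "PackageCopyrightText: NOASSERTION"]
    out += [f"PackageName: {root_name}", f"SPDXID: {root}", f"PackageVersion: {root_version}",
            "PackageDownloadLocation: NOASSERTION"] + common
    rels = [f"Relationship: SPDXRef-DOCUMENT DESCRIBES {root}"]
    for name in sorted(packages):
        pkg = packages[name]
        desc = pkg["description"] if isinstance(pkg["description"], dict) else {}
        out += ["", f"PackageName: {name}", f"SPDXID: {spdx_id(name)}",
                f"PackageVersion: {pkg['version']}",
                f"PackageDownloadLocation: {download_location(pkg)}"] + common
        if "sha256" in desc:                 # lets a consumer verify the fetched archive
            out.insert(len(out) - 3, f"PackageChecksum: SHA256: {desc['sha256']}")
        out.append(f"ExternalRef: PACKAGE-MANAGER purl {purl(name, pkg['version'])}")
        # The lock file flattens the graph, so transitive packages are hung off the
        # root as well; only dev dependencies get a distinct relationship type.
        if pkg.get("dependency") == "direct dev":
            rels.append(f"Relationship: {spdx_id(name)} DEV_DEPENDENCY_OF {root}")
        else:
            rels.append(f"Relationship: {root} DEPENDS_ON {spdx_id(name)}")
    return "\n".join(out + [""] + rels) + "\n"


if __name__ == "__main__":
    print(generate("my_app", "1.0.0", SAMPLE_LOCK))
```

Run it from the app root with the real pubspec.lock read into lock_text and merge the result with the sbom.spdx the generator produced for your own package. Two caveats the output makes visible: pubspec.lock flattens the dependency graph, so the DEPENDS_ON edges for transitive packages point at the root rather than at the package that actually pulled them in, and it carries no license data, which is why every package is emitted with NOASSERTION until you fill licenses in from each package's LICENSE file.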

What Have We Learned?

In sectors where security, compliance, and transparency are paramount, the use of SBOM is becoming mandatory. Government agencies, military organizations, healthcare providers, financial institutions, critical infrastructure operators, and the aerospace and aviation industries all benefit from SBOM's ability to enhance software security, ensure license compliance, and provide supply chain transparency. As software development continues to evolve, SBOM will remain an essential tool in safeguarding critical systems and protecting against cybersecurity threats across these sectors.

For enterprise desktop applications developed using Flutter and Dart packages, SBOM becomes a key asset, helping organizations create secure, compliant, and transparent software systems. The enhanced security, license compliance, and supply chain transparency that SBOM offers are instrumental in safeguarding sensitive data, mitigating risks, and maintaining customers' trust.

By embracing SBOM as a best practice, enterprises can manage the complexities of modern software development, strengthen their software supply chains, and build resilient desktop applications that stand up to the rigorous demands of the business landscape. In the ever-evolving world of technology and cybersecurity, SBOM is a reliable tool for giving enterprises the knowledge and insight needed to stay ahead of potential threats and to strengthen an organisation's security posture.