Software Bill of Materials (SBoM)


A software bill of materials (SBOM) declares the inventory of components used to build a software artifact such as a software application. (Wikipedia)

Use cases

Inventory of libraries used in software artifact

Scan for vulnerabilities

Scan for licenses of libraries

Formats

OWASP’s CycloneDX

Linux Foundation’s Software Package Data Exchange (SPDX)
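The three use cases above applied to a CycloneDX document, as an added example that is not part of the original page: the SBOM, the vulnerability feed, the placeholder advisory id and the license deny-list are constructed sample data. Real scanners such as grype and trivy match package URLs against advisory databases with version ranges rather than a single fixed version.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM (the shape syft/trivy emit); sample data, not a real scan.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline", "version": "8.1",
         "purl": "pkg:deb/debian/readline@8.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})
# Constructed vulnerability feed keyed by purl without its version; the
# advisory id is a placeholder. Real scanners match purl plus version ranges.
KNOWN_VULNS = {"pkg:maven/org.apache.logging.log4j/log4j-core":
               [{"id": "ADVISORY-PLACEHOLDER-1", "fixed_in": "2.17.1"}]}
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}  # assumed license policy

def load_components(sbom_json):
    """Parse the document and refuse anything that is not CycloneDX."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])

def inventory(components):
    """Use case 1: sorted (name, version) of every component."""
    return sorted((c["name"], c["version"]) for c in components)

def _vtuple(v):  # assumes numeric dotted versions, as in the sample data
    return tuple(int(p) for p in v.split("."))

def scan_vulnerabilities(components, feed=KNOWN_VULNS):
    """Use case 2: components whose version is below the advisory's fix."""
    findings = []
    for c in components:
        base = c.get("purl", "").rsplit("@", 1)[0]  # drop the "@version"
        for adv in feed.get(base, []):
            if _vtuple(c["version"]) < _vtuple(adv["fixed_in"]):
                findings.append((c["name"], c["version"], adv["id"]))
    return findings

def scan_licenses(components, denied=DENIED_LICENSES):
    """Use case 3: (name, license id) for licenses the policy denies."""
    return [(c["name"], lic["license"]["id"]) for c in components
            for lic in c.get("licenses", []) if lic.get("license", {}).get("id") in denied]
```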


Tools

SBoM generators

Anchore syft

Aqua Security trivy

docker-sbom

BuildKit >=0.11.0-rc1

Kubernetes bom

Microsoft sbom-tool

Vulnerability scanners

Anchore grype

Aqua Security trivy

Converters

cyclonedx-cli

Installation

Using docker-setup

docker-setup --tags=sbom plan

Demo

SBoM generation

SBoM scanning