Software Bill of Materials (SBoM)


A software bill of materials (SBOM) declares the inventory of components used to build a software artifact such as a software application - Wikipedia

Use cases

Inventory of libraries used in software artifact

Scan for vulnerabilities

Scan for license compliance

Formats

OWASP’s CycloneDX

Linux Foundation’s Software Package Data Exchange (SPDX)


Tools (Excerpt)

SBoM generators

Anchore syft, Aqua Security trivy, docker-sbom, BuildKit >=0.11.0-rc1, Kubernetes bom, Microsoft sbom-tool

Vulnerability scanners

Anchore grype, Aqua Security trivy

Converters

cyclonedx-cli

Installation

Using docker-setup

docker-setup install --tags sbom --plan

Demo

SBoM generation

SBoM scanning


SBOM Formats

CycloneDX

Metadata

Components

SPDX

Packages and files

Relationships (what is found where)

syft

Metadata (source, distro, descriptor)

Artifacts and files

Demo
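The two format sections above list what each document carries: CycloneDX keeps metadata about the scanned artifact plus a flat component list, SPDX keeps packages and files joined by relationships. The script below is an added example (not part of these slides or of the syft/cyclonedx projects) that reads both JSON shapes into one inventory and then runs the two checks from the use-case slide, vulnerability matching and license compliance. The SBOM documents, the advisory entry (EXAMPLE-ADV-0001) and the license denylist are all constructed samples; the advisory id is a placeholder, not a real CVE.

```python
"""Normalize CycloneDX and SPDX JSON SBOMs into one inventory and run the two
checks the slides list: vulnerability matching and license compliance.
Every document, advisory and policy value below is a constructed sample."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]        # package URL; the key used to match advisories
    license_id: Optional[str]  # SPDX license id/expression, if the SBOM has one


def purl_base(purl: str) -> str:
    """Drop qualifiers, subpath and version so that
    pkg:deb/ubuntu/openssl@3.0.2?arch=amd64 -> pkg:deb/ubuntu/openssl."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    return core.rsplit("@", 1)[0]


def parse_cyclonedx(doc: dict) -> Tuple[Dict, List[Component]]:
    """CycloneDX: 'metadata' names the subject artifact and the generating
    tools; 'components' is the flat inventory."""
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    meta = doc.get("metadata", {})
    subject = meta.get("component", {})
    metadata = {
        "subject": f"{subject.get('name')}@{subject.get('version')}",
        "tools": [t.get("name") for t in meta.get("tools", [])],
    }
    comps = []
    for c in doc.get("components", []):
        lic = None
        for entry in c.get("licenses", []):
            lic = entry.get("license", {}).get("id") or entry.get("expression")
            if lic:
                break
        comps.append(Component(c["name"], c.get("version", ""), c.get("purl"), lic))
    return metadata, comps


def parse_spdx(doc: dict) -> Tuple[List[Component], List[Tuple[str, str, str]]]:
    """SPDX: packages and files are elements; relationships say what is found
    where. Element ids are resolved to names so the relationships read well."""
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError("not an SPDX document")
    names = {doc.get("SPDXID", "SPDXRef-DOCUMENT"): doc.get("name", "document")}
    comps = []
    for p in doc.get("packages", []):
        names[p["SPDXID"]] = p["name"]
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        comps.append(Component(p["name"], p.get("versionInfo", ""), purl,
                               p.get("licenseConcluded")))
    for f in doc.get("files", []):
        names[f["SPDXID"]] = f["fileName"]
    rels = [(names.get(r["spdxElementId"], r["spdxElementId"]),
             r["relationshipType"],
             names.get(r["relatedSpdxElement"], r["relatedSpdxElement"]))
            for r in doc.get("relationships", [])]
    return comps, rels


def find_vulnerable(components: List[Component], advisories: List[dict]) -> List[Tuple[str, Component]]:
    """Match on purl base plus exact version (real scanners use version ranges)."""
    hits = []
    for c in components:
        if not c.purl:
            continue  # no purl means no reliable match; a scanner would report it
        for adv in advisories:
            if purl_base(c.purl) == adv["purl_base"] and c.version in adv["affected_versions"]:
                hits.append((adv["id"], c))
    return hits


def find_license_violations(components: List[Component], denied: Set[str]) -> List[Component]:
    """Flag denied licenses; components with no recorded license also need review."""
    return [c for c in components if c.license_id is None or c.license_id in denied]


# Constructed CycloneDX 1.4 sample (not a real SBOM).
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "container", "name": "example/app", "version": "1.0.0"},
                 "tools": [{"name": "syft"}]},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2?arch=amd64",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline", "version": "8.1",
         "purl": "pkg:deb/ubuntu/readline@8.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
}

# Constructed SPDX 2.3 sample describing the same openssl package and one file.
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "packages": [{"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.2",
                  "licenseConcluded": "Apache-2.0",
                  "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                                    "referenceLocator": "pkg:deb/ubuntu/openssl@3.0.2"}]}],
    "files": [{"SPDXID": "SPDXRef-File-libssl", "fileName": "/usr/lib/libssl.so.3"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-openssl",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-Package-openssl", "relatedSpdxElement": "SPDXRef-File-libssl",
         "relationshipType": "CONTAINS"},
    ],
}

# Constructed advisory feed; EXAMPLE-ADV-0001 is a placeholder id, not a CVE.
ADVISORIES = [{"id": "EXAMPLE-ADV-0001", "purl_base": "pkg:deb/ubuntu/openssl",
               "affected_versions": {"3.0.2"}}]

if __name__ == "__main__":
    meta, comps = parse_cyclonedx(CYCLONEDX_SAMPLE)
    print("subject:", meta["subject"], "tools:", meta["tools"])
    for adv_id, c in find_vulnerable(comps, ADVISORIES):
        print("vulnerable:", adv_id, c.name, c.version)
    for c in find_license_violations(comps, {"GPL-3.0-only"}):
        print("license review:", c.name, c.license_id)
    for src, kind, dst in parse_spdx(SPDX_SAMPLE)[1]:
        print("spdx:", src, kind, dst)
```

The purl base is the pivot between the two formats: CycloneDX carries it as a top-level component field, SPDX tucks it into an externalRef, and once extracted the same advisory matching works on either inventory. The SPDX relationship walk is what answers "which file in the image came from which package", information a flat CycloneDX component list does not encode.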


Distribution of SBOMs

No standard available yet

What is out there

Download from website

Release asset

Separate container image with same digest and suffix

Manifest list (BuildKit)

OCI 1.1 referrer (more later)