New to SBOMs? Start with What is an SBOM? to learn the basics.
The SBOM life cycle can be broken down into three phases: generation, distribution, and analysis. The structure below aligns with the life cycle.
There’s also a GitHub repository called sbom-benchmarks that sets out to benchmark the various tools from the Generation phase against each other, along with providing examples of how they are used.
For step-by-step guides on generating SBOMs for specific languages and platforms, see our comprehensive SBOM Guides.
Video Resources
- Introduction to SBOMs: sbomify at Ubuntu Engineering Sprint
- Interview with the creator of CycloneDX: SBOMs, CycloneDX, and Software Security with Steve Springett
- Interview with “the father of SBOMs”: SBOMs and Cybersecurity: A Deep Dive with Allan Friedman
- A deep dive into the SBOM format SPDX with Kate Stewart from the Linux Foundation and Gary O’Neall, a long-time SPDX contributor, about the evolution of SPDX and its role in software transparency
- CRA deep dive with a member of the EU Commission’s CRA expert group: CRA Explained: What the Cyber Resilience Act Means for Device Manufacturers with Sarah Fluchs
Generation / Authoring
The SBOM generation phase, also known as authoring, is where you create an SBOM from a source. There are various strategies for generating SBOMs, but this phase generally involves taking a set of inputs (such as a dependency file) and generating an SBOM in either the CycloneDX or SPDX format.
Generic
Tools that span multiple formats and languages.
- sbomify GitHub Action from sbomify
- Snyk from Snyk
- Syft from Anchore
- Trivy from Aqua
Specific
Language or format-specific tools.
Docker / Containers
See the SBOM Generation Guide for Docker and Containers for more details.
You can see how they compare side-by-side in the sbom-benchmark repository.
Python
See The ultimate SBOM guide for Python for more language-specific details.
You can see how they compare side-by-side in the sbom-benchmark repository.
- CycloneDX Python from CycloneDX
- sbom4python from Anthony Harrison
- SPDX Python from SPDX
Rust
See the SBOM Generation Guide for Rust - Cargo for more language-specific details.
- CycloneDX Rust from CycloneDX
- sbom-rs from Paul Sastrasinh
- sbom4rust from Anthony Harrison
Go
See the SBOM Generation Guide for Go - Go Modules for more language-specific details.
- CycloneDX Go from CycloneDX
- SPDX Golang from SPDX
.NET
See the SBOM Generation Guide for .NET - NuGet for more language-specific details.
- CycloneDX .NET from CycloneDX
- SBOM Tool from Microsoft
Java
See the SBOM Generation Guide for Java - Maven, Gradle for more language-specific details.
- CycloneDX Java from CycloneDX
- SPDX Java from SPDX
JavaScript
See the SBOM Generation Guide for JavaScript - npm, yarn, pnpm, Bun for more language-specific details.
- CycloneDX JavaScript
- Retire.js from RetireJS
- sbom4js from Anthony Harrison
Ruby
See the SBOM Generation Guide for Ruby - Bundler for more language-specific details.
- CycloneDX Ruby from CycloneDX
PHP
See the SBOM Generation Guide for PHP - Composer for more language-specific details.
- CycloneDX PHP Composer from CycloneDX
Swift
See the SBOM Generation Guide for Swift - Swift Package Manager for more language-specific details.
Dart / Flutter
See the SBOM Generation Guide for Dart and Flutter - pub for more language-specific details.
Elixir
See the SBOM Generation Guide for Elixir - Mix for more language-specific details.
Scala
See the SBOM Generation Guide for Scala - sbt for more language-specific details.
C/C++
See the SBOM Generation Guide for C/C++ - Conan for more language-specific details.
Related blog posts by Chris Swan:
Terraform
See the SBOM Generation Guide for Terraform - Infrastructure as Code for more details.
Yocto
See the SBOM Generation Guide for Yocto - Embedded Linux for more details.
Related blog posts:
Raspberry Pi
See the SBOM Generation Guide for Raspberry Pi - rpi-image-gen for more details.
Related blog posts:
Others
- Hoppr from Lockheed Martin Corporation
- OSS Review Toolkit (ORT)
- protobom
Assembly and Enrichment
- CycloneDX Editor/Validator from Festo
- jq is commonly used for assembly
- Parlay from Snyk
- sbomasm from Interlynk
- sbomaudit from Anthony Harrison
Distribution / Transportation
The distribution phase, also known as transportation, focuses on how you share the SBOM with internal and external stakeholders.
- sbomify
- Project Koala (a.k.a. Transparency Exchange API) from CycloneDX
Analysis
The analysis phase involves how you use the SBOM, typically for compliance or security purposes. Mature organizations may use multiple tools or services for different purposes.
- bomber from DKFM
- bomshell from Adolfo García Veytia (a.k.a. Puerco)
- Cybellum from Cybellum
- Dependency Track from OWASP
- Eclipse SW360
- Grype from Anchore
- GUAC from OpenSSF
- Helm from Medcrypt
- NTIA Conformance Checker from SPDX
- Open Source Vulnerabilities (OSV) from Google
- SBOM Observer from Bitfront
- sbomaudit from Anthony Harrison
- sbommerge from Anthony Harrison
- sbomqs from Interlynk
- SecObserve from Stefan Fleckenstein
Other SBOM resources
- CISA’s SBOM Sharing Primer
- CISA’s Software Bill of Materials (SBOM) Sharing Lifecycle Report
- CISA’s Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) (3rd Edition)
- NTIA’s The Minimum Elements For a Software Bill of Materials (SBOM) (2021)
- CISA’s 2025 Minimum Elements for a Software Bill of Materials (SBOM) (Public Comment Draft, updates the 2021 NTIA guidance)