SBOM Resources

The SBOM life cycle can be broken down into three phases: generation, distribution, and analysis. The structure below aligns with the life cycle.

There’s also a GitHub repository called sbom-benchmarks that sets to benchmark the various tools (from the Generation phase) against each other, along with providing examples how they are used.

Video Resources

• Introduction to SBOMs: sbomify at Ubuntu Engineering Sprint
• Interview with the creator of CycloneDX: SBOMs, CycloneDX, and Software Security with Steve Springett
• Interview with “the father of SBOMs”: SBOMs and Cybersecurity: A Deep Dive with Allan Friedman

Generation / Authoring

The SBOM generation phase, also known as authoring, is where you create an SBOM from a source. There are various strategies for generating SBOMs, but this phase generally involves taking a set of inputs (such as a dependency file) and generating an SBOM in either the CycloneDX or SPDX format.

Generic

Tools that spans multiple formats and languages.

• Snyk from Snyk
• Syft from Anchore
• Trivy from Aqua

Specific

Language or format-specific tools.

Docker / Containers

You can see how they compare side-by-side in the sbom-benchmark repository.

• bom from The Linux Foundation
• Tern

Python

See guide The ultimate SBOM guide for Python for more language specific details.

You can see how they compare side-by-side in the sbom-benchmark repository.

• CycloneDX Python from CycloneDX
• sbom4python from Anthony Harrison
• SPDX Python from SPDX

Rust

• CycloneDX Rust from CycloneDX
• sbom-rs from Paul Sastrasinh
• sbom4rust from Anthony Harrison

Go

• CycloneDX Go from CycloneDX
• SPDX Golang from SPDX

.NET

• CycloneDX .NET from CycloneDX
• SBOM Tool from Microsoft

Java

• CycloneDX Java from CycloneDX
• SPDX Java from SPDX

JavaScript

• CycloneDX JavaScript
• Retire.js from RetireJS
• sbom4js from Anthony Harrison

Others

• Hoppr from Lockheed Martin Corporation
• OSS Review Toolkit (ORT)
• protobom

Assembly and Enrichment

• CycloneDX Editor/Validator from Festo
• jq is commonly used for assembly
• Parlay from Snyk
• sbomasm from Interlynk
• sbomaudit from Anthony Harrison

Distribution / Transportation

The distribution phase, also known as Transportation, focuses on how you share the SBOM with internal and external stakeholders.

• sbomify
• Project Koala (a.k.a. Transparency Exchange API) from CycloneDX

Analysis

The analysis phase involves how you use the SBOM, typically for compliance or security purposes. Mature organizations may use multiple tools or services for different purposes.

• bomber from DKFM
• bomshell from Adolfo García Veytia (a.k.a. Puerco)
• Cybellum from Cybellum
• Dependency Track from OWASP
• Eclipse SW360
• Grype from Anchore
• GUAC from OpenSSF
• Helm from Medcrypt
• NTIA Conformance Checker from SPDX
• Open Source Vulnerabilities (OSV) from Google
• SBOM Observer from Bitfront
• sbomaudit from Anthony Harrison
• sbommerge from Anthony Harrison
• sbomqs from Interlynk
• SecObserve from MaibornWolff

Other SBOM resources

• CISA’s SBOM Sharing Primer
• CISA’s Software Bill of Materials (SBOM) Sharing Lifecycle Report
• CISA’s Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) (3rd Edition)
• NTIA’s The Minimum Elements For a Software Bill of Materials (SBOM)

Edit me on GitHub