The SBOM life cycle can be broken down into three phases: generation, collaboration, and analysis. The structure below aligns with the life cycle.
There’s also a GitHub repository called sbom-benchmarks that sets out to benchmark the various tools (from the Generation phase) against each other, along with providing examples of how they are used.
Generation
The generation phase is where you create an SBOM from a source. There are various strategies for generating SBOMs, but this phase generally involves taking a set of inputs (such as a dependency file) and generating an SBOM in either the CycloneDX or SPDX format.
Generic
Tools that span multiple formats and languages.
Specific
Language or format-specific tools.
Docker / Containers
You can see how they compare side-by-side in the sbom-benchmark repository.
Python
You can see how they compare side-by-side in the sbom-benchmark repository.
- CycloneDX Python from CycloneDX
- sbom4python from Anthony Harrison
- SPDX Python from SPDX
Rust
- CycloneDX Rust from CycloneDX
- sbom-rs from Paul Sastrasinh
- sbom4rust from Anthony Harrison
Go
- CycloneDX Go from CycloneDX
- SPDX Golang from SPDX
.NET
- CycloneDX .NET from CycloneDX
- SBOM Tool from Microsoft
Java
- CycloneDX Java from CycloneDX
- SPDX Java from SPDX
JavaScript
- CycloneDX JavaScript
- Retire.js from RetireJS
- sbom4js from Anthony Harrison
Others
- protobom
- Hoppr from Lockheed Martin Corporation
- OSS Review Toolkit (ORT)
Assembly and Enrichment
- CycloneDX Editor/Validator from Festo
- Parlay from Snyk
- jq is commonly used for assembly
- sbomasm from Interlynk
- sbomaudit from Anthony Harrison
Collaboration
The collaboration phase focuses on how you share the SBOM with internal and external stakeholders.
- sbomify
- Project Koala (a.k.a. Transparency Exchange API) from CycloneDX
Analysis
The analysis phase involves how you use the SBOM, typically for compliance or security purposes. Mature organizations may use multiple tools or services for different purposes.
- Cybellum from Cybellum
- Dependency Track from OWASP
- Eclipse SW360
- GUAC from OpenSSF
- Helm from Medcrypt
- NTIA Conformance Checker from SPDX
- Open Source Vulnerabilities (OSV) from Google
- bomber from DKFM
- bomshell from Adolfo García Veytia (a.k.a. Puerco)
- grype from Anchore
- sbomaudit from Anthony Harrison
- sbommerge from Anthony Harrison
- sbomqs from Interlynk