# awesome-sbom [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)

A curated list of SBOM (Software Bill of Materials) related tools, frameworks, blogs, podcasts, and articles.

# What is an SBOM (Software Bill of Materials)?

From [Wikipedia](https://en.wikipedia.org/wiki/Software_bill_of_materials):

> A software bill of materials (SBOM) is a list of components in a piece of software. Software vendors often create products by assembling open source and commercial software components. The SBOM describes the components in a product. It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause allergies, SBOMs can help companies avoid consumption of software that could harm their organization.
>
> The concept of a BOM is well-established in traditional manufacturing as part of supply chain management. A manufacturer uses a BOM to track the parts it uses to create a product. If defects are later found in a specific part, the BOM makes it easy to locate affected products.

## Contents

- 💼 [Official Projects](#official-projects)
  - 📰 [Articles and Blogs](#articles-and-blogs)
  - 🔧 [Tools](#tools-and-classification)
  - 📂 [Repositories](#repositories)
- 🗒️ [CycloneDX](#cyclonedx)
- 🗒️ [SPDX](#spdx)
- 🐾 [Community Repositories](#community-repositories)
  - 🔒 [Security Tools](#security-tools)
- 🗃️ [Articles and Blogs](#articles-and-blogs-1)
- 📹 [Videos](#videos)
- 📑 [Slides](#slides)
- 🎤 [Podcasts](#podcasts)
- :chart_with_upwards_trend: [Benchmarks](#benchmarks)

## Official Projects

### Articles and Blogs

- [Wikipedia](https://en.wikipedia.org/wiki/Software_bill_of_materials) - Official Wikipedia page
- [NTIA](https://www.ntia.gov/SBOM) - Official National Telecommunications and Information Administration page
- [What is an SBOM?](https://www.linuxfoundation.org/blog/what-is-an-sbom/) - The Linux Foundation article

### Tools (and [classification](https://ntia.gov/sites/default/files/publications/ntia_sbom_tooling_taxonomy-2021mar30_0.pdf))

Each cell lists the SBOM formats (CycloneDX, SPDX, SWID) the tool supports for that capability; an empty cell means the tool does not provide that capability.

|Tool|Build SBOM|Analyze SBOM|Edit SBOM|View SBOM|Diff SBOM|Import SBOM|Translate SBOM|Merge SBOM|Integrate with Other Tools|
|----|:--------:|:----------:|:-------:|:-------:|:-------:|:---------:|:------------:|:--------:|:------------------------:|
|AnthonyHarrison [SBOM4Python](https://pypi.org/project/sbom4python/)|CycloneDX,SPDX| | | | | | | | |
|AnthonyHarrison [SBOM4Rust](https://pypi.org/project/sbom4rust/)|CycloneDX,SPDX| | | | | | | | |
|AnthonyHarrison [SBOM4Files](https://pypi.org/project/sbom4files/)|CycloneDX,SPDX| | | | | | | | |
|AnthonyHarrison [Distro2SBOM](https://pypi.org/project/distro2sbom/)|CycloneDX,SPDX| | | | | | | | |
|AnthonyHarrison [SBOMDiff](https://pypi.org/project/sbomdiff/)| |CycloneDX,SPDX|CycloneDX,SPDX| | | | | | |
|AnthonyHarrison [SBOM2doc](https://pypi.org/project/sbom2doc/)| |CycloneDX,SPDX|CycloneDX,SPDX| | | | | | |
|AnthonyHarrison [SBOM2dot](https://pypi.org/project/sbom2dot/)| |CycloneDX,SPDX|CycloneDX,SPDX| | | | | | |
|AnthonyHarrison [SBOMAudit](https://pypi.org/project/sbomaudit/)| |CycloneDX,SPDX|CycloneDX,SPDX| | | | | | |
|AnthonyHarrison [SBOM-Manager](https://pypi.org/project/sbom-manager/)| |CycloneDX,SPDX|CycloneDX,SPDX| | | | | | |
|[bomber](https://github.com/devops-kung-fu/bomber)| |CycloneDX,SPDX| |CycloneDX,SPDX| | | | | |
|[CycloneDX Maven Plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)|CycloneDX| | | | | | | | |
|[CycloneDX CLI tool](https://github.com/CycloneDX/cyclonedx-cli)| | |CycloneDX| |CycloneDX| |CycloneDX,SPDX|CycloneDX| |
|CycloneDX [cdxgen](https://github.com/CycloneDX/cdxgen)|CycloneDX| | | | | | | |CycloneDX|
|Interlynk [SBOM Assembler](https://github.com/interlynk-io/sbomasm)|CycloneDX,SPDX| | | | | | |CycloneDX,SPDX|CycloneDX,SPDX|
|Interlynk [SBOM Quality Score](https://github.com/interlynk-io/sbomqs)| |CycloneDX,SPDX| |CycloneDX,SPDX| | | | |CycloneDX,SPDX|
|Interlynk [SBOM Grep](https://github.com/interlynk-io/sbomgr)| |CycloneDX,SPDX| |CycloneDX,SPDX| | | | |CycloneDX,SPDX|
|Interlynk [SBOM Find & Pull](https://github.com/interlynk-io/sbomex)| | | |CycloneDX,SPDX| | | | |CycloneDX,SPDX|
|Google [osv-scanner](https://github.com/google/osv-scanner)| |CycloneDX,SPDX| | | | | | | |
|[Kubernetes SBOM Tool](https://sigs.k8s.io/bom)|SPDX| | | | | | | | |
|Microsoft [SBOM tool](https://github.com/microsoft/sbom-tool)|SPDX| | | | | | | | |
|OSS Review Toolkit [ORT](https://github.com/oss-review-toolkit/ort)|CycloneDX,SPDX| | | | | | | | |
|scm-rs [sbom-cli](https://github.com/scm-rs/csaf-walker)| |CycloneDX,SPDX| |CycloneDX,SPDX| | | | |CycloneDX,SPDX|
|[Syft](https://github.com/anchore/syft)|CycloneDX,SPDX|CycloneDX,SPDX| |CycloneDX,SPDX| | | | | |
|Snyk SBOM [API](https://docs.snyk.io/snyk-api-info) & [CLI](https://docs.snyk.io/snyk-cli)|CycloneDX,SPDX| | | | | | | | |
|[Snyk SBOM Checker](https://snyk.io/code-checker/sbom-security/)| |CycloneDX,SPDX| | | | | | | |
|[SBOM viewer](https://apps.rancher.io/sbom-viewer)| | | |CycloneDX,SPDX| | | | | |
|[SPDX Maven Plugin](https://github.com/spdx/spdx-maven-plugin)|SPDX| | | | | | | | |
|[SPDX Gradle Plugin](https://github.com/spdx/spdx-gradle-plugin)|SPDX| | | | | | | | |
|[spdx-sbom-generator](https://github.com/spdx/spdx-sbom-generator)|SPDX| | | | | | | | |
|[SwiftBOM](https://github.com/CERTCC/SBOM/tree/master/SwiftBOM)|CycloneDX,SPDX,SWID| | | | | | | | |
|[Tern](https://github.com/tern-tools/tern)|CycloneDX,SPDX| | | | | | | | |
|[Trivy](https://github.com/aquasecurity/trivy)|CycloneDX,SPDX|CycloneDX,SPDX| |CycloneDX,SPDX| | | | | |
|[DeepSCA](https://tools.deepbits.com)|CycloneDX|CycloneDX| |CycloneDX| |CycloneDX| | |CycloneDX|
|[Meta Package Manager](https://github.com/kdeldycke/meta-package-manager#readme)|CycloneDX,SPDX| | | | | | | | |

### Repositories

- [CycloneDX Specification](https://github.com/CycloneDX/specification)
- [CycloneDX BOM Examples](https://github.com/CycloneDX/bom-examples)
- [CycloneDX/cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)
- [spdx-sbom-generator](https://github.com/spdx/spdx-sbom-generator)
- [tern-tools/tern](https://github.com/tern-tools/tern)
- [anchore/syft](https://github.com/anchore/syft)
- [dlorenc/sbom-oci](https://github.com/dlorenc/sbom-oci)
- [Cosign SBOM Spec](https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md)
- [microsoft/sbom-tool](https://github.com/microsoft/sbom-tool)
- [SwiftBOM - generate SBOMs](https://github.com/CERTCC/SBOM/tree/master/SwiftBOM)
- [Kubernetes SBOM Tool](https://sigs.k8s.io/bom)
- [Aqua Trivy](https://github.com/aquasecurity/trivy)
- [Google osv-scanner](https://github.com/google/osv-scanner)
- [bomber](https://github.com/devops-kung-fu/bomber)
- [Snyk provider](https://github.com/devops-kung-fu/bomber/tree/main/providers/snyk)
- Snyk SBOM [API](https://docs.snyk.io/snyk-api-info) and [CLI](https://docs.snyk.io/snyk-cli)
- [Snyk SBOM Checker](https://snyk.io/code-checker/sbom-security/)
- [Interlynk SBOM Assembler](https://github.com/interlynk-io/sbomasm)
- [Interlynk SBOM Quality Score](https://github.com/interlynk-io/sbomqs)
- [Interlynk SBOM Grep](https://github.com/interlynk-io/sbomgr)
- [Interlynk SBOM Find and Pull](https://github.com/interlynk-io/sbomex)
- [NTIA Conformance Checker](https://github.com/spdx/ntia-conformance-checker)

## CycloneDX

- [CycloneDX Capabilities](https://cyclonedx.org/capabilities/)
- [CycloneDX Use Cases and Examples](https://cyclonedx.org/use-cases/)
- [CycloneDX Tool Center](https://cyclonedx.org/tool-center/)
- [Specification Overview](https://cyclonedx.org/specification/overview/)

## SPDX

- [The Software Package Data Exchange® (SPDX®)](https://spdx.dev/)
- [ISO/IEC 5962 - SPDX® Specification](https://www.iso.org/standard/81870.html)
- [ISO/IEC 5230:2020 - OpenChain Specification](https://www.iso.org/standard/81039.html)
- [SPDX Spec](https://spdx.github.io/spdx-spec/)
- [SPDX: It’s Already in Use for Global Software Bill of Materials (SBOM)](https://www.linuxfoundation.org/blog/spdx-its-already-in-use-for-global-software-bill-of-materials-sbom-and-supply-chain-security/)

## Community Repositories

- [SBOM-Operator for Kubernetes](https://github.com/ckotzbauer/sbom-operator)

### Security Tools

- [bomber](https://github.com/devops-kung-fu/bomber) - An application that scans SBOMs for security vulnerabilities.
- [NTIA Conformance Checker](https://github.com/spdx/ntia-conformance-checker) - Checks an SPDX SBOM for the NTIA minimum elements.
- [sbom-scorecard](https://github.com/eBay/sbom-scorecard) - Generates a score for your SBOM to understand whether it will actually be useful.
- [parlay](https://github.com/snyk/parlay) - Enriches SBOMs with data from third-party services.

## Articles and Blogs

- [Software Bill Of Materials: Formats, Use Cases, and Tools](https://fossa.com/blog/software-bill-of-materials-formats-use-cases-tools/)
- [Software Bill of Materials Required by 2021 Cyber Security Executive Order](https://fossa.com/blog/software-bill-of-materials-formats-use-cases-tools/)
- [The world needs a software bill of materials](https://news.ycombinator.com/item?id=26529619)
- [What is a software bill of materials?](https://www.synopsys.com/blogs/software-security/software-bill-of-materials-bom/)
- [Easily and Quickly Build an Accurate Open Source Inventory](https://www.revenera.com/software-composition-analysis/business-solutions/bill-of-materials.html)
- [Create a Cybersecurity Bill of Materials](https://www.promenadesoftware.com/blog/create-a-software-bill-of-materials)
- [What is an SBOM, and why should you care?](https://boxboat.com/2021/05/12/what-is-sbom-and-why-should-you-care/)
- [Are you ready with your SBOM? Think again!](https://nadgowdas.github.io/blog/2021/trust-sbom/)
- [Nisha Kumar and Allan Friedman - RSAC DevOps Connect keynote](https://blogs.vmware.com/opensource/2021/06/15/software-bill-of-materials-and-modern-app-development-devops-connect-rsac-2021/)
- [Rose Judge on using Tern to generate an SBOM for containers](https://blogs.vmware.com/opensource/2020/08/29/rose-judge-on-tern-container-bill-of-materials/)
- [Creating a Software Supply Chain Landscape](https://zt.dev/posts/supply-chain-content-created/)
- [Analysis of a spdx-sbom-generator generated SBOM](https://zt.dev/posts/analysis-spdx-sbom-generator/)
- [Creating an SBOM for a golang app using spdx-sbom-generator](https://zt.dev/posts/creating-spdx-sbom/)
- [Analysis of a cyclonedx-gomod generated SBOM](https://zt.dev/posts/analysis-cyclonedx-gomod-sbom/)
- [Creating an SBOM for a golang app using cyclonedx-gomod](https://zt.dev/posts/creating-cyclonedx-gomod-sbom/)
- [What an SBOM Can Do for You](https://chainguard.dev/posts/2022-01-13-what-an-sbom-can-do-for-you)
- [BOM 101 – All the questions you were afraid to ask about Software Bill of Materials](https://sysdig.com/blog/sbom-101-software-bill-of-materials/)
- [How to create SBOMs in Java with Maven and Gradle](https://snyk.io/blog/create-sboms-java-maven-gradle/) - Snyk blog
- [Comparing SBOM Standards: SPDX vs. CycloneDX](https://blog.sonatype.com/comparing-sbom-standards-spdx-vs.-cyclonedx-vs.-swid)
- [Top 10 Things You Should Know About Using SBOM to Secure Industrial IoT Devices - Red Alert Labs](https://www.redalertlabs.com/blog/top-10-things-you-should-know-about-using-sbom-to-secure-industrial-iot-devices)
- [The Minimum Elements For a Software Bill of Materials (SBOM)](https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf)
- [What Makes a Good SBOM?](https://edu.chainguard.dev/open-source/sbom/what-makes-a-good-sbom/)
- [Are SBOMs Any Good? Preliminary Measurement of the Quality of Open Source Project SBOMs](https://www.chainguard.dev/unchained/are-sboms-any-good-preliminary-measurement-of-the-quality-of-open-source-project-sboms)
- [Software Dark Matter is the Enemy of Software Transparency](https://www.chainguard.dev/unchained/software-dark-matter-is-the-enemy-of-software-transparency)
- [The Linux Foundation’s Software Bill of Materials (SBOM) and Cybersecurity Readiness Report](https://www.linuxfoundation.org/research/the-state-of-software-bill-of-materials-sbom-and-cybersecurity-readiness)
- [When will SBOMs finally benefit the federal government’s software supply chain?](https://federalnewsnetwork.com/commentary/2022/10/when-will-sboms-finally-benefit-the-federal-governments-software-supply-chain/)
- [Are SBOMs good enough for government work?](https://www.chainguard.dev/unchained/are-sboms-good-enough-for-government-work)
- [Not All SBOMs Are Created Equal](https://www.chainguard.dev/unchained/not-all-sboms-are-created-equal)

## Videos

- [Mentorship Session: Generating Software Bill Of Materials](https://www.youtube.com/watch?v=EVnQ4Riecy8)
- [Software Bill of Materials: How to generate an SBOM from container images using Syft](https://www.youtube.com/watch?v=9oj3BC3vOtc)
- [SwiftBOM - generate SBOMs for PoC efforts and demos](https://youtube.com/playlist?list=PLKr8MJRsuoPHGqfcoj8auu7zax8oLRPsH)
- [Kubernetes Atlanta Meetup - Nov 2021 - SBOMs, Container Signing and Verification, Intro to Gatekeeper](https://www.youtube.com/watch?v=PuTJ176djsc&t=22s)
- [FOSDEM 2023 - The 7 key ingredients of a great SBOM](https://fosdem.org/2023/schedule/event/sbom_key_ingredients/)

## Slides

- [Software Bill of Materials Presentation](https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/SSCA/Spring_2019/8MayAM2.3_Software_Bill_of_Materials_Robert_Martin_05_08_19_clean.pdf)

## Podcasts

- [DaBOM Podcast](https://dabom.show/)

## Benchmarks

- [SBOM Benchmark](https://sbombenchmark.dev) - Quickly evaluate an SBOM for quality, compliance and errors.