awesome-sbom

A curated list of SBOM (Software Bill Of Materials) related tools, frameworks, blogs, podcasts, and articles

What is an SBOM (Software Bill Of Materials)?

From Wikipedia:

A software bill of materials (SBOM) is a list of components in a piece of software. Software vendors often create products by assembling open source and commercial software components. The SBOM describes the components in a product. It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause allergies, SBOMs can help companies avoid consumption of software that could harm their organization.

The concept of a BOM is well-established in traditional manufacturing as part of supply chain management. A manufacturer uses a BOM to track the parts it uses to create a product. If defects are later found in a specific part, the BOM makes it easy to locate affected products.

Official projects

Articles and Blogs

  • Wikipedia - Official Wikipedia Page
  • NTIA - Official National Telecommunications and Information Administration Page
  • What is an SBOM? - The Linux Foundation Article

Tools (and classification)

Tool Build SBOM Analyze SBOM Edit SBOM View SBOM Diff SBOM Import SBOM Translate SBOM Merge SBOM Integrate with Other Tools
AnthonyHarrison SBOM4Python CycloneDX,SPDX
AnthonyHarrison SBOM4Rust CycloneDX,SPDX
AnthonyHarrison SBOM4Files CycloneDX,SPDX
AnthonyHarrison Distro2SBOM CycloneDX,SPDX
AnthonyHarrison SBOMDiff CycloneDX,SPDX CycloneDX,SPDX
AnthonyHarrison SBOM2doc CycloneDX,SPDX CycloneDX,SPDX
AnthonyHarrison SBOM2dot CycloneDX,SPDX CycloneDX,SPDX
AnthonyHarrison SBOMAudit CycloneDX,SPDX CycloneDX,SPDX
AnthonyHarrison SBOM-Manager CycloneDX,SPDX CycloneDX,SPDX
bomber CycloneDX,SPDX CycloneDX,SPDX
CycloneDX Maven Plugin CycloneDX
CycloneDX CLI tool CycloneDX CycloneDX CycloneDX,SPDX CycloneDX
CycloneDX cdxgen CycloneDX CycloneDX
Interlynk SBOM Assembler CycloneDX,SPDX CycloneDX,SPDX CycloneDX,SPDX
Interlynk SBOM Quality Score CycloneDX,SPDX CycloneDX,SPDX CycloneDX,SPDX
Interlynk SBOM Grep CycloneDX,SPDX CycloneDX,SPDX CycloneDX,SPDX
Interlynk SBOM Find & Pull CycloneDX,SPDX CycloneDX,SPDX
Google osv-scanner CycloneDX,SPDX
Kubernetes SBOM Tool SPDX
Microsoft SBOM tool SPDX
OSS Review Toolkit ORT CycloneDX,SPDX
Syft CycloneDX,SPDX CycloneDX,SPDX CycloneDX,SPDX
Snyk SBOM API & CLI CycloneDX,SPDX
Snyk SBOM Checker CycloneDX,SPDX
SBOM viewer CycloneDX,SPDX
SPDX Maven Plugin SPDX
SPDX Gradle Plugin SPDX
spdx-sbom-generator SPDX
SwiftBOM CycloneDX,SPDX,SWID
Tern CycloneDX,SPDX
Trivy CycloneDX,SPDX CycloneDX,SPDX CycloneDX,SPDX
DeepSCA CycloneDX CycloneDX CycloneDX CycloneDX CycloneDX
Meta Package Manager CycloneDX,SPDX

Repositories

CycloneDX

SPDX

Community Repositories

Security Tools

  • bomber - bomber is an application that scans SBoMs for security vulnerabilities.
  • NTIA Conformance Checker - Check SPDX SBOM for NTIA minimum elements
  • sbom-scorecard - Generate a score for your SBOM to understand if it will actually be useful.
  • parlay - Enrich SBOMs with data from third party services

Articles and Blogs

Videos

Slides

Podcasts

Benchmarks

  • SBOM Benchmark - Quickly evaluate SBOMs for quality, compliance and errors.