/sbom-dependency-submission

Demo and resources that show how SBOMs can be used with GitHub's dependency graph

Primary language: Java. License: MIT.

Demo for Universe 2022: What are SBOMs, and how do I make them useful?

This is a simple Maven project that builds a standalone JAR which contains a Jetty webserver and a simple bookstore servlet. The repository hosts a demo and resources to accompany SEC020: What are SBOMs, and how do I make them useful?, a talk presented at Universe 2022.

This project includes a workflow file (sbom-upload.yml) that uses Anchore's SBOM Action. The action scans the built JAR with Syft to produce a software bill of materials, converts that SBOM into the snapshot format required by the dependency submission API, and uploads it to the repository's dependency graph. The result is a more complete dependency graph: it includes the transitive Maven dependencies that the dependency graph's default static scan of pom.xml does not see. Dependabot alerts for the newly submitted dependencies are synced automatically and appear in the repository's Security tab.

About the dependency graph and the dependency submission API

By default, GitHub builds a repository's dependency graph from static scans of checked-in manifest files (for Maven, the pom.xml). In some ecosystems this limits how complete the graph can be, because a manifest may list only direct dependencies and leave resolution of the transitive ones to the build tool. The dependency submission API lets developers upload dependency information directly to GitHub, for instance from a build tool that has already resolved the full tree.

There are several community-owned GitHub Actions in the Marketplace that will scan projects from different ecosystems and upload the dependencies to the repository's dependency graph. You can also write your own GitHub Action to submit dependencies with the dependency submission toolkit.
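As an added example (not the repository's sbom-upload.yml and not Anchore's action), the transposition step described above done by hand in Python: it reads a CycloneDX JSON SBOM of the kind Syft emits, builds a dependency-submission snapshot from it, and POSTs the snapshot to the API when a token is available. The SBOM is a constructed sample, its coordinates are illustrative rather than the demo's real dependency tree, the detector name and URL are placeholders, the `target/bookstore.jar` manifest name is assumed, and mapping CycloneDX `scope: optional` to GitHub's `development` scope is a simplification made for this example.

```python
"""Convert a CycloneDX JSON SBOM (a format Syft can emit) into a GitHub
dependency-submission snapshot and, when run inside a workflow, POST it.

Added example for this README: this is not the repository's workflow nor
Anchore's sbom-action, which do the same job with more format support.
"""
import json
import os
import sys
from datetime import datetime, timezone
from urllib import request

API_VERSION = "2022-11-28"

# Constructed sample: a CycloneDX 1.4 document trimmed to the fields the
# converter reads. Coordinates are illustrative, not the demo's real tree.
SAMPLE_CYCLONEDX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "root", "name": "bookstore", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "jetty-server", "name": "jetty-server",
         "purl": "pkg:maven/org.eclipse.jetty/jetty-server@11.0.0"},
        {"bom-ref": "jetty-util", "name": "jetty-util",
         "purl": "pkg:maven/org.eclipse.jetty/jetty-util@11.0.0"},
        {"bom-ref": "junit", "name": "junit", "scope": "optional",
         "purl": "pkg:maven/junit/junit@4.13.2"},
        {"bom-ref": "no-purl", "name": "local-only"},  # no purl: cannot be submitted
    ],
    "dependencies": [
        {"ref": "root", "dependsOn": ["jetty-server", "junit", "no-purl"]},
        {"ref": "jetty-server", "dependsOn": ["jetty-util"]},
    ],
}


def cyclonedx_to_snapshot(bom, *, sha, ref, job_id, correlator, manifest_name, scanned=None):
    """Build the body for POST /repos/{owner}/{repo}/dependency-graph/snapshots."""
    if not ref.startswith("refs/"):
        raise ValueError("ref must be fully qualified, e.g. refs/heads/main")
    if len(sha) != 40:
        raise ValueError("sha must be the full 40-character commit SHA")

    components = bom.get("components", [])
    # bom-ref -> package URL; components without a purl are left out of the graph.
    purl_of = {c.get("bom-ref", c.get("purl")): c["purl"] for c in components if c.get("purl")}
    depends_on = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    direct = set(depends_on.get(root_ref, []))

    resolved = {}
    for c in components:
        bom_ref = c.get("bom-ref", c.get("purl"))
        purl = purl_of.get(bom_ref)
        if purl is None:
            continue
        resolved[purl] = {
            "package_url": purl,
            "relationship": "direct" if bom_ref in direct else "indirect",
            # Simplification for this example: CycloneDX "optional" -> GitHub "development".
            "scope": "development" if c.get("scope") == "optional" else "runtime",
            # Edges must name other keys of "resolved", so refs without a purl are dropped.
            "dependencies": [purl_of[r] for r in depends_on.get(bom_ref, []) if r in purl_of],
        }

    return {
        "version": 0,
        "job": {"id": job_id, "correlator": correlator},
        "sha": sha,
        "ref": ref,
        # Placeholder detector identity; a real tool would report its own name/version/URL.
        "detector": {"name": "cyclonedx-snapshot-example", "version": "0.1.0",
                     "url": "https://example.invalid/cyclonedx-snapshot-example"},
        "scanned": scanned or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "manifests": {manifest_name: {
            "name": manifest_name,
            "file": {"source_location": manifest_name},
            "resolved": resolved,
        }},
    }


def submit_snapshot(snapshot, repository, token):
    """POST the snapshot; the token needs contents: write on the repository."""
    req = request.Request(
        f"https://api.github.com/repos/{repository}/dependency-graph/snapshots",
        data=json.dumps(snapshot).encode(),
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": API_VERSION,
            "Content-Type": "application/json",
        },
    )
    with request.urlopen(req) as resp:  # 201 Created on success
        return json.load(resp)


if __name__ == "__main__":
    # Usage in a workflow step: python submit_sbom.py path/to/sbom.cdx.json
    # GITHUB_SHA/REF/RUN_ID/JOB/REPOSITORY are set by the Actions runner;
    # GITHUB_TOKEN must be passed via env: and the job needs contents: write.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            bom = json.load(fh)
    else:
        bom = SAMPLE_CYCLONEDX
    snapshot = cyclonedx_to_snapshot(
        bom,
        sha=os.environ.get("GITHUB_SHA", "0" * 40),
        ref=os.environ.get("GITHUB_REF", "refs/heads/main"),
        job_id=os.environ.get("GITHUB_RUN_ID", "local"),
        correlator=os.environ.get("GITHUB_JOB", "sbom-upload"),
        manifest_name="target/bookstore.jar",  # assumed artifact path
    )
    if os.environ.get("GITHUB_TOKEN"):
        print(submit_snapshot(snapshot, os.environ["GITHUB_REPOSITORY"], os.environ["GITHUB_TOKEN"]))
    else:
        print(json.dumps(snapshot, indent=2))  # dry run: show what would be submitted
```

Two details matter when wiring this into a workflow: the `ref` must be the fully qualified ref (`refs/heads/main`, not `main`) and the `sha` the full commit SHA, or the API rejects the snapshot; and the `correlator` should stay stable across runs of the same job, because GitHub uses it together with `detector` to decide which earlier snapshot a new one replaces.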

Resources:

About SBOMs

A software bill of materials (SBOM) is an inventory of every component your software contains, recorded in a standard machine-readable format such as SPDX or CycloneDX.

There are various tools that generate SBOMs:

There are GitHub Actions that submit SBOMs to the dependency submission API:

Questions?

Open a discussion in community/community with any questions about the dependency graph, the dependency submission API, or how to integrate them with SBOMs.