sbom-tool
ort
Our great sponsors
sbom-tool | ort | |
---|---|---|
8 | 3 | |
1,422 | 1,472 | |
5.0% | 2.2% | |
8.9 | 9.9 | |
5 days ago | 5 days ago | |
C# | Kotlin | |
MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sbom-tool
-
An Intro to SBOMs
I use them. With the Microsoft SBOM tool[0] I generate a SBOM (which is unfortunately missing license information) and then feed them to Google OSV scanner to check for vulnerabilities. Not unlike Github Advanced Security does.
[0]: https://github.com/microsoft/sbom-tool
-
Do you SecDevOps?
Alternative it would be nice, if there is way to get an SBOM (Software Bill of Materials). Microsoft created an Open Source Tool to get an SBOM for many programming languages, but pascal is not one of this. With a SBOM file, it should be possible to run it against a tool like CycloneDX.
- Renovate, a Dependabot alternative
- SBOM Tool
- sbom-tool: The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
- Salus – SBOM Tool
- Microsoft released their SBOM generation tool as open source!
ort
-
Microsoft open sources Salus software bill of materials (SBOM) generation tool
> Do HN got a recommendation for other CLI based SBOM generators?
Try ORT https://github.com/oss-review-toolkit/ort (full disclosure I am one of its maintainers and also a the lead of the SPDX Defects/Security Profile).
If people have questions on SBOMs, comparing SCA/SBOM tools or ORT - feel free to reach out to me https://github.com/tsteenbe/
ORT plug below ;-)
ORT is much more than a SBOM generator though, it's a cli/library that enables you to safely use, integrate, modify and redistribute third party software including FOSS.
You can use ORT to:
1. Generate CycloneDX or SPDX SBOMs for your software project
-
OPEN source alternative to whitesource
Depends if you are interested in both the license and security side of things. There are tools like ORT (https://github.com/oss-review-toolkit/ort) that are quite powerful but have a little learning curve. I also know about initiatives like OpenChain and Double Open (https://github.com/doubleopen-project/doubleopen-publications/blob/master/publication.md#double-open-landscape-survey) that have information available.
- OSS Review Toolkit: analyze dependencies of a project, download them, scan them for licenses, security advisories, and much more
What are some alternatives?
cyclonedx-gradle-plugin - Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects
scancode-toolkit - :mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!
cyclonedx-bom-repo-server - A BOM repository server for distributing CycloneDX BOMs
renovate - Universal dependency automation tool.
cyclonedx-maven-plugin - Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects
dependency-track - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
osv-scanner - Vulnerability scanner written in Go which uses the data provided by https://osv.dev
barista - project barista - open source license and vulnerability management
awesome-sbom - A curated list of SBOM (Software Bill Of Materials) related tools, frameworks, blogs, podcasts, and articles
fossology - FOSSology is an open source license compliance software system and toolkit. As a toolkit you can run license, copyright and export control scans from the command line. As a system, a database and web ui are provided to give you a compliance workflow. License, copyright and export scanners are tools used in the workflow.
cyclonedx-gomod - Creates CycloneDX Software Bill of Materials (SBOM) from Go modules
tern - Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.