smrcptr VS syft

Syft (https://github.com/anchore/syft) and ScanCode (https://github.com/aboutcode-org/scancode-toolkit) are good open-source tools to generate SBOMs and search repos for licensing information — I'm curious to hear if there are reasons why those wouldn't work for enterprise purposes.

Software Bill of Materials (SBOM): Knowing what’s in your software is the new cool. Tools like Syft and Trivy can generate SBOMs as part of your CI/CD pipeline, enhancing supply chain security.

Grype downloads a fresh instance of its vulnerability.db database, then scans the image for specific packages, files, configurations, and so on, building a manifest in the form of a Software Bill of Materials (SBOM) itemizing the software contained in the image. (Under the hood, Grype uses a sister tool, Syft, for this step.)

1. Syft

CycloneDX tools offer packages for each and every programming language. [1]

The dependency track project accumulates all dependency vulnerabilities in a dashboard. [2]

Container SBOMs can be generated with syft and grype [3] [4]

[1] https://github.com/CycloneDX

[2] https://github.com/DependencyTrack

[3] https://github.com/anchore/syft

[4] https://github.com/anchore/grype

There are various methods and standards for creating AI SBOMs for model attestation. These methods often require you to have some form of SBOM pipeline that extracts relevant information from your project and uses it to generate the SBOM. If you are using container-based technology, you can leverage information from the container images as your SBOM pipeline to create your AI SBOMs. You can directly generate your AI project's SBOMs from Docker container images using Syft.

I can wholeheartedly recommend Syft.[0]

Decoupling SBOM data collection from vulnerability tracking (with your tool of choice) is a nice capability.

0: https://github.com/anchore/syft

Syft is a popular open source CLI tool created by Anchore for generating an SBOM from container images and filesystems. It’s designed to provide a catalog of dependencies for other tools to use as a data source. It supports many popular programming languages, package managers, and container image formats.

Inside of the SBOMs, we can detect a lot: https://github.com/anchore/syft#supported-ecosystems

You're right that the active/dormant detection needs to be customized per type of runtime. We cover rpm/deb, python and java with the node and others coming very soon. The compiled languages will be our main focus next. For example, Go binaries embed some dependency metadata in the binary itself.

Also related to this effort is the "in-toto" integrity chain: https://in-toto.io/in-toto/ Since we're already connecting build to run, we aim to complete the chain.

Installing syft is pretty straight forward. On any Linux/Mac environment you can run the following command to install