Microsoft open sources Salus software bill of materials (SBOM) generation tool

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • syft

    CLI tool and library for generating a Software Bill of Materials from container images and filesystems

  • https://github.com/anchore/syft is an easier-to-use alternative. Just point it at a container image, path or archive and it will generate the SBOM for you.

    Salus seems to be more flexible - you can also feed the sources and the package manager files into it. I guess the results could be more accurate.

  • dependency-track

    Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

  • I'm confused. When would I need "https://dependencytrack.org/"? Is it when I've completely lost my marbles and can no longer answer the questions "what does your app run on" and "what are your app's dependencies"? Is the idea that I would then download and install this "dependency tracker", hoping it would give me a list of things I depend on, so that I could inform the end user? What's the use case?

  • backstage

    Backstage is an open platform for building developer portals

  • Oh, so it's a security lookup tool, and I imagine you'd want a web and search interface on top of it.

    I've seen a project https://backstage.io/ which does something similar to what you're describing.

  • ort

    A suite of tools to automate software compliance checks.

  • > Do HN got a recommendation for other CLI based SBOM generators?

    Try ORT https://github.com/oss-review-toolkit/ort (full disclosure: I am one of its maintainers and also the lead of the SPDX Defects/Security Profile).

    If people have questions on SBOMs, comparing SCA/SBOM tools or ORT - feel free to reach out to me https://github.com/tsteenbe/

    ORT plug below ;-)

    ORT is much more than an SBOM generator though; it's a CLI/library that enables you to safely use, integrate, modify and redistribute third-party software, including FOSS.

    You can use ORT to:

    1. Generate CycloneDX or SPDX SBOMs for your software project

  • orthw

    Simplify and speed up common tasks in your ORT-based FOSS review workflows

  • 6. Create a source code archive for your software project, including its dependencies, to comply with certain licenses or to have your own copy, as nothing on the internet is forever

    ORT has been built for several years by Open Source Program Offices that got frustrated with the state of SCA/SBOM tools, which were not able to support license compliance properly or the 30+ build tools you can find in a lot of large organizations.

    To get started with ORT on your local machine I recommend using https://github.com/oss-review-toolkit/orthw/.

  • lunasec

    LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

  • Just to expand on this a bit: One of the largest fallouts from the Log4Shell vulnerability was that companies realized how hard it was to identify where they had log4j in their infrastructure in the first place.

    I've spoken with dozens of companies and it was a very similar story: Writing a detection script and then SSH'ing into every box, applying a Helm chart to scan every running container, putting the script into every CI job... Which takes weeks to months of manual effort to deal with.

    And that's not even dealing with the "once you've found it, who goes in and patches it?" question, which is its own can of worms.

    For context: I helped deal with the fallout of Log4Shell by writing a blog post about it (I gave it that name). Since then, we've been working on an Open Source SBOM database called LunaTrace[0] to help fix what I wrote above.

    0: https://github.com/lunasec-io/lunasec/tree/master/lunatrace
