Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality. Learn more →
Top 7 bill-of-material Open-Source Projects
-
dependency-track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
Project mention: Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub | news.ycombinator.com | 2024-04-21I've become interested in SBOM recently, and found there were great tools like https://dependencytrack.org/ for CycloneDX SBOMs, but all I have is SPDX SBOMs generated by GitHub.
I decided to have a go at writing my own dependency track esque tool aiming to integrate with the APIs GitHub provides.
It's pretty limited in functionality so far, but can give a high level summary of the types of licenses your repository dependencies use, and let you drill down into potentially problematic ones.
Written in NextJS + mui + sqlite, and using another project of mine to generate most of the API boilerplate/glue (https://github.com/mnahkies/openapi-code-generator)
There are a number of SBOM standards, but we'll focus on the CycloneDX standard here. CycloneDX grew out of the Open Web Application Security Project (OWASP), is licensed under Creative Commons Zero v1 (think a "public domain" license formulated to meet the laws of many countries), and is a widely known and respected standard.
Project mention: An Overview of Kubernetes Security Projects at KubeCon Europe 2023 | dev.to | 2023-05-22CycloneDx-gomod
Project mention: Wolfi: A community Linux OS designed for the container and cloud-native era | news.ycombinator.com | 2023-06-27I'm not sure what you mean by "non-trivial" but here's a simple discord bot I wrote in python, that I distribute as an OCI image and that is built with Nix for both x86_64 and aarch64 linux via GitHub actions: https://github.com/starcraft66/attention-attention
There is no SBOM because I didn't bother publishing one but the way Nix builds derivations, you basically get the SBOM for free. You could use a tool like sbomnix[1] to trivially generate an SPDX-format SBOM from the nix derivation that builds the container image.
1: https://github.com/tiiuae/sbomnix
Project mention: Dependency inventory / dashboard for multiple maven projects | /r/java | 2023-06-08
bill-of-materials related posts
-
Krita fund has 0 corporate support
-
Who in your organization is responsible for deciding and implementing AppSec tools? And any recommendations for a reliable alternative for Snyk tools? Thanks!
-
SBOM management program?
-
Go, SBOM and DependencyTrack
-
How to Automate the Software Bill of Materials (SBOM)
-
How to create SBOMs in Java with Maven and Gradle
-
Looking for an alternative to gradle dependency tree
-
A note from our sponsor - InfluxDB
www.influxdata.com | 7 May 2024
Index
What are some of the best open-source bill-of-material projects? This list will help you:
Project | Stars | |
---|---|---|
1 | dependency-track | 2,335 |
2 | cyclonedx-maven-plugin | 273 |
3 | cyclonedx-gradle-plugin | 140 |
4 | cyclonedx-gomod | 124 |
5 | sbomnix | 97 |
6 | cyclonedx-core-java | 68 |
7 | cyclonedx-bom-repo-server | 64 |
Sponsored