cyclonedx

Open-source projects categorized as cyclonedx

Top 20 cyclonedx Open-Source Projects

  • grype

    A vulnerability scanner for container images and filesystems

  • Project mention: Introduction to the Kubernetes ecosystem | dev.to | 2024-04-25

    Trivy Operator: A simple and comprehensive vulnerability scanner for containers and other artifacts. It detects vulnerabilities of OS packages (Alpine, Debian, CentOS, etc.) and application dependencies (pip, npm, yarn, composer, etc.) (Alternatives: Grype, Snyk, Clair, Anchore, Twistlock)

  • syft

    CLI tool and library for generating a Software Bill of Materials from container images and filesystems

  • Project mention: An Overview of Kubernetes Security Projects at KubeCon Europe 2023 | dev.to | 2023-05-22

    Syft is a popular open source CLI tool created by Anchore for generating an SBOM from container images and filesystems. It’s designed to provide a catalog of dependencies for other tools to use as a data source. It supports many popular programming languages, package managers, and container image formats.

  • dependency-track

    Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

  • Project mention: Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub | news.ycombinator.com | 2024-04-21

    I've become interested in SBOM recently, and found there were great tools like https://dependencytrack.org/ for CycloneDX SBOMs, but all I have is SPDX SBOMs generated by GitHub.

    I decided to have a go at writing my own dependency track esque tool aiming to integrate with the APIs GitHub provides.

    It's pretty limited in functionality so far, but can give a high level summary of the types of licenses your repository dependencies use, and let you drill down into potentially problematic ones.

    Written in NextJS + mui + sqlite, and using another project of mine to generate most of the API boilerplate/glue (https://github.com/mnahkies/openapi-code-generator)

  • scancode-toolkit

    ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!

  • Project mention: ScanCode: Scan license and packages, dependencies and origin information | news.ycombinator.com | 2023-08-11
  • ort

    A suite of tools to automate software compliance checks.

  • dep-scan

    OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.

  • Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05

    Depscan v5 is the first opensource SCA tool that can perform precision reachability analysis for Java, JavaScript/TypeScript, and Python applications to triage and prioritize the results. We invented an automatic symbols tagger, a lightweight data-flow analyzer, and a static slicer to compute all reachable flows with or without vulnerabilities. We open-sourced all our work, including the specification.

  • purl-spec

    A minimal specification for purl, a.k.a. a package "mostly universal" URL; join the discussion at https://gitter.im/package-url/Lobby

  • Project mention: Purl: A Simple Tool for Text Processing | news.ycombinator.com | 2024-04-12
  • bomber

    Scans Software Bill of Materials (SBOMs) for security vulnerabilities

  • cdxgen

    Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962

  • Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05

    Today, it gives me great pleasure to announce OWASP dep-scan v5. Like everyone, I was constantly frustrated with the amount of false positives generated by all Software Composition Analysis tools (including mine) and wanted to do something. I worked closely with a few colleagues (Caroline, Tim, Saket, and David) for a year to build the various capabilities that together form depscan v5.

  • chainloop

    Chainloop is an Open Source Metadata Vault for your Software Supply Chain metadata, SBOMs, VEX, SARIF files, QA reports, and more.

  • Project mention: Choosing the “old stuff” as plugin SDK for Go in 2023 | news.ycombinator.com | 2023-07-06
  • cyclonedx-maven-plugin

    Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects

  • Project mention: Do You Need an SBOM? | dev.to | 2024-05-06

    There are a number of SBOM standards, but we'll focus on the CycloneDX standard here. CycloneDX grew out of the Open Web Application Security Project (OWASP), is licensed under Creative Commons Zero v1 (think a "public domain" license formulated to meet the laws of many countries), and is a widely known and respected standard.

  • cyclonedx-gradle-plugin

    Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects

  • SBOM Quality Score

    SBOM quality score - Quality metrics for your SBOMs

  • sbomnix

    A suite of utilities to help with software supply chain challenges on nix targets

  • Project mention: Wolfi: A community Linux OS designed for the container and cloud-native era | news.ycombinator.com | 2023-06-27

    I'm not sure what you mean by "non-trivial" but here's a simple discord bot I wrote in python, that I distribute as an OCI image and that is built with Nix for both x86_64 and aarch64 linux via GitHub actions: https://github.com/starcraft66/attention-attention

    There is no SBOM because I didn't bother publishing one but the way Nix builds derivations, you basically get the SBOM for free. You could use a tool like sbomnix[1] to trivially generate an SPDX-format SBOM from the nix derivation that builds the container image.

    1: https://github.com/tiiuae/sbomnix

  • parlay

    Enrich SBOMs with data from third party services

  • Project mention: Parlay | /r/devopspro | 2023-06-12
  • scancode.io

    ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, Google Summer of Code, nexB and other generous sponsors!

  • cyclonedx-core-java

    CycloneDX SBOM Model and Utils for Creating and Validating BOMs

  • Project mention: Dependency inventory / dashboard for multiple maven projects | /r/java | 2023-06-08
  • cyclonedx-bom-repo-server

    A BOM repository server for distributing CycloneDX BOMs

  • bogrod

    Manage SBOM and VEX like source code

  • Project mention: Show HN: Manage SBOM vulnerabilities analysis like source code | news.ycombinator.com | 2023-06-08
  • rebom

    Rebom by Reliza - Catalog of Software Bills of Materials (SBOMs), demo:

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).
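
Several projects on this list (grype, syft, cdxgen, dependency-track, bomber) identify a component by its Package URL, the `purl` field of a CycloneDX component, and purl-spec above defines that format. The following parser and canonical builder is an added example written for this page; it is not code from the purl-spec project or from its reference libraries. It follows the spec's decoding order (split off `#`, then `?`, then `@`, then decode segments) and applies only a subset of the type-specific normalisation rules (github/bitbucket lowercasing, pypi name folding); the sample purls in the `__main__` block are constructed for the example.

```python
"""Package URL (purl) parser and canonical builder, following the decoding
rules of the purl-spec.  Added example, not code from the purl-spec project
or from the reference packageurl libraries."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote


@dataclass
class PackageURL:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def _rsplit_once(s: str, sep: str) -> Tuple[str, Optional[str]]:
    """Split once from the right; the tail is None when sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, None)


def parse_purl(purl: str) -> PackageURL:
    """Decode 'pkg:type/namespace/name@version?qualifiers#subpath'.

    Parts are stripped from the right ('#', then '?', then '@') and each
    segment is percent-decoded only after the split, so an encoded '@' or '/'
    inside a segment (e.g. %40angular) never confuses the parser.
    """
    remainder, raw_subpath = _rsplit_once(purl.strip(), "#")
    subpath = None
    if raw_subpath is not None:
        # The spec discards '.' and '..' segments: a subpath must not be able
        # to point outside the package.
        segments = [unquote(s) for s in raw_subpath.split("/") if s not in ("", ".", "..")]
        subpath = "/".join(segments) or None

    remainder, raw_qualifiers = _rsplit_once(remainder, "?")
    qualifiers: Dict[str, str] = {}
    if raw_qualifiers is not None:
        for pair in raw_qualifiers.split("&"):
            key, _, value = pair.partition("=")
            key = key.lower()            # keys are case-insensitive, stored lowercase
            if key and value:            # qualifiers with empty values are dropped
                qualifiers[key] = unquote(value)

    scheme, found, remainder = remainder.partition(":")
    if not found or scheme.lower() != "pkg":
        raise ValueError("purl must start with the 'pkg:' scheme")
    remainder = remainder.lstrip("/")   # 'pkg://type/...' is tolerated by the spec

    remainder, raw_version = _rsplit_once(remainder, "@")
    version = unquote(raw_version) if raw_version is not None else None

    type_, found, remainder = remainder.partition("/")
    if not found or not type_:
        raise ValueError("purl needs both a type and a name")
    type_ = type_.lower()
    segments = remainder.split("/")
    name = unquote(segments[-1])
    if not name:
        raise ValueError("purl needs a non-empty name")
    namespace = "/".join(unquote(s) for s in segments[:-1] if s) or None

    # Type-specific normalisation; only a subset of the spec's rules is shown.
    if type_ in ("github", "bitbucket"):
        name = name.lower()
        namespace = namespace.lower() if namespace else None
    elif type_ == "pypi":
        name = name.lower().replace("_", "-")

    return PackageURL(type_, name, namespace, version, qualifiers, subpath)


def to_purl(p: PackageURL) -> str:
    """Re-encode in canonical form: sorted qualifiers and every segment
    percent-encoded, so '/', '@', '?' and '#' inside values survive a round trip."""
    out = "pkg:" + p.type
    if p.namespace:
        out += "/" + "/".join(quote(s, safe="") for s in p.namespace.split("/"))
    out += "/" + quote(p.name, safe="")
    if p.version:
        out += "@" + quote(p.version, safe="")
    if p.qualifiers:
        out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(p.qualifiers.items()))
    if p.subpath:
        out += "#" + "/".join(quote(s, safe="") for s in p.subpath.split("/"))
    return out


if __name__ == "__main__":
    # Constructed sample purls, not taken from any real inventory.
    for sample in ("pkg:maven/org.apache.commons/io@1.3.4?type=jar",
                   "pkg:npm/%40angular/animation@12.3.1",
                   "pkg:golang/google.golang.org/genproto#googleapis/api/annotations"):
        print(parse_purl(sample), "->", to_purl(parse_purl(sample)))
```

The canonical form matters when purls are used as join keys between tools: an SBOM producer that emits `pkg:PyPI/Django_Package@1.11.1` and an advisory feed keyed on `pkg:pypi/django-package` only match after both sides normalise, which is why the parser lowercases the type and applies the per-type name rules before anything compares strings.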

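What bomber, grype and dep-scan do with an SBOM, and what bogrod and chainloop manage alongside it, comes down to two steps: match each component's purl and version against advisories, then apply VEX analysis statements so findings already triaged as not affected stop paging anyone. The following is an added example written for this page, not code from any of those projects. The CycloneDX BOM, the advisory list and the VEX document are constructed inline and name fictional packages with made-up advisory IDs; version ordering is a deliberate simplification (real scanners apply ecosystem-specific rules), and the policy of ignoring a `not_affected` statement that carries no justification is this example's choice, not a CycloneDX requirement.

```python
"""Match the components of a CycloneDX JSON BOM against a list of advisories
and apply CycloneDX VEX analysis statements to close triaged findings.
Added example: not code from bomber, grype, dep-scan or bogrod.  The BOM,
advisories and VEX document below are constructed for this example, with
fictional packages and made-up advisory IDs."""
import json
import re
from typing import Dict, List, Optional, Tuple

# --- constructed inputs ------------------------------------------------------
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "example-left-pad", "version": "1.2.0",
         "bom-ref": "pkg:npm/example-left-pad@1.2.0", "purl": "pkg:npm/example-left-pad@1.2.0"},
        {"type": "library", "name": "example-parser", "version": "3.0.1",
         "bom-ref": "pkg:pypi/example-parser@3.0.1", "purl": "pkg:pypi/example-parser@3.0.1"},
        {"type": "library", "name": "example-parser", "version": "3.2.0",
         "bom-ref": "pkg:pypi/example-parser@3.2.0", "purl": "pkg:pypi/example-parser@3.2.0"},
        {"type": "library", "name": "vendored-blob", "bom-ref": "vendored-blob"},  # no purl
    ],
})

# OSV-style ranges: a version is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:npm/example-left-pad", "introduced": "0", "fixed": "1.3.0"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:pypi/example-parser", "introduced": "3.0.0", "fixed": "3.1.0"},
]

# A CycloneDX VEX document: analysis.state plus the bom-refs it applies to.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "vulnerabilities": [{
        "id": "EXAMPLE-ADV-0001",
        "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                     "detail": "vulnerable function is never called"},
        "affects": [{"ref": "pkg:npm/example-left-pad@1.2.0"}],
    }],
})

CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def split_purl_version(purl: str) -> Tuple[str, Optional[str]]:
    """Return (purl without version/qualifiers/subpath, version)."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    head, found, version = base.rpartition("@")
    return (head, version) if found else (base, None)


def version_key(version: str) -> tuple:
    """Simplified ordering: split on '.', '-', '+'; numeric parts before text.
    Real scanners use ecosystem-specific comparison (semver, deb, rpm, ...)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-+]", version) if p)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def load_vex_closures(vex_json: str) -> Dict[Tuple[str, str], dict]:
    """Map (vulnerability id, bom-ref) -> analysis for statements that close a
    finding.  Policy choice of this example: a not_affected statement without a
    justification is an unreviewed claim, not a triage decision, and is ignored."""
    closures: Dict[Tuple[str, str], dict] = {}
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state")
        if state not in CLOSED_STATES:
            continue
        if state == "not_affected" and not analysis.get("justification"):
            continue
        for target in vuln.get("affects", []):
            closures[(vuln["id"], target["ref"])] = analysis
    return closures


def scan_bom(sbom_json: str, advisories: List[dict], vex_json: Optional[str] = None) -> List[dict]:
    closures = load_vex_closures(vex_json) if vex_json else {}
    by_package: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_package.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        base, version = split_purl_version(comp.get("purl", ""))
        if not version:
            continue  # no purl or no version: nothing to match on
        ref = comp.get("bom-ref", comp["purl"])
        for adv in by_package.get(base, []):
            if not is_affected(version, adv["introduced"], adv.get("fixed")):
                continue
            analysis = closures.get((adv["id"], ref))
            findings.append({"id": adv["id"], "ref": ref, "fixed": adv.get("fixed"),
                             "status": analysis["state"] if analysis else "open",
                             "justification": analysis.get("justification") if analysis else None})
    return findings


def open_findings(findings: List[dict]) -> List[dict]:
    return [f for f in findings if f["status"] == "open"]


if __name__ == "__main__":
    for f in scan_bom(SBOM_JSON, ADVISORIES, VEX_JSON):
        print(f["status"], f["id"], f["ref"], "fixed in", f["fixed"])
```

Two details carry over to real pipelines: the VEX statement is keyed on the component's `bom-ref`, not on the package name, so a closure for `example-left-pad@1.2.0` does not silently cover a later `1.2.5` that re-enters the BOM; and the component without a purl produces no finding at all, which is exactly the blind spot a scanner like grype has to cover by matching on CPE or name/version instead.
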
cyclonedx related posts

  • Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone

    3 projects | /r/devsecops | 5 Dec 2023
  • Package URL Specification

    1 project | news.ycombinator.com | 7 Nov 2023
  • cdxgen

    1 project | /r/devopspro | 29 Jan 2023
  • 12 Things You Might Not Know About Buildpacks

    8 projects | dev.to | 1 Dec 2022
  • Bomber - Scans SBOMs for Vulnerabilities

    1 project | /r/devsecops | 17 Oct 2022
  • bomber - a vulnerability scanner for SBOMs

    2 projects | /r/netsec | 23 Aug 2022
  • bomber: Scans SBoMs for security vulnerabilities

    1 project | /r/blueteamsec | 24 Aug 2022

Index

What are some of the best open-source cyclonedx projects? This list will help you:

Project Stars
1 grype 7,678
2 syft 5,495
3 dependency-track 2,335
4 scancode-toolkit 1,973
5 ort 1,478
6 dep-scan 710
7 purl-spec 620
8 bomber 454
9 cdxgen 453
10 chainloop 306
11 cyclonedx-maven-plugin 273
12 cyclonedx-gradle-plugin 140
13 SBOM Quality Score 132
14 sbomnix 97
15 parlay 96
16 scancode.io 88
17 cyclonedx-core-java 68
18 cyclonedx-bom-repo-server 64
19 bogrod 8
20 rebom 4
