Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality. Learn more →
Top 23 sbom Open-Source Projects
-
syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
-
Retire.js
scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
dependency-track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
-
scancode-toolkit
:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!
-
-
sbom-tool
The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
-
lunasec
LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
kubeclarity
KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems
-
-
cve-bin-tool
The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
-
tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more. (by tern-tools)
-
dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
-
purl-spec
A minimal specification for purl aka. a package "mostly universal" URL, join the discussion at https://gitter.im/package-url/Lobby
-
-
-
-
cdxgen
Creates CycloneDX Software Bill of Materials (SBOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962
-
awesome-sbom
A curated list of SBOM (Software Bill Of Materials) related tools, frameworks, blogs, podcasts, and articles
-
-
xeol
A scanner for end-of-life (EOL) software and dependencies in container images, filesystems, and SBOMs
-
chainloop
Chainloop is an Open Source Metadata Vault for your Software Supply Chain metadata, SBOMs, VEX, SARIF files, QA reports, and more.
-
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
Project mention: An Overview of Kubernetes Security Projects at KubeCon Europe 2023 | dev.to | 2023-05-22Syft is a popular open source CLI tool created by Anchore for generating an SBOM from container images and filesystems. It’s designed to provide a catalog of dependencies for other tools to use as a data source. It supports many popular programming languages, package managers, and container image formats.
Retire.js
Project mention: Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub | news.ycombinator.com | 2024-04-21I've become interested in SBOM recently, and found there were great tools like https://dependencytrack.org/ for CycloneDX SBOMs, but all I have is SPDX SBOMs generated by GitHub.
I decided to have a go at writing my own dependency track esque tool aiming to integrate with the APIs GitHub provides.
It's pretty limited in functionality so far, but can give a high level summary of the types of licenses your repository dependencies use, and let you drill down into potentially problematic ones.
Written in NextJS + mui + sqlite, and using another project of mine to generate most of the API boilerplate/glue (https://github.com/mnahkies/openapi-code-generator)
Project mention: ScanCode: Scan license and packages, dependencies and origin information | news.ycombinator.com | 2023-08-11
Project mention: Building Secure Docker Images for Production - Best Practices | dev.to | 2023-06-30In the following steps, we use a local Kubernetes cluster (such as kind) to test the image. With the cluster up and running, let's install some tooling to help us with image scanning. In this case, we're using KubeClarity. Follow the installation instructions in the README to install it into your development cluster.
Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05Depscan v5 is the first opensource SCA tool that can perform precision reachability analysis for Java, JavaScript/TypeScript, and Python applications to triage and prioritize the results. We invented an automatic symbols tagger, a lightweight data-flow analyzer, and a static slicer to compute all reachable flows with or without vulnerabilities. We open-sourced all our work, including the specification.
Further we use cargo-auditable and cargo-audit as part of both our pipeline and regular scanning of all deployed services. This makes our InfoSec and Legal super happy since it means they can also monitor compliance with licenses and patch/update timings.
use https://github.com/sandworm-hq/sandworm-audit. if u run it for your app the deprecated libraries will show up in the list of issues found (contributor)
Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05Today, it gives me great pleasure to announce OWASP dep-scan v5. Like everyone, I was constantly frustrated with the amount of false positives generated by all Software Composition Analysis tools (including mine) and wanted to do something. I worked closely with a few colleagues (Caroline, Tim, Saket, and David) for a year to build the various capabilities that together form depscan v5.
Something like Meta Package Manager? https://github.com/kdeldycke/meta-package-manager
Project mention: Releasing AGPL3 project: SPDX vs full notice text and other questions | /r/gnu | 2023-06-01The SPDX header is due to a project called REUSE, which is spearheaded by the FSF Europe. You can read more about the project here. Basically you just have to add the copyright header in the format
Project mention: Choosing the “old stuff” as plugin SDK for Go in 2023 | news.ycombinator.com | 2023-07-06
NOTE:
The open source projects on this list are ordered by number of github stars.
The number of mentions indicates repo mentiontions in the last 12 Months or
since we started tracking (Dec 2020).
sbom related posts
- Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone
- Security starts before the production deployment
- An Intro to SBOMs
- How good is the sbom that was generated for your product.
- cdxgen
- Go, SBOM and DependencyTrack
- Do you SecDevOps?
-
A note from our sponsor - InfluxDB
www.influxdata.com | 29 Apr 2024
Index
What are some of the best open-source sbom projects? This list will help you:
| Project | Stars | |
|---|---|---|
| 1 | syft | 5,451 |
| 2 | Retire.js | 3,517 |
| 3 | dependency-track | 2,329 |
| 4 | scancode-toolkit | 1,972 |
| 5 | ort | 1,475 |
| 6 | sbom-tool | 1,438 |
| 7 | lunasec | 1,406 |
| 8 | kubeclarity | 1,257 |
| 9 | zarf | 1,185 |
| 10 | cve-bin-tool | 1,071 |
| 11 | tern | 932 |
| 12 | dep-scan | 699 |
| 13 | purl-spec | 613 |
| 14 | cargo-auditable | 547 |
| 15 | sandworm-audit | 462 |
| 16 | bomber | 453 |
| 17 | cdxgen | 448 |
| 18 | meta-package-manager | 439 |
| 19 | awesome-sbom | 419 |
| 20 | reuse-tool | 345 |
| 21 | xeol | 319 |
| 22 | chainloop | 305 |
| 23 | bom | 297 |
Sponsored
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com