Top 9 sbom-generator Open-Source Projects
- Retire.js: Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
- sbom-tool: The SBOM tool is a highly scalable and enterprise-ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
- lunasec: LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/
- awesome-sbom: A curated list of SBOM (Software Bill Of Materials) related tools, frameworks, blogs, podcasts, and articles
Retire.js
As others have already commented:
The US government has added SBOMs to a proposed rule to update the Federal Acquisition Regulation. So if you want to sell to the US Government you'll have to provide SBOMs: https://www.federalregister.gov/documents/2023/10/03/2023-21...
Lots of large companies require SBOMs from their supplier.
In the EU we will get the Cyber Resilience Act which will make them mandatory as well in certain cases: https://data.consilium.europa.eu/doc/document/ST-12536-2023-...
And yes, there are basically two technical standards to provide them: SPDX and CycloneDX: https://cyclonedx.org/
Project mention: An Overview of Kubernetes Security Projects at KubeCon Europe 2023 | dev.to | 2023-05-22
CycloneDx-gomod
Project mention: Wolfi: A community Linux OS designed for the container and cloud-native era | news.ycombinator.com | 2023-06-27
I'm not sure what you mean by "non-trivial" but here's a simple discord bot I wrote in python, that I distribute as an OCI image and that is built with Nix for both x86_64 and aarch64 linux via GitHub actions: https://github.com/starcraft66/attention-attention
There is no SBOM because I didn't bother publishing one but the way Nix builds derivations, you basically get the SBOM for free. You could use a tool like sbomnix[1] to trivially generate an SPDX-format SBOM from the nix derivation that builds the container image.
1: https://github.com/tiiuae/sbomnix
sbom-generator related posts
- An Intro to SBOMs
- Do you SecDevOps?
- SBOM management
- Renovate, a Dependabot alternative
- SBOM Tool
- sbom-tool: The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
Index
What are some of the best open-source sbom-generator projects? This list will help you:
Rank | Project | Stars
---|---|---
1 | Retire.js | 3,508
2 | ort | 1,475
3 | sbom-tool | 1,438
4 | lunasec | 1,406
5 | awesome-sbom | 416
6 | cyclonedx-maven-plugin | 273
7 | cyclonedx-gradle-plugin | 138
8 | cyclonedx-gomod | 124
9 | sbomnix | 97