Top 8 software-bill-of-material Open-Source Projects
-
cdxgen
Creates CycloneDX Software Bill of Materials (SBOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962
-
awesome-sbom
A curated list of SBOM (Software Bill Of Materials) related tools, frameworks, blogs, podcasts, and articles
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05Today, it gives me great pleasure to announce OWASP dep-scan v5. Like everyone, I was constantly frustrated with the amount of false positives generated by all Software Composition Analysis tools (including mine) and wanted to do something. I worked closely with a few colleagues (Caroline, Tim, Saket, and David) for a year to build the various capabilities that together form depscan v5.
As others have already commented:
The US government has added SBOMs to a proposed rule to update the Federal Acquisition Regulation. So if you want to sell to the US Government you'll have to provide SBOMs: https://www.federalregister.gov/documents/2023/10/03/2023-21...
Lots of large companies require SBOMs from their supplier.
In the EU we will get the Cyber Resilience Act which will make them mandatory as well in certain cases: https://data.consilium.europa.eu/doc/document/ST-12536-2023-...
And yes, there's bascially two technical standards to provide them: SPDX and CycloneDX: https://cyclonedx.org/
Project mention: An Overview of Kubernetes Security Projects at KubeCon Europe 2023 | dev.to | 2023-05-22CycloneDx-gomod
Project mention: Wolfi: A community Linux OS designed for the container and cloud-native era | news.ycombinator.com | 2023-06-27I'm not sure what you mean by "non-trivial" but here's a simple discord bot I wrote in python, that I distribute as an OCI image and that is built with Nix for both x86_64 and aarch64 linux via GitHub actions: https://github.com/starcraft66/attention-attention
There is no SBOM because I didn't bother publishing one but the way Nix builds derivations, you basically get the SBOM for free. You could use a tool like sbomnix[1] to trivially generate an SPDX-format SBOM from the nix derivation that builds the container image.
1: https://github.com/tiiuae/sbomnix
Project mention: Dependency inventory / dashboard for multiple maven projects | /r/java | 2023-06-08
software-bill-of-materials related posts
Index
What are some of the best open-source software-bill-of-material projects? This list will help you:
Project | Stars | |
---|---|---|
1 | cdxgen | 448 |
2 | awesome-sbom | 419 |
3 | cyclonedx-maven-plugin | 273 |
4 | cyclonedx-gradle-plugin | 139 |
5 | cyclonedx-gomod | 124 |
6 | sbomnix | 97 |
7 | cyclonedx-core-java | 68 |
8 | cyclonedx-bom-repo-server | 64 |
Sponsored