awesome-sbom

A curated list of SBOM (Software Bill Of Materials) related tools, frameworks, blogs, podcasts, and articles

What is SBOM (Software Bill Of Materials) ?

From Wikipedia:

A software bill of materials (SBOM) is a list of components in a piece of software. Software vendors often create products by assembling open source and commercial software components. The SBOM describes the components in a product. It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause an allergies, SBOMs can help companies avoid consumption of software that could harm their organization.

The concept of a BOM is well-established in traditional manufacturing as part of supply chain management. A manufacturer uses a BOM to track the parts it uses to create a product. If defects are later found in a specific part, the BOM makes it easy to locate affected products.

Contents

• 💼 Official Projects
  • 📂 Repositories
  • 🗒️ Docs
  • 📰 Blogs
• 🐾 Community Repositories
• 🗃️ Blogs and Articles
• 📹 Videos
• 📑 Slides
• 🎤 Podcasts
• :chart_with_upwards_trend: Benchmarks

Official projects

Articles and Blogs

• Wikipedia - Official Wikipedia Page
• NTIA - Official National Telecommunications and Information Administration Page
• What is an SBOM? - The Linux Foundation Article

Tools (and classification)

Repositories

• CycloneDX Specification
• CycloneDX BOM Examples
• CycloneDX/cyclonedx-maven-plugin
• spdx-sbom-generator
• tern-tools/tern
• anchore/syft
• dlorenc/sbom-oci
• Cosign SBOM Spec
• microsoft/sbom-tool
• SwiftBOM - generate SBOMs
• Kubernetes SBOM Tool
• Aqua Trivy
• bomber
  • Snyk provider
• Snyk SBOM API and CLI
• Snyk SBOM Checker
• Interlynk SBOM Assembler
• Interlynk SBOM Quality Score
• Interlynk SBOM Grep
• Interlynk SBOM Find and Pull

CycloneDX

• CycloneDX Capabilities
• CycloneDX Use Cases and Examples
• CycloneDX Tool Center
• Specification Overview

SPDX

• The Software Package Data Exchange® (SPDX®)
• ISO/IEC 5962 - SPDX® Specification
• ISO/IEC 5230:2020 - OpenChain Specification
• SPDX Spec
• SPDX: It’s Already in Use for Global Software Bill of Materials (SBOM)

Community Repositories

• SBOM-Operator for Kubernetes

Security Tools

• bomber - bomber is an application that scans SBoMs for security vulnerabilities.

Articles and Blogs

• Software Bill Of Materials: Formats, Use Cases, and Tools
• Software Bill of Materials Required by 2021 Cyber Security Executive Order
• The world needs a software bill of materials
• What is a software bill of materials?
• Easily and Quickly Build an Accurate Open Source Inventory
• Create a Cybersecurity Bill of Materials
• What is an SBOM, and why should you Care??
• Are you ready with your SBOM ? Think again !
• Nisha Kumar and Allan Friedman - RSAC DevOps connect keynote
• Rose Judge on using Tern to generate a SBoM for containers
• Creating a Software Supply Chain Landscape
• Analysis of a spdx-sbom-generator generated SBOM
• Creating an SBOM for a golang app using spdx-sbom-generator
• Analysis of a cyclonedx-gomod generated SBOM
• Creating an SBOM for a golang app using cyclonedx-gomod
• What an SBOM Can Do for You
• BOM 101 – All the questions you were afraid to ask Software Bill of Materials
• How to create SBOMs in Java with Maven and Gradle - Snyk blog
• Comparing SBOM Standards: SPDX vs. CycloneDX
• Top 10 Things You Should Know About Using SBOM to Secure Industrial IoT Devices - Red Alert Labs

Videos

• Mentorship Session: Generating Software Bill Of Materials
• Software Bill of Materials: How to generate an SBOM from container images using Syft
• SwiftBOM - generate SBOMs for PoC efforts and demos
• Kubernetes Atlanta Meetup - Nov 2021 - SBOMs Container Signing and Verification, Intro to Gatekeeper
• FOSDEM 2023 - The 7 key ingredients of a great SBOM

Slides

• Software Bill of Materials Presentation

Podcasts

• DaBOM Podcast

Benchmarks

• SBOM Benchmark Quickly evaluate SBOM for quality, compliance and errors.