CERTCC / SBOM

Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
MIT License

SBOM

A "Software Bill of Materials" (SBOM) is effectively a nested inventory: a list of the ingredients that make up a piece of software, where each component may itself contain further components. You can learn more about SBOM at https://www.ntia.gov/sbom. The NTIA website also links to several community-developed documents.

SwiftBOM, the SBOM generator tool in this repository, is part of CERT's work in supporting SBOM generation efforts for proof-of-concept and demo purposes. The tool is currently being explored by Healthcare Proof of Concept teams for their PoC efforts.

SwiftBOM includes a live demo that you can run to see the SBOM generation supported by the tool. The tool also has limited import capability: it can accept an SBOM as input and produce output in multiple formats.

SBOM Formats

SwiftBOM currently generates SBOMs in the SPDX, CycloneDX and SWID formats. SwiftBOM also generates a tree graph, downloadable as a PNG file, to quickly visualize the relationships between the components in an SBOM. Currently the tool uses CONTAINS as the default relationship type (see [SWID Relationships](https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/#71-relationship)). A generated SBOM in any of the three formats is currently a standalone document and does not support external relationships.
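To make the "nested inventory" model and the CONTAINS-only, standalone-document behaviour described above concrete, here is an added example (not SwiftBOM's own code) that walks a constructed component tree, emits SPDX tag-value relationships and a minimal CycloneDX 1.4 JSON document, and checks that every relationship resolves inside the document. The identifier scheme `SPDXRef-<name>-<version>` and the sample inventory are assumptions made for this example.

```python
import json

# Constructed sample inventory (not from SwiftBOM): each component lists the
# components it contains, giving the nested list of ingredients an SBOM models.
INVENTORY = {
    "name": "device-firmware", "version": "2.1.0", "contains": [
        {"name": "openssl", "version": "1.1.1k", "contains": []},
        {"name": "rtos-kernel", "version": "4.2", "contains": [
            {"name": "tcp-ip-stack", "version": "3.0", "contains": []},
        ]},
    ],
}

def spdx_ref(c):
    """Assumed identifier scheme: SPDXRef-<name>-<version> (letters, digits, '.', '-')."""
    return f"SPDXRef-{c['name']}-{c['version']}"

def walk(c):
    """Pre-order traversal of the nested inventory."""
    yield c
    for child in c["contains"]:
        yield from walk(child)

def spdx_relationships(root):
    """SPDX tag-value relationship lines, using CONTAINS as the only relationship type."""
    lines = [f"Relationship: SPDXRef-DOCUMENT DESCRIBES {spdx_ref(root)}"]
    for c in walk(root):
        for child in c["contains"]:
            lines.append(f"Relationship: {spdx_ref(c)} CONTAINS {spdx_ref(child)}")
    return lines

def cyclonedx_doc(root):
    """Minimal CycloneDX 1.4 JSON: a flat components list plus a dependencies graph."""
    comps = [{"type": "library", "bom-ref": spdx_ref(c), "name": c["name"],
              "version": c["version"]} for c in walk(root)]
    deps = [{"ref": spdx_ref(c), "dependsOn": [spdx_ref(x) for x in c["contains"]]}
            for c in walk(root)]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": comps, "dependencies": deps}

def is_standalone(doc):
    """True when every dependency ref resolves to a component defined in this document."""
    defined = {c["bom-ref"] for c in doc["components"]}
    return all(d["ref"] in defined and set(d["dependsOn"]) <= defined
               for d in doc["dependencies"])

if __name__ == "__main__":
    print("\n".join(spdx_relationships(INVENTORY)))
    print(json.dumps(cyclonedx_doc(INVENTORY), indent=2))
    print("standalone:", is_standalone(cyclonedx_doc(INVENTORY)))
```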