awesomeSBOM / awesome-sbom

A curated list of SBOM (Software Bill Of Materials) related tools, frameworks, blogs, podcasts, and articles

Q: What's the best way to get insights from the SBOMs in your company? #39

Open artemptushkin opened 1 week ago

artemptushkin commented 1 week ago

There is a concept of SBOM that is implemented with different standards, and one of them, CycloneDX, looks the most popular these days.

There is a repository of all the SBOM-related tools and links.

Let's say I have many services that expose their SBOM at /actuator/sbom/application or they push to an arbitrary repository.

I want a tool/platform where I can provide insights and statistics regarding dependencies usage company-wide, for example, which Spring Boot version is used mostly or any other library.

What could I use these days? I went through the tools on that awesome page and I cannot find anything related.

I wonder how others get global dependencies insights.

This is a copy of my SOF question.

anthonyharrison commented 1 week ago

What you need is a tool which ingests SBOMs of either format (SPDX and CycloneDX) and then starts analysing the SBOMs to look at all of the components. I might be developing such a tool :-). Of course the big challenge is that many of the SBOM generators (I won't name names...) don't have enough information to allow for this to be reliably done.
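The question above asks for company-wide dependency statistics from many services' SBOMs, and the reply describes a tool that ingests both SPDX and CycloneDX and analyses their components. The script below is an added example, not code from this repository or from either commenter: it parses minimal CycloneDX JSON and SPDX JSON documents into a common component list, keys components by their package URL (purl) so the same library is recognised across formats, and tallies which version of a library each service uses. The three SBOMs and the service names are constructed sample data; one of them deliberately omits a version, which is the generator weakness the reply mentions, and is reported as "unknown" rather than silently dropped.

```python
import json
from collections import Counter

# Constructed sample SBOMs for three hypothetical services (not real data).
# Two are CycloneDX 1.5 JSON, one is SPDX 2.3 JSON.
SAMPLE_SBOMS = {
    "orders-service": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": [
            {"type": "library", "group": "org.springframework.boot", "name": "spring-boot",
             "version": "3.2.1", "purl": "pkg:maven/org.springframework.boot/spring-boot@3.2.1"},
            {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
             "version": "2.16.1", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.16.1"},
        ],
    }),
    "billing-service": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": [
            {"type": "library", "group": "org.springframework.boot", "name": "spring-boot",
             "version": "3.2.1", "purl": "pkg:maven/org.springframework.boot/spring-boot@3.2.1"},
            {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
             "version": "2.15.3", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3"},
        ],
    }),
    "legacy-reports": json.dumps({
        "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "legacy-reports",
        "packages": [
            {"name": "spring-boot", "SPDXID": "SPDXRef-Package-spring-boot", "versionInfo": "2.7.18",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:maven/org.springframework.boot/spring-boot@2.7.18"}]},
            # This generator emitted no version at all: the purl has no "@version" and
            # versionInfo is absent. The report must surface this gap, not hide it.
            {"name": "jackson-databind", "SPDXID": "SPDXRef-Package-jackson-databind",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind"}]},
        ],
    }),
}


def parse_sbom(text):
    """Return a list of {name, version, purl} dicts from a CycloneDX or SPDX JSON document."""
    doc = json.loads(text)
    components = []
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            name = f"{c['group']}:{c['name']}" if c.get("group") else c["name"]
            components.append({"name": name, "version": c.get("version"), "purl": c.get("purl")})
    elif "spdxVersion" in doc:
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            components.append({"name": p["name"], "version": p.get("versionInfo"), "purl": purl})
    else:
        raise ValueError("unrecognised SBOM format: expected CycloneDX or SPDX JSON")
    return components


def component_key(component):
    """Version-independent identity: the purl with version, qualifiers and subpath stripped,
    falling back to the bare name when the generator emitted no purl."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0].split("?", 1)[0].split("#", 1)[0]
    return component["name"]


def version_distribution(sboms, key):
    """Count how many services use each version of the component identified by `key`.
    A missing version is reported under 'unknown' so data gaps stay visible."""
    distribution = Counter()
    for text in sboms.values():
        versions = {c.get("version") or "unknown" for c in parse_sbom(text) if component_key(c) == key}
        for v in versions:  # a service counts at most once per version
            distribution[v] += 1
    return distribution


def most_used_components(sboms, n=5):
    """Rank components by the number of services that ship them."""
    usage = Counter()
    for text in sboms.values():
        usage.update({component_key(c) for c in parse_sbom(text)})
    return usage.most_common(n)


if __name__ == "__main__":
    for key, count in most_used_components(SAMPLE_SBOMS):
        print(f"{count} service(s) use {key}: {dict(version_distribution(SAMPLE_SBOMS, key))}")
```

In practice the `SAMPLE_SBOMS` mapping would be filled by fetching each service's SBOM endpoint or reading the files pushed to the repository; everything after that point is the same. Keying on the purl rather than the display name is what lets a CycloneDX `group`/`name` pair and an SPDX package with a purl external reference land in the same bucket.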

artemptushkin commented 1 week ago

@anthonyharrison ah, good to know; it would be helpful to let us know here if you have one ready.