Do you have the Software Bill of Materials (SBOM) for the open source project you are integrating into your application? Are you aware of the vulnerabilities you may be cascading to your users? The Log4j exploit and similar incidents have highlighted how widespread open source software is and how critical its security has become, to the extent that the Federal Trade Commission (FTC) urged U.S. organizations to patch the Log4Shell vulnerability immediately or risk punitive action from the agency. In May 2021, U.S. President Joe Biden signed Executive Order 14028 on improving the nation's cybersecurity, which directs suppliers of software to the federal government to provide an SBOM for their products.

An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships. SBOMs help improve software development, supply chain management, vulnerability management, asset management, procurement, and high assurance processes while reducing cost, security risk, license risk, and compliance risk. Having the SBOM for your software and its dependencies is a critical step in knowing how a vulnerability affects your users: the inventory tells you which components you ship, and the dependency relationships tell you which of your products transitively pull in the vulnerable one. Software Package Data Exchange (SPDX) is one of the two widely used formats for identifying software entities and conveying associated metadata, alongside CycloneDX. The kandi kit on Managing Software Bill Of Materials in OSS covers popular open source tools across the software supply chain's produce, transform, and consume steps and helps you manage your SBOM. Take your first step in securing your software and users, using open source.
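To make the two points above concrete (an SBOM is a machine-readable inventory with hierarchical relationships, and those relationships are what tell you who is affected by a vulnerable component), here is an added example, written for this kit and not code from kandi or from any of the projects listed below. It builds a minimal SPDX 2.3 JSON document with the standard library, runs a few structural checks on it, and walks the DEPENDS_ON graph backwards to find every package that ships a given vulnerable dependency. The application and library names, versions and the example.com namespace are constructed for illustration; only the SPDX field names, relationship types and the log4j-core purl are real.

```python
"""Build a small SPDX 2.3 SBOM and answer: which of my components ship a vulnerable package?
Added example for the kandi SBOM kit; the dependency tree below is constructed, not real."""
import hashlib
import json
from collections import deque

SPDX_NS = "https://example.com/sbom"  # constructed document namespace base


def spdx_id(name: str) -> str:
    # SPDX element identifiers must match SPDXRef-[A-Za-z0-9.-]+
    safe = "".join(c if c.isalnum() or c in ".-" else "-" for c in name)
    return f"SPDXRef-Package-{safe}"


def make_package(name, version, purl, license_id="NOASSERTION"):
    # Minimal package record: identity, version, license and a purl external reference
    return {
        "SPDXID": spdx_id(name),
        "name": name,
        "versionInfo": version,
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "licenseConcluded": license_id,
        "licenseDeclared": license_id,
        "copyrightText": "NOASSERTION",
        "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                          "referenceType": "purl",
                          "referenceLocator": purl}],
    }


def build_sbom(root, packages, depends_on):
    """root: name of the package the document DESCRIBES; packages: (name, version, purl, license)
    tuples; depends_on: (parent_name, child_name) edges expressed as DEPENDS_ON relationships."""
    rels = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": spdx_id(root)}]
    for parent, child in depends_on:
        rels.append({"spdxElementId": spdx_id(parent), "relationshipType": "DEPENDS_ON",
                     "relatedSpdxElement": spdx_id(child)})
    # documentNamespace must be a unique URI; derive a stable suffix from the root name
    suffix = hashlib.sha256(root.encode()).hexdigest()[:12]
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{root}-sbom",
        "documentNamespace": f"{SPDX_NS}/{root}-{suffix}",
        "creationInfo": {"created": "2023-01-01T00:00:00Z",
                         "creators": ["Tool: example-sbom-builder"]},
        "packages": [make_package(*p) for p in packages],
        "relationships": rels,
    }


def validate(sbom):
    """Cheap structural checks before handing the file to a real SPDX validator: unique SPDXIDs,
    no relationship pointing at an element that is not in the document, and a DESCRIBES edge."""
    problems = []
    ids = [p["SPDXID"] for p in sbom["packages"]]
    if len(ids) != len(set(ids)):
        problems.append("duplicate SPDXID")
    known = set(ids) | {sbom["SPDXID"]}
    described = False
    for r in sbom["relationships"]:
        for key in ("spdxElementId", "relatedSpdxElement"):
            if r[key] not in known:
                problems.append(f"dangling reference {r[key]}")
        if r["relationshipType"] == "DESCRIBES" and r["spdxElementId"] == sbom["SPDXID"]:
            described = True
    if not described:
        problems.append("document DESCRIBES nothing")
    return problems


def affected_by(sbom, purl):
    """Names of every package that is, or transitively DEPENDS_ON, the package with this purl."""
    by_id = {p["SPDXID"]: p for p in sbom["packages"]}
    reverse = {}  # child SPDXID -> list of parent SPDXIDs
    for r in sbom["relationships"]:
        if r["relationshipType"] == "DEPENDS_ON":
            reverse.setdefault(r["relatedSpdxElement"], []).append(r["spdxElementId"])
    hits = [p["SPDXID"] for p in sbom["packages"]
            if any(ref["referenceType"] == "purl" and ref["referenceLocator"] == purl
                   for ref in p.get("externalRefs", []))]
    seen, queue = set(hits), deque(hits)
    while queue:  # breadth-first walk up the dependency tree
        for parent in reverse.get(queue.popleft(), []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return sorted(by_id[i]["name"] for i in seen)


def to_json(sbom):
    return json.dumps(sbom, indent=2)


def example_sbom():
    # Constructed tree: myapp ships reporting-lib, which pulls in a Log4Shell-era log4j-core;
    # the web-framework branch is unaffected.
    packages = [
        ("myapp", "1.0.0", "pkg:maven/com.example/myapp@1.0.0"),
        ("web-framework", "3.2.0", "pkg:maven/com.example/web-framework@3.2.0", "Apache-2.0"),
        ("json-lib", "1.2.0", "pkg:maven/com.example/json-lib@1.2.0", "MIT"),
        ("reporting-lib", "0.9.0", "pkg:maven/com.example/reporting-lib@0.9.0", "BSD-2-Clause"),
        ("log4j-core", "2.14.1", "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "Apache-2.0"),
    ]
    edges = [("myapp", "web-framework"), ("myapp", "reporting-lib"),
             ("web-framework", "json-lib"), ("reporting-lib", "log4j-core")]
    return build_sbom("myapp", packages, edges)


if __name__ == "__main__":
    doc = example_sbom()
    print(to_json(doc))
    print("problems:", validate(doc))
    print("affected:", affected_by(doc, "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"))
```

The reverse walk is the part that matters operationally: a flat package list answers "do I ship log4j-core 2.14.1?", but only the DEPENDS_ON relationships answer "which of my products and which of their direct dependencies need a rebuild". Tools in this kit that produce SPDX (sbom-tool, bom, the spdx Maven plugin) emit the same packages and relationships arrays, so the same query runs unchanged over their output once the file is parsed with tools-python.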
scancode-toolkit by nexB
ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
Python | 1733 stars | Version: v32.0.4 | License: No License
ort by oss-review-toolkit
A suite of tools to assist with reviewing Open Source Software dependencies.
Kotlin | 1165 stars | Version: Current | License: Permissive (Apache-2.0)
tern by tern-tools
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
Python | 875 stars | Version: v2.12.0 | License: Permissive (BSD-2-Clause)
sbom-tool by microsoft
The SBOM tool is a highly scalable and enterprise-ready tool to create SPDX 2.2-compatible SBOMs for any variety of artifacts.
C# | 1116 stars | Version: v1.1.3 | License: Permissive (MIT)
fossology by fossology
FOSSology is an open source license compliance software system and toolkit. As a toolkit you can run license, copyright and export control scans from the command line. As a system, a database and web UI are provided to give you a compliance workflow. License, copyright and export scanners are tools used in the workflow.
PHP | 666 stars | Version: 4.3.0-rc1 | License: Strong Copyleft (GPL-2.0)
in-toto by in-toto
in-toto is a framework to protect supply chain integrity.
Python | 726 stars | Version: v2.0.0 | License: Others (Non-SPDX)
augur by chaoss
Python library and web service for Open Source Software Health and Sustainability metrics & data collection. You can find our documentation and new contributor information here: https://chaoss.github.io/augur/ and learn more about Augur at our website https://augurlabs.io
Python | 513 stars | Version: v0.50.3 | License: Permissive (MIT)
fosslight by fosslight
FOSSLight Hub: integrated management web service for the Open Source Compliance Process
Java | 130 stars | Version: v1.5.0 | License: Strong Copyleft (AGPL-3.0)
cyclonedx-cli by CycloneDX
CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
C# | 68 stars | Version: v0.24.0 | License: Permissive (Apache-2.0)
tools-python by spdx
A Python library to parse, validate and create SPDX documents.
Python | 122 stars | Version: v0.7.1 | License: Permissive (Apache-2.0)
bom by kubernetes-sigs
A utility to generate SPDX-compliant Bill of Materials manifests
Go | 239 stars | Version: v0.5.1 | License: Permissive (Apache-2.0)
spdx-online-tools by spdx
Source for the website providing online SPDX tools
JavaScript | 47 stars | Version: v1.1.0 | License: Permissive (Apache-2.0)
tools-java by spdx
SPDX Command Line Tools using the Spdx-Java-Library
Java | 35 stars | Version: v1.1.6 | License: Permissive (Apache-2.0)
spdx-maven-plugin by spdx
Plugin for supporting SPDX in a Maven build.
Java | 31 stars | Version: v0.6.4 | License: Permissive (Apache-2.0)
SParts by hyperledger-labs
The Software Parts (SParts) lab delivers a Sawtooth-based ledger that provides both accountability and access to the open source components used in the construction of a software part. A software part is any software component (e.g., library, application, container or an entire operating system runtime) that consists of anywhere between 0% and 100% open source.
Go | 11 stars | Version: Current | License: Permissive (Apache-2.0)
SBOM by CERTCC
Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
JavaScript | 9 stars | Version: Current | License: Permissive (MIT)
npm-spdx by swinslow
Golang tool to pull and summarize NPM license info
Go | 8 stars | Version: Current | License: Permissive (Apache-2.0)
quickscan by scanoss
SCANOSS Quickscan is a tool that demonstrates scanning source code against osskb.org. SCANOSS Quickscan scans source code against a knowledge base representing the entire OSS community. The results of the scan contain OSS matches (full file or snippet) of the scanned code against OSS components.
JavaScript | 5 stars | Version: v1.2.4 | License: Strong Copyleft (GPL-2.0)
spdx-build-tool by spdx
Support continuous integration (CI) generation of SPDX files by creating plugins or extensions for build tools. These plugins or extensions generate valid SPDX documents based on the build file metadata and source files. https://github.com/spdx/
Python | 3 stars | Version: Current | License: Others (Non-SPDX)