Managing Software Bill Of Materials in OSS
by Ashok Balasubramanian Updated: Jul 25, 2022
Do you have the Software Bill of Materials (SBOM) for the open source project you are integrating into your application? Are you aware of potential vulnerabilities that you may be cascading to your users? The Log4j exploit and similar incidents have highlighted the spread and criticality of open source software and its security, to the extent that the Federal Trade Commission (FTC) urged U.S. organizations to patch the Log4Shell vulnerability immediately or risk facing punitive action from the agency. This year U.S. President Joe Biden signed an executive order on improving cybersecurity defenses. An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships. SBOMs help improve software development, supply chain management, vulnerability management, asset management, procurement, and high assurance processes while reducing cost, security risk, license risk, and compliance risk. Having the SBOM for your software and its dependencies is a critical step in knowing how vulnerabilities affect your users. Software Package Data Exchange (SPDX) is the most widely used format for identifying software entities and conveying associated metadata. The kandi kit on Managing Software Bill Of Materials in OSS covers popular open source tools across the software supply chain's transform, produce, and consume steps and helps you manage your SBOM. Take your first step in securing your software and users, using open source.
ScanCode detects licenses, copyrights, and dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by the NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
Python 1717 Version:v32.0.0 License: No License
A suite of tools to assist with reviewing Open Source Software dependencies.
Kotlin 1155 Version:Current License: Permissive (Apache-2.0)
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
Python 834 Version:v2.11.0 License: Permissive (BSD-2-Clause)
The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
C# 1104 Version:v1.1.2 License: Permissive (MIT)
FOSSology is an open source license compliance software system and toolkit. As a toolkit you can run license, copyright and export control scans from the command line. As a system, a database and web ui are provided to give you a compliance workflow. License, copyright and export scanners are tools used in the workflow.
PHP 667 Version:4.3.0-rc1 License: Strong Copyleft (GPL-2.0)
in-toto is a framework to protect supply chain integrity.
Python 723 Version:v2.0.0 License: Others (Non-SPDX)
Python library and web service for Open Source Software Health and Sustainability metrics & data collection. You can find our documentation and new contributor information easily here: https://chaoss.github.io/augur/ and learn more about Augur at our website https://augurlabs.io
Python 510 Version:v0.50.2 License: Permissive (MIT)
FOSSLight Hub: Integrated management web service for the Open Source Compliance Process
Java 122 Version:v1.5.0 License: Strong Copyleft (AGPL-3.0)
CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
C# 68 Version:v0.24.0 License: Permissive (Apache-2.0)
A Python library to parse, validate and create SPDX documents.
Python 118 Version:v0.7.1 License: Permissive (Apache-2.0)
A utility to generate SPDX-compliant Bill of Materials manifests
Go 236 Version:v0.5.1 License: Permissive (Apache-2.0)
Source for the website providing online SPDX tools
SPDX Command Line Tools using the Spdx-Java-Library
Java 35 Version:v1.1.6 License: Permissive (Apache-2.0)
Plugin for supporting SPDX in a Maven build.
Java 31 Version:v0.6.4 License: Permissive (Apache-2.0)
The Software Parts (SParts) lab delivers a Sawtooth-based ledger that provides both accountability and access to the open source components used in the construction of a software part. A software part is any software component (e.g., library, application, container or an entire operating system runtime) that is comprised of between 0% and 100% open source.
Go 11 Version:Current License: Permissive (Apache-2.0)
Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
Golang tool to pull and summarize NPM license info
Go 8 Version:Current License: Permissive (Apache-2.0)
SCANOSS Quickscan is a tool that demonstrates scanning source code against osskb.org. SCANOSS Quickscan scans source code against a knowledge base representing the entire OSS community. The results of the scan contain OSS matches (full file or snippet) of the scanned code against OSS components.
Support continuous integration (CI) generation of SPDX files by creating plugins or extensions for build tools. These plugins or extensions will generate valid SPDX documents based on the build file metadata and source files. https://github.com/spdx/
Python 3 Version:Current License: Others (Non-SPDX)