
5 Tools to Automate SBOM Creation


If you search for “How to Automate SBOM Creation” you’ll find a huge number of results. As a software engineer, I personally get frustrated by those results almost instantly. Instead of telling me how to automate the creation of my SBOM, most of them spend half the article telling me why I should automate my SBOM creation. Then the article might close with some select examples or concepts to consider while I’m working. I’m going to skip most of that, since I know you can find it easily enough. I did find one good article here, but I want to do this a bit differently by focusing just on tools you can actually use in your CI pipeline for free right now.

In this article, we’ll look at five different real-world tools that you can pull down and try as soon as you like. It doesn’t matter which of these you use, as long as you use something. Don’t procrastinate any longer… Just pick one, crack open the docs, and get started!

These tools produce either or both of the common SBOM formats: SPDX and CycloneDX. You’ll need to consider which is best for your use. In a future article I will show you how to convert between the two, so don’t feel like you’re marrying one when you set up your tooling today.

1. CycloneDX Maven Plugin

“The CycloneDX Maven plugin generates CycloneDX Software Bill of Materials (SBOM) containing the aggregate of all direct and transitive dependencies of a project. CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.” – https://github.com/CycloneDX/cyclonedx-maven-plugin

Java only. This plugin can create SBOMs for modules, packages, or be run against the root of a project to create (Read more...)
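The following pom.xml fragment is an added example of wiring the plugin into a normal build so that every CI run of `mvn package` emits an aggregate CycloneDX BOM; it is not code from the original post or from the plugin's repository. The plugin version is a placeholder, and the `includeTestScope`, `outputFormat`, `outputName` and `schemaVersion` parameters are used here as I recall them from the plugin's documentation, so confirm them against the README for the release you pin.

```xml
<!-- Added example: bind the CycloneDX Maven plugin to the package phase
     so the SBOM is produced by the same build that produces the artifact. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <!-- PLACEHOLDER: pin to a specific release; never use a floating version
           for a tool whose output you intend to trust as an inventory. -->
      <version>X.Y.Z</version>
      <executions>
        <execution>
          <id>generate-sbom</id>
          <phase>package</phase>
          <goals>
            <!-- makeAggregateBom walks the whole reactor, so a multi-module
                 project yields one BOM covering all direct and transitive
                 dependencies rather than one file per module. -->
            <goal>makeAggregateBom</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- Assumed parameter names (see lead-in). Test-scoped dependencies
             are not shipped, so leaving them out keeps the BOM an honest
             picture of what actually runs in production. -->
        <includeTestScope>false</includeTestScope>
        <outputFormat>json</outputFormat>
        <outputName>bom</outputName>
        <schemaVersion>1.4</schemaVersion>
      </configuration>
    </plugin>
  </plugins>
</build>
```

With this in place the BOM lands under `target/` alongside the built artifact, so the CI job can archive `target/bom.json` with the release and diff it against the previous build to spot dependencies that appeared without a matching code change.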

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Eddie Knight. Read the original post at: https://blog.sonatype.com/5-tools-to-automate-sbom-creation