diff --git a/sbom.md b/sbom.md index 35f5ccd..b31e24b 100644 --- a/sbom.md +++ b/sbom.md @@ -31,6 +31,7 @@ - Successful deployment and execution of SBOM tools in our Azure DevOps environment. - Demos conducted for at least 3 shortlisted SBOM solutions. + 3. Pipeline Templates: - Creation of reusable pipeline templates for SBOM generation in Azure DevOps. @@ -78,3 +79,12 @@ Most used from this list: https://spdx.dev/use/spdx-tools/ | [SBOM Observer](https://sbom.observer) | | Proprietary | €49/user/month, €69/user/month, Custom | | [SOOS](https://soos.io) | | Proprietary | $0/month, $90/month, Custom | +## Testing & Evaluation + +| Name and Link | Result | +| ------------- | ------ | +| [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool) | Simple and easy to install and use. Very good result. Every package recognized including licenses and vulnerabilities information. With [SBOM Tool Azure DevOps Extension](https://marketplace.visualstudio.com/items?itemName=rhyskoedijk.sbom-tool) very nice graphical processing what is directly integradted in pipline log. | +| [Syft](https://github.com/anchore/syft) | Simple and easy to install and use. Poor result. Packages not recognized but binaries. Multiple duplicates. Difficult to evaluate the result. No license information. No graphical processing provided. | +| [ScanCode Toolkit](https://github.com/nexB/scancode-toolkit) | Simple and easy to install and use. Poor result. Packages not recognized but binaries. No licenses and vulnerabilities information. Difficult to evaluate the result. Graphical processing provided with external tool. | + +Further tests are therefore carried out with [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool).
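Review bot: in the first hunk (around line 31), the added `3. Pipeline Templates:` heading lands directly under the `- Demos conducted for at least 3 shortlisted SBOM solutions.` bullet of the previous group; put a blank line above it, and confirm the groups before it use the same `N. Title:` form (the hunk context does not show them), so Markdown renders it as a new numbered heading instead of a continuation of the preceding bullet list.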
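Review bot: the results table in the new `## Testing & Evaluation` section (second hunk, around line 79) does not record what was scanned or how. Name the repository or build output, the tool versions and the exact command line for each of the three runs; otherwise `Poor result. Packages not recognized but binaries.` for Syft and ScanCode cannot be reproduced or re-checked after a tool update, and the closing sentence `Further tests are therefore carried out with Microsoft's SBOM Tool` rests on a comparison nobody can repeat. In the sbom-tool row, state whether the "vulnerabilities information" came from sbom-tool's own output or from the SBOM Tool Azure DevOps Extension, since that row credits the extension only with the graphical rendering in the pipeline log. Since every row already follows the same sequence (install/usage, package detection, license data, vulnerability data, visualisation), consider splitting the single `Result` column into those columns so the tools can be compared at a glance. Also fix the typos in the sbom-tool row ("integradted" -> "integrated", "pipline" -> "pipeline") and add a blank line between the `| [SOOS](https://soos.io) |` row and the `## Testing & Evaluation` heading so the pricing table is closed before the new section starts.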