From 7f46aa2a70026fe81a8b031aa7b01493d60054a1 Mon Sep 17 00:00:00 2001
From: Christian Fravi <christian.fravi@xwr.ch>
Date: Tue, 14 Jan 2025 16:36:28 +0100
Subject: [PATCH] update: Key features added.

---
 sbom.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/sbom.md b/sbom.md
index daaffe4..3dbd857 100644
--- a/sbom.md
+++ b/sbom.md
@@ -78,3 +78,32 @@ Most used from this list: https://spdx.dev/use/spdx-tools/
 | [Snyk](https://snyk.io) | `tbd` | Proprietary | Unknown |
 | [SBOM Observer](https://sbom.observer) | `tbd` | Proprietary | 49 EUR/user/month, 69 EUR/user/month, Custom |
 | [SOOS](https://soos.io) | `tbd` | Proprietary | $0/month, $90/month, Custom |
+
+
+| Name and Link | Key Features | License | Approx Costs |
+| ------------- | ------------ | ------- | ------------ |
+| [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool) | <ul><li>**SBOM Generation**: Scans source folders for dependencies and generates SBOMs.</li><li>**CI/CD Integration**: Seamless integration with GitHub Actions and Azure DevOps.</li><li>**Validation**: Validates SBOMs and redacts sensitive data.</li></ul> | MIT | Open Source |
+| [Syft](https://github.com/anchore/syft) | <ul><li>**SBOM Creation**: Builds SBOMs for containers, files, and cloud artifacts.</li><li>**Multiple Formats**: Supports SPDX and CycloneDX.</li><li>**Ecosystem Integration**: Compatible with Anchore's other tools for security analysis.</li></ul> | Apache-2.0 | Open Source |
+| [ScanCode Toolkit](https://github.com/nexB/scancode-toolkit) | <ul><li>**License Detection**: Scans for open-source licenses and copyrights.</li><li>**Component Identification**: Identifies components, vulnerabilities, and origin data.</li><li>**Customizable**: Extensible with plugins and tailored scanning options. | Apache-2.0 | Open Source |
+| [SCANOSS](https://www.scanoss.com) | <ul><li>**Real-Time Scanning**: Detects open-source components during development.</li><li>**Comprehensive Detection**: Uses an extensive database for accurate results.</li><li>**APIs for Integration**: Offers APIs for workflow integration.</li></ul> | Proprietary | Free, $35K/year, Custom |
+| [Vigilant Ops](https://www.vigilant-ops.com) | <ul><li>**SBOM Management**: Manages and tracks SBOMs for transparency.</li><li>**Vulnerability Analysis**: Identifies risks in software components.</li><li>**Compliance Tools**: Ensures adherence to industry standards.</li></ul> | Proprietary | Unknown |
+| [Threatrix](https://threatrix.io) | <ul><li>**SCA Analysis**: Monitors and analyzes software components.</li><li>**Real-Time Updates**: Detects emerging vulnerabilities.</li><li>**Detailed Reporting**: Helps manage security and compliance risks.</li></ul> | Proprietary | Unknown |
+| [Black Duck](https://www.blackduck.com) | <ul><li>**Component Insights**: Tracks open-source licenses and vulnerabilities.</li><li>**Policy Automation**: Creates and enforces usage policies.</li><li>**Continuous Monitoring**: Monitors for new threats and compliance issues.</li></ul> | Proprietary | Unknown |
+| [OSS Review Toolkit](https://oss-review-toolkit.org) | <ul><li>**Dependency Scanning**: Automates open-source dependency analysis.</li><li>**Policy Evaluation**: Ensures compliance with organizational policies.</li><li>**CI/CD Integration**: Fits into existing pipelines.</li></ul> | Apache-2.0 | Open Source |
+| [Manifest](https://www.manifestcyber.com) | <ul><li>**SBOM Tools**: Manages and generates SBOMs for software.</li><li>**Vulnerability Scans**: Identifies risks in the supply chain.</li><li>**Compliance Support**: Helps meet regulatory standards.</li></ul> | Proprietary | Unknown |
+| [Lib4SBOM](https://github.com/anthonyharrison/lib4sbom) | <ul><li>**Library for SBOMs**: Simplifies SBOM creation in various formats.</li><li>**Standard Support**: Compatible with SPDX and CycloneDX.</li><li>**Development Friendly**: Easy integration with workflows.</li></ul> | Apache-2.0 | Open Source |
+| [GUAC](https://guac.sh) | <ul><li>**SBOM Aggregation**: Consolidates SBOMs into a unified graph.</li><li>**Provenance Tracking**: Tracks the origin of software components.</li><li>**Querying**: Provides deep insights into dependencies.</li></ul> | Apache-2.0 | Open Source |
+| [FOSSology](https://www.fossology.org) | <ul><li>**License Scanning**: Detects and analyzes software licenses.</li><li>**Metadata Extraction**: Extracts copyright and component details.</li><li>**Custom Workflows**: Supports flexible compliance processes.</li></ul> | GPL-2.0 / LGPL-2.1 | Open Source |
+| [DISTRO2SBOM](https://github.com/anthonyharrison/distro2sbom) | <ul><li>**Distribution Focused**: Creates SBOMs for Linux distributions.</li><li>**Comprehensive Scans**: Analyzes all installed packages.</li><li>**Standards Compatible**: Supports SPDX and CycloneDX formats.</li></ul> | Apache-2.0 | Open Source |
+| [CycloneDX](https://github.com/CycloneDX) | <ul><li>**SBOM Standard**: Defines a standardized SBOM format.</li><li>**Extensive Tooling**: Libraries and tools for CycloneDX SBOMs.</li><li>**Broad Adoption**: Industry-standard for supply chain transparency.</li></ul> | Apache-2.0 | Open Source |
+| [CAST SBOM Manager](https://www.castsoftware.com/sbommanager) | <ul><li>**Centralized Management**: Manages SBOMs from various tools.</li><li>**Vulnerability Tracking**: Monitors components for security issues.</li><li>**Compliance Features**: Generates reports for regulatory requirements.</li></ul> | Proprietary | Free |
+| [Dependency Track](https://dependencytrack.org) | <ul><li>**Continuous Analysis**: Analyzes SBOMs for vulnerabilities.</li><li>**Ecosystem Integration**: Works with CycloneDX SBOMs.</li><li>**Comprehensive Monitoring**: Tracks components for new risks.</li></ul> | Apache-2.0 | Open Source |
+| [Trivy](https://trivy.dev) | <ul><li>**Vulnerability Scanning**: Scans containers, dependencies, and code.</li><li>**SBOM Support**: Generates and analyzes SBOMs.</li><li>**Broad Compatibility**: Works across multiple platforms and CI/CD tools.</li></ul> | Apache-2.0 | Open Source |
+| [Parlay](https://github.com/snyk/parlay) | <ul><li>**SBOM Enhancements**: Improves and consolidates SBOM data.</li><li>**Integration Ready**: Supports Snyk tools and others.</li><li>**Scalability**: Handles large-scale SBOMs efficiently.</li></ul> | Apache-2.0 | Open Source |
+| [Finite State](https://finitestate.io) | <ul><li>**SBOM Automation**: Automates SBOM creation and management.</li><li>**Vulnerability Analysis**: Identifies and mitigates risks.</li><li>**Compliance Features**: Meets regulatory requirements.</li></ul> | Proprietary | Unknown |
+| [Checkmarx](https://checkmarx.com/product/sbom/) | <ul><li>**SBOM Creation**: Generates SBOMs with detailed component analysis.</li><li>**Security Focus**: Prioritizes identifying vulnerabilities.</li><li>**Policy Compliance**: Ensures adherence to internal policies.</li></ul> | Proprietary | Unknown |
+| [Qwiet](https://qwiet.ai) | <ul><li>**Real-Time Scans**: Monitors open-source components during CI/CD.</li><li>**AI-Driven Analysis**: Leverages AI for threat detection.</li><li>**Comprehensive Reporting**: Details vulnerabilities and compliance.</li></ul> | Proprietary | Unknown |
+| [Snyk](https://snyk.io) | <ul><li>**SBOM Support**: Integrates SBOM generation with its security tools.</li><li>**Vulnerability Scans**: Identifies threats in open-source and proprietary code.</li><li>**Policy Compliance**: Assists in maintaining secure supply chains.</li></ul> | Proprietary | Unknown |
+| [SBOM Observer](https://sbom.observer) | <ul><li>**Visualization**: Visualizes SBOM data for better understanding.</li><li>**Collaboration**: Designed for team use with access controls.</li><li>**Multi-Tier Plans**: Offers flexible subscription options</li></ul> | Proprietary | €49/user/month, €69/user/month, Custom |
+| [SOOS](https://soos.io) | <ul><li>**Affordable Security**: Provides low-cost vulnerability analysis.</li><li>**SBOM Tools**: Creates and manages SBOMs efficiently.</li><li>**Developer Focus**: Tailored for small to medium teams.</li></ul> | Proprietary | $0/month, $90/month, Custom |
+