From b17745bdf08e41f2a6378db16cbc58e629f323aa Mon Sep 17 00:00:00 2001
From: Christian Fravi <christian.fravi@xwr.ch>
Date: Mon, 13 Jan 2025 16:42:56 +0100
Subject: [PATCH 1/4] new: Software Bill of Material (SBOM).

---
 sbom.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 sbom.md

diff --git a/sbom.md b/sbom.md
new file mode 100644
index 0000000..67401dc
--- /dev/null
+++ b/sbom.md
@@ -0,0 +1,60 @@
+# Software Bill of Material (SBOM)
+
+## Work order
+
+### Description
+
+**When:** evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,
+
+**As:** a DevSecOps Engineer Team Lead,
+
+**I want:**
+
+- To conduct a market overview of available SBOM tools.
+- Test and evaluate SBOM solutions through demos within our Azure DevOps environment.
+- Build and document reusable pipeline templates for SBOM generation and validation.
+
+**This ensures:**
+
+- Compliance with increasing customer demands for SBOM capabilities.
+- Streamlined implementation of SBOM generation in our DevOps pipelines.
+- Improved security and transparency of our software supply chain. (insofern wir selber Software bereitstellen)
+
+### Acceptance Criteria
+
+1. Market Overview:
+
+    - A comprehensive list of SBOM tools and their key features, including license and approx costs (free, open source, payed, enterprise size costs > kostenlos, vertretbar, arschteuer)
+    - git repo docs-onboarding, neue sbom.md datei
+
+2. Testing & Evaluation:
+
+    - Successful deployment and execution of SBOM tools in our Azure DevOps environment.
+    - Demos conducted for at least 3 shortlisted SBOM solutions.
+3. Pipeline Templates:
+
+    - Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
+    - Inclusion of relevant metadata, such as Licenses, CVEs etc.
+    - git repo cicd-pipeline-library, new sub-folder "sbom", ment-bold.yml verschieben in den neuen Ordner
+
+4. Documentation:
+
+    - Step-by-step guide for integrating selected SBOM tools in Azure DevOps pipelines alongside cicd template
+    - Example configurations if possible
+
+5. Training and Adoption:
+
+    - Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > schau mal, ob du 2 oder 3 Webinars findest, die sinnvoll sind und an denen wir teilnehmen können
+    - Internal presentation summarizing findings and providing guidance for SBOM adoption > Präsentation bei einer der kommenden XWare GLs im Bereich Know How zu Beginn
+
+## Market Overview
+
+Most used list: https://spdx.dev/use/spdx-tools/
+
+| Name and Link | Key Features | Licenses | Approx Costs |
+| ------------- | ------------ | -------- | ------------ |
+| [Microsofts SBOM Tool](https://github.com/microsoft/sbom-tool) | `tbd` | MIT | Open Source |
+| [Syft](https://github.com/anchore/syft) | `tbd` | Apache-2.0 | Open Source |
+| [ScanCode toolkit](https://github.com/aboutcode-org/scancode-toolkit) | `tbd` | Apache-2.0 | Open Source |
+| [SCANOSS](https://www.scanoss.com) | `tbd` | Proprietary | Free, 35K per Year, Custom |
+| [Vigilant Ops](https://www.vigilant-ops.com)| `tbd` | Proprietary | Unknown |

From eb00298994ed3ff3c661f675acfe587aac0fbf14 Mon Sep 17 00:00:00 2001
From: Christian Fravi <christian.fravi@xwr.ch>
Date: Tue, 14 Jan 2025 14:52:08 +0100
Subject: [PATCH 2/4] update: Further suppliers added.

---
 sbom.md | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/sbom.md b/sbom.md
index 67401dc..daaffe4 100644
--- a/sbom.md
+++ b/sbom.md
@@ -49,12 +49,32 @@
 
 ## Market Overview
 
-Most used list: https://spdx.dev/use/spdx-tools/
+Most used from this list: https://spdx.dev/use/spdx-tools/
 
-| Name and Link | Key Features | Licenses | Approx Costs |
-| ------------- | ------------ | -------- | ------------ |
+| Name and Link | Key Features | License | Approx Costs |
+| ------------- | ------------ | ------- | ------------ |
 | [Microsofts SBOM Tool](https://github.com/microsoft/sbom-tool) | `tbd` | MIT | Open Source |
 | [Syft](https://github.com/anchore/syft) | `tbd` | Apache-2.0 | Open Source |
 | [ScanCode toolkit](https://github.com/aboutcode-org/scancode-toolkit) | `tbd` | Apache-2.0 | Open Source |
 | [SCANOSS](https://www.scanoss.com) | `tbd` | Proprietary | Free, 35K per Year, Custom |
-| [Vigilant Ops](https://www.vigilant-ops.com)| `tbd` | Proprietary | Unknown |
+| [Vigilant Ops](https://www.vigilant-ops.com) | `tbd` | Proprietary | Unknown |
+| [Threatrix](https://threatrix.io) | `tbd` | Proprietary | Unknown |
+| [Black Duck](https://www.blackduck.com) | `tbd` | Proprietary | Unknown |
+| [OSS Review Toolkit](https://oss-review-toolkit.org) | `tbd` | Apache-2.0 | Open Source |
+| [Manifest](https://www.manifestcyber.com) | `tbd` | Proprietary | Unknown |
+| [Lib4SBOM](https://github.com/anthonyharrison/lib4sbom) | `tbd` | Apache-2.0 | Open Source |
+| [GUAC](https://guac.sh) | `tbd` | Apache-2.0 | Open Source |
+| [FOSSology](https://www.fossology.org) | `tbd` | GPL-2.0 / LGPL-2.1 | Open Source |
+| [DISTRO2SBOM](https://github.com/anthonyharrison/distro2sbom) | `tbd` | Apache-2.0 | Open Source |
+| [CycloneDX](https://github.com/CycloneDX) | `tbd` | Apache-2.0 | Open Source |
+| [CAST SBOM Manager](https://www.castsoftware.com/sbommanager) | `tbd` | Proprietary | Free |
+| [Dependency Track](https://dependencytrack.org) | `tbd` | Apache-2.0 | Open Source |
+| [Trivy](https://trivy.dev) | `tbd` | Apache-2.0 | Open Source |
+| [Parlay](https://github.com/snyk/parlay) | `tbd` | Apache-2.0 | Open Source |
+| [Finite State](https://finitestate.io) | `tbd` | Proprietary | Unknown |
+| [Checkmarx](https://checkmarx.com/product/sbom/) | `tbd` | Proprietary | Unknown |
+| [Anchore](https://anchore.com) | `tbd` | Proprietary | Unknown |
+| [Qwiet](https://qwiet.ai) | `tbd` | Proprietary | Unknown |
+| [Snyk](https://snyk.io) | `tbd` | Proprietary | Unknown |
+| [SBOM Observer](https://sbom.observer) | `tbd` | Proprietary | 49 EUR/user/month, 69 EUR/user/month, Custom |
+| [SOOS](https://soos.io) | `tbd` | Proprietary | $0/month, $90/month, Custom |

From 7f46aa2a70026fe81a8b031aa7b01493d60054a1 Mon Sep 17 00:00:00 2001
From: Christian Fravi <christian.fravi@xwr.ch>
Date: Tue, 14 Jan 2025 16:36:28 +0100
Subject: [PATCH 3/4] update: Key features added.

---
 sbom.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/sbom.md b/sbom.md
index daaffe4..3dbd857 100644
--- a/sbom.md
+++ b/sbom.md
@@ -78,3 +78,32 @@ Most used from this list: https://spdx.dev/use/spdx-tools/
 | [Snyk](https://snyk.io) | `tbd` | Proprietary | Unknown |
 | [SBOM Observer](https://sbom.observer) | `tbd` | Proprietary | 49 EUR/user/month, 69 EUR/user/month, Custom |
 | [SOOS](https://soos.io) | `tbd` | Proprietary | $0/month, $90/month, Custom |
+
+
+| Name and Link | Key Features | License | Approx Costs |
+| ------------- | ------------ | ------- | ------------ |
+| [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool) | <ul><li>**SBOM Generation**: Scans source folders for dependencies and generates SBOMs.</li><li>**CI/CD Integration**: Seamless integration with GitHub Actions and Azure DevOps.</li><li>**Validation**: Validates SBOMs and redacts sensitive data.</li></ul> | MIT | Open Source |
+| [Syft](https://github.com/anchore/syft) | <ul><li>**SBOM Creation**: Builds SBOMs for containers, files, and cloud artifacts.</li><li>**Multiple Formats**: Supports SPDX and CycloneDX.</li><li>**Ecosystem Integration**: Compatible with Anchore's other tools for security analysis.</li></ul> | Apache-2.0 | Open Source |
+| [ScanCode Toolkit](https://github.com/nexB/scancode-toolkit) | <ul><li>**License Detection**: Scans for open-source licenses and copyrights.</li><li>**Component Identification**: Identifies components, vulnerabilities, and origin data.</li><li>**Customizable**: Extensible with plugins and tailored scanning options. | Apache-2.0 | Open Source |
+| [SCANOSS](https://www.scanoss.com) | <ul><li>**Real-Time Scanning**: Detects open-source components during development.</li><li>**Comprehensive Detection**: Uses an extensive database for accurate results.</li><li>**APIs for Integration**: Offers APIs for workflow integration.</li></ul> | Proprietary | Free, $35K/year, Custom |
+| [Vigilant Ops](https://www.vigilant-ops.com) | <ul><li>**SBOM Management**: Manages and tracks SBOMs for transparency.</li><li>**Vulnerability Analysis**: Identifies risks in software components.</li><li>**Compliance Tools**: Ensures adherence to industry standards.</li></ul> | Proprietary | Unknown |
+| [Threatrix](https://threatrix.io) | <ul><li>**SCA Analysis**: Monitors and analyzes software components.</li><li>**Real-Time Updates**: Detects emerging vulnerabilities.</li><li>**Detailed Reporting**: Helps manage security and compliance risks.</li></ul> | Proprietary | Unknown |
+| [Black Duck](https://www.blackduck.com) | <ul><li>**Component Insights**: Tracks open-source licenses and vulnerabilities.</li><li>**Policy Automation**: Creates and enforces usage policies.</li><li>**Continuous Monitoring**: Monitors for new threats and compliance issues.</li></ul> | Proprietary | Unknown |
+| [OSS Review Toolkit](https://oss-review-toolkit.org) | <ul><li>**Dependency Scanning**: Automates open-source dependency analysis.</li><li>**Policy Evaluation**: Ensures compliance with organizational policies.</li><li>**CI/CD Integration**: Fits into existing pipelines.</li></ul> | Apache-2.0 | Open Source |
+| [Manifest](https://www.manifestcyber.com) | <ul><li>**SBOM Tools**: Manages and generates SBOMs for software.</li><li>**Vulnerability Scans**: Identifies risks in the supply chain.</li><li>**Compliance Support**: Helps meet regulatory standards.</li></ul> | Proprietary | Unknown |
+| [Lib4SBOM](https://github.com/anthonyharrison/lib4sbom) | <ul><li>**Library for SBOMs**: Simplifies SBOM creation in various formats.</li><li>**Standard Support**: Compatible with SPDX and CycloneDX.</li><li>**Development Friendly**: Easy integration with workflows.</li></ul> | Apache-2.0 | Open Source |
+| [GUAC](https://guac.sh) | <ul><li>**SBOM Aggregation**: Consolidates SBOMs into a unified graph.</li><li>**Provenance Tracking**: Tracks the origin of software components.</li><li>**Querying**: Provides deep insights into dependencies.</li></ul> | Apache-2.0 | Open Source |
+| [FOSSology](https://www.fossology.org) | <ul><li>**License Scanning**: Detects and analyzes software licenses.</li><li>**Metadata Extraction**: Extracts copyright and component details.</li><li>**Custom Workflows**: Supports flexible compliance processes.</li></ul> | GPL-2.0 / LGPL-2.1 | Open Source |
+| [DISTRO2SBOM](https://github.com/anthonyharrison/distro2sbom) | <ul><li>**Distribution Focused**: Creates SBOMs for Linux distributions.</li><li>**Comprehensive Scans**: Analyzes all installed packages.</li><li>**Standards Compatible**: Supports SPDX and CycloneDX formats.</li></ul> | Apache-2.0 | Open Source |
+| [CycloneDX](https://github.com/CycloneDX) | <ul><li>**SBOM Standard**: Defines a standardized SBOM format.</li><li>**Extensive Tooling**: Libraries and tools for CycloneDX SBOMs.</li><li>**Broad Adoption**: Industry-standard for supply chain transparency.</li></ul> | Apache-2.0 | Open Source |
+| [CAST SBOM Manager](https://www.castsoftware.com/sbommanager) | <ul><li>**Centralized Management**: Manages SBOMs from various tools.</li><li>**Vulnerability Tracking**: Monitors components for security issues.</li><li>**Compliance Features**: Generates reports for regulatory requirements.</li></ul> | Proprietary | Free |
+| [Dependency Track](https://dependencytrack.org) | <ul><li>**Continuous Analysis**: Analyzes SBOMs for vulnerabilities.</li><li>**Ecosystem Integration**: Works with CycloneDX SBOMs.</li><li>**Comprehensive Monitoring**: Tracks components for new risks.</li></ul> | Apache-2.0 | Open Source |
+| [Trivy](https://trivy.dev) | <ul><li>**Vulnerability Scanning**: Scans containers, dependencies, and code.</li><li>**SBOM Support**: Generates and analyzes SBOMs.</li><li>**Broad Compatibility**: Works across multiple platforms and CI/CD tools.</li></ul> | Apache-2.0 | Open Source |
+| [Parlay](https://github.com/snyk/parlay) | <ul><li>**SBOM Enhancements**: Improves and consolidates SBOM data.</li><li>**Integration Ready**: Supports Snyk tools and others.</li><li>**Scalability**: Handles large-scale SBOMs efficiently.</li></ul> | Apache-2.0 | Open Source |
+| [Finite State](https://finitestate.io) | <ul><li>**SBOM Automation**: Automates SBOM creation and management.</li><li>**Vulnerability Analysis**: Identifies and mitigates risks.</li><li>**Compliance Features**: Meets regulatory requirements.</li></ul> | Proprietary | Unknown |
+| [Checkmarx](https://checkmarx.com/product/sbom/) | <ul><li>**SBOM Creation**: Generates SBOMs with detailed component analysis.</li><li>**Security Focus**: Prioritizes identifying vulnerabilities.</li><li>**Policy Compliance**: Ensures adherence to internal policies.</li></ul> | Proprietary | Unknown |
+| [Qwiet](https://qwiet.ai) | <ul><li>**Real-Time Scans**: Monitors open-source components during CI/CD.</li><li>**AI-Driven Analysis**: Leverages AI for threat detection.</li><li>**Comprehensive Reporting**: Details vulnerabilities and compliance.</li></ul> | Proprietary | Unknown |
+| [Snyk](https://snyk.io) | <ul><li>**SBOM Support**: Integrates SBOM generation with its security tools.</li><li>**Vulnerability Scans**: Identifies threats in open-source and proprietary code.</li><li>**Policy Compliance**: Assists in maintaining secure supply chains.</li></ul> | Proprietary | Unknown |
+| [SBOM Observer](https://sbom.observer) | <ul><li>**Visualization**: Visualizes SBOM data for better understanding.</li><li>**Collaboration**: Designed for team use with access controls.</li><li>**Multi-Tier Plans**: Offers flexible subscription options</li></ul> | Proprietary | €49/user/month, €69/user/month, Custom |
+| [SOOS](https://soos.io) | <ul><li>**Affordable Security**: Provides low-cost vulnerability analysis.</li><li>**SBOM Tools**: Creates and manages SBOMs efficiently.</li><li>**Developer Focus**: Tailored for small to medium teams.</li></ul> | Proprietary | $0/month, $90/month, Custom |
+

From c19561f21b0bee381c2ee97824a5557b34d74a97 Mon Sep 17 00:00:00 2001
From: Christian Fravi <christian.fravi@xwr.ch>
Date: Tue, 14 Jan 2025 16:37:46 +0100
Subject: [PATCH 4/4] delete: Removed old table.

---
 sbom.md | 29 -----------------------------
 1 file changed, 29 deletions(-)

diff --git a/sbom.md b/sbom.md
index 3dbd857..35f5ccd 100644
--- a/sbom.md
+++ b/sbom.md
@@ -51,35 +51,6 @@
 
 Most used from this list: https://spdx.dev/use/spdx-tools/
 
-| Name and Link | Key Features | License | Approx Costs |
-| ------------- | ------------ | ------- | ------------ |
-| [Microsofts SBOM Tool](https://github.com/microsoft/sbom-tool) | `tbd` | MIT | Open Source |
-| [Syft](https://github.com/anchore/syft) | `tbd` | Apache-2.0 | Open Source |
-| [ScanCode toolkit](https://github.com/aboutcode-org/scancode-toolkit) | `tbd` | Apache-2.0 | Open Source |
-| [SCANOSS](https://www.scanoss.com) | `tbd` | Proprietary | Free, 35K per Year, Custom |
-| [Vigilant Ops](https://www.vigilant-ops.com) | `tbd` | Proprietary | Unknown |
-| [Threatrix](https://threatrix.io) | `tbd` | Proprietary | Unknown |
-| [Black Duck](https://www.blackduck.com) | `tbd` | Proprietary | Unknown |
-| [OSS Review Toolkit](https://oss-review-toolkit.org) | `tbd` | Apache-2.0 | Open Source |
-| [Manifest](https://www.manifestcyber.com) | `tbd` | Proprietary | Unknown |
-| [Lib4SBOM](https://github.com/anthonyharrison/lib4sbom) | `tbd` | Apache-2.0 | Open Source |
-| [GUAC](https://guac.sh) | `tbd` | Apache-2.0 | Open Source |
-| [FOSSology](https://www.fossology.org) | `tbd` | GPL-2.0 / LGPL-2.1 | Open Source |
-| [DISTRO2SBOM](https://github.com/anthonyharrison/distro2sbom) | `tbd` | Apache-2.0 | Open Source |
-| [CycloneDX](https://github.com/CycloneDX) | `tbd` | Apache-2.0 | Open Source |
-| [CAST SBOM Manager](https://www.castsoftware.com/sbommanager) | `tbd` | Proprietary | Free |
-| [Dependency Track](https://dependencytrack.org) | `tbd` | Apache-2.0 | Open Source |
-| [Trivy](https://trivy.dev) | `tbd` | Apache-2.0 | Open Source |
-| [Parlay](https://github.com/snyk/parlay) | `tbd` | Apache-2.0 | Open Source |
-| [Finite State](https://finitestate.io) | `tbd` | Proprietary | Unknown |
-| [Checkmarx](https://checkmarx.com/product/sbom/) | `tbd` | Proprietary | Unknown |
-| [Anchore](https://anchore.com) | `tbd` | Proprietary | Unknown |
-| [Qwiet](https://qwiet.ai) | `tbd` | Proprietary | Unknown |
-| [Snyk](https://snyk.io) | `tbd` | Proprietary | Unknown |
-| [SBOM Observer](https://sbom.observer) | `tbd` | Proprietary | 49 EUR/user/month, 69 EUR/user/month, Custom |
-| [SOOS](https://soos.io) | `tbd` | Proprietary | $0/month, $90/month, Custom |
-
-
 | Name and Link | Key Features | License | Approx Costs |
 | ------------- | ------------ | ------- | ------------ |
 | [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool) | <ul><li>**SBOM Generation**: Scans source folders for dependencies and generates SBOMs.</li><li>**CI/CD Integration**: Seamless integration with GitHub Actions and Azure DevOps.</li><li>**Validation**: Validates SBOMs and redacts sensitive data.</li></ul> | MIT | Open Source |