# Software Bill of Material (SBOM)

## Work order

### Description

**When:** evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,

**As:** a DevSecOps Engineer Team Lead,

**I want:**

- To conduct a market overview of available SBOM tools.
- Test and evaluate SBOM solutions through demos within our Azure DevOps environment.
- Build and document reusable pipeline templates for SBOM generation and validation.

**This ensures:**

- Compliance with increasing customer demands for SBOM capabilities.
- Streamlined implementation of SBOM generation in our DevOps pipelines.
- Improved security and transparency of our software supply chain. (insofern wir selber Software bereitstellen)

### Acceptance Criteria

1. Market Overview:

    - A comprehensive list of SBOM tools and their key features, including license and approx costs (free, open source, payed, enterprise size costs > kostenlos, vertretbar, arschteuer)
    - git repo docs-onboarding, neue sbom.md datei

2. Testing & Evaluation:

    - Successful deployment and execution of SBOM tools in our Azure DevOps environment.
    - Demos conducted for at least 3 shortlisted SBOM solutions.

3. Pipeline Templates:

    - Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
    - Inclusion of relevant metadata, such as Licenses, CVEs etc.
    - git repo cicd-pipeline-library, new sub-folder "sbom", ment-bold.yml verschieben in den neuen Ordner

4. Documentation:

    - Step-by-step guide for integrating selected SBOM tools in Azure DevOps pipelines alongside cicd template
    - Example configurations if possible

5. Training and Adoption:

    - Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > schau mal, ob du 2 oder 3 Webinars findest, die sinnvoll sind und an denen wir teilnehmen können
    - Internal presentation summarizing findings and providing guidance for SBOM adoption > Präsentation bei einer der kommenden XWare GLs im Bereich Know How zu Beginn

## Market Overview

Most used from this list: https://spdx.dev/use/spdx-tools/

| Name and Link | Key Features | License | Approx Costs |
| ------------- | ------------ | ------- | ------------ |
| [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool) | <ul><li>**SBOM Generation**: Scans source folders for dependencies and generates SBOMs.</li><li>**CI/CD Integration**: Seamless integration with GitHub Actions and Azure DevOps.</li><li>**Validation**: Validates SBOMs and redacts sensitive data.</li></ul> | MIT | Open Source |
| [Syft](https://github.com/anchore/syft) | <ul><li>**SBOM Creation**: Builds SBOMs for containers, files, and cloud artifacts.</li><li>**Multiple Formats**: Supports SPDX and CycloneDX.</li><li>**Ecosystem Integration**: Compatible with Anchore's other tools for security analysis.</li></ul> | Apache-2.0 | Open Source |
| [ScanCode Toolkit](https://github.com/nexB/scancode-toolkit) | <ul><li>**License Detection**: Scans for open-source licenses and copyrights.</li><li>**Component Identification**: Identifies components, vulnerabilities, and origin data.</li><li>**Customizable**: Extensible with plugins and tailored scanning options. | Apache-2.0 | Open Source |
| [SCANOSS](https://www.scanoss.com) | <ul><li>**Real-Time Scanning**: Detects open-source components during development.</li><li>**Comprehensive Detection**: Uses an extensive database for accurate results.</li><li>**APIs for Integration**: Offers APIs for workflow integration.</li></ul> | Proprietary | Free, $35K/year, Custom |
| [Vigilant Ops](https://www.vigilant-ops.com) | <ul><li>**SBOM Management**: Manages and tracks SBOMs for transparency.</li><li>**Vulnerability Analysis**: Identifies risks in software components.</li><li>**Compliance Tools**: Ensures adherence to industry standards.</li></ul> | Proprietary | Unknown |
| [Threatrix](https://threatrix.io) | <ul><li>**SCA Analysis**: Monitors and analyzes software components.</li><li>**Real-Time Updates**: Detects emerging vulnerabilities.</li><li>**Detailed Reporting**: Helps manage security and compliance risks.</li></ul> | Proprietary | Unknown |
| [Black Duck](https://www.blackduck.com) | <ul><li>**Component Insights**: Tracks open-source licenses and vulnerabilities.</li><li>**Policy Automation**: Creates and enforces usage policies.</li><li>**Continuous Monitoring**: Monitors for new threats and compliance issues.</li></ul> | Proprietary | Unknown |
| [OSS Review Toolkit](https://oss-review-toolkit.org) | <ul><li>**Dependency Scanning**: Automates open-source dependency analysis.</li><li>**Policy Evaluation**: Ensures compliance with organizational policies.</li><li>**CI/CD Integration**: Fits into existing pipelines.</li></ul> | Apache-2.0 | Open Source |
| [Manifest](https://www.manifestcyber.com) | <ul><li>**SBOM Tools**: Manages and generates SBOMs for software.</li><li>**Vulnerability Scans**: Identifies risks in the supply chain.</li><li>**Compliance Support**: Helps meet regulatory standards.</li></ul> | Proprietary | Unknown |
| [Lib4SBOM](https://github.com/anthonyharrison/lib4sbom) | <ul><li>**Library for SBOMs**: Simplifies SBOM creation in various formats.</li><li>**Standard Support**: Compatible with SPDX and CycloneDX.</li><li>**Development Friendly**: Easy integration with workflows.</li></ul> | Apache-2.0 | Open Source |
| [GUAC](https://guac.sh) | <ul><li>**SBOM Aggregation**: Consolidates SBOMs into a unified graph.</li><li>**Provenance Tracking**: Tracks the origin of software components.</li><li>**Querying**: Provides deep insights into dependencies.</li></ul> | Apache-2.0 | Open Source |
| [FOSSology](https://www.fossology.org) | <ul><li>**License Scanning**: Detects and analyzes software licenses.</li><li>**Metadata Extraction**: Extracts copyright and component details.</li><li>**Custom Workflows**: Supports flexible compliance processes.</li></ul> | GPL-2.0 / LGPL-2.1 | Open Source |
| [DISTRO2SBOM](https://github.com/anthonyharrison/distro2sbom) | <ul><li>**Distribution Focused**: Creates SBOMs for Linux distributions.</li><li>**Comprehensive Scans**: Analyzes all installed packages.</li><li>**Standards Compatible**: Supports SPDX and CycloneDX formats.</li></ul> | Apache-2.0 | Open Source |
| [CycloneDX](https://github.com/CycloneDX) | <ul><li>**SBOM Standard**: Defines a standardized SBOM format.</li><li>**Extensive Tooling**: Libraries and tools for CycloneDX SBOMs.</li><li>**Broad Adoption**: Industry-standard for supply chain transparency.</li></ul> | Apache-2.0 | Open Source |
| [CAST SBOM Manager](https://www.castsoftware.com/sbommanager) | <ul><li>**Centralized Management**: Manages SBOMs from various tools.</li><li>**Vulnerability Tracking**: Monitors components for security issues.</li><li>**Compliance Features**: Generates reports for regulatory requirements.</li></ul> | Proprietary | Free |
| [Dependency Track](https://dependencytrack.org) | <ul><li>**Continuous Analysis**: Analyzes SBOMs for vulnerabilities.</li><li>**Ecosystem Integration**: Works with CycloneDX SBOMs.</li><li>**Comprehensive Monitoring**: Tracks components for new risks.</li></ul> | Apache-2.0 | Open Source |
| [Trivy](https://trivy.dev) | <ul><li>**Vulnerability Scanning**: Scans containers, dependencies, and code.</li><li>**SBOM Support**: Generates and analyzes SBOMs.</li><li>**Broad Compatibility**: Works across multiple platforms and CI/CD tools.</li></ul> | Apache-2.0 | Open Source |
| [Parlay](https://github.com/snyk/parlay) | <ul><li>**SBOM Enhancements**: Improves and consolidates SBOM data.</li><li>**Integration Ready**: Supports Snyk tools and others.</li><li>**Scalability**: Handles large-scale SBOMs efficiently.</li></ul> | Apache-2.0 | Open Source |
| [Finite State](https://finitestate.io) | <ul><li>**SBOM Automation**: Automates SBOM creation and management.</li><li>**Vulnerability Analysis**: Identifies and mitigates risks.</li><li>**Compliance Features**: Meets regulatory requirements.</li></ul> | Proprietary | Unknown |
| [Checkmarx](https://checkmarx.com/product/sbom/) | <ul><li>**SBOM Creation**: Generates SBOMs with detailed component analysis.</li><li>**Security Focus**: Prioritizes identifying vulnerabilities.</li><li>**Policy Compliance**: Ensures adherence to internal policies.</li></ul> | Proprietary | Unknown |
| [Qwiet](https://qwiet.ai) | <ul><li>**Real-Time Scans**: Monitors open-source components during CI/CD.</li><li>**AI-Driven Analysis**: Leverages AI for threat detection.</li><li>**Comprehensive Reporting**: Details vulnerabilities and compliance.</li></ul> | Proprietary | Unknown |
| [Snyk](https://snyk.io) | <ul><li>**SBOM Support**: Integrates SBOM generation with its security tools.</li><li>**Vulnerability Scans**: Identifies threats in open-source and proprietary code.</li><li>**Policy Compliance**: Assists in maintaining secure supply chains.</li></ul> | Proprietary | Unknown |
| [SBOM Observer](https://sbom.observer) | <ul><li>**Visualization**: Visualizes SBOM data for better understanding.</li><li>**Collaboration**: Designed for team use with access controls.</li><li>**Multi-Tier Plans**: Offers flexible subscription options</li></ul> | Proprietary | €49/user/month, €69/user/month, Custom |
| [SOOS](https://soos.io) | <ul><li>**Affordable Security**: Provides low-cost vulnerability analysis.</li><li>**SBOM Tools**: Creates and manages SBOMs efficiently.</li><li>**Developer Focus**: Tailored for small to medium teams.</li></ul> | Proprietary | $0/month, $90/month, Custom |

## Testing & Evaluation

| Name and Link | Result |
| ------------- | ------ |
| [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool) | Simple and easy to install and use. Very good result. Every package recognized including licenses and vulnerabilities information. With [SBOM Tool Azure DevOps Extension](https://marketplace.visualstudio.com/items?itemName=rhyskoedijk.sbom-tool) very nice graphical processing what is directly integradted in pipline log. |
| [Syft](https://github.com/anchore/syft) | Simple and easy to install and use. Poor result. Packages not recognized but binaries. Multiple duplicates. Difficult to evaluate the result. No license information. No graphical processing provided. |
| [ScanCode Toolkit](https://github.com/nexB/scancode-toolkit) | Simple and easy to install and use. Poor result. Packages not recognized but binaries. No licenses and vulnerabilities information. Difficult to evaluate the result. Graphical processing provided with external tool. |

Further tests are therefore carried out with [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool).

## Pipeline Templates

With [SBOM Tool Azure DevOps Extension](https://marketplace.visualstudio.com/items?itemName=rhyskoedijk.sbom-tool) a simple call as task with all needed parameters already exists. Therefore no template is required.

## Documentation

### Install Extension

Appropriate permissions or an authorization are required for the installation of [SBOM Tool Azure DevOps Extension](https://marketplace.visualstudio.com/items?itemName=rhyskoedijk.sbom-tool).

## Use in pipeline

After installation a task in the pipeline can look like the following example:

```yaml
- task: sbom-tool@1
  displayName: 'Generate SBOM Manifest'
  inputs:
    command: 'generate'
    buildSourcePath: '$(Build.SourcesDirectory)'
    buildArtifactPath: '$(Build.ArtifactStagingDirectory)'
    enableManifestSpreadsheetGeneration: true
    enableManifestGraphGeneration: true
    enablePackageMetadataParsing: true
    fetchLicenseInformation: true
    fetchSecurityAdvisories: true
    gitHubConnection: 'GitHubForSandbox'
    packageSupplier: 'MyOrganisation'
    packageName: 'MyPackage'
    packageVersion: '$(Build.BuildNumber)'
```

A complete example:

```yaml
jobs:
  - job: publish
    steps:
      - task: DotNetCoreCLI@2
        displayName: 'Publish project'
        inputs:
          command: 'publish'
          publishWebProjects: true
          arguments: '--output "$(Build.ArtifactStagingDirectory)"'

      - task: sbom-tool@1
        displayName: 'Generate project SBOM manifest'
        inputs:
          command: 'generate'
          buildSourcePath: '$(Build.SourcesDirectory)'
          buildArtifactPath: '$(Build.ArtifactStagingDirectory)'
          enableManifestSpreadsheetGeneration: true
          enableManifestGraphGeneration: true
          enablePackageMetadataParsing: true
          fetchLicenseInformation: true
          fetchSecurityAdvisories: true
          gitHubConnection: 'GitHub Advisory Database Connection'
          packageSupplier: 'MyOrganisation'
          packageName: 'MyPackage'
          packageVersion: '$(Build.BuildNumber)'

      - task: PublishBuildArtifacts@1
        displayName: 'Publish artifacts'
        inputs:
          PathtoPublish: '$(Build.ArtifactStagingDirectory)'
          ArtifactName: 'drop'
          publishLocation: 'Container'
```

## Training and Adoption

Possible Webinars:

- https://jfrog.com/webinar/creation-of-your-software-bill-of-materials-sbom/
- https://www.mend.io/resources/webinars/sboms-a-critical-tool-for-modern-organizations/
- https://www.medcrypt.com/private/webinars-conferences/i-have-an-sbom-now-what
- https://openchainproject.org/news/2024/10/01/coming-soon-webinar-on-sbom-visualization
- https://www.cybeats.com/blog/5-key-takeaways-from-microsoft-and-googles-webinar-on-sbom