Software Bill of Material (SBOM)

Work order

Description

When: evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,

As: a DevSecOps Engineer Team Lead,

I want:

To conduct a market overview of available SBOM tools.
Test and evaluate SBOM solutions through demos within our Azure DevOps environment.
Build and document reusable pipeline templates for SBOM generation and validation.

This ensures:

Compliance with increasing customer demands for SBOM capabilities.
Streamlined implementation of SBOM generation in our DevOps pipelines.
Improved security and transparency of our software supply chain. (insofern wir selber Software bereitstellen)

Acceptance Criteria

Market Overview:
- A comprehensive list of SBOM tools and their key features, including license and approx costs (free, open source, payed, enterprise size costs > kostenlos, vertretbar, arschteuer)
- git repo docs-onboarding, neue sbom.md datei
Testing & Evaluation:
- Successful deployment and execution of SBOM tools in our Azure DevOps environment.
- Demos conducted for at least 3 shortlisted SBOM solutions.
Pipeline Templates:
- Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
- Inclusion of relevant metadata, such as Licenses, CVEs etc.
- git repo cicd-pipeline-library, new sub-folder "sbom", ment-bold.yml verschieben in den neuen Ordner
Documentation:
- Step-by-step guide for integrating selected SBOM tools in Azure DevOps pipelines alongside cicd template
- Example configurations if possible
Training and Adoption:
- Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > schau mal, ob du 2 oder 3 Webinars findest, die sinnvoll sind und an denen wir teilnehmen können
- Internal presentation summarizing findings and providing guidance for SBOM adoption > Präsentation bei einer der kommenden XWare GLs im Bereich Know How zu Beginn

Market Overview

Most used from this list: https://spdx.dev/use/spdx-tools/

Name and Link	Key Features	License	Approx Costs
Microsoft's SBOM Tool	SBOM Generation: Scans source folders for dependencies and generates SBOMs. CI/CD Integration: Seamless integration with GitHub Actions and Azure DevOps. Validation: Validates SBOMs and redacts sensitive data.	MIT	Open Source
Syft	SBOM Creation: Builds SBOMs for containers, files, and cloud artifacts. Multiple Formats: Supports SPDX and CycloneDX. Ecosystem Integration: Compatible with Anchore's other tools for security analysis.	Apache-2.0	Open Source
ScanCode Toolkit	License Detection: Scans for open-source licenses and copyrights. Component Identification: Identifies components, vulnerabilities, and origin data. Customizable: Extensible with plugins and tailored scanning options.	Apache-2.0	Open Source
SCANOSS	Real-Time Scanning: Detects open-source components during development. Comprehensive Detection: Uses an extensive database for accurate results. APIs for Integration: Offers APIs for workflow integration.	Proprietary	Free, $35K/year, Custom
Vigilant Ops	SBOM Management: Manages and tracks SBOMs for transparency. Vulnerability Analysis: Identifies risks in software components. Compliance Tools: Ensures adherence to industry standards.	Proprietary	Unknown
Threatrix	SCA Analysis: Monitors and analyzes software components. Real-Time Updates: Detects emerging vulnerabilities. Detailed Reporting: Helps manage security and compliance risks.	Proprietary	Unknown
Black Duck	Component Insights: Tracks open-source licenses and vulnerabilities. Policy Automation: Creates and enforces usage policies. Continuous Monitoring: Monitors for new threats and compliance issues.	Proprietary	Unknown
OSS Review Toolkit	Dependency Scanning: Automates open-source dependency analysis. Policy Evaluation: Ensures compliance with organizational policies. CI/CD Integration: Fits into existing pipelines.	Apache-2.0	Open Source
Manifest	SBOM Tools: Manages and generates SBOMs for software. Vulnerability Scans: Identifies risks in the supply chain. Compliance Support: Helps meet regulatory standards.	Proprietary	Unknown
Lib4SBOM	Library for SBOMs: Simplifies SBOM creation in various formats. Standard Support: Compatible with SPDX and CycloneDX. Development Friendly: Easy integration with workflows.	Apache-2.0	Open Source
GUAC	SBOM Aggregation: Consolidates SBOMs into a unified graph. Provenance Tracking: Tracks the origin of software components. Querying: Provides deep insights into dependencies.	Apache-2.0	Open Source
FOSSology	License Scanning: Detects and analyzes software licenses. Metadata Extraction: Extracts copyright and component details. Custom Workflows: Supports flexible compliance processes.	GPL-2.0 / LGPL-2.1	Open Source
DISTRO2SBOM	Distribution Focused: Creates SBOMs for Linux distributions. Comprehensive Scans: Analyzes all installed packages. Standards Compatible: Supports SPDX and CycloneDX formats.	Apache-2.0	Open Source
CycloneDX	SBOM Standard: Defines a standardized SBOM format. Extensive Tooling: Libraries and tools for CycloneDX SBOMs. Broad Adoption: Industry-standard for supply chain transparency.	Apache-2.0	Open Source
CAST SBOM Manager	Centralized Management: Manages SBOMs from various tools. Vulnerability Tracking: Monitors components for security issues. Compliance Features: Generates reports for regulatory requirements.	Proprietary	Free
Dependency Track	Continuous Analysis: Analyzes SBOMs for vulnerabilities. Ecosystem Integration: Works with CycloneDX SBOMs. Comprehensive Monitoring: Tracks components for new risks.	Apache-2.0	Open Source
Trivy	Vulnerability Scanning: Scans containers, dependencies, and code. SBOM Support: Generates and analyzes SBOMs. Broad Compatibility: Works across multiple platforms and CI/CD tools.	Apache-2.0	Open Source
Parlay	SBOM Enhancements: Improves and consolidates SBOM data. Integration Ready: Supports Snyk tools and others. Scalability: Handles large-scale SBOMs efficiently.	Apache-2.0	Open Source
Finite State	SBOM Automation: Automates SBOM creation and management. Vulnerability Analysis: Identifies and mitigates risks. Compliance Features: Meets regulatory requirements.	Proprietary	Unknown
Checkmarx	SBOM Creation: Generates SBOMs with detailed component analysis. Security Focus: Prioritizes identifying vulnerabilities. Policy Compliance: Ensures adherence to internal policies.	Proprietary	Unknown
Qwiet	Real-Time Scans: Monitors open-source components during CI/CD. AI-Driven Analysis: Leverages AI for threat detection. Comprehensive Reporting: Details vulnerabilities and compliance.	Proprietary	Unknown
Snyk	SBOM Support: Integrates SBOM generation with its security tools. Vulnerability Scans: Identifies threats in open-source and proprietary code. Policy Compliance: Assists in maintaining secure supply chains.	Proprietary	Unknown
SBOM Observer	Visualization: Visualizes SBOM data for better understanding. Collaboration: Designed for team use with access controls. Multi-Tier Plans: Offers flexible subscription options	Proprietary	€49/user/month, €69/user/month, Custom
SOOS	Affordable Security: Provides low-cost vulnerability analysis. SBOM Tools: Creates and manages SBOMs efficiently. Developer Focus: Tailored for small to medium teams.	Proprietary	$0/month, $90/month, Custom

Testing & Evaluation

Name and Link	Result
Microsoft's SBOM Tool	Simple and easy to install and use. Very good result. Every package recognized including licenses and vulnerabilities information. With SBOM Tool Azure DevOps Extension very nice graphical processing what is directly integradted in pipline log.
Syft	Simple and easy to install and use. Poor result. Packages not recognized but binaries. Multiple duplicates. Difficult to evaluate the result. No license information. No graphical processing provided.
ScanCode Toolkit	Simple and easy to install and use. Poor result. Packages not recognized but binaries. No licenses and vulnerabilities information. Difficult to evaluate the result. Graphical processing provided with external tool.

Further tests are therefore carried out with Microsoft's SBOM Tool.

Pipeline Templates

With SBOM Tool Azure DevOps Extension a simple call as task with all needed parameters already exists. Therefore no template is required.

Documentation

Install Extension

Appropriate permissions or an authorization are required for the installation of SBOM Tool Azure DevOps Extension.

Use in pipeline

After installation a task in the pipeline can look like the following example:

- task: sbom-tool@1
  displayName: 'Generate SBOM Manifest'
  inputs:
    command: 'generate'
    buildSourcePath: '$(Build.SourcesDirectory)'
    buildArtifactPath: '$(Build.ArtifactStagingDirectory)'
    enableManifestSpreadsheetGeneration: true
    enableManifestGraphGeneration: true
    enablePackageMetadataParsing: true
    fetchLicenseInformation: true
    fetchSecurityAdvisories: true
    gitHubConnection: 'GitHubForSandbox'
    packageSupplier: 'MyOrganisation'
    packageName: 'MyPackage'
    packageVersion: '$(Build.BuildNumber)'

A complete example:

jobs:
  - job: publish
    steps:
      - task: DotNetCoreCLI@2
        displayName: 'Publish project'
        inputs:
          command: 'publish'
          publishWebProjects: true
          arguments: '--output "$(Build.ArtifactStagingDirectory)"'

      - task: sbom-tool@1
        displayName: 'Generate project SBOM manifest'
        inputs:
          command: 'generate'
          buildSourcePath: '$(Build.SourcesDirectory)'
          buildArtifactPath: '$(Build.ArtifactStagingDirectory)'
          enableManifestSpreadsheetGeneration: true
          enableManifestGraphGeneration: true
          enablePackageMetadataParsing: true
          fetchLicenseInformation: true
          fetchSecurityAdvisories: true
          gitHubConnection: 'GitHub Advisory Database Connection'
          packageSupplier: 'MyOrganisation'
          packageName: 'MyPackage'
          packageVersion: '$(Build.BuildNumber)'

      - task: PublishBuildArtifacts@1
        displayName: 'Publish artifacts'
        inputs:
          PathtoPublish: '$(Build.ArtifactStagingDirectory)'
          ArtifactName: 'drop'
          publishLocation: 'Container'

Training and Adoption

Possible Webinars:

13 KiB Raw Permalink Blame History