# Software Bill of Material (SBOM)

## Work order

### Description

**When:** evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,

**As:** a DevSecOps Engineer Team Lead,

**I want:**

- To conduct a market overview of available SBOM tools.
- Test and evaluate SBOM solutions through demos within our Azure DevOps environment.
- Build and document reusable pipeline templates for SBOM generation and validation.

**This ensures:**

- Compliance with increasing customer demands for SBOM capabilities.
- Streamlined implementation of SBOM generation in our DevOps pipelines.
- Improved security and transparency of our software supply chain (insofar as we ourselves provide software).

### Acceptance Criteria

1. Market Overview:

   - A comprehensive list of SBOM tools and their key features, including license and approximate costs (free, open source, paid, enterprise-scale costs > free, reasonable, insanely expensive)
   - git repo docs-onboarding, new sbom.md file

2. Testing & Evaluation:

   - Successful deployment and execution of SBOM tools in our Azure DevOps environment.
   - Demos conducted for at least 3 shortlisted SBOM solutions.

3. Pipeline Templates:

   - Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
   - Inclusion of relevant metadata, such as licenses, CVEs etc.
   - git repo cicd-pipeline-library, new sub-folder "sbom", move ment-bold.yml into the new folder

4. Documentation:

   - Step-by-step guide for integrating the selected SBOM tools in Azure DevOps pipelines alongside the CI/CD template
   - Example configurations if possible

5. Training and Adoption:

   - Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > see whether you can find 2 or 3 webinars that make sense and that we can attend
   - Internal presentation summarizing findings and providing guidance for SBOM adoption > presentation at one of the upcoming XWare GLs, in the Know-how slot at the start

## Market Overview

Most used from this list: https://spdx.dev/use/spdx-tools/

| Name and Link | Key Features | License | Approx Costs |
| ------------- | ------------ | ------- | ------------ |
| [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool) | <ul><li>**SBOM Generation**: Scans source folders for dependencies and generates SBOMs.</li><li>**CI/CD Integration**: Seamless integration with GitHub Actions and Azure DevOps.</li><li>**Validation**: Validates SBOMs and redacts sensitive data.</li></ul> | MIT | Open Source |
| [Syft](https://github.com/anchore/syft) | <ul><li>**SBOM Creation**: Builds SBOMs for containers, files, and cloud artifacts.</li><li>**Multiple Formats**: Supports SPDX and CycloneDX.</li><li>**Ecosystem Integration**: Compatible with Anchore's other tools for security analysis.</li></ul> | Apache-2.0 | Open Source |
| [ScanCode Toolkit](https://github.com/nexB/scancode-toolkit) | <ul><li>**License Detection**: Scans for open-source licenses and copyrights.</li><li>**Component Identification**: Identifies components, vulnerabilities, and origin data.</li><li>**Customizable**: Extensible with plugins and tailored scanning options.</li></ul> | Apache-2.0 | Open Source |
| [SCANOSS](https://www.scanoss.com) | <ul><li>**Real-Time Scanning**: Detects open-source components during development.</li><li>**Comprehensive Detection**: Uses an extensive database for accurate results.</li><li>**APIs for Integration**: Offers APIs for workflow integration.</li></ul> | Proprietary | Free, $35K/year, Custom |
| [Vigilant Ops](https://www.vigilant-ops.com) | <ul><li>**SBOM Management**: Manages and tracks SBOMs for transparency.</li><li>**Vulnerability Analysis**: Identifies risks in software components.</li><li>**Compliance Tools**: Ensures adherence to industry standards.</li></ul> | Proprietary | Unknown |
| [Threatrix](https://threatrix.io) | <ul><li>**SCA Analysis**: Monitors and analyzes software components.</li><li>**Real-Time Updates**: Detects emerging vulnerabilities.</li><li>**Detailed Reporting**: Helps manage security and compliance risks.</li></ul> | Proprietary | Unknown |
| [Black Duck](https://www.blackduck.com) | <ul><li>**Component Insights**: Tracks open-source licenses and vulnerabilities.</li><li>**Policy Automation**: Creates and enforces usage policies.</li><li>**Continuous Monitoring**: Monitors for new threats and compliance issues.</li></ul> | Proprietary | Unknown |
| [OSS Review Toolkit](https://oss-review-toolkit.org) | <ul><li>**Dependency Scanning**: Automates open-source dependency analysis.</li><li>**Policy Evaluation**: Ensures compliance with organizational policies.</li><li>**CI/CD Integration**: Fits into existing pipelines.</li></ul> | Apache-2.0 | Open Source |
| [Manifest](https://www.manifestcyber.com) | <ul><li>**SBOM Tools**: Manages and generates SBOMs for software.</li><li>**Vulnerability Scans**: Identifies risks in the supply chain.</li><li>**Compliance Support**: Helps meet regulatory standards.</li></ul> | Proprietary | Unknown |
| [Lib4SBOM](https://github.com/anthonyharrison/lib4sbom) | <ul><li>**Library for SBOMs**: Simplifies SBOM creation in various formats.</li><li>**Standard Support**: Compatible with SPDX and CycloneDX.</li><li>**Development Friendly**: Easy integration with workflows.</li></ul> | Apache-2.0 | Open Source |
| [GUAC](https://guac.sh) | <ul><li>**SBOM Aggregation**: Consolidates SBOMs into a unified graph.</li><li>**Provenance Tracking**: Tracks the origin of software components.</li><li>**Querying**: Provides deep insights into dependencies.</li></ul> | Apache-2.0 | Open Source |
| [FOSSology](https://www.fossology.org) | <ul><li>**License Scanning**: Detects and analyzes software licenses.</li><li>**Metadata Extraction**: Extracts copyright and component details.</li><li>**Custom Workflows**: Supports flexible compliance processes.</li></ul> | GPL-2.0 / LGPL-2.1 | Open Source |
| [DISTRO2SBOM](https://github.com/anthonyharrison/distro2sbom) | <ul><li>**Distribution Focused**: Creates SBOMs for Linux distributions.</li><li>**Comprehensive Scans**: Analyzes all installed packages.</li><li>**Standards Compatible**: Supports SPDX and CycloneDX formats.</li></ul> | Apache-2.0 | Open Source |
| [CycloneDX](https://github.com/CycloneDX) | <ul><li>**SBOM Standard**: Defines a standardized SBOM format.</li><li>**Extensive Tooling**: Libraries and tools for CycloneDX SBOMs.</li><li>**Broad Adoption**: Industry-standard for supply chain transparency.</li></ul> | Apache-2.0 | Open Source |
| [CAST SBOM Manager](https://www.castsoftware.com/sbommanager) | <ul><li>**Centralized Management**: Manages SBOMs from various tools.</li><li>**Vulnerability Tracking**: Monitors components for security issues.</li><li>**Compliance Features**: Generates reports for regulatory requirements.</li></ul> | Proprietary | Free |
| [Dependency Track](https://dependencytrack.org) | <ul><li>**Continuous Analysis**: Analyzes SBOMs for vulnerabilities.</li><li>**Ecosystem Integration**: Works with CycloneDX SBOMs.</li><li>**Comprehensive Monitoring**: Tracks components for new risks.</li></ul> | Apache-2.0 | Open Source |
| [Trivy](https://trivy.dev) | <ul><li>**Vulnerability Scanning**: Scans containers, dependencies, and code.</li><li>**SBOM Support**: Generates and analyzes SBOMs.</li><li>**Broad Compatibility**: Works across multiple platforms and CI/CD tools.</li></ul> | Apache-2.0 | Open Source |
| [Parlay](https://github.com/snyk/parlay) | <ul><li>**SBOM Enhancements**: Improves and consolidates SBOM data.</li><li>**Integration Ready**: Supports Snyk tools and others.</li><li>**Scalability**: Handles large-scale SBOMs efficiently.</li></ul> | Apache-2.0 | Open Source |
| [Finite State](https://finitestate.io) | <ul><li>**SBOM Automation**: Automates SBOM creation and management.</li><li>**Vulnerability Analysis**: Identifies and mitigates risks.</li><li>**Compliance Features**: Meets regulatory requirements.</li></ul> | Proprietary | Unknown |
| [Checkmarx](https://checkmarx.com/product/sbom/) | <ul><li>**SBOM Creation**: Generates SBOMs with detailed component analysis.</li><li>**Security Focus**: Prioritizes identifying vulnerabilities.</li><li>**Policy Compliance**: Ensures adherence to internal policies.</li></ul> | Proprietary | Unknown |
| [Qwiet](https://qwiet.ai) | <ul><li>**Real-Time Scans**: Monitors open-source components during CI/CD.</li><li>**AI-Driven Analysis**: Leverages AI for threat detection.</li><li>**Comprehensive Reporting**: Details vulnerabilities and compliance.</li></ul> | Proprietary | Unknown |
| [Snyk](https://snyk.io) | <ul><li>**SBOM Support**: Integrates SBOM generation with its security tools.</li><li>**Vulnerability Scans**: Identifies threats in open-source and proprietary code.</li><li>**Policy Compliance**: Assists in maintaining secure supply chains.</li></ul> | Proprietary | Unknown |
| [SBOM Observer](https://sbom.observer) | <ul><li>**Visualization**: Visualizes SBOM data for better understanding.</li><li>**Collaboration**: Designed for team use with access controls.</li><li>**Multi-Tier Plans**: Offers flexible subscription options.</li></ul> | Proprietary | €49/user/month, €69/user/month, Custom |
| [SOOS](https://soos.io) | <ul><li>**Affordable Security**: Provides low-cost vulnerability analysis.</li><li>**SBOM Tools**: Creates and manages SBOMs efficiently.</li><li>**Developer Focus**: Tailored for small to medium teams.</li></ul> | Proprietary | $0/month, $90/month, Custom |

## Testing & Evaluation

| Name and Link | Result |
| ------------- | ------ |
| [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool) | Simple and easy to install and use. Very good result. Every package recognized, including license and vulnerability information. With the [SBOM Tool Azure DevOps Extension](https://marketplace.visualstudio.com/items?itemName=rhyskoedijk.sbom-tool) the result is also rendered graphically, directly integrated in the pipeline log. |
| [Syft](https://github.com/anchore/syft) | Simple and easy to install and use. Poor result. Packages not recognized, only binaries. Multiple duplicates. Difficult to evaluate the result. No license information. No graphical processing provided. |
| [ScanCode Toolkit](https://github.com/nexB/scancode-toolkit) | Simple and easy to install and use. Poor result. Packages not recognized, only binaries. No license or vulnerability information. Difficult to evaluate the result. Graphical processing only via an external tool. |

Further tests are therefore carried out with [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool).

## Pipeline Templates

With the [SBOM Tool Azure DevOps Extension](https://marketplace.visualstudio.com/items?itemName=rhyskoedijk.sbom-tool) the tool can be called as a single pipeline task that already exposes all required parameters. Therefore no separate template is required.

## Documentation

### Install Extension

Appropriate permissions or an authorization are required for the installation of the [SBOM Tool Azure DevOps Extension](https://marketplace.visualstudio.com/items?itemName=rhyskoedijk.sbom-tool).

### Use in pipeline

After installation, a task in the pipeline can look like the following example:

```yaml
- task: sbom-tool@1
  displayName: 'Generate SBOM Manifest'
  inputs:
    command: 'generate'
    buildSourcePath: '$(Build.SourcesDirectory)'
    buildArtifactPath: '$(Build.ArtifactStagingDirectory)'
    enableManifestSpreadsheetGeneration: true
    enableManifestGraphGeneration: true
    enablePackageMetadataParsing: true
    fetchLicenseInformation: true
    fetchSecurityAdvisories: true
    gitHubConnection: 'GitHubForSandbox'
    packageSupplier: 'MyOrganisation'
    packageName: 'MyPackage'
    packageVersion: '$(Build.BuildNumber)'
```

A complete example:

```yaml
jobs:
- job: publish
  steps:
  - task: DotNetCoreCLI@2
    displayName: 'Publish project'
    inputs:
      command: 'publish'
      publishWebProjects: true
      arguments: '--output "$(Build.ArtifactStagingDirectory)"'

  - task: sbom-tool@1
    displayName: 'Generate project SBOM manifest'
    inputs:
      command: 'generate'
      buildSourcePath: '$(Build.SourcesDirectory)'
      buildArtifactPath: '$(Build.ArtifactStagingDirectory)'
      enableManifestSpreadsheetGeneration: true
      enableManifestGraphGeneration: true
      enablePackageMetadataParsing: true
      fetchLicenseInformation: true
      fetchSecurityAdvisories: true
      gitHubConnection: 'GitHub Advisory Database Connection'
      packageSupplier: 'MyOrganisation'
      packageName: 'MyPackage'
      packageVersion: '$(Build.BuildNumber)'

  - task: PublishBuildArtifacts@1
    displayName: 'Publish artifacts'
    inputs:
      PathtoPublish: '$(Build.ArtifactStagingDirectory)'
      ArtifactName: 'drop'
      publishLocation: 'Container'
```
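
The acceptance criteria ask for SBOM validation and for license and CVE metadata in the manifest. The following script is an added example (not part of this page, of sbom-tool or of the extension) that gates a build on the SPDX 2.2 JSON manifest the generate task produces; it assumes the manifest is found at `_manifest/spdx_2.2/manifest.spdx.json` below the artifact path, that fetched advisories appear as `SECURITY` external references, and its embedded document is a constructed sample.

```python
"""Policy gate over an SPDX 2.2 JSON manifest as written by sbom-tool
(assumed path: <buildArtifactPath>/_manifest/spdx_2.2/manifest.spdx.json).
Added example for this page, not part of sbom-tool or the extension."""
import json
import sys

# Constructed sample document; the advisory URL is a placeholder, not a real reference.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "name": "MyPackage 1.0",
    "documentDescribes": ["SPDXRef-RootPackage"],
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "MyPackage",
         "versionInfo": "1.0", "licenseConcluded": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-A", "name": "Newtonsoft.Json",
         "versionInfo": "13.0.3", "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:nuget/Newtonsoft.Json@13.0.3"}]},
        {"SPDXID": "SPDXRef-Package-B", "name": "Some.Lib",
         "versionInfo": "1.2.0", "licenseConcluded": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "SECURITY",
                           "referenceType": "advisory",
                           "referenceLocator": "https://example.invalid/ADVISORY-PLACEHOLDER"}]},
    ],
})


def evaluate(spdx_json: str) -> list[str]:
    """One finding per policy violation; an empty list means the gate passes.
    Every dependency must have a concluded license, a purl (so Dependency-Track
    and similar consumers can identify it) and no attached security advisory.
    The root package listed in documentDescribes is the build itself and is skipped."""
    doc = json.loads(spdx_json)
    roots = set(doc.get("documentDescribes", []))
    findings = []
    for pkg in doc.get("packages", []):
        if pkg.get("SPDXID") in roots:
            continue
        ident = f"{pkg.get('name')}@{pkg.get('versionInfo', '?')}"
        refs = pkg.get("externalRefs", [])
        if pkg.get("licenseConcluded", "NOASSERTION") in ("NOASSERTION", "NONE"):
            findings.append(f"{ident}: no concluded license")
        if not any(r.get("referenceType") == "purl" for r in refs):
            findings.append(f"{ident}: no purl identifier")
        for r in refs:
            if r.get("referenceCategory") == "SECURITY":
                findings.append(f"{ident}: advisory {r.get('referenceLocator')}")
    return findings


if __name__ == "__main__":
    # Usage: python sbom_gate.py [manifest.spdx.json]; exit code 1 fails the pipeline step.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SPDX
    problems = evaluate(text)
    print("\n".join(problems) or "SBOM policy gate passed")
    sys.exit(1 if problems else 0)
```

Run it as a script step after the `sbom-tool@1` task with the manifest path as argument; the non-zero exit code fails the job when a dependency lacks a license or carries an advisory.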

## Training and Adoption

Possible webinars:

- https://jfrog.com/webinar/creation-of-your-software-bill-of-materials-sbom/
- https://www.mend.io/resources/webinars/sboms-a-critical-tool-for-modern-organizations/
- https://www.medcrypt.com/private/webinars-conferences/i-have-an-sbom-now-what
- https://openchainproject.org/news/2024/10/01/coming-soon-webinar-on-sbom-visualization
- https://www.cybeats.com/blog/5-key-takeaways-from-microsoft-and-googles-webinar-on-sbom