jambor.pro/docs-onboarding
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
docs-onboarding/sbom.md
Christian Fravi 0e57c789fa update: Test results, template and documentation.
2025-01-17 15:51:23 +01:00

10 KiB
Raw Blame History

Software Bill of Material (SBOM)

Work order

Description

When: evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,

As: a DevSecOps Engineer Team Lead,

I want:

  • To conduct a market overview of available SBOM tools.
  • Test and evaluate SBOM solutions through demos within our Azure DevOps environment.
  • Build and document reusable pipeline templates for SBOM generation and validation.

This ensures:

  • Compliance with increasing customer demands for SBOM capabilities.
  • Streamlined implementation of SBOM generation in our DevOps pipelines.
  • Improved security and transparency of our software supply chain. (insofern wir selber Software bereitstellen)

Acceptance Criteria

  1. Market Overview:

    • A comprehensive list of SBOM tools and their key features, including license and approx costs (free, open source, payed, enterprise size costs > kostenlos, vertretbar, arschteuer)
    • git repo docs-onboarding, neue sbom.md datei

  2. Testing & Evaluation:

    • Successful deployment and execution of SBOM tools in our Azure DevOps environment.
    • Demos conducted for at least 3 shortlisted SBOM solutions.

  3. Pipeline Templates:

    • Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
    • Inclusion of relevant metadata, such as Licenses, CVEs etc.
    • git repo cicd-pipeline-library, new sub-folder "sbom", ment-bold.yml verschieben in den neuen Ordner

  4. Documentation:

    • Step-by-step guide for integrating selected SBOM tools in Azure DevOps pipelines alongside cicd template
    • Example configurations if possible

  5. Training and Adoption:

    • Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > schau mal, ob du 2 oder 3 Webinars findest, die sinnvoll sind und an denen wir teilnehmen können
    • Internal presentation summarizing findings and providing guidance for SBOM adoption > Präsentation bei einer der kommenden XWare GLs im Bereich Know How zu Beginn

Market Overview

Most used from this list: https://spdx.dev/use/spdx-tools/

Name and Link Key Features License Approx Costs
Microsoft's SBOM Tool
  • SBOM Generation: Scans source folders for dependencies and generates SBOMs.
  • CI/CD Integration: Seamless integration with GitHub Actions and Azure DevOps.
  • Validation: Validates SBOMs and redacts sensitive data.
 MIT Open Source
Syft
  • SBOM Creation: Builds SBOMs for containers, files, and cloud artifacts.
  • Multiple Formats: Supports SPDX and CycloneDX.
  • Ecosystem Integration: Compatible with Anchore's other tools for security analysis.
 Apache-2.0 Open Source
ScanCode Toolkit
  • License Detection: Scans for open-source licenses and copyrights.
  • Component Identification: Identifies components, vulnerabilities, and origin data.
  • Customizable: Extensible with plugins and tailored scanning options.
 Apache-2.0 Open Source
SCANOSS
  • Real-Time Scanning: Detects open-source components during development.
  • Comprehensive Detection: Uses an extensive database for accurate results.
  • APIs for Integration: Offers APIs for workflow integration.
 Proprietary Free, $35K/year, Custom
Vigilant Ops
  • SBOM Management: Manages and tracks SBOMs for transparency.
  • Vulnerability Analysis: Identifies risks in software components.
  • Compliance Tools: Ensures adherence to industry standards.
 Proprietary Unknown
Threatrix
  • SCA Analysis: Monitors and analyzes software components.
  • Real-Time Updates: Detects emerging vulnerabilities.
  • Detailed Reporting: Helps manage security and compliance risks.
 Proprietary Unknown
Black Duck
  • Component Insights: Tracks open-source licenses and vulnerabilities.
  • Policy Automation: Creates and enforces usage policies.
  • Continuous Monitoring: Monitors for new threats and compliance issues.
 Proprietary Unknown
OSS Review Toolkit
  • Dependency Scanning: Automates open-source dependency analysis.
  • Policy Evaluation: Ensures compliance with organizational policies.
  • CI/CD Integration: Fits into existing pipelines.
 Apache-2.0 Open Source
Manifest
  • SBOM Tools: Manages and generates SBOMs for software.
  • Vulnerability Scans: Identifies risks in the supply chain.
  • Compliance Support: Helps meet regulatory standards.
 Proprietary Unknown
Lib4SBOM
  • Library for SBOMs: Simplifies SBOM creation in various formats.
  • Standard Support: Compatible with SPDX and CycloneDX.
  • Development Friendly: Easy integration with workflows.
 Apache-2.0 Open Source
GUAC
  • SBOM Aggregation: Consolidates SBOMs into a unified graph.
  • Provenance Tracking: Tracks the origin of software components.
  • Querying: Provides deep insights into dependencies.
 Apache-2.0 Open Source
FOSSology
  • License Scanning: Detects and analyzes software licenses.
  • Metadata Extraction: Extracts copyright and component details.
  • Custom Workflows: Supports flexible compliance processes.
 GPL-2.0 / LGPL-2.1 Open Source
DISTRO2SBOM
  • Distribution Focused: Creates SBOMs for Linux distributions.
  • Comprehensive Scans: Analyzes all installed packages.
  • Standards Compatible: Supports SPDX and CycloneDX formats.
 Apache-2.0 Open Source
CycloneDX
  • SBOM Standard: Defines a standardized SBOM format.
  • Extensive Tooling: Libraries and tools for CycloneDX SBOMs.
  • Broad Adoption: Industry-standard for supply chain transparency.
 Apache-2.0 Open Source
CAST SBOM Manager
  • Centralized Management: Manages SBOMs from various tools.
  • Vulnerability Tracking: Monitors components for security issues.
  • Compliance Features: Generates reports for regulatory requirements.
 Proprietary Free
Dependency Track
  • Continuous Analysis: Analyzes SBOMs for vulnerabilities.
  • Ecosystem Integration: Works with CycloneDX SBOMs.
  • Comprehensive Monitoring: Tracks components for new risks.
 Apache-2.0 Open Source
Trivy
  • Vulnerability Scanning: Scans containers, dependencies, and code.
  • SBOM Support: Generates and analyzes SBOMs.
  • Broad Compatibility: Works across multiple platforms and CI/CD tools.
 Apache-2.0 Open Source
Parlay
  • SBOM Enhancements: Improves and consolidates SBOM data.
  • Integration Ready: Supports Snyk tools and others.
  • Scalability: Handles large-scale SBOMs efficiently.
 Apache-2.0 Open Source
Finite State
  • SBOM Automation: Automates SBOM creation and management.
  • Vulnerability Analysis: Identifies and mitigates risks.
  • Compliance Features: Meets regulatory requirements.
 Proprietary Unknown
Checkmarx
  • SBOM Creation: Generates SBOMs with detailed component analysis.
  • Security Focus: Prioritizes identifying vulnerabilities.
  • Policy Compliance: Ensures adherence to internal policies.
 Proprietary Unknown
Qwiet
  • Real-Time Scans: Monitors open-source components during CI/CD.
  • AI-Driven Analysis: Leverages AI for threat detection.
  • Comprehensive Reporting: Details vulnerabilities and compliance.
 Proprietary Unknown
Snyk
  • SBOM Support: Integrates SBOM generation with its security tools.
  • Vulnerability Scans: Identifies threats in open-source and proprietary code.
  • Policy Compliance: Assists in maintaining secure supply chains.
 Proprietary Unknown
SBOM Observer
  • Visualization: Visualizes SBOM data for better understanding.
  • Collaboration: Designed for team use with access controls.
  • Multi-Tier Plans: Offers flexible subscription options
 Proprietary €49/user/month, €69/user/month, Custom
SOOS
  • Affordable Security: Provides low-cost vulnerability analysis.
  • SBOM Tools: Creates and manages SBOMs efficiently.
  • Developer Focus: Tailored for small to medium teams.
 Proprietary $0/month, $90/month, Custom

Testing & Evaluation

Name and Link Result
Microsoft's SBOM Tool Simple and easy to install and use. Very good result. Every package recognized including licenses and vulnerabilities information. With SBOM Tool Azure DevOps Extension very nice graphical processing what is directly integradted in pipline log.
Syft Simple and easy to install and use. Poor result. Packages not recognized but binaries. Multiple duplicates. Difficult to evaluate the result. No license information. No graphical processing provided.
ScanCode Toolkit Simple and easy to install and use. Poor result. Packages not recognized but binaries. No licenses and vulnerabilities information. Difficult to evaluate the result. Graphical processing provided with external tool.

Further tests are therefore carried out with Microsoft's SBOM Tool.