jambor.pro/docs-onboarding
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
docs-onboarding/sbom.md
Christian Fravi 7f46aa2a70 update: Key features added.
2025-01-14 16:36:28 +01:00

12 KiB
Raw Blame History

Software Bill of Material (SBOM)

Work order

Description

When: evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,

As: a DevSecOps Engineer Team Lead,

I want:

  • To conduct a market overview of available SBOM tools.
  • Test and evaluate SBOM solutions through demos within our Azure DevOps environment.
  • Build and document reusable pipeline templates for SBOM generation and validation.

This ensures:

  • Compliance with increasing customer demands for SBOM capabilities.
  • Streamlined implementation of SBOM generation in our DevOps pipelines.
  • Improved security and transparency of our software supply chain. (insofern wir selber Software bereitstellen)

Acceptance Criteria

  1. Market Overview:

    • A comprehensive list of SBOM tools and their key features, including license and approx costs (free, open source, payed, enterprise size costs > kostenlos, vertretbar, arschteuer)
    • git repo docs-onboarding, neue sbom.md datei

  2. Testing & Evaluation:

    • Successful deployment and execution of SBOM tools in our Azure DevOps environment.
    • Demos conducted for at least 3 shortlisted SBOM solutions.

  3. Pipeline Templates:

    • Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
    • Inclusion of relevant metadata, such as Licenses, CVEs etc.
    • git repo cicd-pipeline-library, new sub-folder "sbom", ment-bold.yml verschieben in den neuen Ordner

  4. Documentation:

    • Step-by-step guide for integrating selected SBOM tools in Azure DevOps pipelines alongside cicd template
    • Example configurations if possible

  5. Training and Adoption:

    • Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > schau mal, ob du 2 oder 3 Webinars findest, die sinnvoll sind und an denen wir teilnehmen können
    • Internal presentation summarizing findings and providing guidance for SBOM adoption > Präsentation bei einer der kommenden XWare GLs im Bereich Know How zu Beginn

Market Overview

Most used from this list: https://spdx.dev/use/spdx-tools/

Name and Link Key Features License Approx Costs
Microsofts SBOM Tool tbd MIT Open Source
Syft tbd Apache-2.0 Open Source
ScanCode toolkit tbd Apache-2.0 Open Source
SCANOSS tbd Proprietary Free, 35K per Year, Custom
Vigilant Ops tbd Proprietary Unknown
Threatrix tbd Proprietary Unknown
Black Duck tbd Proprietary Unknown
OSS Review Toolkit tbd Apache-2.0 Open Source
Manifest tbd Proprietary Unknown
Lib4SBOM tbd Apache-2.0 Open Source
GUAC tbd Apache-2.0 Open Source
FOSSology tbd GPL-2.0 / LGPL-2.1 Open Source
DISTRO2SBOM tbd Apache-2.0 Open Source
CycloneDX tbd Apache-2.0 Open Source
CAST SBOM Manager tbd Proprietary Free
Dependency Track tbd Apache-2.0 Open Source
Trivy tbd Apache-2.0 Open Source
Parlay tbd Apache-2.0 Open Source
Finite State tbd Proprietary Unknown
Checkmarx tbd Proprietary Unknown
Anchore tbd Proprietary Unknown
Qwiet tbd Proprietary Unknown
Snyk tbd Proprietary Unknown
SBOM Observer tbd Proprietary 49 EUR/user/month, 69 EUR/user/month, Custom
SOOS tbd Proprietary $0/month, $90/month, Custom
Name and Link Key Features License Approx Costs
Microsoft's SBOM Tool
  • SBOM Generation: Scans source folders for dependencies and generates SBOMs.
  • CI/CD Integration: Seamless integration with GitHub Actions and Azure DevOps.
  • Validation: Validates SBOMs and redacts sensitive data.
 MIT Open Source
Syft
  • SBOM Creation: Builds SBOMs for containers, files, and cloud artifacts.
  • Multiple Formats: Supports SPDX and CycloneDX.
  • Ecosystem Integration: Compatible with Anchore's other tools for security analysis.
 Apache-2.0 Open Source
ScanCode Toolkit
  • License Detection: Scans for open-source licenses and copyrights.
  • Component Identification: Identifies components, vulnerabilities, and origin data.
  • Customizable: Extensible with plugins and tailored scanning options.
 Apache-2.0 Open Source
SCANOSS
  • Real-Time Scanning: Detects open-source components during development.
  • Comprehensive Detection: Uses an extensive database for accurate results.
  • APIs for Integration: Offers APIs for workflow integration.
 Proprietary Free, $35K/year, Custom
Vigilant Ops
  • SBOM Management: Manages and tracks SBOMs for transparency.
  • Vulnerability Analysis: Identifies risks in software components.
  • Compliance Tools: Ensures adherence to industry standards.
 Proprietary Unknown
Threatrix
  • SCA Analysis: Monitors and analyzes software components.
  • Real-Time Updates: Detects emerging vulnerabilities.
  • Detailed Reporting: Helps manage security and compliance risks.
 Proprietary Unknown
Black Duck
  • Component Insights: Tracks open-source licenses and vulnerabilities.
  • Policy Automation: Creates and enforces usage policies.
  • Continuous Monitoring: Monitors for new threats and compliance issues.
 Proprietary Unknown
OSS Review Toolkit
  • Dependency Scanning: Automates open-source dependency analysis.
  • Policy Evaluation: Ensures compliance with organizational policies.
  • CI/CD Integration: Fits into existing pipelines.
 Apache-2.0 Open Source
Manifest
  • SBOM Tools: Manages and generates SBOMs for software.
  • Vulnerability Scans: Identifies risks in the supply chain.
  • Compliance Support: Helps meet regulatory standards.
 Proprietary Unknown
Lib4SBOM
  • Library for SBOMs: Simplifies SBOM creation in various formats.
  • Standard Support: Compatible with SPDX and CycloneDX.
  • Development Friendly: Easy integration with workflows.
 Apache-2.0 Open Source
GUAC
  • SBOM Aggregation: Consolidates SBOMs into a unified graph.
  • Provenance Tracking: Tracks the origin of software components.
  • Querying: Provides deep insights into dependencies.
 Apache-2.0 Open Source
FOSSology
  • License Scanning: Detects and analyzes software licenses.
  • Metadata Extraction: Extracts copyright and component details.
  • Custom Workflows: Supports flexible compliance processes.
 GPL-2.0 / LGPL-2.1 Open Source
DISTRO2SBOM
  • Distribution Focused: Creates SBOMs for Linux distributions.
  • Comprehensive Scans: Analyzes all installed packages.
  • Standards Compatible: Supports SPDX and CycloneDX formats.
 Apache-2.0 Open Source
CycloneDX
  • SBOM Standard: Defines a standardized SBOM format.
  • Extensive Tooling: Libraries and tools for CycloneDX SBOMs.
  • Broad Adoption: Industry-standard for supply chain transparency.
 Apache-2.0 Open Source
CAST SBOM Manager
  • Centralized Management: Manages SBOMs from various tools.
  • Vulnerability Tracking: Monitors components for security issues.
  • Compliance Features: Generates reports for regulatory requirements.
 Proprietary Free
Dependency Track
  • Continuous Analysis: Analyzes SBOMs for vulnerabilities.
  • Ecosystem Integration: Works with CycloneDX SBOMs.
  • Comprehensive Monitoring: Tracks components for new risks.
 Apache-2.0 Open Source
Trivy
  • Vulnerability Scanning: Scans containers, dependencies, and code.
  • SBOM Support: Generates and analyzes SBOMs.
  • Broad Compatibility: Works across multiple platforms and CI/CD tools.
 Apache-2.0 Open Source
Parlay
  • SBOM Enhancements: Improves and consolidates SBOM data.
  • Integration Ready: Supports Snyk tools and others.
  • Scalability: Handles large-scale SBOMs efficiently.
 Apache-2.0 Open Source
Finite State
  • SBOM Automation: Automates SBOM creation and management.
  • Vulnerability Analysis: Identifies and mitigates risks.
  • Compliance Features: Meets regulatory requirements.
 Proprietary Unknown
Checkmarx
  • SBOM Creation: Generates SBOMs with detailed component analysis.
  • Security Focus: Prioritizes identifying vulnerabilities.
  • Policy Compliance: Ensures adherence to internal policies.
 Proprietary Unknown
Qwiet
  • Real-Time Scans: Monitors open-source components during CI/CD.
  • AI-Driven Analysis: Leverages AI for threat detection.
  • Comprehensive Reporting: Details vulnerabilities and compliance.
 Proprietary Unknown
Snyk
  • SBOM Support: Integrates SBOM generation with its security tools.
  • Vulnerability Scans: Identifies threats in open-source and proprietary code.
  • Policy Compliance: Assists in maintaining secure supply chains.
 Proprietary Unknown
SBOM Observer
  • Visualization: Visualizes SBOM data for better understanding.
  • Collaboration: Designed for team use with access controls.
  • Multi-Tier Plans: Offers flexible subscription options
 Proprietary €49/user/month, €69/user/month, Custom
SOOS
  • Affordable Security: Provides low-cost vulnerability analysis.
  • SBOM Tools: Creates and manages SBOMs efficiently.
  • Developer Focus: Tailored for small to medium teams.
 Proprietary $0/month, $90/month, Custom