docs-onboarding/sbom.md

Software Bill of Material (SBOM)

Work order

Description

When: evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,

As: a DevSecOps Engineer Team Lead,

I want:

• To conduct a market overview of available SBOM tools.
• Test and evaluate SBOM solutions through demos within our Azure DevOps environment.
• Build and document reusable pipeline templates for SBOM generation and validation.

This ensures:

• Compliance with increasing customer demands for SBOM capabilities.
• Streamlined implementation of SBOM generation in our DevOps pipelines.
• Improved security and transparency of our software supply chain. (insofern wir selber Software bereitstellen)

Acceptance Criteria

1. Market Overview:

   • A comprehensive list of SBOM tools and their key features, including license and approx costs (free, open source, payed, enterprise size costs > kostenlos, vertretbar, arschteuer)
   • git repo docs-onboarding, neue sbom.md datei

2. Testing & Evaluation:

   • Successful deployment and execution of SBOM tools in our Azure DevOps environment.
   • Demos conducted for at least 3 shortlisted SBOM solutions.

3. Pipeline Templates:

   • Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
   • Inclusion of relevant metadata, such as Licenses, CVEs etc.
   • git repo cicd-pipeline-library, new sub-folder "sbom", ment-bold.yml verschieben in den neuen Ordner

4. Documentation:

   • Step-by-step guide for integrating selected SBOM tools in Azure DevOps pipelines alongside cicd template
   • Example configurations if possible

5. Training and Adoption:

   • Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > schau mal, ob du 2 oder 3 Webinars findest, die sinnvoll sind und an denen wir teilnehmen können
   • Internal presentation summarizing findings and providing guidance for SBOM adoption > Präsentation bei einer der kommenden XWare GLs im Bereich Know How zu Beginn

Market Overview

Most used from this list: https://spdx.dev/use/spdx-tools/

Name and Link	Key Features	License	Approx Costs
Microsoft's SBOM Tool	SBOM Generation: Scans source folders for dependencies and generates SBOMs. CI/CD Integration: Seamless integration with GitHub Actions and Azure DevOps. Validation: Validates SBOMs and redacts sensitive data.	MIT	Open Source
Syft	SBOM Creation: Builds SBOMs for containers, files, and cloud artifacts. Multiple Formats: Supports SPDX and CycloneDX. Ecosystem Integration: Compatible with Anchore's other tools for security analysis.	Apache-2.0	Open Source
ScanCode Toolkit	License Detection: Scans for open-source licenses and copyrights. Component Identification: Identifies components, vulnerabilities, and origin data. Customizable: Extensible with plugins and tailored scanning options.	Apache-2.0	Open Source
SCANOSS	Real-Time Scanning: Detects open-source components during development. Comprehensive Detection: Uses an extensive database for accurate results. APIs for Integration: Offers APIs for workflow integration.	Proprietary	Free, $35K/year, Custom
Vigilant Ops	SBOM Management: Manages and tracks SBOMs for transparency. Vulnerability Analysis: Identifies risks in software components. Compliance Tools: Ensures adherence to industry standards.	Proprietary	Unknown
Threatrix	SCA Analysis: Monitors and analyzes software components. Real-Time Updates: Detects emerging vulnerabilities. Detailed Reporting: Helps manage security and compliance risks.	Proprietary	Unknown
Black Duck	Component Insights: Tracks open-source licenses and vulnerabilities. Policy Automation: Creates and enforces usage policies. Continuous Monitoring: Monitors for new threats and compliance issues.	Proprietary	Unknown
OSS Review Toolkit	Dependency Scanning: Automates open-source dependency analysis. Policy Evaluation: Ensures compliance with organizational policies. CI/CD Integration: Fits into existing pipelines.	Apache-2.0	Open Source
Manifest	SBOM Tools: Manages and generates SBOMs for software. Vulnerability Scans: Identifies risks in the supply chain. Compliance Support: Helps meet regulatory standards.	Proprietary	Unknown
Lib4SBOM	Library for SBOMs: Simplifies SBOM creation in various formats. Standard Support: Compatible with SPDX and CycloneDX. Development Friendly: Easy integration with workflows.	Apache-2.0	Open Source
GUAC	SBOM Aggregation: Consolidates SBOMs into a unified graph. Provenance Tracking: Tracks the origin of software components. Querying: Provides deep insights into dependencies.	Apache-2.0	Open Source
FOSSology	License Scanning: Detects and analyzes software licenses. Metadata Extraction: Extracts copyright and component details. Custom Workflows: Supports flexible compliance processes.	GPL-2.0 / LGPL-2.1	Open Source
DISTRO2SBOM	Distribution Focused: Creates SBOMs for Linux distributions. Comprehensive Scans: Analyzes all installed packages. Standards Compatible: Supports SPDX and CycloneDX formats.	Apache-2.0	Open Source
CycloneDX	SBOM Standard: Defines a standardized SBOM format. Extensive Tooling: Libraries and tools for CycloneDX SBOMs. Broad Adoption: Industry-standard for supply chain transparency.	Apache-2.0	Open Source
CAST SBOM Manager	Centralized Management: Manages SBOMs from various tools. Vulnerability Tracking: Monitors components for security issues. Compliance Features: Generates reports for regulatory requirements.	Proprietary	Free
Dependency Track	Continuous Analysis: Analyzes SBOMs for vulnerabilities. Ecosystem Integration: Works with CycloneDX SBOMs. Comprehensive Monitoring: Tracks components for new risks.	Apache-2.0	Open Source
Trivy	Vulnerability Scanning: Scans containers, dependencies, and code. SBOM Support: Generates and analyzes SBOMs. Broad Compatibility: Works across multiple platforms and CI/CD tools.	Apache-2.0	Open Source
Parlay	SBOM Enhancements: Improves and consolidates SBOM data. Integration Ready: Supports Snyk tools and others. Scalability: Handles large-scale SBOMs efficiently.	Apache-2.0	Open Source
Finite State	SBOM Automation: Automates SBOM creation and management. Vulnerability Analysis: Identifies and mitigates risks. Compliance Features: Meets regulatory requirements.	Proprietary	Unknown
Checkmarx	SBOM Creation: Generates SBOMs with detailed component analysis. Security Focus: Prioritizes identifying vulnerabilities. Policy Compliance: Ensures adherence to internal policies.	Proprietary	Unknown
Qwiet	Real-Time Scans: Monitors open-source components during CI/CD. AI-Driven Analysis: Leverages AI for threat detection. Comprehensive Reporting: Details vulnerabilities and compliance.	Proprietary	Unknown
Snyk	SBOM Support: Integrates SBOM generation with its security tools. Vulnerability Scans: Identifies threats in open-source and proprietary code. Policy Compliance: Assists in maintaining secure supply chains.	Proprietary	Unknown
SBOM Observer	Visualization: Visualizes SBOM data for better understanding. Collaboration: Designed for team use with access controls. Multi-Tier Plans: Offers flexible subscription options	Proprietary	€49/user/month, €69/user/month, Custom
SOOS	Affordable Security: Provides low-cost vulnerability analysis. SBOM Tools: Creates and manages SBOMs efficiently. Developer Focus: Tailored for small to medium teams.	Proprietary	$0/month, $90/month, Custom