jambor.pro/docs-onboarding
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
docs-onboarding/sbom.md
Christian Fravi eb00298994 update: Further suppliers added.
2025-01-14 14:52:08 +01:00

4.2 KiB
Raw Blame History

Software Bill of Material (SBOM)

Work order

Description

When: evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,

As: a DevSecOps Engineer Team Lead,

I want:

  • To conduct a market overview of available SBOM tools.
  • Test and evaluate SBOM solutions through demos within our Azure DevOps environment.
  • Build and document reusable pipeline templates for SBOM generation and validation.

This ensures:

  • Compliance with increasing customer demands for SBOM capabilities.
  • Streamlined implementation of SBOM generation in our DevOps pipelines.
  • Improved security and transparency of our software supply chain. (insofern wir selber Software bereitstellen)

Acceptance Criteria

  1. Market Overview:

    • A comprehensive list of SBOM tools and their key features, including license and approx costs (free, open source, payed, enterprise size costs > kostenlos, vertretbar, arschteuer)
    • git repo docs-onboarding, neue sbom.md datei

  2. Testing & Evaluation:

    • Successful deployment and execution of SBOM tools in our Azure DevOps environment.
    • Demos conducted for at least 3 shortlisted SBOM solutions.

  3. Pipeline Templates:

    • Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
    • Inclusion of relevant metadata, such as Licenses, CVEs etc.
    • git repo cicd-pipeline-library, new sub-folder "sbom", ment-bold.yml verschieben in den neuen Ordner

  4. Documentation:

    • Step-by-step guide for integrating selected SBOM tools in Azure DevOps pipelines alongside cicd template
    • Example configurations if possible

  5. Training and Adoption:

    • Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > schau mal, ob du 2 oder 3 Webinars findest, die sinnvoll sind und an denen wir teilnehmen können
    • Internal presentation summarizing findings and providing guidance for SBOM adoption > Präsentation bei einer der kommenden XWare GLs im Bereich Know How zu Beginn

Market Overview

Most used from this list: https://spdx.dev/use/spdx-tools/

Name and Link Key Features License Approx Costs
Microsofts SBOM Tool tbd MIT Open Source
Syft tbd Apache-2.0 Open Source
ScanCode toolkit tbd Apache-2.0 Open Source
SCANOSS tbd Proprietary Free, 35K per Year, Custom
Vigilant Ops tbd Proprietary Unknown
Threatrix tbd Proprietary Unknown
Black Duck tbd Proprietary Unknown
OSS Review Toolkit tbd Apache-2.0 Open Source
Manifest tbd Proprietary Unknown
Lib4SBOM tbd Apache-2.0 Open Source
GUAC tbd Apache-2.0 Open Source
FOSSology tbd GPL-2.0 / LGPL-2.1 Open Source
DISTRO2SBOM tbd Apache-2.0 Open Source
CycloneDX tbd Apache-2.0 Open Source
CAST SBOM Manager tbd Proprietary Free
Dependency Track tbd Apache-2.0 Open Source
Trivy tbd Apache-2.0 Open Source
Parlay tbd Apache-2.0 Open Source
Finite State tbd Proprietary Unknown
Checkmarx tbd Proprietary Unknown
Anchore tbd Proprietary Unknown
Qwiet tbd Proprietary Unknown
Snyk tbd Proprietary Unknown
SBOM Observer tbd Proprietary 49 EUR/user/month, 69 EUR/user/month, Custom
SOOS tbd Proprietary $0/month, $90/month, Custom