docs-onboarding/sbom.md
2025-01-14 14:52:08 +01:00


# Software Bill of Material (SBOM)
## Work order
### Description
**When:** evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,

**As:** a DevSecOps Engineer Team Lead,

**I want:**

- To conduct a market overview of available SBOM tools.
- To test and evaluate SBOM solutions through demos within our Azure DevOps environment.
- To build and document reusable pipeline templates for SBOM generation and validation.

**This ensures:**

- Compliance with increasing customer demands for SBOM capabilities.
- Streamlined implementation of SBOM generation in our DevOps pipelines.
- Improved security and transparency of our software supply chain (insofar as we provide software ourselves).
### Acceptance Criteria
1. Market Overview:
   - A comprehensive list of SBOM tools and their key features, including license and approximate costs (free, open source, paid, enterprise-scale costs > free, reasonable, outrageously expensive)
   - git repo docs-onboarding, new sbom.md file
2. Testing & Evaluation:
   - Successful deployment and execution of SBOM tools in our Azure DevOps environment.
   - Demos conducted for at least 3 shortlisted SBOM solutions.
3. Pipeline Templates:
   - Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
   - Inclusion of relevant metadata, such as licenses, CVEs etc.
   - git repo cicd-pipeline-library, new sub-folder "sbom", move ment-bold.yml into the new folder
4. Documentation:
   - Step-by-step guide for integrating the selected SBOM tools into Azure DevOps pipelines alongside the CI/CD template
   - Example configurations if possible
5. Training and Adoption:
   - Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > see whether you can find 2 or 3 webinars that are worthwhile and that we can attend
   - Internal presentation summarizing findings and providing guidance for SBOM adoption > presentation at one of the upcoming XWare GLs, in the Know-How slot at the start
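As a starting point for the validation step of the pipeline template (an added example, not a template from the cicd-pipeline-library or any of the listed tools): a Python gate that parses a CycloneDX JSON SBOM and fails on components without a purl, components with no or non-allow-listed licenses, and vulnerabilities above a severity threshold, which is the license/CVE metadata the criteria ask for. The sample SBOM, the license allow-list and the CVE id are constructed placeholders.

```python
import json

# Constructed CycloneDX 1.5 document (sample input, not a real project SBOM);
# the CVE id is a placeholder, not a real advisory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad",
         "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "bom-ref": "pkg:npm/foo@2.0.0", "name": "foo",
         "version": "2.0.0", "purl": "pkg:npm/foo@2.0.0"},   # no license declared
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-00001", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:npm/foo@2.0.0"}]},
    ],
})

SEVERITY_RANK = {"none": 0, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
ALLOWED_LICENSES = frozenset({"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"})  # hypothetical policy


def validate_sbom(text, max_severity="medium", allowed=ALLOWED_LICENSES):
    """Return a list of findings; an empty list means the SBOM passes the gate."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        return ["not a CycloneDX document"]
    findings = []
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or comp.get("name", "<unnamed>")
        if not comp.get("purl"):
            findings.append(f"{ref}: missing purl")
        # CycloneDX allows either {"license": {"id"/"name": ...}} or {"expression": "..."}
        ids = [e.get("expression") or e.get("license", {}).get("id")
               or e.get("license", {}).get("name") for e in comp.get("licenses", [])]
        if not ids:
            findings.append(f"{ref}: no license declared")
        for lic in ids:
            if lic not in allowed:
                findings.append(f"{ref}: license {lic!r} not on allow-list")
    limit = SEVERITY_RANK[max_severity]
    for vuln in bom.get("vulnerabilities", []):
        # take the worst rating attached to the vulnerability; unknown severities rank 0
        worst = max((SEVERITY_RANK.get(r.get("severity"), 0)
                     for r in vuln.get("ratings", [])), default=0)
        if worst > limit:
            refs = ", ".join(a.get("ref", "?") for a in vuln.get("affects", []))
            findings.append(f"{vuln.get('id')}: severity above {max_severity} (affects {refs})")
    return findings
```

In a pipeline step, a non-empty result from `validate_sbom` would fail the job; the threshold and allow-list are the knobs a template would expose as parameters.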
## Market Overview
The most widely used tools from this list: https://spdx.dev/use/spdx-tools/

| Name and Link | Key Features | License | Approx Costs |
| ------------- | ------------ | ------- | ------------ |
| [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool) | `tbd` | MIT | Open Source |
| [Syft](https://github.com/anchore/syft) | `tbd` | Apache-2.0 | Open Source |
| [ScanCode toolkit](https://github.com/aboutcode-org/scancode-toolkit) | `tbd` | Apache-2.0 | Open Source |
| [SCANOSS](https://www.scanoss.com) | `tbd` | Proprietary | Free, 35K per Year, Custom |
| [Vigilant Ops](https://www.vigilant-ops.com) | `tbd` | Proprietary | Unknown |
| [Threatrix](https://threatrix.io) | `tbd` | Proprietary | Unknown |
| [Black Duck](https://www.blackduck.com) | `tbd` | Proprietary | Unknown |
| [OSS Review Toolkit](https://oss-review-toolkit.org) | `tbd` | Apache-2.0 | Open Source |
| [Manifest](https://www.manifestcyber.com) | `tbd` | Proprietary | Unknown |
| [Lib4SBOM](https://github.com/anthonyharrison/lib4sbom) | `tbd` | Apache-2.0 | Open Source |
| [GUAC](https://guac.sh) | `tbd` | Apache-2.0 | Open Source |
| [FOSSology](https://www.fossology.org) | `tbd` | GPL-2.0 / LGPL-2.1 | Open Source |
| [DISTRO2SBOM](https://github.com/anthonyharrison/distro2sbom) | `tbd` | Apache-2.0 | Open Source |
| [CycloneDX](https://github.com/CycloneDX) | `tbd` | Apache-2.0 | Open Source |
| [CAST SBOM Manager](https://www.castsoftware.com/sbommanager) | `tbd` | Proprietary | Free |
| [Dependency Track](https://dependencytrack.org) | `tbd` | Apache-2.0 | Open Source |
| [Trivy](https://trivy.dev) | `tbd` | Apache-2.0 | Open Source |
| [Parlay](https://github.com/snyk/parlay) | `tbd` | Apache-2.0 | Open Source |
| [Finite State](https://finitestate.io) | `tbd` | Proprietary | Unknown |
| [Checkmarx](https://checkmarx.com/product/sbom/) | `tbd` | Proprietary | Unknown |
| [Anchore](https://anchore.com) | `tbd` | Proprietary | Unknown |
| [Qwiet](https://qwiet.ai) | `tbd` | Proprietary | Unknown |
| [Snyk](https://snyk.io) | `tbd` | Proprietary | Unknown |
| [SBOM Observer](https://sbom.observer) | `tbd` | Proprietary | 49 EUR/user/month, 69 EUR/user/month, Custom |
| [SOOS](https://soos.io) | `tbd` | Proprietary | $0/month, $90/month, Custom |