Open-source components, libraries, and frameworks bring undeniable value: Because we don’t have to reinvent the wheel at every step of the development process, we can move faster from idea to product. But open-source solutions aren’t perfect. Each external dependency you add to your code could introduce a security vulnerability. And the more third-party code you use, the harder it gets to keep track of versioning or even what code you included in the first place.
Creating a software bill of materials (SBOM) is a practice that solves this issue. An SBOM lists all the parts that make up your software, including package names and versions. Having a central source of truth for your dependencies means that you and your customers can quickly and efficiently check for potential vulnerabilities and license issues.
Ready to learn more? This article will start with a quick refresher on SBOMs and then list the top SBOM-generation tools available.
Streamline Software Bill of Materials (SBOM) Generation with Wiz's Agentless SBOM
Enhance software security and supply chain risk management with Wiz's agentless scanning technology for effortless SBOM creation
Read more
What is an SBOM?
An SBOM is a machine and human-readable list of all your software inventory. Essentially, an SBOM keeps track of all third-party dependencies that you use when building your applications. It provides key facts including the names, version numbers, release dates, checksums, license and information for every component in your application.
Why do you need an SBOM?
If you’re a software producer, you need an SBOM to assist you in building and maintaining the software you create. Because it informs you about all the third-party components currently in use, you can easily check if you are affected by changes (think code changes or updated licenses) or security vulnerabilities in your dependencies.
If you’re a software operator, you can use SBOMs for asset management. They’ll list all software licenses you use, which is helpful if you want to avoid certain licenses like the GPL. And they let you quickly identify supply chain risks introduced by your dependencies.
Last but not least, President Biden issued an executive order in 2021 that requires U.S.-government contractors to provide an SBOM for their applications. Simply put, SBOMs are now a compliance requirement for anyone working with the U.S. government.
SBOM Security
A Software Bill of Material (SBOM) is a comprehensive inventory that details every software component that makes up an application.
Read moreHow do SBOM tools work?
Many software composition analysis (SCA) tools offer SBOM generators. They scan your application and generate the SBOM automatically. These scanners utilize different scanning methods:
Manifest scanning checks manifest files (e.g., package.json or Cargo.toml) for the dependencies listed.
Binary scanning checks compiled binaries for any third-party code it can trace back to a specific library.
Hybrid scanning methods use a mix of manifest and binary scanning to ensure no dependency slips through.
As previously mentioned, SBOMs come in diverse formats that are both machine and human-readable. This diversity allows you to analyze them automatically and quickly check manually to see if you use a specific library.
Popular SBOM formats are:
SPDX by the Linux Foundation, which has a focus on software licenses.
CycloneDX by OWASP, which focuses on security vulnerabilities.
SWID by NIST, which does not have one particular emphasis.
Wiz’s agentless SBOM allows you to gain complete visibility of your applications’ components, including packages, open-source libraries, and nested dependencies, without blind spots and deploying an agent.
Open-source SBOM tools
Now that we have explored what SBOMs are, how they’re used, and how they work, let’s look at the available open-source tools that generate SBOMs.
General tools:
Language-specific tools:
General SBOM tools
First, let’s delve into the tools that aren’t bound to a specific programming language:
1. Syft
Syft is probably the most popular SBOM tool out there. A CLI that generates SBOMs from container images and filesystems, it supports common container formats like OCI, Docker, and Singularity and automatically detects your Linux distribution. Syft supports SPDX, CycloneDX, and its own format.
2. The SBOM tool
The SBOM tool is an open-source SBOM generator by Microsoft that’s designed to be highly scalable and enterprise-ready. It uses Microsoft’s own component detection library, which supports various package managers like NuGet, Go, npm, pip, and Cargo. The SBOM tool generates SBOMs in the SPDX format at build time.
3. Tern
Tern is an SCA tool that can create SBOMs from container images and Dockerfiles. It focuses on collecting license information, and then Tern lists which image introduced each dependency, layer by layer. Tern is very flexible in terms of output formats. It includes the well-known SPDX and CycloneDX formats and easier-to-digest formats like HTML or YAML.
4. CycloneDX Generator
The CycloneDX Generator (cdxgen) is the official OWASP SBOM tool. It supports a huge variety of programming languages, including popular ones like C/C++, JavaScript, Java, Python, and more obscure languages like Haskell. It comes with a CLI that can scan locally or as part of a CI/CD pipeline and an API server that exposes a /bom endpoint to check the SBOM on demand. As its name implies, the output format is CycloneDX.
5. SPDX SBOM Generator
The SPDX SBOM Generator is a multi-language tool that supports multiple package managers like pip, Cargo, npm, Go, Composer, RubyGems, and many more. This is a great fit if you’re looking for a CLI tool that outputs SPDX files.
6. DISTRO2SBOM
DISTRO2SBOM is an SBOM generator that checks your Linux installation for installed packages. It can automatically detect which Linux distribution you use, and it exports SPDX and CycloneDX files.
Language-specific SBOM tools
Next, we’ll check out popular SBOM tools that specialize in a specific programming language:
7. Retire.js
Retire.js is a JavaScript security vulnerability scanner that can also generate SBOMs. You can use it locally as a CLI (as part of your CI/CD pipeline), but it also offers a Chrome extension that lets you scan websites while browsing them. It generates SBOMs in the CycloneDX format.
8. bom
bom is part of the Kubernetes (k8s) project and lets you generate SBOMs for your Go dependencies in k8s cluster definitions. bom generates SPDX files and can identify over 400 licenses.
9. Jake
A CLI tool that checks Python environments for vulnerabilities and generates SBOMs in the CycloneDX format, Jake uses the Sonatype server (both the commercial and the open-source version).
10. rebar3_sbom
As an SBOM generator for Erlang, this solution uses Erlang’s build tool (Rebar) to generate SBOMs in the CycloneDX format.
11. sbom-rs
sbom-rs is a collection of SBOM tools for the Rust programming language. It supports the SPDX and CycloneDX formats and comes with a vulnerability scanner based on the Open Source Vulnerabilities (OSV) database.
Summary
SBOMs are always an important part of enterprise software development, and in light of President Biden’s 2021 executive order, they are now mandatory when working with the U.S. government. Besides compliance requirements, SBOMs have inherent value. With SBOMs’ invaluable inventories software producers know exactly what they’re selling to customers, and operators know if they might be impacted by changes in the third-party packages they use. SBOMs let you know at a glance what licenses are part of your software, and this knowledge can save you from legal battles in the future.
The open-source tools we’ve covered here give you a cost-efficient way to secure your software. Many of the most popular tools are maintained by heavy hitters like OWASP, Microsoft, and Google, who also use them on their own software.
Still, if you’re looking to really streamline the process of SBOM generation, Wiz’s agentless SBOM solution provides all the benefits of SBOMs automatically. Wiz keeps a list of all your components and can export them in standard formats like CycloneDX or SPDX to S3 buckets to ensure supply chain security. Ready to learn more about our industry-leading unified platform? Book a demo today.
Gain complete visibility of your applications’ components, including packages, open-source libraries, and nested dependencies, without blind spots.
