
The Top 11 Open-Source SBOM tools

This article will start with a quick refresher on SBOMs and then list the top SBOM-generation tools available.

Open-source components, libraries, and frameworks bring undeniable value: because we don’t have to reinvent the wheel at every step of the development process, we can move faster from idea to product. But open-source solutions aren’t perfect. Each external dependency you add to your code could introduce a security vulnerability, and the more third-party code you use, the harder it gets to keep track of versions, or even of what code you included in the first place.

Creating a software bill of materials (SBOM) is a practice that solves this issue. An SBOM lists all the parts that make up your software, including package names and versions. Having a central source of truth for your dependencies means that you and your customers can quickly and efficiently check for potential vulnerabilities and license issues.

What is an SBOM?

An SBOM is a machine- and human-readable inventory of the software you ship. Essentially, it keeps track of every third-party dependency that goes into building your applications, recording key facts for each component: its name, version number, release date, checksum, and license information.

Why do you need an SBOM?

If you’re a software producer, an SBOM helps you build and maintain the software you create. Because it tells you which third-party components are currently in use, you can quickly check whether a change in a dependency (a code change, an updated license, or a newly disclosed security vulnerability) affects you.

If you’re a software operator, SBOMs support asset management. They list the license of every component you run, which matters if your policy excludes certain licenses such as the GPL, and they let you quickly identify supply chain risks introduced by your dependencies.
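The two use cases above, asked directly of an SBOM: the script below loads an SPDX 2.3 JSON document and reports (1) packages whose version falls below the fixed version in an advisory and (2) packages whose license touches a deny list or could not be determined. This is an added example, not code from the page or from any tool it lists. The SBOM, the advisory (DEMO-ADV-0001) and the license policy are constructed samples with fictional package names, and the version comparison is a deliberate simplification that handles numeric dotted versions only and ignores pre-release tags.

```python
"""Query an SPDX 2.3 JSON SBOM for advisory matches and denied licenses.

Added example (not from the page or any listed tool). SBOM, advisory and
policy below are constructed; package names and the advisory id are fictional.
"""
import json
import re

# Constructed SPDX 2.3 document: the fields used here (packages[].versionInfo,
# licenseConcluded, externalRefs with referenceType "purl") are standard SPDX.
SBOM = json.loads(json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT", "name": "demo-app-1.0.0",
    "packages": [
        {"name": "demo-logger", "SPDXID": "SPDXRef-Package-demo-logger",
         "versionInfo": "2.4.0", "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/demo-logger@2.4.0"}]},
        {"name": "demo-shell", "SPDXID": "SPDXRef-Package-demo-shell",
         "versionInfo": "5.2-1", "licenseConcluded": "(MIT OR GPL-3.0-only)",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/demo-shell@5.2-1"}]},
        {"name": "demo-parser", "SPDXID": "SPDXRef-Package-demo-parser",
         "versionInfo": "1.3.0", "licenseConcluded": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/demo-parser@1.3.0"}]},
    ],
}))

# Hypothetical advisory and policy, for illustration only.
ADVISORIES = [{"id": "DEMO-ADV-0001", "type": "npm", "name": "demo-logger", "fixed_in": "2.4.1"}]
DENIED = {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"}

_PURL = re.compile(r"^pkg:([^/]+)/(?:(.+)/)?([^@/]+)@([^?#]+)")


def parse_purl(purl):
    """Split pkg:type/namespace/name@version into (type, namespace, name, version)."""
    m = _PURL.match(purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    return m.group(1), m.group(2), m.group(3), m.group(4)


def _purl_of(pkg):
    """The package's purl from externalRefs, or None if the tool recorded none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def _vkey(v):
    # Leading numeric dotted part only: '5.2-1' -> [5, 2]. Simplification.
    m = re.match(r"[\d.]+", v)
    return [int(p) for p in m.group(0).split(".") if p] if m else []


def version_lt(a, b):
    """True if version a sorts before b, padding shorter versions with zeros."""
    ka, kb = _vkey(a), _vkey(b)
    n = max(len(ka), len(kb))
    return ka + [0] * (n - len(ka)) < kb + [0] * (n - len(kb))


def advisory_hits(sbom, advisories):
    """Packages whose purl type and name match an advisory and whose version is below the fix."""
    hits = []
    for pkg in sbom["packages"]:
        purl = _purl_of(pkg)
        if purl is None:
            continue  # without a purl, matching by bare name across ecosystems is unreliable
        ptype, _ns, name, ver = parse_purl(purl)
        for adv in advisories:
            if (adv["type"], adv["name"]) == (ptype, name) and version_lt(ver, adv["fixed_in"]):
                hits.append({"spdxid": pkg["SPDXID"], "purl": purl, "advisory": adv["id"]})
    return hits


_EXPR_SPLIT = re.compile(r"\s+(?:AND|OR|WITH)\s+|[()]")


def license_hits(sbom, denied):
    """Packages whose concluded (or declared) license touches the deny list.

    An OR expression is flagged if any branch is denied, on purpose: a human
    decides which branch the project takes. NOASSERTION/NONE mean the scanner
    could not tell, which is itself a finding worth reviewing."""
    hits = []
    for pkg in sbom["packages"]:
        expr = pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION"
        if expr in ("NOASSERTION", "NONE"):
            hits.append({"name": pkg["name"], "expr": expr, "reason": "license unknown"})
            continue
        ids = {tok for tok in _EXPR_SPLIT.split(expr) if tok}
        bad = sorted(ids & set(denied))
        if bad:
            hits.append({"name": pkg["name"], "expr": expr, "reason": "denied: " + ", ".join(bad)})
    return hits


if __name__ == "__main__":
    print(json.dumps({"advisories": advisory_hits(SBOM, ADVISORIES),
                      "licenses": license_hits(SBOM, DENIED)}, indent=2))
```

Matching on the purl rather than on the bare package name is the point of the first check: the same name can exist in npm, PyPI and a Linux distribution, and only the purl type disambiguates them.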

Last but not least, Executive Order 14028 on Improving the Nation’s Cybersecurity, issued in May 2021, directed U.S. federal agencies to require an SBOM from vendors of the software they buy. Simply put, for anyone selling software to the U.S. government, an SBOM is now part of the compliance requirements.

How do SBOM tools work?

Many software composition analysis (SCA) tools include an SBOM generator: they scan your application and emit the SBOM automatically. These scanners use different scanning methods:

  • Manifest scanning reads package-manager manifests and lockfiles (e.g., package.json or Cargo.toml) for the dependencies they list. A manifest alone gives you declared, often ranged, versions; the exact resolved versions, transitive dependencies included, come from the lockfile.

  • Binary scanning checks compiled binaries for any third-party code it can trace back to a specific library, which also catches vendored or statically linked code that no manifest mentions.

  • Hybrid scanning methods use a mix of manifest and binary scanning so that as few dependencies as possible slip through.
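Manifest scanning in practice, as an added example that is not code from the page or from any tool it lists: the script below reads two constructed lockfiles (an npm package-lock.json and a Cargo.lock, with placeholder digests) and emits a CycloneDX 1.5 JSON document. It works from lockfiles rather than package.json or Cargo.toml because those manifests carry version ranges, while the SBOM must record the exact versions that ship, transitive dependencies included. The sample project and package names are fictional.

```python
"""Minimal manifest scanner: two lockfiles in, one CycloneDX 1.5 JSON SBOM out.

Added example (not from the page or any listed tool). Lockfiles below are
constructed; the digests are placeholders so the example runs offline.
"""
import base64
import json
import re
from urllib.parse import quote

PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"demo-utils": "^4.17.21"}},
        "node_modules/demo-utils": {
            "version": "4.17.21",
            "integrity": "sha512-" + base64.b64encode(bytes(64)).decode(),
            "license": "MIT",
        },
        "node_modules/@demo/widget": {"version": "2.3.4", "license": "GPL-3.0-only"},
    },
})

CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "demo-app"
version = "0.1.0"
dependencies = [
 "demo-codec",
]

[[package]]
name = "demo-codec"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"
"""


def purl_npm(name, version):
    # Scoped names need the '@' percent-encoded: pkg:npm/%40scope/name@version
    return f"pkg:npm/{quote(name, safe='/')}@{version}"


def components_from_package_lock(text):
    """Manifest scanning of an npm lockfile (lockfileVersion 2 or 3)."""
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")
    comps = []
    for path, entry in lock["packages"].items():
        if path == "":  # the root project itself, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/b; the name is the tail.
        name = path.rsplit("node_modules/", 1)[-1]
        comp = {"type": "library", "name": name, "version": entry["version"],
                "purl": purl_npm(name, entry["version"])}
        integrity = entry.get("integrity", "")
        if integrity.startswith("sha512-"):
            # npm stores an SRI digest (base64); CycloneDX hashes are lowercase hex.
            digest = base64.b64decode(integrity[len("sha512-"):]).hex()
            comp["hashes"] = [{"alg": "SHA-512", "content": digest}]
        if "license" in entry:
            comp["licenses"] = [{"license": {"id": entry["license"]}}]
        comps.append(comp)
    return comps


_CARGO_FIELD = re.compile(r'^(name|version|source|checksum)\s*=\s*"([^"]*)"', re.M)


def components_from_cargo_lock(text):
    """Manifest scanning of Cargo.lock; its checksum is the SHA-256 of the crate tarball."""
    comps = []
    for block in text.split("[[package]]")[1:]:
        fields = dict(_CARGO_FIELD.findall(block))
        if "source" not in fields:  # path/workspace crate, i.e. the project itself
            continue
        comp = {"type": "library", "name": fields["name"], "version": fields["version"],
                "purl": f"pkg:cargo/{fields['name']}@{fields['version']}"}
        if "checksum" in fields:
            comp["hashes"] = [{"alg": "SHA-256", "content": fields["checksum"]}]
        comps.append(comp)
    return comps


def to_cyclonedx(app_name, app_version, components):
    """Wrap components in a CycloneDX 1.5 document skeleton."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": app_name, "version": app_version}},
        "components": components,
    }


if __name__ == "__main__":
    bom = to_cyclonedx("demo-app", "1.0.0",
                       components_from_package_lock(PACKAGE_LOCK)
                       + components_from_cargo_lock(CARGO_LOCK))
    print(json.dumps(bom, indent=2))
```

Two details carry over to real tools: the purl is what downstream consumers key on, so it must be built correctly (note the encoded scope), and the checksum is what lets a consumer verify that the artifact they received is the one the SBOM describes.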

SBOMs come in standardized formats that are both machine- and human-readable. This lets you analyze them automatically and still check by hand whether a specific library is present.

The two formats you will meet most often, and that every tool below supports at least one of, are:

  • SPDX, maintained under the Linux Foundation and published as the ISO/IEC 5962:2021 standard, with tag-value, JSON, YAML and other serializations.

  • CycloneDX, an OWASP project, with JSON and XML serializations.


Open-source SBOM tools

Now that we have explored what SBOMs are, how they’re used, and how they work, let’s look at the available open-source tools that generate SBOMs.

General SBOM tools

First, let’s delve into the tools that aren’t bound to a specific programming language: 

1. Syft

Syft, from Anchore, is probably the most popular SBOM tool out there. A CLI that generates SBOMs from container images and filesystems, it supports common container formats like OCI, Docker, and Singularity and automatically detects your Linux distribution. Syft outputs SPDX, CycloneDX, and its own Syft JSON format.

2. The SBOM tool

The SBOM tool is an open-source SBOM generator by Microsoft that’s designed to be highly scalable and enterprise-ready. It uses Microsoft’s own component detection library, which supports various package managers like NuGet, Go, npm, pip, and Cargo. The SBOM tool generates SBOMs in the SPDX format at build time.

3. Tern

Tern is an SCA tool that creates SBOMs from container images and Dockerfiles. It focuses on collecting license information and reports, layer by layer, which image layer introduced each package. Tern is very flexible in terms of output formats: it includes the well-known SPDX and CycloneDX formats as well as easier-to-digest formats like HTML, YAML, and JSON.

4. CycloneDX Generator

The CycloneDX Generator (cdxgen) is the OWASP CycloneDX project’s own SBOM generator. It supports a huge variety of programming languages, including popular ones like C/C++, JavaScript, Java, and Python, as well as more obscure languages like Haskell. It comes with a CLI that can scan locally or as part of a CI/CD pipeline, and a server mode that returns an SBOM for a given project path over HTTP on demand. As its name implies, the output format is CycloneDX.

5. SPDX SBOM Generator

The SPDX SBOM Generator is a multi-language tool that supports multiple package managers like pip, Cargo, npm, Go, Composer, RubyGems, and many more. This is a great fit if you’re looking for a CLI tool that outputs SPDX files.

6. DISTRO2SBOM

DISTRO2SBOM is an SBOM generator that checks your Linux installation for installed packages. It can automatically detect which Linux distribution you use, and it exports SPDX and CycloneDX files.

Language-specific SBOM tools

Next, we’ll check out popular SBOM tools that specialize in a specific programming language:

7. Retire.js 

Retire.js is a JavaScript security vulnerability scanner that can also generate SBOMs. You can use it locally as a CLI (as part of your CI/CD pipeline), but it also offers a Chrome extension that lets you scan websites while browsing them. It generates SBOMs in the CycloneDX format.

8. bom

bom is maintained by the Kubernetes project, which built it to produce SBOMs for its own releases. It generates SPDX documents from directories, files, container images, and Go modules, and it can identify the several hundred licenses on the SPDX license list.

9. Jake

Jake is a CLI tool from Sonatype that checks Python environments for vulnerabilities and generates SBOMs in the CycloneDX format. It looks up vulnerabilities against Sonatype’s free OSS Index or, for commercial users, against a Nexus IQ server.

10. rebar3_sbom

rebar3_sbom is a plugin for Rebar3, Erlang’s build tool, that generates SBOMs for Erlang projects in the CycloneDX format.

11. sbom-rs

sbom-rs is a collection of SBOM tools for the Rust programming language. It supports the SPDX and CycloneDX formats and comes with a vulnerability scanner based on the Open Source Vulnerabilities (OSV) database.

Summary

SBOMs have long been an important part of enterprise software development, and since Executive Order 14028 in 2021 they are also expected of anyone selling software to the U.S. government. Beyond compliance, SBOMs have inherent value: with an accurate inventory, software producers know exactly what they’re shipping to customers, and operators know whether they are affected by changes in the third-party packages they use. SBOMs also show at a glance which licenses are part of your software, and that knowledge can save you from legal trouble later on.

The open-source tools we’ve covered here give you a cost-efficient way to secure your software supply chain. Many of the most popular ones are maintained by heavy hitters like OWASP, Microsoft, the Linux Foundation’s SPDX project, and the Kubernetes project, who also use them on their own software.

Still, if you’re looking to streamline SBOM generation further, Wiz’s agentless SBOM solution provides the same benefits automatically: Wiz keeps an inventory of all your components and can export it in standard formats like CycloneDX or SPDX to S3 buckets.
