Open-source components, libraries, and frameworks bring undeniable value: because we don’t have to reinvent the wheel at every step of the development process, we can move faster from idea to product. But open-source solutions aren’t perfect. Each external dependency you add to your code could introduce a security vulnerability. And the more third-party code you use, the harder it gets to keep track of versioning, or even of what code you included in the first place.
Creating a software bill of materials (SBOM) is a practice that solves this issue. An SBOM lists all the parts that make up your software, including package names and versions. Having a central source of truth for your dependencies means that you and your customers can quickly and efficiently check for potential vulnerabilities and license issues.
Ready to learn more? This article will start with a quick refresher on SBOMs and then list the top SBOM-generation tools available.
An SBOM is a machine- and human-readable inventory of all the software you ship. Essentially, an SBOM keeps track of all third-party dependencies that you use when building your applications. It provides key facts, including the name, version number, release date, checksum, and license information, for every component in your application.
Why do you need an SBOM?
If you’re a software producer, you need an SBOM to assist you in building and maintaining the software you create. Because it informs you about all the third-party components currently in use, you can easily check if you are affected by changes (think code changes or updated licenses) or security vulnerabilities in your dependencies.
If you’re a software operator, you can use SBOMs for asset management. They’ll list all software licenses you use, which is helpful if you want to avoid certain licenses like the GPL. And they let you quickly identify supply chain risks introduced by your dependencies.
Last but not least, President Biden issued an executive order in 2021 that requires U.S. government contractors to provide an SBOM for their applications. Simply put, SBOMs are now a compliance requirement for anyone working with the U.S. government.
Many software composition analysis (SCA) tools offer SBOM generators. They scan your application and generate the SBOM automatically. These scanners utilize different scanning methods:
Manifest scanning checks manifest files (e.g., package.json or Cargo.toml) for the dependencies listed.
Binary scanning checks compiled binaries for any third-party code it can trace back to a specific library.
Hybrid scanning methods use a mix of manifest and binary scanning to ensure no dependency slips through.
As mentioned above, SBOMs come in formats that are both machine- and human-readable. That lets you analyze them automatically and also check quickly by hand whether you use a specific library.
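As an added example (not from the article or from any of the tools it lists), the following Python script parses a constructed CycloneDX JSON SBOM and flags components that carry a denylisted license (the GPL case mentioned above) or sit below a fixed version recorded in a constructed advisory list. The SBOM contents, the advisory entries and the license denylist are all assumptions made for the example.

```python
"""Audit a CycloneDX JSON SBOM for denylisted licenses and known-vulnerable
component versions. The SBOM and the advisory list are constructed sample
data, not the output of any real tool or vulnerability database."""
import json

# Constructed CycloneDX 1.4 document, shaped like what SBOM generators emit.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "readline", "version": "8.1",
         "purl": "pkg:generic/readline@8.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2", "licenses": [{"expression": "MIT"}]},
    ],
})

# Constructed advisory list: component name -> first fixed version.
ADVISORIES = {"lodash": "4.17.21"}
# Assumed policy: licenses the operator wants to keep out of the product.
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple: '4.17.20' -> (4, 17, 20)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def component_licenses(comp):
    """Collect SPDX ids, names or expressions from a component's licenses array."""
    ids = set()
    for entry in comp.get("licenses", []):
        if "license" in entry:
            ids.add(entry["license"].get("id") or entry["license"].get("name"))
        elif "expression" in entry:
            ids.add(entry["expression"])  # compound expressions are matched whole
    return ids

def audit_sbom(sbom_json, advisories=ADVISORIES, denied=DENIED_LICENSES):
    """Return a list of (purl, reason) findings for every policy violation."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", f"{comp['name']}@{comp['version']}")
        fixed = advisories.get(comp["name"])
        if fixed and parse_version(comp["version"]) < parse_version(fixed):
            findings.append((purl, f"vulnerable: fixed in {fixed}"))
        for lic in sorted(component_licenses(comp) & denied):
            findings.append((purl, f"denied license: {lic}"))
    return findings

if __name__ == "__main__":
    for purl, reason in audit_sbom(SAMPLE_SBOM):
        print(f"{purl}: {reason}")
```

The same function works on a real CycloneDX file once you swap in the JSON produced by your generator and an advisory feed keyed by component name or purl.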
Wiz’s agentless SBOM allows you to gain complete visibility of your applications’ components, including packages, open-source libraries, and nested dependencies, without blind spots and without deploying an agent.
Open-source SBOM tools
Now that we have explored what SBOMs are, how they’re used, and how they work, let’s look at the available open-source tools that generate SBOMs.
First, let’s delve into the tools that aren’t bound to a specific programming language:
1. Syft
Syft is probably the most popular SBOM tool out there. A CLI that generates SBOMs from container images and filesystems, it supports common container formats like OCI, Docker, and Singularity and automatically detects your Linux distribution. Syft supports SPDX, CycloneDX, and its own format.
2. The SBOM tool
The SBOM tool is an open-source SBOM generator by Microsoft that’s designed to be highly scalable and enterprise-ready. It uses Microsoft’s own component detection library, which supports various package managers like NuGet, Go, npm, pip, and Cargo. The SBOM tool generates SBOMs in the SPDX format at build time.
3. Tern
Tern is an SCA tool that can create SBOMs from container images and Dockerfiles. It focuses on collecting license information and reports, layer by layer, which image layer introduced each dependency. Tern is very flexible in terms of output formats: it supports the well-known SPDX and CycloneDX formats as well as easier-to-digest formats like HTML or YAML.
4. CycloneDX Generator
5. SPDX SBOM Generator
The SPDX SBOM Generator is a multi-language tool that supports multiple package managers like pip, Cargo, npm, Go, Composer, RubyGems, and many more. This is a great fit if you’re looking for a CLI tool that outputs SPDX files.
6. DISTRO2SBOM
DISTRO2SBOM is an SBOM generator that checks your Linux installation for installed packages. It can automatically detect which Linux distribution you use, and it exports SPDX and CycloneDX files.
Next, we’ll check out popular SBOM tools that specialize in a specific programming language:
bom is part of the Kubernetes (k8s) project and lets you generate SBOMs for your Go dependencies in k8s cluster definitions. bom generates SPDX files and can identify over 400 licenses.
Jake is a CLI tool that checks Python environments for vulnerabilities and generates SBOMs in the CycloneDX format. It uses the Sonatype server (both the commercial and the open-source version).
sbom-rs is a collection of SBOM tools for the Rust programming language. It supports the SPDX and CycloneDX formats and comes with a vulnerability scanner based on the Open Source Vulnerabilities (OSV) database.
SBOMs have always been an important part of enterprise software development, and in light of President Biden’s 2021 executive order, they are now mandatory when working with the U.S. government. Beyond compliance requirements, SBOMs have inherent value. With the inventory an SBOM provides, software producers know exactly what they’re selling to customers, and operators know whether they might be impacted by changes in the third-party packages they use. SBOMs let you know at a glance which licenses are part of your software, and this knowledge can save you from legal battles in the future.
The open-source tools we’ve covered here give you a cost-efficient way to secure your software. Many of the most popular tools are maintained by heavy hitters like OWASP, Microsoft, and Google, who also use them on their own software.
Still, if you’re looking to really streamline the process of SBOM generation, Wiz’s agentless SBOM solution provides all the benefits of SBOMs automatically. Wiz keeps a list of all your components and can export them in standard formats like CycloneDX or SPDX to S3 buckets to ensure supply chain security. Ready to learn more about our industry-leading unified platform? Book a demo today.