SBOM Consumption Tools¶
Bomber¶
Bomber is an application that scans SBOMs for security vulnerabilities. It works with CycloneDX JSON and XML, as well as SPDX and Syft JSON.
DaggerBoard¶
DaggerBoard is a vulnerability scanning tool that ingests SBOM files (CycloneDX, SPDX) and outputs results in a human-readable format.
Dependency-Track¶
Dependency-Track (https://github.com/DependencyTrack/dependency-track) uses CycloneDX SBOMs to monitor component usage across all versions of every application in its portfolio, in order to identify and reduce risk in the software supply chain.
FOSSology¶
FOSSology is a compliance scanner tool for license, copyright and export control. Documentation can be found on the official web site.
Grype¶
Grype is a vulnerability scanner for container images and file systems. It scans for vulnerabilities in both operating system and language-specific packages. It supports Docker, OCI and Singularity image formats, and can also consume SBOMs and SBOM attestations as input.
Hoppr Cop¶
Hoppr Cop generates vulnerability information from CycloneDX SBOMs. It is available both as a CLI and as a Python library.
KubeClarity¶
KubeClarity detects and manages SBOMs and vulnerabilities of container images and file systems. It can also scan K8s runtime to detect vulnerabilities discovered post-deployment. It uses Grype and Dependency-Track for vulnerability scanning. More detail can be found in the KubeClarity documentation.
K8s BOM¶
K8s BOM (bom) renders the structure of an SPDX document as an outline and verifies SPDX documents.
OSS Review Toolkit¶
The OSS Review Toolkit provides a set of tools, including the Analyzer for a project's dependencies and their metadata, the Downloader for fetching source code and dependencies, the Scanner for detecting license and copyright findings in source code, the Advisor for retrieving security advisories for the dependencies in use, and others.
SBOM Diff Action¶
SBOM Diff Action is a GitHub Action that diffs the SBOM of a pull request against the base branch, so that dependency changes introduced by the PR are visible in review.
SBOM Operator¶
The SBOM Operator watches a Kubernetes cluster for changed images and pods and triggers analysis of them. Vulnerability scanning is provided by the Vulnerability Operator. For more detail, see the Analysis-Trigger section of the SBOM Operator documentation.
SBOM Scorecard¶
SBOM Scorecard is a tool that provides metrics for SBOM quality, including spec compliance, generation information, and whether packages carry identifiers, licenses and versions.
SBOM Utility¶
SBOM Utility is a CycloneDX and SPDX SBOM validation tool.
SBOM Quality Scoring¶
sbomqs provides comprehensive quality scoring for SBOMs. It gives a quick compliance check of an SBOM against the NTIA minimum elements, and combines license, spec compliance and data quality checks into an overall score that can be used to assess an SBOM generator. It supports the SPDX, CycloneDX and SWID spec formats.
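The two kinds of consumption described above, a quality check against the NTIA minimum elements (sbomqs, SBOM Scorecard) and a diff of two SBOM versions (SBOM Diff Action), come down to walking the component list of a parsed SBOM. The following is an added example, not code from any of the tools on this page: it reads CycloneDX 1.5 JSON, reports which NTIA minimum elements each component lacks, and diffs two SBOMs by Package URL with the version stripped so that an upgrade shows as a change rather than as a remove plus add. The mapping of NTIA elements onto CycloneDX fields and the two sample SBOMs are this example's own assumptions.

```python
"""Consume CycloneDX JSON SBOMs: NTIA minimum-element check and component diff.

Added example; not the implementation used by sbomqs, SBOM Scorecard or
SBOM Diff Action. The NTIA-to-CycloneDX field mapping below is an assumption.
"""
import json


def _purl_base(purl):
    """Strip @version, ?qualifiers and #subpath from a Package URL.

    A literal '@' in a purl is the version separator (namespaces encode it),
    so rsplit on the last '@' after dropping qualifiers and subpath.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base else base


def _component_issues(comp, dep_refs):
    """Return the NTIA minimum elements missing from one CycloneDX component."""
    missing = []
    if not comp.get("supplier", {}).get("name"):
        missing.append("supplier")
    if not comp.get("name"):
        missing.append("name")
    if not comp.get("version"):
        missing.append("version")
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        missing.append("identifier")
    if comp.get("bom-ref") not in dep_refs:
        missing.append("dependency")  # not wired into the dependency graph
    return missing


def ntia_check(sbom):
    """Map '<document>' and each failing bom-ref to its missing NTIA elements.

    An empty dict means every element this check knows about is present.
    Only 'components' is checked, not metadata.component.
    """
    issues = {}
    meta = sbom.get("metadata", {})
    doc_missing = []
    if not meta.get("timestamp"):
        doc_missing.append("timestamp")
    # CycloneDX records who produced the SBOM as metadata.authors or via
    # metadata.tools; accept either as the NTIA "author of SBOM data".
    if not (meta.get("authors") or meta.get("tools")):
        doc_missing.append("author")
    if doc_missing:
        issues["<document>"] = doc_missing

    # Every bom-ref that appears on either side of a dependency edge.
    dep_refs = set()
    for dep in sbom.get("dependencies", []):
        dep_refs.add(dep.get("ref"))
        dep_refs.update(dep.get("dependsOn", []))

    for comp in sbom.get("components", []):
        missing = _component_issues(comp, dep_refs)
        if missing:
            issues[comp.get("bom-ref") or comp.get("name", "?")] = missing
    return issues


def _index(sbom):
    """Key components by version-less purl (falling back to name) -> version."""
    out = {}
    for comp in sbom.get("components", []):
        key = _purl_base(comp["purl"]) if comp.get("purl") else comp.get("name")
        out[key] = comp.get("version")
    return out


def diff_sboms(old, new):
    """Components added, removed, and version-changed between two SBOMs."""
    a, b = _index(old), _index(new)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]},
    }


# Constructed sample SBOMs for the example; not taken from any real project.
OLD_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-01-02T03:04:05Z",
        "tools": [{"name": "example-generator", "version": "0.1"}],
        "component": {"bom-ref": "app", "type": "application",
                      "name": "example-app", "version": "1.0.0"},
    },
    "components": [
        {"bom-ref": "lodash", "type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20", "supplier": {"name": "Example Supplier"}},
        {"bom-ref": "minimist", "type": "library", "name": "minimist", "version": "1.2.5",
         "purl": "pkg:npm/minimist@1.2.5"},  # no supplier: an NTIA gap
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["lodash", "minimist"]}],
}
NEW_SBOM = json.loads(json.dumps(OLD_SBOM))  # deep copy via JSON round-trip
NEW_SBOM["components"][0]["version"] = "4.17.21"
NEW_SBOM["components"][0]["purl"] = "pkg:npm/lodash@4.17.21"
NEW_SBOM["components"].append(  # new component not wired into dependencies
    {"bom-ref": "left-pad", "type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0", "supplier": {"name": "Example Supplier"}})

if __name__ == "__main__":
    print(json.dumps({"ntia": ntia_check(NEW_SBOM),
                      "diff": diff_sboms(OLD_SBOM, NEW_SBOM)}, indent=2))
```

Run as a script it prints the NTIA gaps of the new SBOM (minimist lacks a supplier, left-pad is absent from the dependency graph) and the diff (lodash upgraded, left-pad added). In a CI gate you would load the two documents with `json.load` from files and fail the job when `ntia_check` returns anything for components you own, while treating the diff output as the review summary.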
ScanCode.io¶
ScanCode.io is a CLI, web UI and REST API that can read and write SPDX and CycloneDX. It embeds scancode-toolkit and scans for origin, vulnerabilities and licenses across a wide range of codebases, with first-class support for Linux containers and Docker images, VM images, Windows containers and Windows VM images, as well as packages and source trees, using pre-defined, configurable pipelines. It detects archives, installed packages and embedded package formats for Maven, PyPI, Ruby, Rust Cargo, Go, NuGet, Alpine, Debian and derivatives, RPM distributions, Windows, npm and yarn, Bower, Chef, CocoaPods, conda, CRAN, haxe, MSI, opam and pubspec. Both ScanCode toolkit and ScanCode.io are extensively based on Package URL.
Trivy¶
Trivy scans container images, file systems, Git repositories, and Kubernetes clusters or resources for open source packages and dependencies, CVEs, IaC misconfigurations, and sensitive information. It generates SBOMs in the scanning process. Trivy also allows signing and verifying SBOM attestations.
Vulnerability Operator¶
The vulnerability-operator uses Grype to scan SBOMs and exports all vulnerabilities it finds as JSON.