SoftwareDesignLab / SBOM-in-a-Box

SBOM-in-a-Box is a unified platform to promote the production, consumption, and utilization of Software Bills of Materials.


SBOM-in-a-Box

SBOM-in-a-Box is a unified platform for generating high-fidelity SBOM data. It automates the production, consumption, and utilization of Software Bills of Materials (SBOMs), including conversion between schemas, generation, comparison, and evaluation of SBOM quality.

Purpose of SBOM-in-a-Box

SBOM-in-a-Box is a plug-and-play environment that supports adding any form of SBOM tool into the box. This allows SBOMs to be generated with multiple tools, so that a more complete SBOM can be created. The metrics feature also provides suggestions when there is potentially a better way to represent an attribute. In addition, the box can convert between the SPDX and CycloneDX SBOM schemas and give insight into the vulnerabilities of software through its SBOMs. Together these features let developers create the SBOM that is most relevant to and best suits their needs.

System Requirements

  • Java 17.X.X
  • Gradle 7.5.X
  • Docker 24.X.X

Quick Start

Launch the API

  1. docker compose up

Note: Launching the backend takes at least 10 minutes, because over 10 open source tools are included.

Launch the GUI

  1. Clone the GUI repo and follow the quickstart

If making changes to any source code, the Docker image(s) will need to be rebuilt. See Building the Image for detailed instructions. See SBOM-in-a-Box API for detailed API usage.

Features

SBOM-in-a-Box has a number of unique features to support:

  • Open Source Integrated SBOM Generation: Makes use of open source SBOM Generator Tools to generate SBOMs
  • SBOM Generation: Custom SBOM generation via source file and package manager file analysis
  • Vulnerability Exploitability eXchange (VEX) Generation: Generate VEX documents from SBOMs
  • SBOM Metrics: Grade SBOMs using a series of metric tests
  • SBOM Comparison: Compare SBOMs to identify key differences between them
  • SBOM Merging: Merge SBOMs into a single unified document
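To make the comparison, merging, and metrics features above concrete, here is an added example in Python. It is not code from SBOM-in-a-Box (the project itself is written in Java) and does not use its API; it shows, on two constructed CycloneDX 1.4-style documents with made-up com.example components, what a difference report, a merged document, and a simple completeness metric look like. The key choice is the assumption that a component's identity is its purl with the version stripped (falling back to the bare name when no purl is present); the box's own comparison logic may differ.

```python
"""Added example (not SBOM-in-a-Box code): compare, merge and grade two small
CycloneDX 1.4-style SBOMs. Sample documents are constructed for this example."""
import json
from typing import Dict, List, Tuple

# Constructed sample documents; component names and purls are made up (com.example).
OLD_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "alpha", "version": "1.0.0",
         "purl": "pkg:maven/com.example/alpha@1.0.0"},
        {"type": "library", "name": "beta", "version": "2.3.1",
         "purl": "pkg:maven/com.example/beta@2.3.1"},
        {"type": "library", "name": "gamma", "version": "0.9.0",
         "purl": "pkg:maven/com.example/gamma@0.9.0"},
    ],
})
NEW_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "alpha", "version": "1.0.2",
         "purl": "pkg:maven/com.example/alpha@1.0.2"},
        {"type": "library", "name": "beta", "version": "2.3.1",
         "purl": "pkg:maven/com.example/beta@2.3.1"},
        {"type": "library", "name": "delta", "version": "4.0.0",
         "purl": "pkg:maven/com.example/delta@4.0.0"},
        # Deliberately missing a purl: only the name identifies it.
        {"type": "library", "name": "epsilon", "version": "1.1.0"},
    ],
})


def load_samples() -> Tuple[dict, dict]:
    """Parse the two constructed documents into dicts."""
    return json.loads(OLD_SBOM_JSON), json.loads(NEW_SBOM_JSON)


def component_key(component: dict) -> str:
    """Version-independent identity (assumption of this example): the purl with its
    '@version' suffix removed, or the bare name when the component has no purl."""
    purl = component.get("purl")
    return purl.split("@", 1)[0] if purl else component["name"]


def index_components(sbom: dict) -> Dict[str, dict]:
    """Map version-independent key -> component (a later duplicate wins)."""
    return {component_key(c): c for c in sbom.get("components", [])}


def compare_sboms(old: dict, new: dict) -> dict:
    """Report which components were added, removed, re-versioned or left unchanged."""
    old_idx, new_idx = index_components(old), index_components(new)
    added = sorted(k for k in new_idx if k not in old_idx)
    removed = sorted(k for k in old_idx if k not in new_idx)
    version_changed: List[Tuple[str, str, str]] = []
    unchanged: List[str] = []
    for key in sorted(old_idx.keys() & new_idx.keys()):
        old_v, new_v = old_idx[key].get("version"), new_idx[key].get("version")
        if old_v != new_v:
            version_changed.append((key, old_v, new_v))
        else:
            unchanged.append(key)
    return {"added": added, "removed": removed,
            "version_changed": version_changed, "unchanged": unchanged}


def merge_sboms(a: dict, b: dict) -> dict:
    """Union of the two component lists, de-duplicated on the exact purl
    (or name@version when no purl exists). Both versions of a re-versioned
    component are kept, since each is a distinct artifact."""
    merged: Dict[str, dict] = {}
    for sbom in (a, b):
        for c in sbom.get("components", []):
            exact = c.get("purl") or f"{c['name']}@{c.get('version', '')}"
            merged.setdefault(exact, c)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": [merged[k] for k in sorted(merged)]}


def missing_identifiers(sbom: dict) -> List[str]:
    """A minimal metric test: names of components lacking a purl or a version.
    Such components cannot be reliably matched against vulnerability data."""
    return sorted(c["name"] for c in sbom.get("components", [])
                  if not c.get("purl") or not c.get("version"))


if __name__ == "__main__":
    old, new = load_samples()
    print(json.dumps(compare_sboms(old, new), indent=2))
    print(len(merge_sboms(old, new)["components"]), "components after merge")
    print("components missing identifiers:", missing_identifiers(new))
```

The difference report separates "alpha" (same identity, new version) from "delta" and "epsilon" (genuinely new) and "gamma" (dropped); the merge keeps both alpha versions because each is a distinct artifact; and the metric flags "epsilon", whose missing purl would leave it invisible to purl-based vulnerability lookups.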

Currently, SBOM-in-a-Box supports the following SBOM types:

Schema        | JSON | XML | Tag:Value
SPDX 2.3      |      |     |
CycloneDX 1.4 |      |     | n/a (CycloneDX does not support Tag:Value)

Contributors

Project Lead: Mehdi Tarrit Mirakhorli

Project Manager: Chris Enoch

Developer Team Lead: Derek Garcia

Developer Team

  • Schuyler Dillon
  • Tyler Drake
  • Ian Dunn
  • Kevin Laporte
  • Matt London
  • Dylan Mulligan
  • Amanda Nitta
  • Brian Baumann
  • Asa Horn
  • Justin Jantzi
  • Henry Keena
  • Hubert Liang
  • Henry Lu
  • Matthew Morrison
  • Ethan Numan
  • Henry Orsagh
  • Juan Francisco Patino
  • Max Stein
  • Tom Roman
  • Liam Wilkins
  • Jordan Wong


License: MIT License


Languages

Java 97.8%, Python 1.0%, Shell 0.4%, JavaScript 0.4%, Ruby 0.1%, Perl 0.1%, Dockerfile 0.1%, Go 0.1%, Rust 0.1%, Scala 0.0%, C# 0.0%