Open Source SBOM Creator Tools with Highest Average Quality Score (last 90 days)
Strictly based on the quality scores of SBOMs generated from top container images and repositories
Quality score for a public repository of SBOM samples built with Open Source tools
Part of the Interlynk Open Source Toolset
Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
A crucial aspect of software security and supply chain risk management is the emergence of a "Software Bill Of Materials" (SBOM).
An SBOM is essentially a nested inventory or list of ingredients that constitute software components.
An SBOM can be generated for any programmable product or component: IoT devices, operating systems, web, mobile or infrastructure applications, and individual software components such as open source libraries, container images and executables.
NTIA recommends building SBOMs in one of three specifications: CycloneDX, SPDX and SWID. These specifications support a variety of serialization formats, including tag-value, XML, JSON and YAML.
Once created, an SBOM is a multi-faceted artifact. It can be used to track component and license inventory (compliance risk), to track known and newly disclosed vulnerabilities (security risk), and to independently validate the included components (software supply chain risk), and it can be combined with other artifacts, such as VEX statements and attestations, to communicate the state of the software in an automated fashion.
The Vulnerability Exploitability eXchange (VEX) is an essential companion to the Software Bill of Materials (SBOM) in managing software security and supply chain risks.
A VEX document provides context around known vulnerabilities, specifically whether or not they affect a particular software component in a given deployment. While an SBOM lists the components in software, VEX clarifies if any reported vulnerabilities are actually exploitable within those components.
CISA has published a document describing Vulnerability Exploitability eXchange (VEX) – Use Cases.
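The following is an added example, written for this page and not part of Interlynk's tooling, of how a VEX document changes what a vulnerability scan means in practice. It consumes a constructed CycloneDX VEX document (the vulnerability ids are placeholders, not real CVEs, and the component purls are made up for a fictitious application) together with a constructed list of scanner findings, and keeps only the findings that a VEX statement does not justify suppressing. Two deliberate caveats are built in: a statement is matched on the exact component ref, so a "not affected" claim about one version never covers another, and a "not_affected" statement without a justification is left in the queue, following CISA's minimum VEX requirements, which call for a justification with that status.

```python
"""Added example (not Interlynk code): applying CycloneDX VEX analysis statements
to scanner findings so that only exploitable or untriaged vulnerabilities remain."""
import json

# Constructed VEX document. The vulnerability ids are placeholders, not real CVEs.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "vulnerabilities": [
        {"id": "EXAMPLE-2024-0001",
         "affects": [{"ref": "pkg:pypi/urllib3@2.2.1"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "demo-app never calls the affected parser."}},
        {"id": "EXAMPLE-2024-0002",
         "affects": [{"ref": "pkg:pypi/requests@2.31.0"}],
         "analysis": {"state": "exploitable", "response": ["update"]}},
        {"id": "EXAMPLE-2024-0003",
         "affects": [{"ref": "pkg:pypi/certifi@2023.11.17"}],   # older than the shipped version
         "analysis": {"state": "not_affected", "justification": "code_not_present"}},
        {"id": "EXAMPLE-2024-0005",
         "affects": [{"ref": "pkg:pypi/requests@2.31.0"}],
         "analysis": {"state": "not_affected"}},                 # no justification given
    ],
})

# Constructed scanner findings: (vulnerability id, purl the finding was reported against).
FINDINGS = [
    ("EXAMPLE-2024-0001", "pkg:pypi/urllib3@2.2.1"),
    ("EXAMPLE-2024-0002", "pkg:pypi/requests@2.31.0"),
    ("EXAMPLE-2024-0003", "pkg:pypi/certifi@2024.2.2"),
    ("EXAMPLE-2024-0004", "pkg:pypi/requests@2.31.0"),
    ("EXAMPLE-2024-0005", "pkg:pypi/requests@2.31.0"),
]

# CycloneDX analysis states that justify removing a finding from the work queue.
SUPPRESSING_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def index_vex(vex_doc):
    """Map (vulnerability id, affected component ref) -> analysis block.

    Keying on the exact ref is deliberate: a statement about one version of a
    component must not silently cover a different version.
    """
    index = {}
    for vuln in vex_doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        for affected in vuln.get("affects", []):
            index[(vuln["id"], affected["ref"])] = analysis
    return index


def triage(findings, vex_index):
    """Return (id, ref, decision, reason) for each scanner finding."""
    results = []
    for vuln_id, ref in findings:
        analysis = vex_index.get((vuln_id, ref))
        if analysis is None:
            results.append((vuln_id, ref, "actionable", "no VEX statement for this id/ref"))
            continue
        state = analysis.get("state", "in_triage")
        justification = analysis.get("justification")
        if state == "not_affected" and not justification:
            # CISA's minimum VEX requirements expect a justification with "not affected";
            # without one, keep the finding rather than trust the bare claim.
            results.append((vuln_id, ref, "actionable", "not_affected without justification"))
        elif state in SUPPRESSING_STATES:
            results.append((vuln_id, ref, "suppressed", f"{state}:{justification or '-'}"))
        else:
            results.append((vuln_id, ref, "actionable", state))
    return results


def actionable(findings, vex_index):
    """Only the findings that still need human or patching attention."""
    return [(v, r) for v, r, decision, _ in triage(findings, vex_index) if decision == "actionable"]


if __name__ == "__main__":
    idx = index_vex(json.loads(SAMPLE_VEX))
    for row in triage(FINDINGS, idx):
        print(*row)
```

Run as-is, the script suppresses only EXAMPLE-2024-0001; the certifi finding stays actionable because the VEX statement names a different version, and EXAMPLE-2024-0005 stays actionable because its "not_affected" carries no justification.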
The adoption of a Software Bill of Materials (SBOM) is increasingly becoming a regulatory requirement across various industries to enhance cybersecurity and manage software supply chain risks.
These mandates collectively underline SBOM’s importance as a key artifact for compliance, risk management, and software transparency.
To encourage widespread adoption of SBOMs, high-quality tools for generating and consuming them are essential.
To this end, NTIA (whose SBOM work CISA has since taken over) published "The Minimum Elements for a Software Bill of Materials (SBOM)", and OWASP is developing the Software Component Verification Standard (SCVS) BOM Maturity Model; both provide guidelines for improving SBOM quality.
Today, SBOM generation is getting easier by the day. The quality of the generated SBOMs, however, still has considerable room for improvement.
Interlynk's SBOM Quality Score is a customizable checklist for the content of an SBOM, together with a Go application, sbomqs, that applies that checklist.
It is open source and incorporates the best known guidelines to help improve the quality, and therefore the effectiveness, of SBOMs.
SBOM Quality Score can be used proactively, to assess and make informed decisions about what to include in an SBOM, as well as when accepting SBOMs from external parties.
SBOM Quality Scoring is built on a set of SBOM Quality Checks that are applied to the SBOM.
The checks fall into five categories: Structural, Semantic, NTIA-Minimum-Elements, Quality and Sharing.
The full list of checks, the scoring criteria and the remediation for each check are described in the detailed documentation.
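To make the NTIA-Minimum-Elements category concrete, here is an added example of a small checker over a CycloneDX JSON SBOM. It is illustrative code written for this page, not sbomqs itself: the check names loosely follow sbomqs's naming, but the equal weighting on a 0 to 10 scale is an assumption of this example, and the SBOM it scores is constructed for a fictitious "demo-app" (with a supplier deliberately missing on two components and a version missing on one, so that the checks have something to flag and a remediation list to report).

```python
"""Added example (not sbomqs code): a minimal NTIA-minimum-elements checker
for a CycloneDX JSON SBOM, showing the kind of checks a quality score is built from."""
import json

# Constructed sample SBOM for a fictitious "demo-app". It deliberately omits the
# supplier on two components and the version on one so the checks have something to flag.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-05-01T12:00:00Z",
        "tools": [{"vendor": "example", "name": "example-sbom-gen", "version": "0.1"}],
        "component": {"type": "application", "name": "demo-app", "version": "1.2.3",
                      "bom-ref": "pkg:generic/demo-app@1.2.3"},
    },
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "bom-ref": "pkg:pypi/requests@2.31.0", "purl": "pkg:pypi/requests@2.31.0",
         "supplier": {"name": "Python Software Foundation"}},
        {"type": "library", "name": "urllib3", "version": "2.2.1",          # no supplier
         "bom-ref": "pkg:pypi/urllib3@2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
        {"type": "library", "name": "certifi",                               # no version, no supplier
         "bom-ref": "certifi-ref", "purl": "pkg:pypi/certifi"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/demo-app@1.2.3", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.2.1", "certifi-ref"]},
    ],
})


def load_sbom(text):
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("this example only understands CycloneDX JSON")
    return doc


def _fraction(components, predicate):
    """Share of components satisfying predicate; an empty SBOM scores 0, not 1."""
    if not components:
        return 0.0
    return sum(1 for c in components if predicate(c)) / len(components)


def ntia_checks(doc):
    """One entry per NTIA minimum element, each scored 0.0..1.0."""
    comps = doc.get("components", [])
    meta = doc.get("metadata", {})
    has_author = bool(meta.get("authors") or meta.get("tools") or meta.get("supplier"))
    has_deps = any(d.get("dependsOn") for d in doc.get("dependencies", []))
    return {
        "sbom_authors": 1.0 if has_author else 0.0,
        "sbom_creation_timestamp": 1.0 if meta.get("timestamp") else 0.0,
        "sbom_dependencies": 1.0 if has_deps else 0.0,
        "comp_with_name": _fraction(comps, lambda c: bool(c.get("name"))),
        "comp_with_version": _fraction(comps, lambda c: bool(c.get("version"))),
        "comp_with_supplier": _fraction(comps, lambda c: bool((c.get("supplier") or {}).get("name"))),
        "comp_with_uniq_ids": _fraction(comps, lambda c: bool(c.get("purl") or c.get("cpe") or c.get("swid"))),
    }


def score(checks):
    """Equal-weight average on a 0..10 scale (the weighting is an assumption of this example)."""
    return round(10 * sum(checks.values()) / len(checks), 2)


def components_missing(doc, field):
    """Names of components lacking `field`: the remediation list for that check."""
    return [c.get("name", "<unnamed>") for c in doc.get("components", []) if not c.get(field)]


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    checks = ntia_checks(sbom)
    for name, value in checks.items():
        print(f"{name:26s} {10 * value:5.2f}")
    print("overall:", score(checks))
    print("components without supplier:", components_missing(sbom, "supplier"))
    print("components without version:", components_missing(sbom, "version"))
```

The per-component checks are fractions rather than pass/fail so that a single incomplete entry lowers the score without zeroing it, and the remediation list names exactly which components an SBOM producer needs to fix; an SBOM with no components at all scores zero on those checks rather than vacuously passing.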
SBOM Benchmark is a collection of SBOM examples in CycloneDX and SPDX formats. These examples are generated for common open source repositories and container images using open source SBOM tools.
Additionally, the examples included above have been evaluated with SBOM Quality Score. You can use these SBOM samples to improve your understanding of how SBOMs work in practice and of common pitfalls with SBOMs.
You can also use SBOM Benchmark to host the result of your own SBOM Quality Score run, without uploading the SBOM itself anywhere, by using the `share` command in sbomqs, the SBOM Quality Scoring tool.
The Interlynk SBOM Automation Platform’s Free Tier offers an accessible and feature-rich solution for individual developers and small teams to manage SBOMs efficiently.
This free version simplifies key processes such as SBOM storage, monitoring, and policy enforcement. With centralized storage, users can securely manage SBOMs in multiple formats like CycloneDX and SPDX, making them easily retrievable and interchangeable. Additionally, the platform supports integrated vulnerability scanning and VEX compatibility, providing real-time security insights and automating policy enforcement to ensure compliance with industry standards.
This tier serves as a robust entry point into automated SBOM management while offering optional paid tiers with advanced features for larger organizations or more complex needs.
If you want to get involved in the project or have ideas you'd like to chat about, we'd love to connect: follow @interlynk-io.