Introduction to SBOM
An SBOM (Software Bill of Materials) is a listing of all software components (proprietary and open source code), open source licenses and dependencies in a given product. It provides visibility into the software supply chain and into any license compliance, security and quality risks that may exist.
An SBOM can help organizations quickly identify and remediate potential security gaps, meet licensing requirements, and apply version control best practices.
An SBOM should include:
- Open Source Libraries for Applications
- Plug-ins, extensions and other add-ons to programs
- Custom source code written in-house by developers
- Information about the version, license status, and patch status of these components
- Automatic component cryptographic signing and verification
- Automated scanning to generate SBOMs as part of a continuous integration/continuous deployment (CI/CD) pipeline
SBOMs should use a consistent format, and popular SBOM formats include Software Package Data Exchange (SPDX), Software Identification (SWID) notation, and OWASP CycloneDX. While these are standards, the 2021 White House Executive Order does not mandate a specific SBOM format. So far, none of the three has become a de facto industry standard.
Value of SBOM:
- Software producers use SBOMs to assist in building and maintaining the software they provide.
- Software buyers use SBOMs to inform pre-purchase assurances, negotiate discounts, and plan implementation strategies.
- Software operators use SBOMs to inform vulnerability management and asset management, manage licensing and compliance, and quickly identify software and component dependencies and supply chain risks.
Example (syft JSON output):
{ "artifacts": [ { "id": "56038ff78afaea17", "name": "aopalliance-repackaged", "version": "2.5.0-b36", "type": "java-archive", "foundBy": "java-cataloger", "locations": [ { "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar" } ], "licenses": [], "language": "java", "cpes": [ "cpe:2.3:a:aopalliance-repackaged:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:aopalliance-repackaged:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:aopalliance_repackaged:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:aopalliance_repackaged:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:aopalliance:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:aopalliance:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:external:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:external:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*" ], "purl": "pkg:maven/org.glassfish.hk2.external/aopalliance-repackaged@2.5.0-b36", "metadataType": "JavaMetadata", "metadata": { "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:aopalliance-repackaged", "pomProperties": { "path": "META-INF/maven/org.glassfish.hk2.external/aopalliance-repackaged/pom.properties", "name": "", "groupId": "org.glassfish.hk2.external", "artifactId": "aopalliance-repackaged", "version": "2.5.0-b36" } } }, { "id": "a5067ebc30eb2e85", "name": "glassfish-corba-internal-api", "version": "4.1.1-b001", "type": "java-archive", "foundBy": "java-cataloger", "locations": [ { "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar" } ], "licenses": [], "language": "java", "cpes": [ "cpe:2.3:a:glassfish-corba-internal-api:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*", 
"cpe:2.3:a:glassfish-corba-internal-api:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba_internal_api:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba_internal_api:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish-corba-internal:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish-corba-internal:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba_internal:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba_internal:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish-corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish-corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*" ], "purl": "pkg:maven/org.glassfish.corba/glassfish-corba-internal-api@4.1.1-b001", "metadataType": "JavaMetadata", "metadata": { "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-internal-api", "pomProperties": { "path": "META-INF/maven/org.glassfish.corba/glassfish-corba-internal-api/pom.properties", "name": "", "groupId": "org.glassfish.corba", "artifactId": "glassfish-corba-internal-api", "version": "4.1.1-b001" } } }, { "id": "6de5dbcc6bd3df79", "name": "glassfish-corba-omgapi", "version": "4.1.1-b001", "type": "java-archive", "foundBy": "java-cataloger", "locations": [ { "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar" } ], "licenses": [], "language": 
"java", "cpes": [ "cpe:2.3:a:glassfish-corba-omgapi:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish-corba-omgapi:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba_omgapi:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba_omgapi:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish-corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish-corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*" ], "purl": "pkg:maven/org.glassfish.corba/glassfish-corba-omgapi@4.1.1-b001", "metadataType": "JavaMetadata", "metadata": { "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-omgapi", "pomProperties": { "path": "META-INF/maven/org.glassfish.corba/glassfish-corba-omgapi/pom.properties", "name": "", "groupId": "org.glassfish.corba", "artifactId": "glassfish-corba-omgapi", "version": "4.1.1-b001" } } }, { "id": "cc00fead3a5f49e3", "name": "glassfish-corba-orb", "version": "4.1.1-b001", "type": "java-archive", "foundBy": "java-cataloger", "locations": [ { "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar" } ], "licenses": [], "language": "java", "cpes": [ "cpe:2.3:a:glassfish-corba-orb:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish-corba-orb:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba_orb:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba_orb:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*", 
"cpe:2.3:a:glassfish-corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish-corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish_corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*" ], "purl": "pkg:maven/org.glassfish.corba/glassfish-corba-orb@4.1.1-b001", "metadataType": "JavaMetadata", "metadata": { "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-orb", "pomProperties": { "path": "META-INF/maven/org.glassfish.corba/glassfish-corba-orb/pom.properties", "name": "", "groupId": "org.glassfish.corba", "artifactId": "glassfish-corba-orb", "version": "4.1.1-b001" } } }, { "id": "8d099ec8d7ff6ed0", "name": "hk2-api", "version": "2.5.0-b36", "type": "java-archive", "foundBy": "java-cataloger", "locations": [ { "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar" } ], "licenses": [], "language": "java", "cpes": [ "cpe:2.3:a:glassfish:hk2-api:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:hk2_api:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2-api:hk2-api:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2-api:hk2_api:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2_api:hk2-api:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2_api:hk2_api:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2-api:hk2:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2:hk2-api:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2:hk2_api:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2_api:hk2:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*" ], "purl": "pkg:maven/org.glassfish.hk2/hk2-api@2.5.0-b36", "metadataType": "JavaMetadata", "metadata": { "virtualPath": 
"/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-api", "pomProperties": { "path": "META-INF/maven/org.glassfish.hk2/hk2-api/pom.properties", "name": "", "groupId": "org.glassfish.hk2", "artifactId": "hk2-api", "version": "2.5.0-b36" } } }, { "id": "6e0a2624f7ad3862", "name": "hk2-locator", "version": "2.5.0-b36", "type": "java-archive", "foundBy": "java-cataloger", "locations": [ { "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar" } ], "licenses": [], "language": "java", "cpes": [ "cpe:2.3:a:hk2-locator:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2-locator:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2_locator:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2_locator:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2-locator:hk2:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2_locator:hk2:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*" ], "purl": "pkg:maven/org.glassfish.hk2/hk2-locator@2.5.0-b36", "metadataType": "JavaMetadata", "metadata": { "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-locator", "pomProperties": { "path": "META-INF/maven/org.glassfish.hk2/hk2-locator/pom.properties", "name": "", "groupId": "org.glassfish.hk2", "artifactId": "hk2-locator", "version": "2.5.0-b36" } } }, { "id": "be549b709625535c", "name": "hk2-utils", "version": "2.5.0-b36", "type": "java-archive", "foundBy": "java-cataloger", "locations": [ { "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar" } ], "licenses": [], "language": "java", "cpes": [ "cpe:2.3:a:glassfish:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2-utils:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*", 
"cpe:2.3:a:hk2-utils:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2_utils:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2_utils:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2-utils:hk2:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2_utils:hk2:2.5.0-b36:*:*:*:*:*:*:*", "cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*" ], "purl": "pkg:maven/org.glassfish.hk2/hk2-utils@2.5.0-b36", "metadataType": "JavaMetadata", "metadata": { "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-utils", "pomProperties": { "path": "META-INF/maven/org.glassfish.hk2/hk2-utils/pom.properties", "name": "", "groupId": "org.glassfish.hk2", "artifactId": "hk2-utils", "version": "2.5.0-b36" } } }, { "id": "f52d88b064a16b59", "name": "pfl-asm", "version": "4.0.1-b001", "type": "java-archive", "foundBy": "java-cataloger", "locations": [ { "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar" } ], "licenses": [], "language": "java", "cpes": [ "cpe:2.3:a:glassfish:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:pfl-asm:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:pfl-asm:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:pfl_asm:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:pfl_asm:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:glassfish:pfl:4.0.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:pfl-asm:pfl:4.0.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:pfl:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:pfl:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:pfl_asm:pfl:4.0.1-b001:*:*:*:*:*:*:*", "cpe:2.3:a:pfl:pfl:4.0.1-b001:*:*:*:*:*:*:*" ], "purl": "pkg:maven/org.glassfish.pfl/pfl-asm@4.0.1-b001", "metadataType": "JavaMetadata", "metadata": { "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:pfl-asm", "pomProperties": { "path": "META-INF/maven/org.glassfish.pfl/pfl-asm/pom.properties", 
"name": "", "groupId": "org.glassfish.pfl", "artifactId": "pfl-asm", "version": "4.0.1-b001" } } }, { "id": "4207385428509458", "name": "tiger-types", "version": "1.4", "type": "java-archive", "foundBy": "java-cataloger", "locations": [ { "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar" } ], "licenses": [], "language": "java", "cpes": [ "cpe:2.3:a:tiger-types:tiger-types:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:tiger-types:tiger_types:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:tiger_types:tiger-types:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:tiger_types:tiger_types:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:jvnet:tiger-types:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:jvnet:tiger_types:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:tiger:tiger-types:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:tiger:tiger_types:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:java:tiger-types:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:java:tiger_types:1.4:*:*:*:*:*:*:*" ], "purl": "pkg:maven/org.jvnet/tiger-types@1.4", "metadataType": "JavaMetadata", "metadata": { "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:tiger-types", "pomProperties": { "path": "META-INF/maven/org.jvnet/tiger-types/pom.properties", "name": "", "groupId": "org.jvnet", "artifactId": "tiger-types", "version": "1.4" }, "pomProject": { "path": "META-INF/maven/org.jvnet/tiger-types/pom.xml", "parent": { "groupId": "net.java", "artifactId": "jvnet-parent", "version": "1" }, "groupId": "org.jvnet", "artifactId": "tiger-types", "version": "1.4", "name": "Type arithmetic library for Java5" } } }, { "id": "26d5946744f05e2a", "name": "wlclient", "version": "12.2.1.3.0", "type": "java-archive", "foundBy": "java-cataloger", "locations": [ { "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar" } ], "licenses": [], "language": "java", "cpes": [ "cpe:2.3:a:wlclient:wlclient:12.2.1.3.0:*:*:*:*:*:*:*" ], "purl": "pkg:maven/wlclient/wlclient@12.2.1.3.0", "metadataType": "JavaMetadata", "metadata": { "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar", "manifest": { "main": { 
"Created-By": "1.8.0_321 (Oracle Corporation)", "DynamicImport-Package": "*", "Fragment-Host": "system.bundle; extension:=framework", "Implementation-Title": "wls_sharedLibraries", "Implementation-Version": "12.2.1.3.0", "Library-Version": "12.2.1.3.0", "Main-Class": "javassist.CtClass", "Manifest-Version": "1.0", "Multi-Release": "true", "Originally-Created-By": "Apache Maven", "Specification-Title": "wlclient", "Specification-Version": "12.2.1", "service": "foo" } }, "digest": [ { "algorithm": "sha1", "value": "7b81b31164ee07337ebd81ce404163bcc9934e1f" } ] } } ], "artifactRelationships": [ { "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "26d5946744f05e2a", "type": "contains" }, { "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "4207385428509458", "type": "contains" }, { "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "56038ff78afaea17", "type": "contains" }, { "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "6de5dbcc6bd3df79", "type": "contains" }, { "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "6e0a2624f7ad3862", "type": "contains" }, { "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "8d099ec8d7ff6ed0", "type": "contains" }, { "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "a5067ebc30eb2e85", "type": "contains" }, { "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "be549b709625535c", "type": "contains" }, { "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "cc00fead3a5f49e3", "type": "contains" }, { "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "f52d88b064a16b59", "type": "contains" } ], "source": { "id": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", 
"type": "file", "target": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar" }, "distro": {}, "descriptor": { "name": "syft", "version": "0.69.0", "configuration": { "configPath": "", "verbosity": 0, "quiet": false, "output": [ "syft-json=sbom.syft.json" ], "output-template-path": "", "file": "", "check-for-app-update": true, "dev": { "profile-cpu": false, "profile-mem": false }, "log": { "structured": false, "level": "warn", "file-location": "" }, "catalogers": null, "package": { "cataloger": { "enabled": true, "scope": "Squashed" }, "search-unindexed-archives": false, "search-indexed-archives": true }, "attest": { "key": "", "password": "" }, "file-metadata": { "cataloger": { "enabled": false, "scope": "Squashed" }, "digests": [ "sha256" ] }, "file-classification": { "cataloger": { "enabled": false, "scope": "Squashed" } }, "file-contents": { "cataloger": { "enabled": false, "scope": "Squashed" }, "skip-files-above-size": 1048576, "globs": [] }, "secrets": { "cataloger": { "enabled": false, "scope": "AllLayers" }, "additional-patterns": {}, "exclude-pattern-names": [], "reveal-values": false, "skip-files-above-size": 1048576 }, "registry": { "insecure-skip-tls-verify": false, "insecure-use-http": false, "auth": [] }, "exclude": [], "platform": "", "name": "", "parallelism": 1 } }, "schema": { "version": "6.2.0", "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-6.2.0.json" } }
Tools
syft
syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.
The following ecosystems and package formats are supported:
- Alpine (apk)
- C (conan)
- C++ (conan)
- Dart (pubs)
- Debian (dpkg)
- Dotnet (deps.json)
- Objective-C (cocoapods)
- Elixir (mix)
- Erlang (rebar3)
- Go (go.mod, Go binaries)
- Haskell (cabal, stack)
- Java (jar, ear, war, par, sar, native-image)
- JavaScript (npm, yarn)
- Jenkins Plugins (jpi, hpi)
- PHP (composer)
- Python (wheel, egg, poetry, requirements.txt)
- Red Hat (rpm)
- Ruby (gem)
- Rust (cargo.lock)
- Swift (cocoapods)
For example, the following command generates an SBOM in syft's JSON format:
syft /weblogic/wls12213/wlserver/server/lib/wlclient.jar -o syft-json=sbom.syft.json
See the example in the Introduction section above for the output.
grype
grype is a vulnerability scanner for container images and filesystems.
Supports vulnerability discovery for the packages of major operating systems:
- Alpine
- Amazon Linux
- BusyBox
- CentOS
- Debian
- Distroless
- Oracle Linux
- Red Hat (RHEL)
- Ubuntu
Supports finding vulnerabilities in language-specific packages:
- Ruby (Gems)
- Java (JAR, WAR, EAR, JPI, HPI)
- JavaScript (NPM, Yarn)
- Python (Egg, Wheel, Poetry, requirements.txt/setup.py files)
- Dotnet (deps.json)
- Golang (go.mod)
- PHP (Composer)
- Rust (Cargo)
Supports Docker and OCI image formats
Supports scanning an SBOM file instead of an image or directory:
grype sbom:./sbom.syft.json
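As an added example (not code from this page, syft or grype), the script below parses a constructed SBOM in the syft-json shape shown in the Introduction section and performs the kind of checks the page describes: matching each artifact's purl and version against a constructed advisory list (placeholder ids, not real CVEs), listing components with no license recorded, and listing artifacts that no relationship ties to the scanned source. grype does the first check against a real vulnerability database; this only shows the matching logic on the page's format.

```python
import json

# Constructed SBOM fragment in syft-json shape (same keys as the page's example:
# artifacts, purl, cpes, licenses, artifactRelationships, source). Not real scanner output.
SAMPLE_SBOM_JSON = json.dumps({
    "artifacts": [
        {"id": "a1", "name": "hk2-api", "version": "2.5.0-b36", "type": "java-archive",
         "licenses": [], "purl": "pkg:maven/org.glassfish.hk2/hk2-api@2.5.0-b36",
         "cpes": ["cpe:2.3:a:glassfish:hk2-api:2.5.0-b36:*:*:*:*:*:*:*"]},
        {"id": "a2", "name": "tiger-types", "version": "1.4", "type": "java-archive",
         "licenses": ["CDDL-1.0"], "purl": "pkg:maven/org.jvnet/tiger-types@1.4", "cpes": []},
        {"id": "a3", "name": "leftover-lib", "version": "0.1", "type": "java-archive",
         "licenses": ["MIT"], "purl": "pkg:maven/example/leftover-lib@0.1?type=jar", "cpes": []},
    ],
    "artifactRelationships": [
        {"parent": "src-1", "child": "a1", "type": "contains"},
        {"parent": "src-1", "child": "a2", "type": "contains"},
    ],
    "source": {"id": "src-1", "type": "file", "target": "/tmp/example.jar"},
    "descriptor": {"name": "syft", "version": "0.69.0"},
})

# Constructed advisory feed keyed by version-less purl; the ids are placeholders, not real CVEs.
SAMPLE_ADVISORIES = {
    "pkg:maven/org.glassfish.hk2/hk2-api": [("ADVISORY-PLACEHOLDER-1", {"2.5.0-b35", "2.5.0-b36"})],
    "pkg:maven/org.jvnet/tiger-types": [("ADVISORY-PLACEHOLDER-2", {"1.3"})],
}

def parse_purl(purl):
    """Split a purl into (version-less base, version); qualifiers (?...) and subpath (#...) are dropped."""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    base, sep, version = core.rpartition("@")
    return (base, version) if sep else (core, None)

def find_vulnerable(sbom, advisories):
    """Return (name, version, advisory id) for every artifact whose purl base and version match."""
    hits = []
    for art in sbom.get("artifacts", []):
        base, version = parse_purl(art.get("purl", ""))
        for adv_id, affected_versions in advisories.get(base, []):
            if version in affected_versions:
                hits.append((art["name"], version, adv_id))
    return hits

def license_gaps(sbom):
    """Names of components with no license recorded: a compliance follow-up, not a vulnerability."""
    return [a["name"] for a in sbom.get("artifacts", []) if not a.get("licenses")]

def unlinked_artifacts(sbom):
    """Artifact ids that no 'contains' relationship lists as a child (inventory gaps to investigate)."""
    linked = {r["child"] for r in sbom.get("artifactRelationships", []) if r.get("type") == "contains"}
    return [a["id"] for a in sbom.get("artifacts", []) if a["id"] not in linked]

def audit(sbom_text, advisories):
    """Run all three checks over the raw syft-json text and return the findings."""
    sbom = json.loads(sbom_text)
    return {"vulnerable": find_vulnerable(sbom, advisories),
            "license_gaps": license_gaps(sbom),
            "unlinked": unlinked_artifacts(sbom)}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES), indent=2))
```

Replace SAMPLE_SBOM_JSON with the contents of sbom.syft.json to run the same checks over real syft output.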
References:
https://baijiahao.baidu.com/s?id=1738298541287787037&wfr=spider&for=pc
https://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650546781&idx=2&sn=54e5b3a7de985c94b4b11ec9bfa318b5&chksm=83bd47b9b4caceafbd1177ec3c17472212f93309ebd7d8da24e9217ccb579ef09b1e80c2f99c&scene=27