Open-source SBOM generation tools?

Question

One of the compliance requirements of the recent Cybersecurity EO order is to track software bill of materials (SBOM). Curious to know what open-source tools exist to generate SBOM and how accurate they are.

derkoe · Accepted Answer

Currently the best one I know of is https://github.com/anchore/syft. It finds most dependencies even within built artifacts.You can also check out the comments in https://news.ycombinator.com/item?id=32104805 - the release announcement of Salus (Microsoft)

jupenur · Answer

We weren't happy with what was already out there, so we built our own -- https://github.com/mattermost/gobom

jasonrojas · Answer

We use this - https://dependencytrack.org/

chintler · Answer

This[0] was posted a few days ago here.[0] https://devblogs.microsoft.com/engineering-at-microsoft/micr...

Open-source SBOM generation tools?

One of the compliance requirements of the recent Cybersecurity EO order is to track software bill of materials (SBOM). Curious to know what open-source tools exist to generate SBOM and how accurate they are.

Currently the best one I know of is https://github.com/anchore/syft. It finds most dependencies even within built artifacts.
You can also check out the comments in https://news.ycombinator.com/item?id=32104805 - the release announcement of Salus (Microsoft)

We weren't happy with what was already out there, so we built our own -- https://github.com/mattermost/gobom

We use this - https://dependencytrack.org/

This[0] was posted a few days ago here.
[0] https://devblogs.microsoft.com/engineering-at-microsoft/micr...