Top Tools for Automating SBOMs

We’ve talked a lot about why software bills of materials (SBOMs) are important and how they communicate the value of your organization, so we won’t continue those lectures here. We’re all good on the why so today we’ll talk about the how – the best (and free!) tools to help you create SBOMs automatically. Creating an SBOM manually is arduous and error-prone so why not avoid it altogether?

If you haven’t thought about SBOMs in a minute, you may want a quick refresher on SBOM standards before reading on.

Creating an SBOM with your SCA tool

If you have one, your commercial software composition analysis (SCA) tool is a great resource for SBOM generation. This isn’t a free solution, per se, but if you’re already paying for an SCA, generating SBOMs doesn’t cost you anything extra.

If you’re using Mend SCA, you can generate an SPDX or CycloneDX SBOM in a variety of formats easily from the Reports menu of the application menu bar. Additionally, you can execute the SBOM Generator Tool via CLI or as a Docker container.

This short video shows how easy it is to generate an SBOM from the Mend UI.

If you don’t use an SCA (you should though…), your SCA doesn’t generate SBOMs, or you simply want to try another tool, here are some widely used free and open source tools. Choosing the right one for your project will depend a lot on your language and architecture. For the purposes of keeping this blog post clean and short, we’ll skip the step-by-step for setting up each tool, but we’ll provide links to helpful documentation.

SBOM tools for containers

1. Create container images and SBOMs in one go with Paketo Buildpacks and Pack CLI. You can generate SBOMs in Syft, SPDX, or CycloneDX standards in a JSON file. A full how-to can be found here.

2. A multifunctional tool that scans container images, filesystems, Kubernetes workloads, and more, Trivy can generate SBOMs in both SPDX and CycloneDX standards in JSON format.

SBOM tools for CI/CD

1. Mentioned above, Trivy is also great for continuous integration/continuous delivery (CI/CD) and integrates with a number of CI ecosystems, including GitHub Actions, Azure DevOps, and Semaphore.

2. A great tool for Java projects, the CycloneDX Maven plugin runs at the build stage of your CI/CD pipeline to create CycloneDX SBOMs in XML or JSON format. This plugin can create SBOMs for single modules or an aggregate SBOM that starts at build root. If you’re not a Maven expert, it can be a little difficult to set up using the developer-provided documentation. This Medium post gives a good step-by-step breakdown on how to do it.

3. Microsoft’s sbom-tool is a command line tool that creates SPDX SBOMs for a wide variety of artifacts and integrates with GitHub Actions and Azure DevOps.

General SBOM tools that support multiple languages

1. The Microsoft sbom-tool also works as a standalone tool. It uses Component Detection libraries so check there to see if your language is covered.

2. One of the most popular open source tools for SBOM generation, Syft supports a wide number of languages including Java, Ruby, Rust, Go, PHP, Python, C++ (Conan), and more. With this tool you can create SBOMs in CycloneDX, SPDX, and Syft’s own standard. 

3. The SPDX SBOM Generator has slightly more limited language coverage compared to Syft but covers a few package managers that Syft does not.

SBOM Tools For C/C++

Although they’re two of the most widely used languages, finding an open source SBOM generator for C and C++ can be tricky. Due to the lack of an official or even dominating package manager for C/C++, the work for scanning a project and recognizing dependencies is not trivial and therefore generally beyond the abilities of free software.

There are a few package managers for C/C++ out there, though, and developers who use Conan are in luck. Conan includes extensions to help you create an SBOM and Syft and Trivy also support C/C++ SBOMs via Conan.

If you’re using a different package manager or none at all, sorry to say, but at this point in time there’s no great automated solution outside of commercial SCA products.

Going beyond generating SBOMs – other useful tools

The grass is always greener, eh? If you need to convert SPDX to CycloneDX (or vice versa), the organizations behind both standards have tools to help you do that. The CycloneDX CLI tool can be found here and an SPDX prototype conversion tool can be found here.

KubeClarity does not generate SBOMs on its own (although it does run Trivy and Syft on your behalf) but rather merges multiple SBOMs and performs multi-stage CI/CD SBOM analysis, overlaying analysis from different build stages for comprehensive insights. It can be installed locally, via Docker, or on a Kubernetes cluster-based system.

Parting words

The era of SBOMs has only just begun. More tools are sure to pop up and existing tools are sure to get better. At the moment, many tools, both commercial and free and open source, are likely to have some limitations. Some work great with one language and less great with others. Some struggle to show dependency trees and produce very flat SBOMs. Our advice to you is to try out as many tools as you can and compare the outputs.