In software development, maintaining transparency and security is of paramount importance. Software Bill of Materials (SBOM) has emerged as a crucial component in achieving these goals. To simplify the process of sharing SBOMs while ensuring ease of use and security, we present to you the innovative and free service - SBOM.sh.
SBOM.sh is a service designed to streamline the sharing and retrieval of SBOMs. It allows developers, teams, and organizations to upload local SBOM JSON files and receive a unique URL. This URL can be accessed anytime, either through curl commands or directly from a web browser, to retrieve the SBOM data.
Using SBOM.sh is a breeze. The process involves two simple steps:
1. Upload SBOM JSON File: Begin by uploading your SBOM JSON file using the following curl command:
curl -d "@someSBOM.json" https://sbom.sh
You will receive:
{"documentid":"unique-identifier","message":"SBOM stored successfully","url":"https://sbom.sh/unique-identifier"}
2. Retrieve SBOM Data: Once uploaded, you will receive a unique URL. You can use curl or your web browser to access the SBOM data:
Using curl:
curl https://sbom.sh/unique-identifier
Using your browser:
https://sbom.sh/unique-identifier
SBOM.sh is designed with simplicity in mind. The only requirement is having curl or a similar tool installed. You can check whether curl is installed by typing curl in your terminal. To ensure compatibility, make sure your SBOM files are in the CycloneDX JSON format.
To enhance your experience and reduce typing, you can create an alias for uploading SBOMs. For Linux users, add the following line to your .bashrc file:
echo 'alias sbu="curl --data-binary @- https://sbom.sh"' >> ~/.bashrc && source ~/.bashrc
For Mac OS X users, update your .bash_profile with the following line:
echo 'alias sbu="curl --data-binary @- https://sbom.sh"' >> ~/.bash_profile && source ~/.bash_profile
Remember to reset your terminal session after making these changes. The alias reads the SBOM from standard input (that is what @- means to curl), so use it as sbu < someSBOM.json.
You can also use other open source tools like trivy, syft, CycloneDX's own tools, or Codenotary Trustcenter to produce SBOM files in JSON format.
Let's use trivy to produce an SBOM file including vulnerabilities for Node version 14:
trivy image --format cyclonedx --scanners vuln --output node14-vuln.json node:14
Then upload the produced file to SBOM.sh:
curl -d "@node14-vuln.json" https://sbom.sh
{"documentid":"78649620-7436-41c0-b5ed-9e9ee6246070","message":"SBOM stored successfully","url":"https://sbom.sh/78649620-7436-41c0-b5ed-9e9ee6246070"}
The output also shows the unique URL you can use in the future to access that SBOM.
By the way, you can also view the SBOM file online at that URL using your favorite browser.
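As an added example (not SBOM.sh's own tooling), the following POSIX shell script wraps the upload step shown above: it checks that the file declares CycloneDX as its bomFormat before sending it, uploads with --data-binary so the stored bytes match the local file, extracts the returned URL, and records the file's SHA-256 so a later download from that URL can be checked. It assumes SBOM.sh hands back the stored document unmodified; the function names, the SBOM_SH variable and the sample document are the example's own.

```shell
#!/usr/bin/env sh
# Added example, not SBOM.sh's own tooling: check that a file is CycloneDX
# JSON, record its SHA-256, upload it byte-for-byte, and pull the URL out
# of the response. Needs curl plus standard POSIX tools (grep, sed, cut).
# Assumption: SBOM.sh returns the stored document unchanged, so the digest
# of a later download can be compared with the one recorded at upload time.

SBOM_SH="${SBOM_SH:-https://sbom.sh}"

# Succeeds only if the file is readable and declares "bomFormat": "CycloneDX".
is_cyclonedx() {
  [ -r "$1" ] && grep -Eq '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$1"
}

# Hex SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sbom_digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Extracts the "url" value from an SBOM.sh upload response.
response_url() {
  printf '%s\n' "$1" | sed -n 's/.*"url"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Uploads a CycloneDX file and prints "<url> <sha256>" for later verification.
upload_sbom() {
  is_cyclonedx "$1" || { echo "not a CycloneDX JSON file: $1" >&2; return 1; }
  # --data-binary keeps the bytes intact; -d would strip newlines.
  resp=$(curl -sS --fail -H 'Content-Type: application/json' \
           --data-binary "@$1" "$SBOM_SH") || return 1
  url=$(response_url "$resp")
  [ -n "$url" ] || { echo "unexpected response: $resp" >&2; return 1; }
  printf '%s %s\n' "$url" "$(sbom_digest "$1")"
}

# Downloads an SBOM URL and compares it with the digest recorded at upload.
verify_sbom() {
  tmp=$(mktemp) || return 1
  curl -sS --fail "$1" -o "$tmp" || { rm -f "$tmp"; return 1; }
  actual=$(sbom_digest "$tmp"); rm -f "$tmp"
  [ "$actual" = "$2" ]
}

# Constructed minimal CycloneDX document, used for a local dry run.
write_sample_sbom() {
  printf '%s\n' '{"bomFormat":"CycloneDX","specVersion":"1.5","version":1,' \
    ' "components":[{"type":"library","name":"example-lib","version":"1.0.0"}]}' > "$1"
}
```

A typical run is `write_sample_sbom demo.json && upload_sbom demo.json`, then later `verify_sbom <url> <sha256>` with the two values it printed.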
Enhance your software development workflow by embracing the simplicity and security offered by SBOM.sh. Simplify SBOM sharing, optimize transparency, and ensure security - all with a single free service. Try SBOM.sh today!