Codenotary Trustcenter Blog

Introducing SBOM.sh: Effortless SBOM Sharing

Written by Mahrukh | Sep 4, 2023 6:18:28 AM

In software development, maintaining transparency and security is of paramount importance. Software Bill of Materials (SBOM) has emerged as a crucial component in achieving these goals. To simplify the process of sharing SBOMs while ensuring ease of use and security, we present to you the innovative and free service - SBOM.sh.

What is SBOM.sh?

SBOM.sh is a service designed to streamline the sharing and retrieval of SBOMs. It allows developers, teams, and organizations to effortlessly upload local SBOM JSON files and receive a unique URL. This URL can be accessed anytime, either through curl commands or directly from a web browser, to retrieve the SBOM data.

How it Works

Using SBOM.sh is a breeze. The process involves two simple steps:

1. Upload SBOM JSON File: Begin by uploading your SBOM JSON file using the following curl command:

curl -d "@someSBOM.json" https://sbom.sh

You will receive:

{"documentid":"unique-identifier","message":"SBOM stored successfully","url":"https://sbom.sh/unique-identifier"}

2. Retrieve SBOM Data: Once uploaded, you will receive a unique URL. You can use curl or your web browser to access the SBOM data:

Using curl:

curl https://sbom.sh/unique-identifier

Using your browser:

https://sbom.sh/unique-identifier
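As an added example (not part of the post and not SBOM.sh's own tooling), here is a small POSIX shell wrapper around the two steps above. Before uploading, it checks that the file is CycloneDX JSON and records the file's SHA-256, so that a copy fetched later from the returned URL can be compared with what was uploaded. The SBOM_SH_URL variable, the function names and the sample document are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the SBOM.sh post: a wrapper around the two curl
# calls described above. Before uploading it checks that the file is
# CycloneDX JSON (the format the post says the service expects) and records
# the file's SHA-256, so a copy fetched later from the returned URL can be
# compared against what was uploaded. SBOM_SH_URL, the function names and
# the sample document are assumptions made for this example.

SBOM_SH_URL="${SBOM_SH_URL:-https://sbom.sh}"

# Return 0 if the file looks like a CycloneDX JSON document. This is a cheap
# pre-flight check (bomFormat and specVersion keys present), not a schema
# validation; it stops you from publishing the wrong file by mistake.
is_cyclonedx_json() {
  f="$1"
  [ -s "$f" ] || return 1
  grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f" || return 1
  grep -q '"specVersion"[[:space:]]*:' "$f" || return 1
}

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sbom_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Pull the "url" field out of the JSON reply shown in the post, without jq.
extract_url() {
  sed -n 's/.*"url"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Upload a file and print the URL the service returns. --data-binary is used
# rather than -d: curl's -d strips newlines from an @file, so the bytes sent
# would no longer match the local file's digest (the post's alias uses
# --data-binary for the same reason).
sbom_upload() {
  f="$1"
  if ! is_cyclonedx_json "$f"; then
    echo "refusing to upload $f: not a CycloneDX JSON document" >&2
    return 1
  fi
  curl -sS --data-binary "@$f" "$SBOM_SH_URL" | extract_url
}

# Download a stored SBOM to $3 and compare it with the digest recorded at
# upload time. Assumes the service returns the document byte-for-byte; if it
# re-serialises the JSON, canonicalise both sides before comparing.
sbom_fetch_verified() {
  url="$1"; expected="$2"; out="$3"
  curl -sS -o "$out" "$url" || return 1
  actual=$(sbom_digest "$out")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: expected $expected, got $actual" >&2
    return 1
  fi
}

# Offline demo on a constructed sample; set SBOM_SH_UPLOAD=1 to really upload.
DEMO_DIR=$(mktemp -d)
SAMPLE_SBOM="$DEMO_DIR/sample.json"
printf '{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}\n' > "$SAMPLE_SBOM"
if is_cyclonedx_json "$SAMPLE_SBOM"; then
  echo "pre-flight ok, sha256=$(sbom_digest "$SAMPLE_SBOM")"
  if [ "${SBOM_SH_UPLOAD:-0}" = "1" ]; then
    url=$(sbom_upload "$SAMPLE_SBOM") && echo "stored at $url"
  fi
fi
```

Keep the digest printed at upload time next to the URL; anyone who later fetches the SBOM from that URL can run sbom_fetch_verified with both values and know they received the same bytes that were published.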

User-Friendly Requirements

SBOM.sh is designed with simplicity in mind. The only requirement is having curl or a similar tool installed. You can easily check if curl is installed by typing curl in your terminal. To ensure compatibility, make sure your SBOM files are in the CycloneDX JSON format.

Optimize Your Workflow with an Alias

To enhance your experience and reduce typing, you can create an alias for uploading SBOMs. For Linux users, add the following line to your .bashrc file:

echo 'alias sbu="curl --data-binary @- https://sbom.sh"' >> ~/.bashrc && source ~/.bashrc

For Mac OS X users, update your .bash_profile with the following line:

echo 'alias sbu="curl --data-binary @- https://sbom.sh"' >> ~/.bash_profile && source ~/.bash_profile

Remember to reset your terminal session after making these changes.

Combining SBOM tools with SBOM.sh

You can also use other open source tools such as trivy, syft, CycloneDX's own tools, or Codenotary Trustcenter to produce SBOM files in JSON format.

Let's use trivy to produce an SBOM file, including vulnerabilities, for Node.js version 14 (the node:14 image):

trivy image --format cyclonedx --scanners vuln --output node14-vuln.json node:14

Then upload the produced file to SBOM.sh:

curl -d "@node14-vuln.json" https://sbom.sh

{"documentid":"78649620-7436-41c0-b5ed-9e9ee6246070","message":"SBOM stored successfully","url":"https://sbom.sh/78649620-7436-41c0-b5ed-9e9ee6246070"}

The output also shows the unique URL you can use in the future to access that SBOM.

By the way, you can also view the SBOM file online by opening that URL in your favorite browser.
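The trivy output above carries vulnerability findings as well as components, and the URL you get back is reachable by anyone who has it. As an added example (not from the post or from trivy), the following shell snippet summarises the severities in a CycloneDX file before you share it, so you know what you are about to publish. It reads the vulnerabilities[].ratings[].severity values defined by CycloneDX 1.4 and later; the function names, the sample document and its CVE-0000-* ids are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the post or from trivy: before sharing an SBOM that
# carries vulnerability findings (as the trivy --scanners vuln output does),
# summarise what it contains so you know what you are about to publish at a
# URL. It reads the vulnerabilities[].ratings[].severity values that
# CycloneDX 1.4+ defines, using only grep/wc so it runs anywhere; a real
# pipeline would use jq or a CycloneDX library. The sample document and its
# CVE-0000-* ids are constructed placeholders.

# Number of ratings with the given severity (critical, high, medium, low,
# info, none, unknown). A finding with two ratings of the same severity is
# counted twice, which is acceptable for a pre-share overview.
count_severity() {
  file="$1"; sev="$2"
  grep -o "\"severity\"[[:space:]]*:[[:space:]]*\"$sev\"" "$file" | wc -l | tr -d ' '
}

# One line per severity, highest first.
summarize_vulns() {
  file="$1"
  for sev in critical high medium low; do
    printf '%-9s %s\n' "$sev" "$(count_severity "$file" "$sev")"
  done
}

# Return 0 when at least one critical or high rating is present; use it to
# make the upload step ask for confirmation, or to route the file to a
# private channel instead of a public URL.
has_high_or_critical() {
  file="$1"
  n=$(( $(count_severity "$file" critical) + $(count_severity "$file" high) ))
  [ "$n" -gt 0 ]
}

# Constructed sample shaped like trivy's CycloneDX output (pretty-printed,
# lowercase severities, placeholder ids).
SAMPLE_VULN_SBOM=$(mktemp)
cat > "$SAMPLE_VULN_SBOM" <<'EOF'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": [
    { "id": "CVE-0000-0001", "ratings": [ { "severity": "high" } ] },
    { "id": "CVE-0000-0002", "ratings": [ { "severity": "medium" }, { "severity": "high" } ] },
    { "id": "CVE-0000-0003", "ratings": [ { "severity": "low" } ] }
  ]
}
EOF

summarize_vulns "$SAMPLE_VULN_SBOM"
if has_high_or_critical "$SAMPLE_VULN_SBOM"; then
  echo "contains high/critical findings: review before sharing" >&2
fi
```

Run it against node14-vuln.json in place of the sample; if has_high_or_critical returns 0, decide deliberately whether the file belongs on a public URL or should stay with the team until the findings are fixed.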

Conclusion

Enhance your software development workflow by embracing the simplicity and security offered by SBOM.sh. Simplify SBOM sharing, optimize transparency, and ensure security - all with a single free service. Try SBOM.sh today!