In our continuous effort to enhance the quality of Software Bill of Materials (SBOM) content, we are excited to present our monthly SBOM quality report. This report aims to provide insights into the performance of various SBOM tools, shedding light on their capabilities, strengths, and weaknesses. For this edition, we have conducted extensive testing using a diverse set of tools to analyze the SBOM quality, license detection, vulnerability scanning, and pipeline support.
Tools
In this report, we delve into the world of SBOM generation tools, evaluating their performance in generating accurate and reliable SBOMs. This initiative is part of our ongoing commitment to promoting transparency, security, and the adoption of best practices in software development.
The primary objective of this SBOM quality report is to create a baseline and gain a comprehensive understanding of how various SBOM tools function. Additionally, we aim to assess the accuracy and comparability of their results. For this purpose, we have chosen a popular Maven Java Open Source application, Apache Pulsar, to test the SBOM tools against. Our evaluation goes beyond SBOM generation to include advanced functionality such as license information, vulnerability scanning, and pipeline support.
Findings:
dependency:tree, which may be acceptable in certain cases.
For our evaluation, we selected the Apache Pulsar project, available at https://github.com/apache/pulsar. We aimed to establish a baseline using the Maven dependency tree, covering both the dependencies that are actually used and those that are present but unused.
The command used to obtain the baseline:
mvn dependency:tree | grep -Eo '[^ ]+:[^ ]+:[^:]+:[^:]+:[^:]+$' | sort | uniq | wc -l
Result: 2585
We assessed SBOM quality using the SBOM Quality Score. Important: the quality score measures the overall structure of the SBOM file, not its completeness.
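Because the quality score says nothing about completeness, the check we actually care about is whether an SBOM lists the same components as the Maven baseline. The following is an added example (not part of the report or of any tool it covers): it parses the `mvn dependency:tree` coordinates that the baseline command counts, extracts Maven components from a CycloneDX JSON SBOM by purl or by group/name/version, and reports what is missing or extra. The dependency-tree text and the SBOM document are constructed samples; against a real run you would read the files the tool commands produce.

```python
import json
import re

# Constructed sample of `mvn dependency:tree` output (not taken from the report).
DEP_TREE = """\
[INFO] org.apache.pulsar:pulsar-broker:jar:3.0.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- io.netty:netty-common:jar:4.1.94.Final:compile
[INFO] |  \\- io.netty:netty-buffer:jar:4.1.94.Final:compile
[INFO] \\- org.lz4:lz4-java:jar:1.8.0:test
"""

# Constructed CycloneDX JSON document (not any tool's real output).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar"},
  {"type": "library", "group": "io.netty", "name": "netty-common", "version": "4.1.94.Final",
   "components": [{"type": "library", "purl": "pkg:maven/io.netty/netty-buffer@4.1.94.Final"}]},
  {"type": "library", "purl": "pkg:maven/com.google.guava/guava@32.0.1-jre"}]}"""

TREE_PREFIX = re.compile(r"^\[INFO\]\s*[|+\\\- ]*")  # strips the "[INFO] +- " / "|  \- " drawing
MAVEN_PURL = re.compile(r"pkg:maven/([^/@]+)/([^/@]+)@([^?#]+)")

def baseline_from_dependency_tree(text):
    """(group, artifact, version) per dependency line, which reads
    group:artifact:packaging[:classifier]:version:scope; the root line (no scope) is skipped."""
    coords = set()
    for line in text.splitlines():
        parts = TREE_PREFIX.sub("", line).strip().split(":")
        if len(parts) in (5, 6):
            coords.add((parts[0], parts[1], parts[-2]))
    return coords

def components_from_cyclonedx(node):
    """(group, name, version) for every Maven component, preferring the purl."""
    found = set()
    for comp in node.get("components", []):
        m = MAVEN_PURL.match(comp.get("purl", ""))
        if m:
            found.add(m.groups())
        elif all(comp.get(k) for k in ("group", "name", "version")):
            found.add((comp["group"], comp["name"], comp["version"]))
        found |= components_from_cyclonedx(comp)  # CycloneDX allows nested components
    return found

def completeness_report(tree_text, sbom_text):
    """Sorted set differences between the Maven baseline and what the SBOM lists."""
    baseline = baseline_from_dependency_tree(tree_text)
    listed = components_from_cyclonedx(json.loads(sbom_text))
    return {"baseline": len(baseline), "listed": len(listed),
            "missing": sorted(baseline - listed), "extra": sorted(listed - baseline)}
```

A non-empty "missing" list is the signal the quality score cannot give you: a well-formed SBOM that silently omits a dependency.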
We evaluated the following SBOM generation tools:
Trivy
Integration: wget and dpkg.
Command (run inside the application directory):
trivy fs . --timeout 5m -f cyclonedx --scanners vuln --output sboms/trivy-sbom.json
Result:
cyclonedx-core-java
Integration: add the dependency to pom.xml:
<dependency>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-core-java</artifactId>
    <version>7.3.2</version>
</dependency>
Command (run inside the application):
mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom
Result:
cyclonedx-maven-plugin
Integration: add the plugin to pom.xml:
<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <configuration>
            <!-- Configuration options -->
        </configuration>
    </plugin>
</plugins>
Command (run inside the application):
mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom
Result:
Syft
Integration: wget and dpkg.
Command (run inside the application directory):
syft . -o cyclonedx-json > sboms/syft-sbom.json
Result:
Grype
Integration: wget and dpkg.
Command (run inside the application directory):
syft . -o cyclonedx-json > sboms/syft-sbom.json
Result:
Note: Grype and Syft work best in combination, and the Grype result was used.
vcn
Integration:
Command (run inside the application directory):
vcn bom . --experimental --vuln-scan --bom-cdx-json vcnbom.json
Result:
cdxgen
Integration:
Command (run inside the application directory):
docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /app/sboms/cdxgen-bom.json
Result:
This monthly SBOM quality report has provided valuable insights into the performance of various SBOM generation tools. It is essential to choose the right tool based on your specific requirements, as each tool comes with its own strengths and limitations. That is where Trustcenter comes in: it can consume the output of every tool we looked at for this report.
We encourage organizations to prioritize SBOM generation and leverage these reports to make informed decisions about tool selection and integration into their software development pipelines.