Codenotary

SBOM.sh Latest Release: Updates and New Features

The latest release of SBOM.sh is live, which includes several updates to open-source components and introduces a brand-new analytics page. These updates aim to enhance the platform's performance, security scanning capabilities, and user experience. Below is a summary of the major changes in this release.

The versions of the open-source scanners currently in use, and a link to the analytics page, can be found in the footer.

Updated Open-Source Components

In this release, we've updated all major open-source components that power SBOM.sh, ensuring better performance, more comprehensive vulnerability scanning, and improved support for Software Bill of Materials (SBOM) generation. Here’s a quick overview of the updated components:

  • OWASP dep-scan
    A robust vulnerability scanning tool that now supports CycloneDX 1.6, providing enhanced detection capabilities for open-source vulnerabilities.
    Version: 5.4.1

  • Trivy
    Trivy continues to be one of the most versatile tools in SBOM.sh for both SBOM generation and vulnerability scanning. The latest version ensures faster scans and more accurate results.
    Version: 0.55.0

  • Grype
    Another critical component in our vulnerability detection toolkit, Grype supports both SBOM generation and scanning. This update enhances its scanning algorithms for better performance and accuracy.
    Version: 0.79.6

  • sbomqs
    This tool provides a quality score for SBOMs, helping users understand the completeness and usefulness of their generated SBOMs. The latest version comes with additional metrics for better score accuracy.
    Version: 0.1.8

These updates improve the overall security scanning process on SBOM.sh and ensure the platform stays current with the latest vulnerabilities and SBOM standards.

New Analytics Page

A notable addition in this release is our all-new analytics page, designed to offer deeper insights into the most common vulnerabilities and components detected on SBOM.sh across all CycloneDX projects (SPDX will follow). The page highlights the Top 15 Vulnerabilities and their associated components, providing descriptions and links to more detailed information on mitre.org.

This new feature aims to make it easier for users to track vulnerability trends. Of course, the more SBOMs are analyzed, the more precise the analytics become. Each vulnerability listed on the analytics page includes a detailed description and a direct link to the MITRE database for further exploration, helping security teams and developers make informed decisions.

Clicking Read more opens the full description, which also includes the link to the MITRE CVE website.
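To show what a Top-N list like the one on the analytics page amounts to in data terms, here is an added example (not SBOM.sh's own code) that aggregates the `vulnerabilities` array of several CycloneDX JSON documents, resolves each `affects[].ref` to a component via its `bom-ref`, and builds the MITRE CVE link. It assumes one occurrence is counted per SBOM in which the vulnerability appears, skips non-CycloneDX input, and uses constructed placeholder IDs.

```python
import json
from collections import Counter, defaultdict

# Constructed sample input: two minimal CycloneDX 1.6 documents plus one
# SPDX document that must be skipped. CVE IDs are placeholders, not real CVEs.
SAMPLE_BOMS = [
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6",
        "components": [
            {"bom-ref": "pkg:npm/libfoo@1.0.0", "name": "libfoo", "version": "1.0.0"},
            {"bom-ref": "pkg:npm/bar@2.0.0", "name": "bar", "version": "2.0.0"}],
        "vulnerabilities": [
            {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:npm/libfoo@1.0.0"}]},
            {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:npm/bar@2.0.0"}]}]}),
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6",
        "components": [
            {"bom-ref": "pkg:npm/libfoo@1.2.0", "name": "libfoo", "version": "1.2.0"}],
        "vulnerabilities": [
            {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:npm/libfoo@1.2.0"}]}]}),
    json.dumps({"spdxVersion": "SPDX-2.3", "packages": []}),  # not CycloneDX: ignored
]


def top_vulnerabilities(bom_texts, n=15):
    """Return [(vuln_id, sbom_count, sorted affected 'name@version' list)]
    for the n most frequent vulnerability IDs across all CycloneDX inputs."""
    counts = Counter()                 # vuln id -> number of SBOMs it appears in
    components = defaultdict(set)      # vuln id -> affected component labels
    for text in bom_texts:
        bom = json.loads(text)
        if bom.get("bomFormat") != "CycloneDX":
            continue                   # SPDX and unknown formats are skipped
        ref_to_label = {c["bom-ref"]: f"{c.get('name')}@{c.get('version', '')}"
                        for c in bom.get("components", []) if c.get("bom-ref")}
        for vuln in bom.get("vulnerabilities", []):
            vid = vuln.get("id")
            if not vid:
                continue
            counts[vid] += 1           # once per SBOM, however many components it hits
            for hit in vuln.get("affects", []):
                components[vid].add(ref_to_label.get(hit.get("ref"), hit.get("ref")))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return [(vid, cnt, sorted(components[vid])) for vid, cnt in ranked]


def mitre_link(vuln_id):
    """MITRE CVE record URL; only CVE-style IDs have one (GHSA etc. return None)."""
    if not vuln_id.startswith("CVE-"):
        return None
    return f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={vuln_id}"
```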

Next Steps: SBOM Dashboard Redesign

Looking ahead, we're excited to announce that the current SBOM dashboard will be receiving a full redesign. This update will include new panels similar to the Top 15 lists seen in the analytics page. The goal is to provide users with real-time, actionable insights directly within their dashboard, allowing for easier tracking of the most critical vulnerabilities and components in their projects. The redesigned dashboard will enhance the user experience by making it more intuitive and informative, helping you stay on top of security risks more effectively.

We hope these improvements will enhance your experience with SBOM.sh and provide the tools necessary to better manage and secure your software supply chain.

Be sure to check out the new analytics page and stay tuned for the upcoming dashboard redesign!