Creating an SBOM (Software Bill of Materials) is simple and can be done in several ways. There are both free open source tools and commercial alternatives. Many large companies already use the free tools, as they have become so good.
Start by choosing a tool that suits your needs. Here are some popular open source alternatives that can generate SBOMs from source code or containers:
- Observer
- Trivy
- Syft
- cdxgen
- osv-scanner
Most of these tools are run from the command line, so they are easy to run on your own machine or, preferably, as part of the development and build pipeline.
Free tools for analyzing an SBOM
Much of the discussion focuses on the first step, creating and distributing SBOMs, but reviewing and using the result, the created SBOMs, is equally important.
The tools used to create SBOMs can often also do a basic analysis of an SBOM's content, e.g. listing known vulnerabilities. In an organization, you will probably need a more systematic way to manage SBOMs and their content.
The web-based tool SBOM Analyzer can be used to get a quick overview of the content of an SBOM.
The information shown includes:
- Number of components
- Whether the SBOM meets the requirements for SBOM Minimum Elements
- Number of known vulnerabilities
- Number of licenses
The tool is completely free.
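The kind of overview described above (component count, a minimum-elements check, vulnerability count, license count) can be computed directly from a CycloneDX JSON SBOM. The script below is an added example written for this page, not code from SBOM Analyzer or any of the tools listed above. It operates on a small SBOM constructed inline; the component names, versions and the vulnerability identifier in it are sample data, and the minimum-elements check follows the NTIA list of fields (supplier, component name, version, unique identifier, dependency relationships, SBOM author, timestamp).

```python
import json
from collections import Counter

# Constructed sample CycloneDX 1.4 SBOM. The components and the vulnerability
# id "EXAMPLE-0001" are made-up sample data for this example only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2024-01-15T10:00:00Z",
        "authors": [{"name": "build-pipeline"}],
        "component": {"type": "application", "name": "example-app",
                      "version": "1.0.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "bom-ref": "pkg:npm/left-pad@1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "supplier": {"name": "npm"}, "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "bom-ref": "pkg:npm/lodash@4.17.21", "purl": "pkg:npm/lodash@4.17.21",
         "supplier": {"name": "npm"}, "licenses": [{"license": {"id": "MIT"}}]},
        # Deliberately incomplete entry: no supplier, empty version, no purl/cpe/swid.
        {"type": "library", "name": "mystery-lib", "version": "",
         "bom-ref": "mystery", "licenses": []},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/left-pad@1.3.0", "pkg:npm/lodash@4.17.21"]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:npm/lodash@4.17.21"}]},
    ],
})


def load_sbom(text):
    """Parse a CycloneDX JSON document."""
    return json.loads(text)


def count_components(sbom):
    return len(sbom.get("components", []))


def count_vulnerabilities(sbom):
    """CycloneDX SBOMs may embed a top-level 'vulnerabilities' array (VEX-style)."""
    return len(sbom.get("vulnerabilities", []))


def minimum_elements_report(sbom):
    """Check the NTIA minimum elements.

    Per component: supplier, name, version, unique identifier (purl, cpe or swid).
    Per document: author of the SBOM data, timestamp, dependency relationships.
    Returns a dict listing what is missing and an overall 'compliant' flag.
    """
    missing = {}
    for comp in sbom.get("components", []):
        problems = []
        if not (comp.get("supplier") or {}).get("name"):
            problems.append("supplier")
        if not comp.get("name"):
            problems.append("name")
        if not comp.get("version"):
            problems.append("version")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            problems.append("unique identifier")
        if problems:
            missing[comp.get("bom-ref") or comp.get("name")] = problems

    meta = sbom.get("metadata", {})
    doc_problems = []
    if not (meta.get("authors") or meta.get("tools")):
        doc_problems.append("author of SBOM data")
    if not meta.get("timestamp"):
        doc_problems.append("timestamp")
    if not sbom.get("dependencies"):
        doc_problems.append("dependency relationships")

    return {"components": missing, "document": doc_problems,
            "compliant": not missing and not doc_problems}


def license_summary(sbom):
    """Count licenses per component; components without license data count as '(unknown)'."""
    counts = Counter()
    for comp in sbom.get("components", []):
        entries = comp.get("licenses") or []
        if not entries:
            counts["(unknown)"] += 1
            continue
        for entry in entries:
            lic = entry.get("license")
            if lic:
                counts[lic.get("id") or lic.get("name") or "(unknown)"] += 1
            else:
                counts[entry.get("expression") or "(unknown)"] += 1
    return counts


def summarize(sbom):
    """Produce the overview figures an SBOM analyzer would show."""
    report = minimum_elements_report(sbom)
    licenses = license_summary(sbom)
    return {
        "components": count_components(sbom),
        "minimum_elements_ok": report["compliant"],
        "vulnerabilities": count_vulnerabilities(sbom),
        "licenses": len(licenses),
        "licenses_detail": dict(licenses),
        "minimum_elements_detail": report,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(load_sbom(SAMPLE_SBOM)), indent=2))
```

To run it against a real SBOM, replace `SAMPLE_SBOM` with the contents of a file produced by one of the generators above in CycloneDX JSON format (for example, Syft can write that format with `syft <dir> -o cyclonedx-json`). The `minimum_elements_detail` entry is the part worth looking at first: a component that lacks a supplier or a unique identifier cannot be reliably matched against vulnerability databases, so the vulnerability count for such an SBOM is a lower bound, not a result.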