diff --git a/SBOM-Catalog/contribute.md b/SBOM-Catalog/contribute.md index 9e6457c..0d6a7bd 100644 --- a/SBOM-Catalog/contribute.md +++ b/SBOM-Catalog/contribute.md @@ -2,6 +2,20 @@ If you are interested in adding entries to the catalog, or modifying functionality of the catalog, please review this guide. +## How to request changes + +If you notice any issues with the catalog or have suggestions for improvements, there are two ways to contribute: + +1. **Open an Issue**: If you find a bug, have a feature request, or want to suggest improvements, please open an issue on GitHub. This helps us track and discuss potential changes before implementation. + +2. **Submit a Pull Request**: If you'd like to contribute code changes directly: + - Fork the repository + - Create a new branch for your changes + - Make your changes following the guidelines above + - Submit a pull request with a clear description of the changes + +For both issues and pull requests, please provide as much context as possible to help us understand your request. + ## How to run the tool locally Run the comamnds diff --git a/SBOM-Catalog/package-lock.json b/SBOM-Catalog/package-lock.json index 3bf1f4e..240cc57 100644 --- a/SBOM-Catalog/package-lock.json +++ b/SBOM-Catalog/package-lock.json @@ -14,6 +14,7 @@ "js-yaml": "^4.1.0", "marked": "^12.0.1", "marked-highlight": "^2.1.1", + "pinia": "^3.0.1", "primeflex": "^3.3.1", "primeicons": "^6.0.1", "primevue": "^3.50.0", 
@@ -38,30 +39,30 @@ } }, "node_modules/@babel/helper-string-parser": { - "version": "7.24.8", - "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.24.8.tgz", - "integrity": "sha512-pO9KhhRcuUyGnJWwyEgnRJTSIZHiT+vMD0kPeD+so0l7mxkMT19g3pjY9GTnHySck/hDzq+dtW/4VgnMkippsQ==", + "version": "7.25.9", + "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.25.9.tgz", + "integrity": "sha512-4A/SCr/2KLd5jrtOMFzaKjVtAei3+2r/NChoBNoZ3EyP/+GlhoaEGoWOZUmFmoITP7zOJyHIMm+DYRd8o3PvHA==", "license": "MIT", "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-validator-identifier": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.24.7.tgz", - "integrity": "sha512-rR+PBcQ1SMQDDyF6X0wxtG8QyLCgUB0eRAGguqRLfkCA87l7yAP7ehq8SNj96OOGTO8OBV70KhuFYcIkHXOg0w==", + "version": "7.25.9", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.25.9.tgz", + "integrity": "sha512-Ed61U6XJc3CVRfkERJWDz4dJwKe7iLmmJsbOGu9wSloNSFttHV0I8g6UAgb7qnK5ly5bGLPd4oXZlxCdANBOWQ==", "license": "MIT", "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/parser": { - "version": "7.25.3", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.25.3.tgz", - "integrity": "sha512-iLTJKDbJ4hMvFPgQwwsVoxtHyWpKKPBrxkANrSYewDPaPpT5py5yeVkgPIJ7XYXhndxJpaA3PyALSXQ7u8e/Dw==", + "version": "7.26.9", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.26.9.tgz", + "integrity": "sha512-81NWa1njQblgZbQHxWHpxxCzNsa3ZwvFqpUg7P+NNUU6f3UU2jBEg4OlF/J6rl8+PQGh1q6/zWScd001YwcA5A==", "license": "MIT", "dependencies": { - "@babel/types": "^7.25.2" + "@babel/types": "^7.26.9" }, "bin": { "parser": "bin/babel-parser.js" 
@@ -71,14 +72,13 @@ } }, "node_modules/@babel/types": { - "version": "7.25.2", - "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.25.2.tgz", - "integrity": "sha512-YTnYtra7W9e6/oAZEHj0bJehPRUlLH9/fbpT5LfB0NhQXyALCRkRs3zH9v07IYhkgpqX6Z78FnuccZr/l4Fs4Q==", + "version": "7.26.9", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.26.9.tgz", + "integrity": "sha512-Y3IR1cRnOxOCDvMmNiym7XpXQ93iGDDPHx+Zj+NM+rg0fBaShfQLkg+hKPaZCEvg5N/LeCo4+Rj/i3FuJsIQaw==", "license": "MIT", "dependencies": { - "@babel/helper-string-parser": "^7.24.8", - "@babel/helper-validator-identifier": "^7.24.7", - "to-fast-properties": "^2.0.0" + "@babel/helper-string-parser": "^7.25.9", + "@babel/helper-validator-identifier": "^7.25.9" }, "engines": { "node": ">=6.9.0" 
@@ -1151,53 +1151,53 @@ } }, "node_modules/@vue/compiler-core": { - "version": "3.4.37", - "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.4.37.tgz", - "integrity": "sha512-ZDDT/KiLKuCRXyzWecNzC5vTcubGz4LECAtfGPENpo0nrmqJHwuWtRLxk/Sb9RAKtR9iFflFycbkjkY+W/PZUQ==", + "version": "3.5.13", + "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.13.tgz", + "integrity": "sha512-oOdAkwqUfW1WqpwSYJce06wvt6HljgY3fGeM9NcVA1HaYOij3mZG9Rkysn0OHuyUAGMbEbARIpsG+LPVlBJ5/Q==", "license": "MIT", "dependencies": { - "@babel/parser": "^7.24.7", - "@vue/shared": "3.4.37", - "entities": "^5.0.0", + "@babel/parser": "^7.25.3", + "@vue/shared": "3.5.13", + "entities": "^4.5.0", "estree-walker": "^2.0.2", "source-map-js": "^1.2.0" } }, "node_modules/@vue/compiler-dom": { - "version": "3.4.37", - "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.4.37.tgz", - "integrity": "sha512-rIiSmL3YrntvgYV84rekAtU/xfogMUJIclUMeIKEtVBFngOL3IeZHhsH3UaFEgB5iFGpj6IW+8YuM/2Up+vVag==", + "version": "3.5.13", + "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.13.tgz", + "integrity": "sha512-ZOJ46sMOKUjO3e94wPdCzQ6P1Lx/vhp2RSvfaab88Ajexs0AHeV0uasYhi99WPaogmBlRHNRuly8xV75cNTMDA==", "license": "MIT", "dependencies": { - "@vue/compiler-core": "3.4.37", - "@vue/shared": "3.4.37" + "@vue/compiler-core": "3.5.13", + "@vue/shared": "3.5.13" } }, "node_modules/@vue/compiler-sfc": { - "version": "3.4.37", - "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.4.37.tgz", - "integrity": "sha512-vCfetdas40Wk9aK/WWf8XcVESffsbNkBQwS5t13Y/PcfqKfIwJX2gF+82th6dOpnpbptNMlMjAny80li7TaCIg==", + "version": "3.5.13", + "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.13.tgz", + "integrity": "sha512-6VdaljMpD82w6c2749Zhf5T9u5uLBWKnVue6XWxprDobftnletJ8+oel7sexFfM3qIxNmVE7LSFGTpv6obNyaQ==", "license": "MIT", "dependencies": { - "@babel/parser": "^7.24.7", - "@vue/compiler-core": 
"3.4.37", - "@vue/compiler-dom": "3.4.37", - "@vue/compiler-ssr": "3.4.37", - "@vue/shared": "3.4.37", + "@babel/parser": "^7.25.3", + "@vue/compiler-core": "3.5.13", + "@vue/compiler-dom": "3.5.13", + "@vue/compiler-ssr": "3.5.13", + "@vue/shared": "3.5.13", "estree-walker": "^2.0.2", - "magic-string": "^0.30.10", - "postcss": "^8.4.40", + "magic-string": "^0.30.11", + "postcss": "^8.4.48", "source-map-js": "^1.2.0" } }, "node_modules/@vue/compiler-ssr": { - "version": "3.4.37", - "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.4.37.tgz", - "integrity": "sha512-TyAgYBWrHlFrt4qpdACh8e9Ms6C/AZQ6A6xLJaWrCL8GCX5DxMzxyeFAEMfU/VFr4tylHm+a2NpfJpcd7+20XA==", + "version": "3.5.13", + "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.13.tgz", + "integrity": "sha512-wMH6vrYHxQl/IybKJagqbquvxpWCuVYpoUJfCqFZwa/JY1GdATAQ+TgVtgrwwMZ0D07QhA99rs/EAAWfvG6KpA==", "license": "MIT", "dependencies": { - "@vue/compiler-dom": "3.4.37", - "@vue/shared": "3.4.37" + "@vue/compiler-dom": "3.5.13", + "@vue/shared": "3.5.13" } }, "node_modules/@vue/compiler-vue2": { 
@@ -1217,6 +1217,30 @@ "integrity": "sha512-0MiMsFma/HqA6g3KLKn+AGpL1kgKhFWszC9U29NfpWK5LE7bjeXxySWJrOJ77hBz+TBrBQ7o4QJqbPbqbs8rJw==", "license": "MIT" }, + "node_modules/@vue/devtools-kit": { + "version": "7.7.2", + "resolved": "https://registry.npmjs.org/@vue/devtools-kit/-/devtools-kit-7.7.2.tgz", + "integrity": "sha512-CY0I1JH3Z8PECbn6k3TqM1Bk9ASWxeMtTCvZr7vb+CHi+X/QwQm5F1/fPagraamKMAHVfuuCbdcnNg1A4CYVWQ==", + "license": "MIT", + "dependencies": { + "@vue/devtools-shared": "^7.7.2", + "birpc": "^0.2.19", + "hookable": "^5.5.3", + "mitt": "^3.0.1", + "perfect-debounce": "^1.0.0", + "speakingurl": "^14.0.1", + "superjson": "^2.2.1" + } + }, + "node_modules/@vue/devtools-shared": { + "version": "7.7.2", + "resolved": "https://registry.npmjs.org/@vue/devtools-shared/-/devtools-shared-7.7.2.tgz", + "integrity": "sha512-uBFxnp8gwW2vD6FrJB8JZLUzVb6PNRG0B0jBnHsOH8uKyva2qINY8PTF5Te4QlTbMDqU5K6qtJDr6cNsKWhbOA==", + "license": "MIT", + "dependencies": { + "rfdc": "^1.4.1" + } + }, "node_modules/@vue/eslint-config-prettier": { "version": "9.0.0", "resolved": "https://registry.npmjs.org/@vue/eslint-config-prettier/-/eslint-config-prettier-9.0.0.tgz", 
@@ -1283,53 +1307,53 @@ } }, "node_modules/@vue/reactivity": { - "version": "3.4.37", - "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.4.37.tgz", - "integrity": "sha512-UmdKXGx0BZ5kkxPqQr3PK3tElz6adTey4307NzZ3whZu19i5VavYal7u2FfOmAzlcDVgE8+X0HZ2LxLb/jgbYw==", + "version": "3.5.13", + "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.13.tgz", + "integrity": "sha512-NaCwtw8o48B9I6L1zl2p41OHo/2Z4wqYGGIK1Khu5T7yxrn+ATOixn/Udn2m+6kZKB/J7cuT9DbWWhRxqixACg==", "license": "MIT", "dependencies": { - "@vue/shared": "3.4.37" + "@vue/shared": "3.5.13" } }, "node_modules/@vue/runtime-core": { - "version": "3.4.37", - "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.4.37.tgz", - "integrity": "sha512-MNjrVoLV/sirHZoD7QAilU1Ifs7m/KJv4/84QVbE6nyAZGQNVOa1HGxaOzp9YqCG+GpLt1hNDC4RbH+KtanV7w==", + "version": "3.5.13", + "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.13.tgz", + "integrity": "sha512-Fj4YRQ3Az0WTZw1sFe+QDb0aXCerigEpw418pw1HBUKFtnQHWzwojaukAs2X/c9DQz4MQ4bsXTGlcpGxU/RCIw==", "license": "MIT", "dependencies": { - "@vue/reactivity": "3.4.37", - "@vue/shared": "3.4.37" + "@vue/reactivity": "3.5.13", + "@vue/shared": "3.5.13" } }, "node_modules/@vue/runtime-dom": { - "version": "3.4.37", - "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.4.37.tgz", - "integrity": "sha512-Mg2EwgGZqtwKrqdL/FKMF2NEaOHuH+Ks9TQn3DHKyX//hQTYOun+7Tqp1eo0P4Ds+SjltZshOSRq6VsU0baaNg==", + "version": "3.5.13", + "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.13.tgz", + "integrity": "sha512-dLaj94s93NYLqjLiyFzVs9X6dWhTdAlEAciC3Moq7gzAc13VJUdCnjjRurNM6uTLFATRHexHCTu/Xp3eW6yoog==", "license": "MIT", "dependencies": { - "@vue/reactivity": "3.4.37", - "@vue/runtime-core": "3.4.37", - "@vue/shared": "3.4.37", + "@vue/reactivity": "3.5.13", + "@vue/runtime-core": "3.5.13", + "@vue/shared": "3.5.13", "csstype": "^3.1.3" } }, "node_modules/@vue/server-renderer": 
{ - "version": "3.4.37", - "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.4.37.tgz", - "integrity": "sha512-jZ5FAHDR2KBq2FsRUJW6GKDOAG9lUTX8aBEGq4Vf6B/35I9fPce66BornuwmqmKgfiSlecwuOb6oeoamYMohkg==", + "version": "3.5.13", + "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.13.tgz", + "integrity": "sha512-wAi4IRJV/2SAW3htkTlB+dHeRmpTiVIK1OGLWV1yeStVSebSQQOwGwIq0D3ZIoBj2C2qpgz5+vX9iEBkTdk5YA==", "license": "MIT", "dependencies": { - "@vue/compiler-ssr": "3.4.37", - "@vue/shared": "3.4.37" + "@vue/compiler-ssr": "3.5.13", + "@vue/shared": "3.5.13" }, "peerDependencies": { - "vue": "3.4.37" + "vue": "3.5.13" } }, "node_modules/@vue/shared": { - "version": "3.4.37", - "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.4.37.tgz", - "integrity": "sha512-nIh8P2fc3DflG8+5Uw8PT/1i17ccFn0xxN/5oE9RfV5SVnd7G0XEFRwakrnNFE/jlS95fpGXDVG5zDETS26nmg==", + "version": "3.5.13", + "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.13.tgz", + "integrity": "sha512-/hnE/qP5ZoGpol0a5mDi45bOd7t3tjYJBjsgCsivow7D48cJeV5l05RD82lPqi7gRiphZM37rnhW1l6ZoCNNnQ==", "license": "MIT" }, "node_modules/acorn": { @@ -1455,6 +1479,15 @@ "dev": true, "license": "MIT" }, + "node_modules/birpc": { + "version": "0.2.19", + "resolved": "https://registry.npmjs.org/birpc/-/birpc-0.2.19.tgz", + "integrity": "sha512-5WeXXAvTmitV1RqJFppT5QtUiz2p1mRSYU000Jkft5ZUCLJIk4uQriYNO50HknxKwM6jd8utNc66K1qGIwwWBQ==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/antfu" + } + }, "node_modules/boolbase": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/boolbase/-/boolbase-1.0.0.tgz", 
@@ -1574,10 +1607,25 @@ "dev": true, "license": "MIT" }, + "node_modules/copy-anything": { + "version": "3.0.5", + "resolved": "https://registry.npmjs.org/copy-anything/-/copy-anything-3.0.5.tgz", + "integrity": "sha512-yCEafptTtb4bk7GLEQoM8KVJpxAfdBJYaXyzQEgQQQgYrZiDp8SJmGKlYza6CYjEDNstAdNdKA3UuoULlEbS6w==", + "license": "MIT", + "dependencies": { + "is-what": "^4.1.8" + }, + "engines": { + "node": ">=12.13" + }, + "funding": { + "url": "https://github.com/sponsors/mesqueeb" + } + }, "node_modules/cross-spawn": { - "version": "7.0.3", - "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", - "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==", + "version": "7.0.6", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", + "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==", "dev": true, "license": "MIT", "dependencies": { @@ -2093,9 +2141,9 @@ "license": "MIT" }, "node_modules/entities": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/entities/-/entities-5.0.0.tgz", - "integrity": "sha512-BeJFvFRJddxobhvEdm5GqHzRV/X+ACeuw0/BuuxsCh1EUZcAIz8+kYmBp/LrQuloy6K1f3a0M7+IhmZ7QnkISA==", + "version": "4.5.0", + "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz", + "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==", "license": "BSD-2-Clause", "engines": { "node": ">=0.12" @@ -2885,6 +2933,12 @@ "node": ">=12.0.0" } }, + "node_modules/hookable": { + "version": "5.5.3", + "resolved": "https://registry.npmjs.org/hookable/-/hookable-5.5.3.tgz", + "integrity": "sha512-Yc+BQe8SvoXH1643Qez1zqLRmbA5rCL+sSmk6TVos0LWVfNIB7PGncdlId77WzLGSIB5KaWgTaNTs2lNVEI6VQ==", + "license": "MIT" + }, "node_modules/iconv-lite": { "version": "0.6.3", "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz", 
@@ -3005,6 +3059,18 @@ "node": ">=8" } }, + "node_modules/is-what": { + "version": "4.1.16", + "resolved": "https://registry.npmjs.org/is-what/-/is-what-4.1.16.tgz", + "integrity": "sha512-ZhMwEosbFJkA0YhFnNDgTM4ZxDRsS6HqTo7qsZM08fehyRYIYa0yHu5R6mgo1n/8MgaPBXiPimPD77baVFYg+A==", + "license": "MIT", + "engines": { + "node": ">=12.13" + }, + "funding": { + "url": "https://github.com/sponsors/mesqueeb" + } + }, "node_modules/isexe": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", @@ -3113,9 +3179,9 @@ "license": "MIT" }, "node_modules/magic-string": { - "version": "0.30.11", - "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.11.tgz", - "integrity": "sha512-+Wri9p0QHMy+545hKww7YAu5NyzF8iomPL/RQazugQ9+Ez4Ic3mERMd8ZTX5rfK944j+560ZJi8iAwgak1Ac7A==", + "version": "0.30.17", + "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.17.tgz", + "integrity": "sha512-sNPKHvyjVf7gyjwS4xGTaW/mCnF8wnjtifKBEhxfZ7E/S8tQ0rssrwGNn6q8JH/ohItJfSQp9mBtQYuTlH5QnA==", "license": "MIT", "dependencies": { "@jridgewell/sourcemap-codec": "^1.5.0" @@ -3229,6 +3295,12 @@ "url": "https://github.com/sponsors/isaacs" } }, + "node_modules/mitt": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/mitt/-/mitt-3.0.1.tgz", + "integrity": "sha512-vKivATfr97l2/QBCYAkXYDbrIWPM2IIKEl7YPhjCvKlG3kE2gm+uBo6nEXK3M5/Ffh/FLpKExzOQ3JJoJGFKBw==", + "license": "MIT" + }, "node_modules/ms": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", 
@@ -3244,9 +3316,9 @@ "license": "MIT" }, "node_modules/nanoid": { - "version": "3.3.7", - "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz", - "integrity": "sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==", + "version": "3.3.8", + "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.8.tgz", + "integrity": "sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==", "funding": [ { "type": "github", @@ -3421,10 +3493,17 @@ "node": ">=8" } }, + "node_modules/perfect-debounce": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/perfect-debounce/-/perfect-debounce-1.0.0.tgz", + "integrity": "sha512-xCy9V055GLEqoFaHoC1SoLIaLmWctgCUaBaWxDZ7/Zx4CTyX7cJQLJOok/orfjZAh9kEYpjJa4d0KcJmCbctZA==", + "license": "MIT" + }, "node_modules/picocolors": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.0.tgz", - "integrity": "sha512-TQ92mBOW0l3LeMeyLV6mzy/kWr8lkd/hp3mTg7wYK7zJhuBStmGMBG0BdeDZS/dZx1IukaX6Bk11zcln25o1Aw==" + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", + "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==", + "license": "ISC" }, "node_modules/picomatch": { "version": "2.3.1", 
@@ -3449,6 +3528,36 @@ "node": ">=0.10.0" } }, + "node_modules/pinia": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/pinia/-/pinia-3.0.1.tgz", + "integrity": "sha512-WXglsDzztOTH6IfcJ99ltYZin2mY8XZCXujkYWVIJlBjqsP6ST7zw+Aarh63E1cDVYeyUcPCxPHzJpEOmzB6Wg==", + "license": "MIT", + "dependencies": { + "@vue/devtools-api": "^7.7.2" + }, + "funding": { + "url": "https://github.com/sponsors/posva" + }, + "peerDependencies": { + "typescript": ">=4.4.4", + "vue": "^2.7.0 || ^3.5.11" + }, + "peerDependenciesMeta": { + "typescript": { + "optional": true + } + } + }, + "node_modules/pinia/node_modules/@vue/devtools-api": { + "version": "7.7.2", + "resolved": "https://registry.npmjs.org/@vue/devtools-api/-/devtools-api-7.7.2.tgz", + "integrity": "sha512-1syn558KhyN+chO5SjlZIwJ8bV/bQ1nOVTG66t2RbG66ZGekyiYNmRO7X9BJCXQqPsFHlnksqvPhce2qpzxFnA==", + "license": "MIT", + "dependencies": { + "@vue/devtools-kit": "^7.7.2" + } + }, "node_modules/pinkie": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/pinkie/-/pinkie-2.0.4.tgz", @@ -3542,9 +3651,9 @@ } }, "node_modules/postcss": { - "version": "8.4.47", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.47.tgz", - "integrity": "sha512-56rxCq7G/XfB4EkXq9Egn5GCqugWvDFjafDOThIdMBsI15iqPqR5r15TfSr1YPYeEI19YeaXMCbY6u88Y76GLQ==", + "version": "8.5.3", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.3.tgz", + "integrity": "sha512-dle9A3yYxlBSrt8Fu+IpjGT8SY8hN0mlaA6GY8t0P5PjIOZemULz/E2Bnm/2dcUOena75OTNkHI76uZBNUUq3A==", "funding": [ { "type": "opencollective", @@ -3559,9 +3668,10 @@ "url": "https://github.com/sponsors/ai" } ], + "license": "MIT", "dependencies": { - "nanoid": "^3.3.7", - "picocolors": "^1.1.0", + "nanoid": "^3.3.8", + "picocolors": "^1.1.1", "source-map-js": "^1.2.1" }, "engines": { 
@@ -3701,6 +3811,12 @@ "node": ">=0.10.0" } }, + "node_modules/rfdc": { + "version": "1.4.1", + "resolved": "https://registry.npmjs.org/rfdc/-/rfdc-1.4.1.tgz", + "integrity": "sha512-q1b3N5QkRUWUl7iyylaaj3kOpIT0N2i9MqIEQXP73GVsN9cw3fdx8X63cEmWhJGi2PPCF23Ijp7ktmd39rawIA==", + "license": "MIT" + }, "node_modules/rimraf": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz", @@ -3855,6 +3971,15 @@ "node": ">=0.10.0" } }, + "node_modules/speakingurl": { + "version": "14.0.1", + "resolved": "https://registry.npmjs.org/speakingurl/-/speakingurl-14.0.1.tgz", + "integrity": "sha512-1POYv7uv2gXoyGFpBCmpDVSNV74IfsWlDW216UPjbWufNf+bSU6GdbDsxdcxtfwb4xlI3yxzOTKClUosxARYrQ==", + "license": "BSD-3-Clause", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", @@ -3904,6 +4029,18 @@ "node": ">=0.8.0" } }, + "node_modules/superjson": { + "version": "2.2.2", + "resolved": "https://registry.npmjs.org/superjson/-/superjson-2.2.2.tgz", + "integrity": "sha512-5JRxVqC8I8NuOUjzBbvVJAKNM8qoVuH0O77h4WInc/qC2q5IreqKxYwgkga3PfA22OayK2ikceb/B26dztPl+Q==", + "license": "MIT", + "dependencies": { + "copy-anything": "^3.0.2" + }, + "engines": { + "node": ">=16" + } + }, "node_modules/supports-color": { "version": "7.2.0", "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz", @@ -3941,15 +4078,6 @@ "dev": true, "license": "MIT" }, - "node_modules/to-fast-properties": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/to-fast-properties/-/to-fast-properties-2.0.0.tgz", - "integrity": "sha512-/OaKK0xYrs3DmxRYqL/yDc+FxFUVYhDlXMhRmv3z915w2HF1tnN1omB354j8VUGO/hbRzyD6Y3sA7v7GS/ceog==", - "license": "MIT", - "engines": { - "node": ">=4" - } - }, "node_modules/to-regex-range": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", 
@@ -4074,10 +4202,11 @@ "license": "MIT" }, "node_modules/vite": { - "version": "5.4.6", - "resolved": "https://registry.npmjs.org/vite/-/vite-5.4.6.tgz", - "integrity": "sha512-IeL5f8OO5nylsgzd9tq4qD2QqI0k2CQLGrWD0rCN0EQJZpBK5vJAx0I+GDkMOXxQX/OfFHMuLIx6ddAxGX/k+Q==", + "version": "5.4.14", + "resolved": "https://registry.npmjs.org/vite/-/vite-5.4.14.tgz", + "integrity": "sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==", "dev": true, + "license": "MIT", "dependencies": { "esbuild": "^0.21.3", "postcss": "^8.4.43", @@ -4570,16 +4699,16 @@ "license": "MIT" }, "node_modules/vue": { - "version": "3.4.37", - "resolved": "https://registry.npmjs.org/vue/-/vue-3.4.37.tgz", - "integrity": "sha512-3vXvNfkKTBsSJ7JP+LyR7GBuwQuckbWvuwAid3xbqK9ppsKt/DUvfqgZ48fgOLEfpy1IacL5f8QhUVl77RaI7A==", + "version": "3.5.13", + "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.13.tgz", + "integrity": "sha512-wmeiSMxkZCSc+PM2w2VRsOYAZC8GdipNFRTsLSfodVqI9mbejKeXEGr8SckuLnrQPGe3oJN5c3K0vpoU9q/wCQ==", "license": "MIT", "dependencies": { - "@vue/compiler-dom": "3.4.37", - "@vue/compiler-sfc": "3.4.37", - "@vue/runtime-dom": "3.4.37", - "@vue/server-renderer": "3.4.37", - "@vue/shared": "3.4.37" + "@vue/compiler-dom": "3.5.13", + "@vue/compiler-sfc": "3.5.13", + "@vue/runtime-dom": "3.5.13", + "@vue/server-renderer": "3.5.13", + "@vue/shared": "3.5.13" }, "peerDependencies": { "typescript": "*" diff --git a/SBOM-Catalog/package.json b/SBOM-Catalog/package.json index a4a741a..438898c 100644 --- a/SBOM-Catalog/package.json +++ b/SBOM-Catalog/package.json @@ -19,6 +19,7 @@ "js-yaml": "^4.1.0", "marked": "^12.0.1", "marked-highlight": "^2.1.1", + "pinia": "^3.0.1", "primeflex": "^3.3.1", "primeicons": "^6.0.1", "primevue": "^3.50.0", @@ -41,4 +42,4 @@ "vite": "^5.4.6", "vue-tsc": "^2.0.7" } -} \ No newline at end of file +} diff --git a/SBOM-Catalog/public/data.yaml b/SBOM-Catalog/public/data.yaml index ea2ce04..2e77e5b 100644 
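Review bot: The `"pinia": "^3.0.1"` line added to package.json comes without a matching change to the `vue` range, which lies outside this hunk; the lockfile entry for pinia 3.0.1 declares the peer dependency `"vue": "^2.7.0 || ^3.5.11"` and the lock now resolves vue 3.5.13, so if the manifest still allows a vue below 3.5.11 the peer constraint is satisfied only by the lock, not by package.json itself. Raising the manifest floor to at least `"vue": "^3.5.11"` keeps an install from the manifest alone consistent with what the lock records. It is also worth stating in the description that this one dependency brings in the devtools chain seen in the lock hunks (`@vue/devtools-api`, `@vue/devtools-kit`, `birpc`, `hookable`, `mitt`, `perfect-debounce`, `speakingurl`, `superjson`, `copy-anything`, `is-what`, `rfdc`), since for a catalog about SBOMs that is the material part of the change to review.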
--- a/SBOM-Catalog/public/data.yaml +++ b/SBOM-Catalog/public/data.yaml 
@@ -1,751 +1,7107 @@ ---- -- Name: Syft - Link: https://github.com/anchore/syft - Publisher: Anchore - License: OpenSource - Standards: - - CycloneDX - - SPDX - Abilities: - - Generate +- Abilities: - Convert - Types: - - Source - - Container + - Generate Languages: - - Gem - - Pypi + - Apk + - Autotools + - C + - "C++" + - Cargo - Composer - - Golang - - Npm - - Maven - - Rpm + - Conan + - Dart - Deb - - Cran - - Alpm + - Dotnet + - Elixir + - Erlang + - Gem - Generic + - Go + - Haskell + - Haxe + - Java + - JavaSkript + - Nix + - Npm - Nuget - - Apk - - Hex - - Hackage - - Cargo - -- Name: Grype - Link: https://github.com/anchore/grype + - Objective_C + - Ppkg + - Pypi + - Rpm + - Swift + - Terraform + - Wordpress + License: Apache-2.0 + Link: https://github.com/anchore/syft + Name: Syft Publisher: Anchore - License: OpenSource + Source: AI & human reviewed Standards: - - CycloneDX - SPDX - Abilities: - - Consume + - CycloneDX + Summary: 'Syft is an open-source CLI tool and Go library for generating Software + Bill of Materials (SBOM) from container images and filesystems. The tool supports + multiple SBOM formats including CycloneDX, SPDX, and its native format. Syft can + analyze container images, filesystems, and archives to discover packages and dependencies + across numerous programming language ecosystems. + + + Key Features: + + - Generates SBOMs for OCI, Docker, and Singularity container images + + - Supports multiple output formats (CycloneDX, SPDX, GitHub dependency snapshots) + + - Linux distribution identification + + - Package detection for over 20 ecosystems including Java, Python, Go, and Node.js + + - Integration with Grype vulnerability scanner + + - SBOM attestation capabilities using in-toto specification + + - Format conversion between different SBOM standards + + + The tool provides comprehensive software composition analysis with support for + both system-level packages and programming language-specific dependencies. 
Syft + can analyze all image layers or focus on the final container image state, making + it suitable for various security and compliance use cases.' Types: - - Source + - Build - Container +- Abilities: + - Convert + - Validate Languages: - - Gem - - Pypi - - Composer - - Golang - - Npm + - Java - Maven - - Rpm - - Deb - - Cran - - Alpm - - Generic - - Nuget - - Apk - - Hex - - Hackage - - Cargo - -- Name: Trivy - Link: https://github.com/aquasecurity/trivy - Publisher: Aquasecurity - License: OpenSource + License: Apache-2.0 + Link: https://github.com/CycloneDX/cyclonedx-core-java + Name: CycloneDX-core-java + Publisher: CycloneDX + Source: AI & human reviewed Standards: - CycloneDX - - SPDX - Abilities: - - Generate + Summary: 'CycloneDX Core (Java) is a library providing essential functionality for + handling Software Bill of Materials (SBOM) in the CycloneDX format. The tool offers + model representation, creation, validation, and parsing capabilities for SBOMs. + It supports CycloneDX schema versions up to 1.6.1 with both XML and JSON output + formats. The core module is implemented in Java and is available through Maven + Central repository. The library serves as a fundamental component for implementing + CycloneDX SBOM functionality in Java-based applications and tools, supporting + OWASP''s full-stack BOM standard for supply chain risk management. 
+ + + Key Features: + + - SBOM model representation + + - Creation and parsing utilities + + - Schema validation + + - XML and JSON format support + + - Compatible with CycloneDX v1.0 through v1.6.1 + + - Maven integration' Types: - - Source - - Container + - Build +- Abilities: + - Generate Languages: - - Gem - - Pypi - - Composer - - Golang - - Npm - - Maven - - Rpm - - Deb + - Elixir - Nuget - - Hex - - Hackage - -- Name: Tern - Link: https://github.com/tern-tools/tern - Publisher: Tern - License: OpenSource + - Dotnet + License: Apache-2.0 + Link: https://github.com/CycloneDX/cyclonedx-dotnet + Name: CycloneDX-dotnet + Publisher: CycloneDX + Source: AI & human reviewed Standards: - CycloneDX - - SPDX - Abilities: - - Generate + Summary: 'CycloneDX .NET Module - SBOM Generation Tool + + + The CycloneDX module for .NET is a command-line tool that generates Software Bill + of Materials (SBOM) in CycloneDX format. The tool supports both XML and JSON output + formats compliant with the CycloneDX specification. It runs on .NET 8.0 and 9.0. + + + Key Features: + + - Analyzes .NET solution files (.sln), project files (.csproj, .fsproj, .vbproj, + .xsproj), and packages.config + + - Generates SBOMs including project dependencies and package references + + - Supports recursive project reference scanning + + - Provides GitHub license resolution capabilities + + - Enables customization of BOM metadata through templates + + - Allows exclusion of development and test dependencies + + - Supports custom NuGet repository configurations + + + The tool is available as a NuGet package and Docker container, offering flexibility + in deployment and integration into various development environments and CI/CD + pipelines. It generates lightweight, human-readable BOM documents that are easy + to parse and process.' 
Types: - - Container + - Source + - Build +- Abilities: + - Convert + - Consume Languages: - - Gem - - Pypi - - Npm - - Rpm - - Deb - - Alpm - - Apk - -- Name: Microsoft-SBOM-Tool - Link: https://github.com/microsoft/sbom-tool - Publisher: Microsoft - License: OpenSource + - Dotnet + - Elixir + License: Apache-2.0 + Link: https://github.com/CycloneDX/cyclonedx-dotnet-library + Name: CycloneDX-dotnet-library + Publisher: CycloneDX + Source: AI & human reviewed Standards: - SPDX - Abilities: - - Generate + - CycloneDX + Summary: 'CycloneDX .NET Library is a software component that enables programmatic + creation and consumption of CycloneDX Software Bill of Materials (SBOM). The library + is compatible with .NET Standard 2.0 and provides functionality for generating + and processing lightweight, human-readable BOMs. + + + Key Features: + + - SBOM generation and parsing in CycloneDX format + + - SPDX format interoperability (v2.2 JSON) + + - Support for component identification via CPE and Package URL + + - Hash algorithm support including SHA3 and BLAKE variants + + - Component type specification capabilities + + - Device and hardware component documentation + + + The library includes conversion capabilities between CycloneDX and SPDX formats, + though some features such as relationship information, snippet data, and non-SPDX + licenses have implementation limitations. The tool is maintained under Apache + 2.0 license and is actively developed with community contribution support.' 
Types: - Source - - Container + - Build +- Abilities: + - Convert + - Validate Languages: - - Rpm - - Swid - - Deb - - Gem - - Pypi - - Golang + - JavaScript - Npm - - Maven - - Nuget - - Cargo - -- Name: Github-Dependency-Graph - Link: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph - Publisher: Github - License: OpenSource + License: Apache-2.0 + Link: https://github.com/CycloneDX/cyclonedx-javascript-library + Name: CycloneDX-javascript-library + Publisher: CycloneDX + Source: AI & human reviewed Standards: - - SPDX - Abilities: - - Generate + - CycloneDX + Summary: 'CycloneDX JavaScript Library is a core implementation of CycloneDX for + JavaScript environments (Node.js and WebBrowsers), focused on SBOM generation + and manipulation. The library provides comprehensive data models and utilities + for creating, managing, and validating Software Bill of Materials (SBOM) in both + JSON and XML formats. + + + Key SBOM-related features: + + - Supports CycloneDX specifications versions 1.2 through 1.6 + + - Provides data models for components, metadata, licenses, and vulnerabilities + + - Implements JSON and XML serialization with configurable reproducible output + + - Includes formal validators for both JSON and XML formats + + - Offers builders and factories for creating SBOM components from package data + + - Supports component relationship tracking through BOM references + + - Enables vulnerability reporting and analysis through dedicated data models + + + The library is available via npm, with optional dependencies for XML serialization + and validation capabilities. It includes TypeScript definitions and comprehensive + API documentation.' 
Types: - Source +- Abilities: + - Generate Languages: - - Github - - Gem - - Pypi - - Composer - - Golang - Npm - - Maven - - Nuget - - Hex - - Pub - - Hackage - - Cargo - -- Name: Scancode - Link: https://github.com/nexB/scancode-toolkit - Publisher: NexB - License: OpenSource + - Yarn + License: Apache-2.0 + Link: https://github.com/CycloneDX/cyclonedx-node-module + Name: CycloneDX-node-module + Publisher: CycloneDX + Source: AI-Generated Standards: - CycloneDX - - SPDX - Abilities: - - Generate + Summary: 'CycloneDX BOM is a meta-package designed for generating Software Bill + of Materials (SBOM) in CycloneDX format for Node.js-based projects. The package + serves as a collection of ecosystem-specific tools supporting npm, pnpm, and yarn + package managers. Each tool is maintained as a separate package, allowing users + to select the appropriate implementation for their specific package management + system. + + + Key Features: + + - Supports multiple Node.js package management ecosystems + + - Generates CycloneDX-compliant SBOMs + + - Provides separate implementations for npm (@cyclonedx/cyclonedx-npm), pnpm (in + development), and yarn (@cyclonedx/yarn-plugin-cyclonedx) + + - Complements other CycloneDX tools for various build systems like webpack, Rollup, + and Vite + + - Integrates with the CycloneDX library (@cyclonedx/cyclonedx-library) for advanced + SBOM manipulation + + + The tool is maintained under the Apache 2.0 license by the OWASP Foundation and + is part of the broader CycloneDX specification ecosystem.' 
 Types:
 - Source
+- Abilities:
+ - Generate
+ - Validate
 Languages:
- - Gem
- - Pypi
- - Composer
- - Golang
 - Npm
- - Maven
- - Deb
- - Nuget
- - Cargo
- - Bazel
- - Haxe
- - Opam
- - Jar
- - Hale
- - Bower
- - Autotools
- - Dart
- - Osgi
- - Alpine
- - Conan
-
-- Name: CdxGen
- Link: https://github.com/CycloneDX/cdxgen
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-node-npm
+ Name: CycloneDX-node-npm
 Publisher: CycloneDX
- License: OpenSource
+ Source: AI-Generated
 Standards:
 - CycloneDX
- Abilities:
- - Generate
+ Summary: 'CycloneDX SBOM for npm is a command-line tool designed to generate Software
+ Bill of Materials (SBOM) for Node.js NPM projects. The tool produces SBOM documents
+ that comply with CycloneDX specifications and standards, achieving almost Level-2
+ compliance according to OWASP Software Component Verification Standard.
+
+
+ Key Features:
+
+ - Supports CycloneDX specification versions 1.2 through 1.6
+
+ - Outputs in JSON and XML formats
+
+ - Offers license text gathering capabilities
+
+ - Provides component flattening options
+
+ - Supports PackageURL (PURL) generation
+
+ - Includes validation functionality
+
+ - Compatible with npm versions 6-11 and Node.js version 14 or higher
+
+
+ The tool utilizes npm to collect package evidence and can be installed globally
+ or as a project dependency. It supports various configuration options for dependency
+ handling, including the ability to omit specific dependency types and process
+ package-lock files independently of node_modules.'
 Types:
 - Source
- - Container
+- Abilities:
+ - Generate
 Languages:
- - Clojars
- - Github
- - Gem
- - Pypi
- - Composer
- - Golang
- - Npm
- - Maven
- - Rpm
- - Nuget
+ - Yarn
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-node-yarn
+ Name: CycloneDX-node-yarn
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX SBOM for Yarn is a tool that generates Software Bill of Materials
+ (SBOM) in CycloneDX format for Yarn package manager projects. The tool supports
+ Yarn version 3 (berry) and requires Node.js 18 or higher. It can be installed
+ as a zero-install package, CLI wrapper, or Yarn plugin.
+
+
+ Key Features:
+
+ - Generates CycloneDX SBOMs in JSON or XML format
+
+ - Supports CycloneDX specification versions 1.2 through 1.6
+
+ - Options for excluding development dependencies
+
+ - Configurable main component type (application, library, firmware)
+
+ - Support for PackageURL (PURL) optimization
+
+ - Experimental license text gathering capability
+
+ - Reproducible output generation option
+
+
+ The tool leverages the CycloneDX library for SBOM generation and can be integrated
+ into existing workflows through command-line interface or programmatic execution.
+ It operates under the Apache 2.0 license and is maintained as part of the CycloneDX
+ tooling ecosystem.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ - Validate
+ Languages:
+ - Npm
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-webpack-plugin
+ Name: CycloneDX-Webpack-Plugin
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'The CycloneDX webpack plugin is a tool that generates CycloneDX Software
+ Bill of Materials (SBOM) for webpack-based projects. The plugin analyzes the dependency
+ graph after tree-shaking to include only actually used dependencies in the SBOM.
+
+
+ Key Features:
+
+ - Supports CycloneDX specification versions 1.2 through 1.6
+
+ - Generates reproducible SBOM output
+
+ - Validates BOM results
+
+ - Supports IETF /.well-known/sbom standard
+
+ - Provides root component autodetection
+
+ - Integrates with Angular and React projects
+
+ - Collects optional license evidence
+
+ - Configurable output locations and formats
+
+
+ The plugin requires Node.js >= 14 and webpack ^5, with legacy support for older
+ versions. It leverages the CycloneDX JavaScript library for SBOM generation and
+ can be installed via npm or yarn package managers.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Maven
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-maven-plugin
+ Name: CycloneDX-maven-plugin
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX Maven Plugin: SBOM Generation Tool
+
+
+ The CycloneDX Maven Plugin is a Software Bill of Materials (SBOM) generation tool
+ that creates CycloneDX-compliant SBOMs for Maven projects. The plugin analyzes
+ direct and transitive dependencies, supporting both single-module and multi-module
+ Maven projects.
+
+
+ Key Features:
+
+ - Generates SBOMs in XML and JSON formats
+
+ - Supports CycloneDX schema versions up to 1.6
+
+ - Creates individual BOMs per module or aggregate BOMs for entire projects
+
+ - Configurable dependency scope inclusion
+
+ - Customizable output formats and locations
+
+ - Optional license text inclusion
+
+ - Project type specification capabilities
+
+ - Selective module exclusion options
+
+
+ The plugin integrates into the Maven build lifecycle and can attach generated
+ SBOMs as build artifacts. It supports various configuration options for tailoring
+ the SBOM generation process to specific project requirements.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Consume
+ - Generate
+ Languages:
+ - Golang
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-go
+ Name: CycloneDX-go
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX-go is a Go library for creating and processing CycloneDX Software
+ Bill of Materials (SBOM). The library supports reading and writing BOMs conforming
+ to CycloneDX specifications versions 1.0 through 1.6. Compatible with Go 1.20+,
+ it provides a programmatic interface for SBOM manipulation in Go applications.
+ The library offers comprehensive support for all CycloneDX specification features
+ and can be integrated as a dependency in Go projects. For direct generation of
+ SBOMs from Go modules, users should consider cyclonedx-gomod instead.
+
+
+ Key Features:
+
+ - Full support for CycloneDX specifications v1.0-1.6
+
+ - BOM reading and writing capabilities
+
+ - Programmatic SBOM manipulation
+
+ - Comprehensive API documentation
+
+ - Apache 2.0 licensed'
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ Languages:
+ - Clojars
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-gomod
+ Name: CycloneDX-gomod
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX GoMod is a tool for generating Software Bill of Materials (SBOM)
+ in CycloneDX format for Go modules. The tool offers three main functionalities
+ through distinct commands: ''app'' for application-specific SBOMs considering
+ build constraints, ''mod'' for comprehensive module-level SBOMs, and ''bin'' for
+ SBOM generation from compiled Go binaries. It supports CycloneDX specification
+ up to version 1.6 and can output in both XML and JSON formats. Key features include
+ license detection, package inclusion, file-level component tracking, and build
+ constraint awareness. The tool can be integrated into CI/CD workflows via GitHub
+ Actions and supports various deployment methods including pre-built binaries,
+ Homebrew installation, and Docker containers.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Conan
+ - Gem
+ - Maven
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-gradle-plugin
+ Name: CycloneDX-gradle-plugin
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX Gradle Plugin
+
+
+ A Gradle plugin that generates Software Bill of Materials (SBOM) in CycloneDX
+ format for Java/Gradle projects. The plugin creates a comprehensive inventory
+ of all direct and transitive dependencies.
+
+
+ Key Features:
+
+ - Generates SBOMs in both XML and JSON formats (CycloneDX v1.6)
+
+ - Configurable component inclusion based on Gradle configurations
+
+ - Support for multi-project builds
+
+ - Customizable metadata including manufacturer information and licenses
+
+ - VCS integration for repository information
+
+ - Configurable output formats and locations
+
+ - Component version and name override capabilities
+
+ - Optional inclusion of license texts and build system information
+
+
+ The plugin integrates into the Gradle build process and provides detailed configuration
+ options for SBOM generation through the build.gradle file. Output can be customized
+ through various parameters including project type, schema version, and output
+ format specifications.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ - Validate
+ Languages:
+ - Composer
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-php-composer
+ Name: CycloneDX-PHP-Composer
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX PHP Composer Plugin is a Composer plugin that generates Software
+ Bill of Materials (SBOM) in CycloneDX format for PHP projects. The tool integrates
+ with Composer''s dependency management system to analyze project dependencies
+ and create standardized SBOM documentation.
+
+
+ Key Features:
+
+ - Generates SBOM documents compliant with CycloneDX specifications up to version
+ 1.6
+
+ - Supports both JSON and XML output formats
+
+ - Provides options to exclude development and plugin dependencies
+
+ - Capable of producing reproducible output
+
+ - Includes formal SBOM validation
+
+ - Supports OWASP SCVS Level-2 criteria (excluding signing)
+
+
+ The plugin requires PHP 8.1+ and Composer 2.3+, though older versions are available
+ for legacy environments. It can be installed either globally or as a project development
+ dependency through Composer. The tool utilizes Composer''s native functionality
+ to collect dependency information and leverages the CycloneDX PHP library for
+ SBOM generation and validation.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Convert
+ - Validate
+ Languages:
+ - Composer
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-php-library
+ Name: CycloneDX-PHP-library
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: CycloneDX PHP Library is a comprehensive implementation of the CycloneDX
+ specification for PHP applications, focusing on Software Bill of Materials (SBOM)
+ generation and manipulation. The library provides data models, serialization capabilities,
+ and validation functions for CycloneDX documents in both JSON and XML formats.
+ It supports multiple CycloneDX specification versions (1.1 through 1.6) and includes
+ features for component management, license handling, and external reference tracking.
+ The tool is particularly useful for developers and organizations requiring SBOM
+ generation and manipulation capabilities within PHP environments. Key functionalities
+ include BOM creation, component tracking, license management, and validation against
+ CycloneDX specifications. The library is available through Composer and provides
+ comprehensive documentation through phpDoc3 annotations.
+ Types:
+ - Design
+- Abilities:
+ - Generate
+ Languages:
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-python
+ Name: CycloneDX-Python
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX Python SBOM Generation Tool is a command-line utility that creates
+ Software Bill of Materials (SBOM) documents in CycloneDX format from Python projects.
+ The tool supports multiple Python package management systems including virtual
+ environments, Poetry, Pipenv, and requirements.txt files. It generates SBOM documents
+ that nearly achieve OWASP SCVS Level-2 compliance, requiring only external signing.
+
+
+ Key Features:
+
+ - Multiple input source support (Python environments, Poetry, Pipenv, requirements.txt)
+
+ - Compliance with CycloneDX specifications and standards
+
+ - Support for CDX namespace taxonomies (Python, Pipenv, Poetry)
+
+ - XML and JSON output formats
+
+ - Python 3.8+ compatibility
+
+ - Installation via standard Python package managers
+
+ - Command-line interface with multiple subcommands for different package management
+ systems
+
+
+ The tool is maintained by the OWASP Foundation under Apache 2.0 license and integrates
+ with the CycloneDX Python library for SBOM generation, serialization, and validation.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Convert
+ - Validate
+ Languages:
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-python-lib
+ Name: CycloneDX-Python-lib
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX Python Library is a software library that provides essential
+ components for working with CycloneDX bill of materials (BOM) documents. The library
+ implements data models and validators for the CycloneDX specification, enabling
+ developers to programmatically create, read, and validate CycloneDX documents.
+ While not a standalone SBOM generation tool, it serves as a foundation for other
+ tools like CycloneDX Python and Jake that generate Software Bill of Materials
+ (SBOM). The library supports all actively maintained Python versions and is licensed
+ under Apache 2.0.
+
+
+ Key Features:
+
+ - Data models for CycloneDX document creation
+
+ - Document validation capabilities
+
+ - Support for reading CycloneDX documents
+
+ - Integration capabilities for SBOM tooling
+
+ - Comprehensive API documentation
+
+ - Full compatibility with the CycloneDX specification'
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ Languages:
+ - Gem
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-ruby-gem
+ Name: CycloneDX-Ruby-Gem
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX Ruby Gem is a command-line tool for generating Software Bill
+ of Materials (SBOM) in CycloneDX format for Ruby projects. The tool analyzes project
+ dependencies and produces SBOM files in XML or JSON format compliant with the
+ CycloneDX specification.
+
+
+ Key Features:
+
+ - Generates CycloneDX-compliant SBOMs
+
+ - Supports both XML and JSON output formats
+
+ - Analyzes Ruby project dependencies
+
+ - Command-line interface with path specification and verbosity options
+
+ - Available through RubyGems package manager or source build
+
+ - Licensed under Apache 2.0
+
+
+ The tool integrates into Ruby development workflows and provides standardized
+ dependency documentation for security and compliance purposes.'
+
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ Languages:
+ - Cargo
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-rust-cargo
+ Name: CycloneDX-Rust-Cargo
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX Rust (Cargo) Plugin is a tool for generating CycloneDX Software
+ Bill of Materials (SBOM) for Rust projects managed with Cargo. The tool consists
+ of two components: a library (cyclonedx-bom) for handling CycloneDX SBOM data
+ structures, and a command-line application (cargo-cyclonedx) for SBOM generation.
+
+
+ Key Features:
+
+ - Generates CycloneDX-compliant SBOMs
+
+ - Captures all project dependencies
+
+ - Integrates with Cargo ecosystem
+
+ - Available as a Cargo subcommand
+
+ - Supports SBOM reading and writing through the library component
+
+
+ The tool can be installed via Cargo''s package manager and executed either as
+ a standalone binary or through the Cargo command interface. It adheres to the
+ OWASP CycloneDX specification, providing comprehensive supply chain documentation
+ capabilities.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Maven
+ License: MIT
+ Link: https://github.com/siculo/sbt-bom
+ Name: sbt-bom
+ Publisher: siculo
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'sbt-sbom is a Software Bill of Materials (SBOM) generation plugin for
+ sbt build tool. The plugin generates CycloneDX BOM files in both XML and JSON
+ formats, supporting schema versions up to 1.6.
+
+
+ Key Features:
+
+ - Generates CycloneDX-compliant SBOM for sbt projects
+
+ - Supports multiple dependency scopes (Compile, Test, IntegrationTest)
+
+ - Configurable output format (XML/JSON)
+
+ - Optional inclusion of serial numbers, timestamps, hashes, and dependency trees
+
+ - Compatible with Software Composition Analysis tools like Dependency Track
+
+ - Supports SHA3 hashes (Java 9+)
+
+
+ The plugin requires sbt version 1.5.2 or higher and is available through the Central
+ Repository. Configuration options allow customization of file naming, content
+ inclusion, and format specifications. The generated SBOM includes comprehensive
+ dependency information suitable for security analysis and compliance documentation.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Hex
+ License: BSD-3-Clause
+ Link: https://github.com/voltone/sbom
+ Name: Voltone_SBOM
+ Publisher: voltone
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'SBoM (Software Bill of Materials Generator for Mix Projects)
+
+
+ A command-line tool designed to generate Software Bill of Materials (SBOM) for
+ Elixir Mix projects in CycloneDX format. The tool analyzes project dependencies
+ from Hex, GitHub, and BitBucket repositories managed through Mix.
+
+
+ Key Features:
+
+ - Generates CycloneDX-compliant SBOM documentation
+
+ - Supports selective dependency inclusion (production-only or all environments)
+
+ - Customizable output file naming
+
+ - Integration capability with other SBOM generators via CycloneDX format
+
+
+ The tool can be installed globally or as a project dependency. While it focuses
+ on Mix-managed dependencies, it can be combined with other SBOM generators through
+ CycloneDX merge functionality for comprehensive dependency documentation of complex
+ projects.
+
+
+ Limitations:
+
+ - Scope limited to Mix-managed dependencies
+
+ - Does not directly handle NPM packages or system dependencies'
+ Types:
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Composer
+ License: BSD-3-Clause
+ Link: https://github.com/voltone/rebar3_sbom
+ Name: rebar3_sbom
+ Publisher: voltone
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'rebar3_sbom is a Rebar3 plugin that generates Software Bill of Materials
+ (SBOM) documentation for Erlang/OTP projects in CycloneDX format. The tool analyzes
+ project dependencies and produces detailed dependency information in a standardized
+ XML format.
+
+
+ Key Features:
+
+ - Generates CycloneDX-compliant SBOM files
+
+ - Configurable output file location
+
+ - Support for multiple Rebar3 profiles
+
+ - Force overwrite option for existing files
+
+ - Default profile dependency scanning
+
+ - Optional development environment dependency inclusion
+
+
+ The plugin integrates with Rebar3''s build system and can be configured globally
+ or per project. Output is generated as XML files containing comprehensive dependency
+ information suitable for security analysis and compliance documentation.'
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ Languages:
+ - Clojars
+ License: GPL-3.0
+ Link: https://github.com/ozonru/cyclonedx-go
+ Name: CycloneDX-go
+ Publisher: ozonru
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'cyclonedx-go is a command-line tool for generating CycloneDX Software
+ Bill of Materials (SBOM) from Go projects using modules. The tool produces XML-formatted
+ BOMs compliant with the CycloneDX 1.1 specification. It automatically extracts
+ dependency information from Go module files and generates component entries with
+ name, version, and Package URL (PURL) identifiers. The tool requires Go 1.11 or
+ higher and functions exclusively with projects utilizing Go modules. Output can
+ be directed to stdout or written to a specified file. cyclonedx-go is available
+ under the GPL-3 license.
+
+
+ Key Features:
+
+ - Generates CycloneDX 1.1 compliant SBOMs
+
+ - Automatic dependency detection through Go modules
+
+ - Package URL (PURL) support for component identification
+
+ - File output specification option
+
+ - XML format output'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ - Merge
+ Languages:
+ - Bazel
+ License: Apache-2.0
+ Link: https://github.com/hanstdam/cdx-bower-bom
+ Name: cdx-bower-bom
+ Publisher: hanstdam
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX Bower SBOM Generator
+
+ ---------------------
+
+
+ A specialized tool for generating Software Bill of Materials (SBOM) for Bower-managed
+ dependencies in the CycloneDX format. The generator creates a comprehensive inventory
+ of project dependencies that is both human and machine-readable. The tool outputs
+ SBOM documents that comply with the CycloneDX specification.
+
+
+ Key Features:
+
+ - Generates CycloneDX-compliant SBOM for Bower dependencies
+
+ - Supports merging additional modules from other scanners
+
+ - Configurable output to file or stdout
+
+ - Optional BOM serial number generation
+
+ - Compatible with Node.js v8.0.0 and higher
+
+
+ The tool serves as a complementary solution to the CycloneDX Node.js Module, specifically
+ targeting Bower package management ecosystems. It requires a prior execution of
+ ''bower install'' in the target repository to function properly.'
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ - Validate
+ - Convert
+ - Sign
+ Languages:
+ - Maven
+ - Pypi
+ - Npm
+ - Gem
+ - Cargo
+ - Nuget
+ - Autotools
+ - Clojars
+ - Composer
+ - Elixir
+ - Generic
+ - Dotnet
+ - Hale
+ - Pub
+ - Apk
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cdxgen
+ Name: CdxGen
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX Generator (cdxgen) is a versatile tool for generating Software
+ Bill of Materials (SBOM) in CycloneDX format. The tool supports multiple BOM types
+ including Software (SBOM), Cryptography (CBOM), Operations (OBOM), and Software-as-a-Service
+ (SaaSBOM).
+
+
+ Key Features:
+
+ - Polyglot SBOM generation supporting multiple programming languages and platforms
+
+ - Deep inspection capabilities for precise dependency analysis
+
+ - Automatic dependency detection and scope determination
+
+ - Container image and OCI support
+
+ - Evidence-based component identification
+
+ - Support for CycloneDX specification versions 1.4 - 1.6
+
+ - Available as CLI tool, library, REPL, and server
+
+ - SBOM signing capabilities using JSON Web Signatures
+
+ - Automatic services detection from YAML manifests
+
+ - Integration options as library for Node.js and Deno
+
+
+ The tool can be installed via npm, Homebrew, Winget or used as a container image.
+ It emphasizes explainability, precision, and comprehensive analysis over simple
+ manifest parsing, making it suitable for enterprise environments and compliance
+ requirements.'
+ Types:
+ - Source
+ - Build
+ - Analyze
+ - Container
+- Abilities:
+ - Generate
+ Languages:
+ - Maven
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-buildroot
+ Name: CycloneDX-buildroot
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX Buildroot is a Python application designed to generate CycloneDX
+ Software Bill of Materials (SBOM) for Buildroot-generated projects. The tool processes
+ Buildroot''s legal-info target output, specifically the manifest.csv file, to
+ create comprehensive SBOMs in JSON or XML format compliant with CycloneDX schema
+ version 1.4.
+
+
+ Key features:
+
+ - Generates SBOMs from Buildroot''s manifest.csv
+
+ - Supports project metadata inclusion (name, version, manufacturer)
+
+ - CPE integration capabilities
+
+ - Command-line interface with configurable input/output paths
+
+ - Compatible with CycloneDX v1.4 schema
+
+ - Output formats in both JSON and XML
+
+
+ The tool serves as a bridge between Buildroot''s build system and modern SBOM
+ requirements, enabling software supply chain transparency and security analysis
+ for embedded Linux systems built with Buildroot.'
+ Types:
+ - Build
+- Abilities:
+ - Generate
+ - Validate
+ Languages:
+ - Clojars
+ - Elixir
+ - Npm
+ License: NOASSERTION
+ Link: https://github.com/eclipse/antenna
+ Name: antenna
+ Publisher: eclipse
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'Eclipse SW360 Antenna - SBOM Generation and License Compliance Tool (Archived)
+
+
+ Eclipse SW360 Antenna is a software composition analysis tool designed to generate
+ Software Bill of Materials (SBOM) and ensure license compliance. The tool scans
+ project artifacts, analyzes dependencies, and produces comprehensive documentation
+ including third-party attribution documents, source code archives, and processing
+ reports.
+
+
+ Key SBOM Features:
+
+ - Dependency scanning and analysis
+
+ - Source code download and validation
+
+ - License identification and compliance checking
+
+ - Generation of third-party attribution documents
+
+ - Creation of source code archives
+
+ - Support for Maven and Gradle build environments
+
+ - Integration with SW360 for component management
+
+
+ The tool supports Java-based projects and can be implemented as a Maven plugin,
+ Gradle plugin, or standalone executable. While the project is now archived, it
+ represents a significant contribution to open-source SBOM generation tools.
+
+
+ Note: This project has been archived and is no longer actively maintained.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ Languages:
+ - Npm
+ - Yarn
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/gh-node-module-generatebom
+ Name: gh-node-module-generatebom
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'Summary: CycloneDX SBOM Generator for Node.js (Deprecated GitHub Action)
+
+
+ A GitHub Action for generating CycloneDX Software Bill-of-Materials (SBOM) for
+ Node.js projects. The tool creates machine-readable SBOM documentation in XML
+ format, capturing all project dependencies. The action requires a populated node_modules
+ directory and supports customizable input/output paths.
+
+
+ Key Features:
+
+ - Generates CycloneDX-compliant SBOM
+
+ - Supports NPM-based Node.js projects
+
+ - Configurable project path and output location
+
+ - XML output format
+
+
+ Current Status: Deprecated in favor of dedicated tools:
+
+ - @yclonedx/cyclonedx-npm for NPM projects
+
+ - @cyclonedx/yarn-plugin-cyclonedx for Yarn projects
+
+
+ The action utilizes @cyclonedx/bom@<4 as its core engine for SBOM generation.'
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Dotnet
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/gh-dotnet-generate-sbom
+ Name: gh-dotnet-generate-sbom
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX GitHub Action for .NET SBOM Generation
+
+ --------------------------------------------------
+
+
+ A GitHub Action that generates Software Bill of Materials (SBOM) for .NET projects
+ using the CycloneDX specification. The tool supports analysis of .NET solution
+ files (.sln), project files (.csproj, .vbproj), and packages.config files. It
+ produces SBOM output in both XML and JSON formats.
+
+
+ Key Features:
+
+ - Recursive analysis of project directories
+
+ - Support for multiple .NET project file formats
+
+ - Optional GitHub token integration for license resolution
+
+ - Configurable output directory
+
+ - XML and JSON output format options
+
+
+ The action integrates with GitHub workflows and supports automated SBOM generation
+ as part of continuous integration pipelines.'
+ Types:
+ - Build
+- Abilities:
+ - Generate
+ Languages:
+ - Composer
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/gh-php-composer-generate-sbom
+ Name: gh-php-composer-generate-sbom
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX SBOM Generator for PHP Composer Projects (Deprecated)
+
+
+ A GitHub Action that generates Software Bill of Materials (SBOM) for PHP Composer
+ projects using the CycloneDX specification. The action leverages the cyclonedx/cyclonedx-php-composer
+ package to create standardized SBOM documentation. While the GitHub Action is
+ deprecated, the underlying tool remains actively maintained and can be directly
+ integrated into workflows using Composer''s plugin system. The tool supports CycloneDX
+ format up to version 4 and integrates seamlessly with PHP development environments.
+
+
+ Key Features:
+
+ - Generates CycloneDX-compliant SBOM
+
+ - Compatible with PHP Composer projects
+
+ - Direct integration with Composer''s plugin system
+
+ - Supports automated workflow integration
+
+
+ The tool is maintained as part of the CycloneDX ecosystem and supports the community''s
+ standardization efforts for software supply chain security.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/gh-python-generate-sbom
+ Name: gh-python-generate-sbom
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX GitHub Action for Python SBOM Generation (Deprecated)
+
+
+ A GitHub Action that generates Software Bill of Materials (SBOM) in CycloneDX
+ format for Python projects. The tool processes pip requirements files to create
+ standardized SBOM documentation in either XML or JSON format. Built on the cyclonedx-bom
+ Python package, it supports the CycloneDX specification for software component
+ transparency.
+
+
+ Key Features:
+
+ - Processes pip requirements files
+
+ - Generates CycloneDX-compliant SBOMs
+
+ - Supports XML and JSON output formats
+
+ - Configurable input and output paths
+
+
+ Note: This action is deprecated. Users are advised to directly utilize the underlying
+ cyclonedx-bom Python package for SBOM generation.'
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ Languages:
+ - Hex
+ License: No License
+ Link: https://github.com/red-shirts/action-mix-sbom
+ Name: action-mix-sbom
+ Publisher: red-shirts
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'The GitHub Action "Generate CycloneDX SBoM for mix project" is a specialized
+ tool for generating Software Bill of Materials (SBOM) for Elixir projects using
+ the mix build tool. The action produces CycloneDX-formatted SBOM files that document
+ project dependencies.
+
+
+ Key Features:
+
+ - Generates CycloneDX-compliant SBOM files for Elixir/mix projects
+
+ - Configurable output file naming (defaults to ''bom.xml'')
+
+ - Optional inclusion of development and test dependencies
+
+ - Runs in Docker containers with Elixir support
+
+ - Compatible with GitHub Actions workflow environment
+
+
+ The tool operates as a GitHub Action, making it suitable for integration into
+ automated CI/CD pipelines for Elixir projects requiring dependency documentation
+ and software supply chain transparency.'
+ Types:
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Apk
+ - Bower
+ - Cargo
+ - Composer
+ - Elixir
+ - Gem
+ - Hackage
+ - Hale
+ - Maven
+ - Npm
+ - Nuget
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/oss-review-toolkit/ort
+ Name: ORT
+ Publisher: oss-review-toolkit
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'OSS Review Toolkit (ORT) is a FOSS policy automation and orchestration
+ toolkit that includes SBOM generation capabilities. The tool supports the creation
+ of CycloneDX and SPDX SBOMs through its Reporter component. ORT first analyzes
+ project dependencies using its Analyzer component, which supports multiple package
+ managers and build systems. The tool can also download source code, perform license
+ scanning, and check for security vulnerabilities before generating the SBOM. The
+ Reporter then processes this collected data to produce comprehensive SBOMs in
+ the desired format. ORT is available as a library, CLI tool, or through CI integrations,
+ and runs on Linux, Windows, and macOS platforms. The tool requires Java 11 or
+ later and can be installed via pre-built binaries or built from source.
+
+
+ Key SBOM Features:
+
+ - Supports CycloneDX and SPDX formats
+
+ - Comprehensive dependency analysis across multiple package managers
+
+ - Integration of license and security vulnerability information
+
+ - Flexible deployment options (CLI, library, CI)
+
+ - Customizable output formats
+
+ - Source code verification capabilities'
+ Types:
+ - Source
+ - Build
+ - Analyze
+- Abilities:
+ - Generate
+ Languages:
+ - Npm
+ License: NOASSERTION
+ Link: https://github.com/RetireJS/retire.js
+ Name: retire.js
+ Publisher: RetireJS
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'Retire.js is a security-focused tool designed to identify JavaScript libraries
+ and Node.js modules with known vulnerabilities in web applications. The tool supports
+ SBOM generation in CycloneDX format through its command-line interface.
+
+
+ Key Features:
+
+ - Command-line scanner for web and Node.js applications
+
+ - SBOM generation in CycloneDX format
+
+ - Integration options with build tools (Grunt, Gulp)
+
+ - Browser extensions for Chrome and Firefox
+
+ - Security tool integration with Burp and OWASP ZAP
+
+ - Vulnerability detection in JavaScript dependencies
+
+ - Automated scanning capabilities
+
+
+ The tool serves as both a vulnerability scanner and SBOM generator, helping organizations
+ maintain secure JavaScript dependencies while supporting software supply chain
+ transparency through standardized SBOM output.'
+ Types:
+ - Source
+ - Analyze
+- Abilities:
+ - Consume
+ - Validate
+ Languages:
+ - Alpine
+ - Cargo
+ - Composer
+ - Elixir
+ - Gem
+ - Hex
+ - Maven
+ - Npm
+ - Nuget
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/DependencyTrack/dependency-track
+ Name: dependency-track
+ Publisher: DependencyTrack
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'Dependency-Track is an intelligent Component Analysis platform that utilizes
+ Software Bill of Materials (SBOM) for comprehensive software supply chain risk
+ management.
The platform features SBOM capabilities through CycloneDX format for
+ both consumption and production, including support for Vulnerability Exploitability
+ Exchange (VEX).
+
+
+ Key SBOM-related features:
+
+ - Generation and processing of CycloneDX SBOMs
+
+ - Component tracking across multiple types (applications, libraries, containers,
+ firmware)
+
+ - Integration with vulnerability databases (NVD, GitHub Advisories, OSV)
+
+ - Repository support for major package ecosystems
+
+ - Policy engine for security, license, and operational compliance
+
+ - API-first architecture enabling automation and CI/CD integration
+
+
+ The platform is available in three distribution variants: API Server, Frontend
+ (SPA), and Bundled version. Deployment options include Docker containers and Kubernetes
+ via Helm charts. The tool is maintained as an OWASP Flagship project and licensed
+ under Apache License 2.0.'
+ Types:
+ - Analyze
+- Abilities:
+ - Consume
+ Languages:
+ - Clojars
+ - Maven
+ - Nuget
+ License: Apache-2.0
+ Link: https://github.com/jenkinsci/dependency-track-plugin
+ Name: dependency-track-plugin
+ Publisher: jenkinsci
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'Dependency-Track Jenkins Plugin - SBOM Integration Tool
+
+
+ The Dependency-Track Jenkins plugin enables seamless integration between Jenkins
+ CI/CD pipelines and the Dependency-Track platform for Software Bill-of-Materials
+ (SBOM) management. The plugin supports uploading CycloneDX format SBOMs to Dependency-Track
+ for Software Supply Chain Component Analysis.
+
+
+ Key SBOM Features:
+
+ - Supports synchronous and asynchronous SBOM publishing
+
+ - Automated project creation and SBOM upload
+
+ - Real-time vulnerability and policy violation analysis
+
+ - Configurable risk thresholds and job status controls
+
+ - Integration with Jenkins pipeline workflows
+
+ - Support for CycloneDX SBOM format
+
+
+ The plugin requires Dependency-Track 4.12+ and Jenkins 2.479.1+ with Java 17+.
+ It provides comprehensive project property management, including tags, SWID identifiers,
+ and project hierarchies. The tool offers both UI-based configuration and pipeline
+ script support for SBOM operations.
+
+
+ For more information: https://dependencytrack.org/'
+ Types:
+ - Build
+- Abilities:
+ - Consume
+ Languages:
+ - Maven
+ License: Apache-2.0
+ Link: https://github.com/pmckeown/dependency-track-maven-plugin
+ Name: dependency-track-maven-plugin
+ Publisher: pmckeown
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'The Dependency-Track Maven Plugin enables integration with Dependency-Track
+ servers for analyzing project dependencies and managing Software Bill of Materials
+ (SBOM).
The plugin supports SBOM generation, upload, and vulnerability analysis
+ with the following key features:
+
+
+ Core Features:
+
+ - Upload and management of CycloneDX SBOM files to Dependency-Track
+
+ - Project vulnerability findings analysis and reporting
+
+ - Policy violation detection and enforcement
+
+ - Inherited risk score calculation and thresholds
+
+ - Project metrics collection and analysis
+
+ - Project lifecycle management including deletion
+
+
+ Key SBOM Capabilities:
+
+ - Automatic SBOM generation via integration with cyclonedx-maven-plugin
+
+ - SBOM upload with project metadata updates
+
+ - Support for parent/child project relationships
+
+ - Project tagging and version management
+
+ - Configurable polling for SBOM processing status
+
+
+ The plugin requires a Dependency-Track server with appropriate API access and
+ can be configured via Maven POM or command line properties. It integrates into
+ the Maven build lifecycle and supports both automated CI/CD pipelines and manual
+ execution modes.
+
+
+ Technical requirements include:
+
+ - Maven build environment
+
+ - Dependency-Track server (API endpoint)
+
+ - API key with required permissions
+
+ - CycloneDX plugin for SBOM generation'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Consume
+ Languages:
+ - Generic
+ - Npm
+ License: GPL-3.0
+ Link: https://github.com/ozonru/dtrack-audit
+ Name: dtrack-audit
+ Publisher: ozonru
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'Summary:
+
+ Dtrack-audit is a command-line SBOM management tool that integrates with OWASP
+ Dependency Track. The tool facilitates SBOM handling in CI/CD pipelines by providing
+ automated project creation, vulnerability scanning, and results filtering. It
+ supports both synchronous and asynchronous operation modes for SBOM submission
+ and analysis. Key features include severity-based vulnerability filtering (critical
+ to unassigned), environment variable configuration, and TeamCity CI integration.
+ The tool accepts CycloneDX format and provides detailed vulnerability reports
+ with severity levels, affected components, and reference links. Written in Go,
+ dtrack-audit streamlines security analysis workflow by enabling automated SBOM
+ processing and vulnerability assessment in development pipelines.'
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ Languages:
+ - Apk
+ - Cargo
+ - Composer
+ - Elixir
+ - Gem
+ - Generic
+ - Npm
+ - Nuget
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/ShiftLeftSecurity/sast-scan
+ Name: sast-scan
+ Publisher: ShiftLeftSecurity
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'Scan (by AppThreat) is an open-source security analysis tool that includes
+ SBOM generation capabilities through its integrated cdxgen component. The tool
+ supports SBOM creation for multiple programming languages and platforms including
+ Java, Node.js, Python, and Rust. SBOMs are generated in CycloneDX format, which
+ can be used for software composition analysis and vulnerability management.
+
+
+ Key SBOM Features:
+
+ - Generates CycloneDX-format SBOMs
+
+ - Supports multiple package ecosystems
+
+ - Container image SBOM generation
+
+ - Local scanning without data transmission
+
+ - CI/CD pipeline integration
+
+ - Automatic dependency detection
+
+ - Free and Apache-2.0 licensed
+
+
+ The tool performs SBOM generation as part of its broader security scanning capabilities,
+ making it suitable for organizations seeking an integrated approach to software
+ security and dependency analysis.'
+ Types:
+ - Container
+- Abilities:
+ - Generate
+ - Consume
+ Languages:
+ - Generic
+ License: No License
+ Link: https://github.com/scanoss/engine
+ Name: engine
+ Publisher: scanoss
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'SCANOSS Open Source Engine Summary:
+
+
+ SCANOSS is an open-source software composition analysis tool focusing on real-time
+ SBOM generation during development.
The engine performs file identification against
+ a knowledge database to detect open source components and generate SBOMs.
+
+
+ Key SBOM Features:
+
+ - Real-time SBOM creation during development
+
+ - Support for CycloneDX and SPDX 2.2 JSON formats
+
+ - SBOM ingestion capability to prioritize declared components
+
+ - File identification through full package, file, and snippet matching
+
+ - Component ranking based on release dates and context hints
+
+
+ The tool integrates with existing development workflows and provides continuous
+ analysis of code components. Output is generated in JSON format, enabling easy
+ integration with other tools and processes. SCANOSS requires a knowledge database
+ (LDB) and can be customized through mining tools to create specialized component
+ databases.
+
+
+ License: GPL 2.0'
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ Languages:
+ - Dotnet
+ License: No License
+ Link: https://github.com/thspinto/oss_inventory
+ Name: oss_inventory
+ Publisher: thspinto
+ Source: AI-Generated
+ Standards: []
+ Summary: 'Buffalo is a web development framework for Go that includes built-in support
+ for SBOM generation through FOSSA integration. The tool automatically tracks dependencies
+ and generates Software Bill of Materials (SBOM) during the build process. It features
+ a comprehensive database setup, automated binary rebuilding, and asset management
+ capabilities. FOSSA integration enables continuous monitoring of license compliance
+ and dependency tracking, providing up-to-date SBOM information for the project.
+ The framework supports automated SBOM creation as part of its development workflow,
+ making it suitable for projects requiring dependency transparency and compliance
+ documentation.
+
+
+ Note: Based on the provided text, the SBOM capabilities are primarily derived
+ from FOSSA integration. The summary focuses on this aspect while noting the general
+ framework features that support dependency management.'
+ Types:
+ - Source
+- Abilities:
+ - Consume
+ Languages:
+ - Npm
+ - Alpine
+ License: Apache-2.0
+ Link: https://github.com/sonatype-nexus-community/auditjs
+ Name: auditjs
+ Publisher: sonatype-nexus-community
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ Summary: 'AuditJS is a vulnerability scanning tool that analyzes JavaScript projects
+ using the OSS Index API or Nexus IQ Server to identify known vulnerabilities and
+ outdated package versions. The tool generates SBOM data by traversing node_modules
+ directories to capture declared and transitive dependencies.
+
+
+ Key Features:
+
+ - Supports npm, Angular, yarn, and bower package managers
+
+ - Integrates with OSS Index and Nexus IQ Server for vulnerability data
+
+ - Provides JSON and JUnit XML output formats
+
+ - Includes vulnerability whitelisting capabilities
+
+ - Supports proxy configurations
+
+ - Offers CI/CD integration options
+
+ - Caches scan results to optimize API usage
+
+ - Command line and npm script usage options
+
+
+ The tool performs coordinate-based matching for dependency analysis but does not
+ detect vulnerabilities in manually copied code or unmanaged files. For complete
+ security coverage, it is recommended to use AuditJS in conjunction with the Sonatype
+ Nexus IQ CLI Scanner.
+
+
+ Technical Requirements:
+
+ - Node.js LTS versions 8.x and above
+
+ - Nexus IQ Server version 77+ for IQ scanning functionality
+
+ - Network access to OSS Index API'
+ Types:
+ - Design
+ - Source
+ - Build
+- Abilities:
+ - Consume
+ Languages:
+ - Gem
+ License: Apache-2.0
+ Link: https://github.com/sonatype-nexus-community/chelsea
+ Name: chelsea
+ Publisher: sonatype-nexus-community
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ Summary: 'Chelsea is a Ruby-based CLI tool for scanning RubyGem dependencies and
+ identifying security vulnerabilities. The tool integrates with Sonatype''s OSS
+ Index and Nexus IQ Server to provide vulnerability data and policy enforcement
+ capabilities.
+
+
+ Key Features:
+
+ - Scans Gemfile.lock files for dependency vulnerabilities
+
+ - Supports multiple report formats (text, JSON, XML/JUnit)
+
+ - Provides reverse dependency tracking
+
+ - Integrates with OSS Index for vulnerability data
+
+ - Offers Nexus IQ Server integration for policy management
+
+ - Includes caching mechanism to handle rate limiting
+
+ - Allows vulnerability whitelist configuration
+
+
+ The tool is designed for Ruby developers and security teams to identify and manage
+ security risks in their RubyGem dependencies. It can be integrated into CI/CD
+ pipelines and supports authenticated access to OSS Index for enhanced usage limits.'
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ Languages:
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/sonatype-nexus-community/jake
+ Name: jake
+ Publisher: sonatype-nexus-community
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: "Jake is a Python-based tool for generating Software Bill of Materials\
+ \ (SBOM) and performing vulnerability scanning. The tool offers the following\
+ \ key SBOM capabilities:\n\n- Generates CycloneDX SBOMs in XML or JSON format\
+ \ with support for schema versions 1.0-1.3\n- Accepts input from multiple sources\
+ \ including:\n - Current Python environment\n - Conda packages (explicit and\
+ \ JSON format)\n - requirements.txt files\n - Pipfile.lock (Pipenv)\n - poetry.lock\
+ \ files\n - STDIN data streams\n\nThe tool can output SBOMs to files or console\
+ \ and integrates with vulnerability scanning through OSS Index and Sonatype Nexus\
+ \ Lifecycle. Additional features include pre-commit hook support and vulnerability\
+ \ whitelisting capabilities.\n\nCommand line interface provides options for input\
+ \ source specification, output format selection, and schema version control. The\
+ \ tool requires Python 3.7+ and is available via PyPI package manager."
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Consume
+ Languages:
+ - Generic
+ License: Apache-2.0
+ Link: https://github.com/sonatype-nexus-community/nancy
+ Name: nancy
+ Publisher: sonatype-nexus-community
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: "Nancy is a vulnerability checking tool for Golang dependencies, powered\
+ \ by Sonatype OSS Index and Nexus IQ Server. The tool analyzes dependencies from\
+ \ go.mod files or dep's Gopkg.lock to identify known security vulnerabilities.\n\
+ \nKey Features:\n- Scans Golang dependencies for known vulnerabilities using Sonatype\
+ \ OSS Index\n- Supports both go modules and dep dependency management\n- Integrates\
+ \ with Nexus IQ Server for enhanced vulnerability reporting\n- Multiple output\
+ \ formats including text, JSON, and CSV\n- Ability to exclude specific vulnerabilities\
+ \ via CLI flags or config files \n- Caching support for OSS Index responses\n\
+ - CI/CD integration with CircleCI and GitHub Actions\n- Docker container support\n\
+ \nThe tool can be installed via package managers like Homebrew (macOS) and AUR\
+ \ (Arch Linux), or by downloading pre-built binaries. Nancy offers configuration\
+ \ options for authentication with OSS Index and Nexus IQ Server services.\n\n\
+ Primary use cases include:\n- Development vulnerability scanning: `go list -json\
+ \ -deps ./... | nancy sleuth`\n- CI/CD pipeline security checks\n- Integration\
+ \ with Nexus IQ Server for enterprise policy management\n- Generation of vulnerability\
+ \ reports in various formats"
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ Languages:
+ - Hackage
+ License: Apache-2.0
+ Link: https://github.com/sonatype-nexus-community/go-sona-types
+ Name: go-sona-types
+ Publisher: sonatype-nexus-community
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'Go Sonatype Types is a Go library offering capabilities for Software Bill
+ of Materials (SBOM) generation and software composition analysis.
The tool integrates
+ with Sonatype''s OSS Index and Nexus IQ Server for vulnerability scanning and
+ provides CycloneDX SBOM generation functionality. Key features include:
+
+
+ - CycloneDX SBOM creation from coordinate lists
+
+ - Integration with Sonatype''s OSS Index for vulnerability scanning
+
+ - Nexus IQ Server connectivity for advanced component analysis
+
+ - Customizable User Agent management for service communication
+
+ - Database caching support for improved performance
+
+
+ The library requires Go 1.16 or later and can be integrated as a module in Go
+ applications. It supports configuration through options for authentication, caching,
+ and custom client identification.
+
+
+ Reference: https://github.com/sonatype-nexus-community/go-sona-types'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Consume
+ Languages:
+ - Apk
+ - Maven
+ - Npm
+ License: MIT
+ Link: https://github.com/valaatech/kernel
+ Name: kernel
+ Publisher: valaatech
+ Source: AI-Generated
+ Standards: []
+ Summary: "Summary of @valos/kernel SBOM Features:\n\n@valos/kernel is a distributed\
+ \ platform system that implements a package monorepo structure. The tool provides\
+ \ SBOM-relevant features through its package management and dependency tracking\
+ \ capabilities.\n\nKey SBOM-related features:\n- Manages dependencies across multiple\
+ \ @valos namespace packages\n- Tracks package relationships in a monorepo structure\
+ \ \n- Documents dependencies using yarn package management\n- Provides dependency\
+ \ information for core components like @valos/inspire, @valos/raem, @valos/script\n\
+ - Includes development dependencies through shared configurations\n- Contains\
+ \ license information (MIT) and attribution details\n\nThe tool primarily focuses\
+ \ on package management and dependency tracking within its ecosystem rather than\
+ \ explicit SBOM generation. It serves as a source for dependency information that\
+ \ can be used by dedicated SBOM generation tools."
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Swift
+ License: MIT
+ Link: https://github.com/CERTCC/SBOM
+ Name: SBOM
+ Publisher: CERTCC
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'SwiftBOM is an SBOM generation tool developed by CERT for proof-of-concept
+ and demonstration purposes. The tool generates Software Bill of Materials (SBOM)
+ in three standard formats: SPDX, CycloneDX, and SWID. It features a web-based
+ interface with live demo capabilities and supports basic SBOM import functionality
+ with multi-format output options.
+
+
+ Key Features:
+
+ - Multi-format SBOM generation (SPDX, CycloneDX, SWID)
+
+ - Visual representation through downloadable PNG tree graphs
+
+ - Basic SBOM import capabilities
+
+ - Web-based interface with live demo
+
+ - Component relationship visualization using CONTAINS relationship mode
+
+ - Standalone document generation without external relationship support
+
+
+ The tool has been utilized in Healthcare Proof of Concept initiatives and serves
+ as a practical demonstration platform for SBOM generation and visualization. SwiftBOM
+ focuses on basic SBOM functionality and is primarily intended for educational
+ and demonstration purposes.'
+ Types:
+ - Design
+ - Deployment
+- Abilities:
+ - Consume
+ Languages:
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/thinksabin/DTrackAuditor
+ Name: DTrackAuditor
+ Publisher: thinksabin
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'DTrackAuditor is a Python-based command-line tool designed to integrate
+ DependencyTrack functionality into CI/CD pipelines. The tool facilitates automated
+ SBOM analysis by uploading and evaluating Software Bill of Materials (SBOM) files
+ against a DependencyTrack instance.
+
+
+ Key SBOM-related features:
+
+ - Automated SBOM file upload and analysis
+
+ - Support for project creation and version management
+
+ - Configurable vulnerability assessment rules based on severity levels
+
+ - Policy violation detection and enforcement
+
+ - Integration with CI/CD pipelines through exit status codes
+
+ - Support for custom certificate chains in secure environments
+
+
+ The tool accepts SBOM files in XML format and can be deployed via pip installation,
+ Docker container, or direct source code usage. It integrates with DependencyTrack
+ 4.10 and requires Python 3.11.8.'
+ Types:
+ - Build
+- Abilities:
+ - Consume
+ Languages:
+ - Bower
+ - Cargo
+ - Composer
+ - Deb
+ - Dotnet
+ - Elixir
+ - Gem
+ - Generic
+ - Npm
+ - Nuget
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/anchore/grype
+ Name: Grype
+ Publisher: Anchore
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: "Grype is a vulnerability scanner for container images and filesystems\
+ \ developed by Anchore. The tool integrates seamlessly with Syft for Software\
+ \ Bill of Materials (SBOM) generation and scanning.
Here are its key features\
+ \ related to SBOM:\n\nSupport for SBOM Input Formats:\n- Syft JSON\n- SPDX\n-\
+ \ CycloneDX \n\nSBOM Scanning Capabilities:\n- Can scan existing SBOMs for vulnerabilities\n\
+ - Supports piped SBOM input\n- Can work with SBOM attestations via cosign integration\n\
+ - Option to automatically generate CPEs when packages have none\n- Supports scanning\
+ \ container images and filesystems to generate vulnerability reports\n\nOutput\
+ \ Formats:\n- CycloneDX XML and JSON (spec v1.6)\n- SARIF reports\n- JSON\n- Custom\
+ \ templates\n- Table format (default)\n\nKey SBOM Related Features:\n- Fast vulnerability\
+ \ scanning using pre-generated SBOMs\n- Support for external sources to enhance\
+ \ vulnerability matching\n- VEX (Vulnerability Exploitability Exchange) support\n\
+ - Integration with standard container registry authentication\n\nThe tool is designed\
+ \ to work efficiently with SBOM workflows and can operate in both online and air-gapped\
+ \ environments. It maintains its own vulnerability database which is automatically\
+ \ updated to ensure current vulnerability information."
+ Types:
+ - Analyze
+- Abilities:
+ - Compare
+ - Convert
+ - Edit
+ - Generate
+ - Merge
+ - Validate
+ - Sign
+ Languages:
+ - Alpine
+ - Apk
+ - Clojars
+ - Composer
+ - Conan
+ - Cran
+ - Deb
+ - Dotnet
+ - Elixir
+ - Gem
+ - Generic
+ - Haxe
+ - Maven
+ - Npm
+ - Nuget
+ - Pypi
+ - Rpm
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-cli
+ Name: CycloneDX-cli
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'CycloneDX CLI Tool - SBOM Utility
+
+
+ The CycloneDX CLI is a comprehensive command-line tool for Software Bill of Materials
+ (SBOM) manipulation and analysis. It supports SBOM generation, validation, and
+ conversion between different formats including CycloneDX XML, JSON, Protobuf,
+ CSV, and SPDX JSON v2.2.
+
+
+ Key Features:
+
+ - SBOM analysis and modification
+
+ - Format conversion and version control
+
+ - Component version tracking and diffing
+
+ - BOM merging capabilities
+
+ - Digital signing and verification
+
+ - Validation against CycloneDX schema
+
+
+ The tool is designed for automation workflows with support for stdin/stdout operations.
+ It runs on multiple platforms including Windows, Linux, and MacOS, with Docker
+ container deployment option available. The CLI tool requires .NET Core runtime
+ dependencies and is distributed under the Apache 2.0 license.
+
+
+ Integration capabilities include support for file system scanning, component analysis,
+ and hierarchical BOM merging. The tool facilitates SBOM management throughout
+ the software development lifecycle with features for both creation and maintenance
+ of software component documentation.'
+ Types:
+ - Analyze
+- Abilities:
+ - Convert
+ - Validate
+ - Merge
+ Languages:
+ - Autotools
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-web-tool
+ Name: CycloneDX-web-tool
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: CycloneDX Web Tool is a browser-based application for processing CycloneDX
+ Software Bill of Materials (SBOM). The tool performs all operations client-side
+ using WebAssembly, ensuring data privacy as no BOM information is transmitted
+ to external servers. Key features include format conversion between different
+ CycloneDX versions, BOM validation, and the ability to merge multiple BOMs into
+ a single document. The tool is compatible with major web browsers including Safari,
+ Chrome, Edge, and Firefox, and can be self-hosted as a static site. It is developed
+ under the Apache 2.0 license and is available as a hosted version at cyclonedx.github.io/cyclonedx-web-tool.
+ Types:
+ - Analyze
+- Abilities:
+ - Convert
+ Languages:
+ - Cargo
+ License: Apache-2.0
+ Link: https://github.com/doddi/cyclonedx-rust
+ Name: CycloneDX-rust
+ Publisher: doddi
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'cyclonedx-rust is a Rust library for encoding and decoding CycloneDX Software
+ Bill of Materials (SBOM). The library provides functionality to process CycloneDX
+ BOMs in different formats through a simple API. It supports both reading (decoding)
+ and writing (encoding) operations for CycloneDX documents using generic reader
+ and writer types. The library is released under the Apache 2.0 license and is
+ maintained as an open-source project on GitHub.
+
+
+ Key Features:
+
+ - CycloneDX BOM encoding and decoding capabilities
+
+ - Support for different CycloneDX format types
+
+ - Generic reader/writer interface compatibility
+
+ - Clear error handling through dedicated error types'
+ Types:
+ - Source
+- Abilities:
+ - Generate
+ Languages:
+ - Objective_C
+ - Swift
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-cocoapods
+ Name: CycloneDX-Cocoapods
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX CocoaPods is a Ruby gem that generates Software Bill of Materials
+ (SBOM) for iOS and macOS projects using CocoaPods dependency manager. The tool
+ creates CycloneDX-compliant BOM documents in XML or JSON format, supporting specification
+ version 1.6.
+
+
+ Key Features:
+
+ - Generates SBOM from CocoaPods project dependencies
+
+ - Supports both XML and JSON output formats
+
+ - Handles CocoaPods subspecs with granular dependency tracking
+
+ - Provides component metadata inclusion from podspec files
+
+ - Allows manufacturer metadata customization
+
+ - Offers test target exclusion option
+
+ - Includes support for package URL (purl) specifications
+
+
+ The tool integrates with build systems and requires Ruby 2.6.3 or newer.
Output
+ can be consumed by vulnerability scanning tools like Dependency Track for security
+ analysis. The gem is available through RubyGems or can be built from source.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Convert
+ Languages:
+ - Pypi
+ License: MIT
+ Link: https://github.com/HaRo87/mdbom
+ Name: mdbom
+ Publisher: HaRo87
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ Summary: 'Markdown SBOM (mdbom) is a Python-based tool for converting Software Bill
+ of Materials (SBOM) files into Markdown format. The tool supports Python 3.8 and
+ above, offering a streamlined approach to SBOM documentation transformation. It
+ can be installed via pip or pipx package managers. The tool''s primary function
+ is to generate human-readable Markdown documentation from SBOM files, facilitating
+ easier sharing and integration of SBOM information in documentation workflows.
+ The project is actively maintained with continuous integration, deployment pipelines,
+ and comprehensive test coverage.
+
+
+ Key Features:
+
+ - SBOM to Markdown conversion
+
+ - Python 3.8+ compatibility
+
+ - Simple installation through standard Python package managers
+
+ - Comprehensive documentation
+
+ - High test coverage'
+ Types:
+ - Analyze
+- Abilities:
+ - Generate
+ - Edit
+ Languages:
+ - Golang
+ - Maven
+ License: Apache-2.0
+ Link: https://github.com/openrewrite/rewrite
+ Name: rewrite
+ Publisher: openrewrite
+ Source: AI-Generated
+ Standards: []
+ Summary: 'OpenRewrite SBOM Generator
+
+ -----------------------------------
+
+
+ OpenRewrite is an automated refactoring tool that includes SBOM (Software Bill
+ of Materials) generation capabilities as part of its feature set. The tool generates
+ SBOMs by analyzing project dependencies and source code during the build process.
+
+
+ Key SBOM Features:
+
+ - Integrates with Maven and Gradle build systems
+
+ - Generates CycloneDX format SBOMs
+
+ - Provides dependency analysis and tracking
+
+ - Supports multi-module project structures
+
+ - Enables automated SBOM generation as part of CI/CD pipelines
+
+
+ The tool is available as open-source software under the Apache 2.0 license and
+ offers both command-line interface and build tool plugin implementations. OpenRewrite''s
+ SBOM generation can be configured through build configuration files and integrated
+ into existing development workflows.'
+ Types:
+ - Source
+- Abilities:
+ - Consume
+ Languages:
+ - Generic
+ - Pypi
+ License: BSD-3-Clause
+ Link: https://github.com/DefectDojo/django-DefectDojo
+ Name: django-DefectDojo
+ Publisher: DefectDojo
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'DefectDojo SBOM Capabilities Summary:
+
+
+ DefectDojo is a vulnerability management and DevSecOps platform that supports
+ Software Bill of Materials (SBOM) functionality through its comprehensive integration
+ system. The tool can import and process SBOMs from various sources and formats,
+ including CycloneDX and SPDX. It provides capabilities for SBOM management, visualization,
+ and analysis within its vulnerability tracking framework.
+
+
+ Key SBOM Features:
+
+ - Imports SBOMs in industry-standard formats (CycloneDX, SPDX)
+
+ - Integrates SBOM data with vulnerability management workflows
+
+ - Supports dependency tracking and analysis
+
+ - Enables correlation between SBOM components and security findings
+
+ - Provides SBOM visualization and reporting capabilities
+
+
+ The platform offers these SBOM features as part of its broader application security
+ posture management functionality, making it suitable for organizations requiring
+ integrated SBOM handling within their security processes.'
+ Types:
+ - Analyze
+- Abilities:
+ - Generate
+ Languages:
+ - Clojars
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/gh-gomod-generate-sbom
+ Name: gh-gomod-generate-sbom
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'gh-gomod-generate-sbom is a GitHub Action designed to generate Software
+ Bill of Materials (SBOM) in CycloneDX format for Go module-based projects. The
+ tool leverages cyclonedx-gomod for SBOM generation and supports both XML and JSON
+ output formats. It enables automated SBOM creation during GitHub workflows with
+ configurable versioning and command-line arguments.
+
+
+ Key Features:
+
+ - Generates CycloneDX-compliant SBOMs
+
+ - Supports Go modules dependency analysis
+
+ - Configurable cyclonedx-gomod version selection
+
+ - Optional license information inclusion
+
+ - Flexible output format (XML/JSON)
+
+ - Integration with GitHub Actions workflow
+
+ - Support for both direct execution and multi-step workflow usage
+
+
+ The action can be incorporated into existing GitHub workflows for automated SBOM
+ generation as part of continuous integration processes.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Consume
+ Languages:
+ - Generic
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/cyclonedx-bom-repo-server
+ Name: CycloneDX-bom-repo-server
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'The CycloneDX BOM Repository Server is a specialized server application
+ designed for storing, managing, and distributing CycloneDX Software Bill of Materials
+ (SBOM). The tool provides a REST API interface for SBOM management operations
+ and supports various CycloneDX formats and versions.
+ + + Key Features: + + - RESTful API endpoints for SBOM storage, retrieval, and deletion + + - Support for multiple SBOM versions and formats (JSON, XML) + + - Search functionality based on component metadata + + - Configurable storage backends (FileSystem and S3) + + - Built-in version control and retention policies + + - In-memory metadata cache for efficient searching + + - Support for high availability deployments + + - Swagger/OpenAPI documentation + + + The server can be deployed using Docker or traditional web servers, and includes + security controls for method authorization. It is particularly suitable for organizations + requiring a centralized SBOM repository with distributed access capabilities.' + Types: + - Container +- Abilities: + - Generate + - Validate + Languages: + - Cargo + - Npm + - Pypi + - Gem + - Clojars + License: No License + Link: https://github.com/coinbase/salus + Name: salus + Publisher: coinbase + Source: AI-Generated + Standards: [] + Summary: 'Salus (Security Automation as a Lightweight Universal Scanner) is a container-based + security scanning coordinator that includes SBOM generation capabilities through + dependency tracking. The tool analyzes dependency files across multiple languages + including Ruby, Node.js, Python, Go, and Rust, providing detailed reports on library + usage and versions. Salus operates via Docker and can be integrated into CI/CD + pipelines through CircleCI Orb or GitHub Actions. + + + Key SBOM-related features: + + - Multi-language dependency tracking + + - Centralized scanning configuration + + - CVE detection through various package auditing tools + + - Customizable reporting formats + + - Integration with CI/CD workflows + + - Container-based deployment + + + The tool is available under Apache 2.0 license and supports global configuration + management with local override capabilities.' 
+ Types: + - Source + - Build +- Abilities: + - Sign + Languages: + - Generic + License: Apache-2.0 + Link: https://github.com/sigstore/cosign + Name: cosign + Publisher: sigstore + Source: AI-Generated + Standards: [] + Summary: 'Cosign is a container signing, verification, and storage tool developed + as part of the Sigstore project. While its primary focus is on container image + signing, it includes SBOM-related capabilities: + + + Key SBOM Features: + + - Supports attaching and signing Software Bill of Materials (SBOMs) to container + images + + - Can store SBOMs in OCI registries alongside container images + + - Enables verification of SBOM signatures and attestations + + - Works with common SBOM formats like SPDX and CycloneDX + + + Core Functionality: + + - Keyless signing using ephemeral keys and certificates + + - Hardware and KMS signing support + + - Container signing, verification and storage in OCI registries + + - Support for multiple artifact types including containers, blobs, and Tekton + bundles + + - Integration with transparency logs for signature verification + + + The tool allows organizations to integrate SBOM generation and signing into their + software supply chain security practices while leveraging the same infrastructure + used for container image signing and verification. + + + Target Users: + + - DevOps teams managing container deployments + + - Security teams implementing software supply chain security + + - Organizations requiring SBOM generation and verification capabilities + + + The tool is actively maintained as part of the Sigstore project and has production-ready + support for its core signing and verification features.' 
+ Types: + - Runtime +- Abilities: + - Generate + - Convert + Languages: + - Pypi + License: BSD-2-Clause + Link: https://github.com/tern-tools/tern + Name: Tern + Publisher: tern-tools + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'Tern is a software inspection tool designed for container image analysis + and Software Bill of Materials (SBOM) generation. The tool analyzes container + images layer by layer to identify installed packages, their metadata, and dependencies. + + + Key Features: + + - Generates SBOMs for container images in multiple formats including SPDX (tag-value + and JSON), CycloneDX JSON, and custom formats + + - Analyzes Dockerfiles and generates "locked" versions for reproducible builds + + - Supports extension plugins for additional analysis capabilities like license + scanning (via Scancode) and vulnerability scanning (via cve-bin-tool) + + - Provides detailed layer-by-layer analysis of container contents + + - Operates on Docker images using manifest v2 schema 2 + + - Generates reports in various formats including human-readable, JSON, YAML, and + HTML + + + The tool is written in Python 3 and runs natively on Linux systems. It can analyze + both local Docker images and Dockerfiles to provide comprehensive software component + information. Tern is particularly useful for container development, security analysis, + and compliance verification scenarios.' 
+ Types: + - Container +- Abilities: + - Generate + - Convert + Languages: + - Alpine + - Alpm + - Apk + - Autotools + - Bazel + - Bower + - Cargo + - Composer + - Conan + - Cran + - Deb + - Dotnet + - Elixir + - Gem + - Golang + - Hackage + - Haxe + - Maven + - Npm + - Nuget + - Opam + - Osgi + - Pkg + - Pub + - Pypi + - Rpm + - Swift + License: No License + Link: https://github.com/nexB/scancode-toolkit + Name: Scancode-Toolkit + Publisher: nexB + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'ScanCode Toolkit is a command-line tool designed for software composition + analysis with SBOM generation capabilities. It detects licenses, copyrights, package + manifests, and dependencies in both source code and binary files. The tool supports + multiple output formats including CycloneDX and SPDX for SBOM creation. + + + Key Features: + + - Advanced license detection through full text comparison + + - Package manifest parsing for multiple formats including npm, PyPI, Maven + + - Extensive package format support for dependency analysis + + - Multiple output formats (JSON, YAML, HTML, CycloneDX, SPDX) + + - Cross-platform compatibility (Windows, macOS, Linux) + + - Plugin architecture for extensibility + + - Integration capabilities with CI/CD pipelines + + + The tool operates as a standalone application and can be integrated with other + systems through its companion projects ScanCode.io (server) and ScanCode Workbench + (visualization). It is actively maintained and tested, with support for Python + 3.9-3.12.' + Types: + - Source + - Build +- Abilities: + - Generate + Languages: + - Swift + License: No License + Link: https://github.com/mattt/swift-package-sbom + Name: swift-package-sbom + Publisher: mattt + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Swift Package SBOM is a command-line tool for generating CycloneDX-compliant + Software Bill of Materials (SBOM) for Swift packages. 
The tool analyzes Swift + packages and produces detailed component information including library and executable + products, source files with SHA256/384/512 checksums, git commit history, and + dependency relationships. It requires Swift 5.4+ and macOS 10.15+ with libgit2 + installed. The output is provided in JSON format following the CycloneDX specification, + making it suitable for integration into software supply chain security workflows. + + + Key features: + + - Generates CycloneDX-compliant SBOM + + - Maps Swift package components and dependencies + + - Provides cryptographic hashes for source files + + - Includes git commit information + + - Tracks transitive dependency relationships + + + The tool is currently under active development and not yet recommended for production + use.' + Types: + - Source +- Abilities: + - Convert + Languages: + - Pypi + License: No License + Link: https://github.com/veracode/srcclr_sbom_gen + Name: srcclr_sbom_gen + Publisher: veracode + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Tool Name: srcclr_sbom_gen + + + A Python-based conversion utility that transforms Veracode SCA (formerly SourceClear) + scan results into CycloneDX Software Bill of Materials (SBOM) format. The tool + generates SBOM output in JSON format, compatible with the CycloneDX specification. + It can be utilized either as a Python library through direct import or as a command-line + tool. The converter is installed via pip and requires a srcclr scan result file + as input to produce the standardized SBOM output. 
+ + + Key Features: + + - Converts srcclr scan results to CycloneDX SBOM format + + - Supports JSON output format + + - Provides both programmatic and command-line interfaces + + - Simple installation through pip package manager' + Types: + - Source +- Abilities: + - Generate + Languages: + - Conan + - Pypi + License: Apache-2.0 + Link: https://github.com/CycloneDX/cyclonedx-conan + Name: CycloneDX-conan + Publisher: CycloneDX + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'CycloneDX Conan SBOM Generator is a command-line tool designed for generating + Software Bill of Materials (SBOM) in CycloneDX format for C/C++ projects using + Conan package manager. The tool supports Conan v1 and integrates with Conan v2 + through official extensions. + + + Key Features: + + - Generates CycloneDX JSON format SBOMs + + - Creates complete dependency graphs including all project dependencies + + - Supports excluding development dependencies + + - Provides compatibility with standard Conan CLI options + + - Allows configuration of build settings, profiles, and environment variables + + - Offers flexible output options including file output and STDOUT + + - Integrates with Conan remote repositories and lockfiles + + + The tool is available through PyPI and can be installed using standard Python + package managers. It is part of the CycloneDX ecosystem and adheres to the lightweight + BOM specification that emphasizes human-readability and ease of parsing.' + Types: + - Source + - Build +- Abilities: + - Generate + Languages: + - Autotools + License: MIT + Link: https://github.com/conan-io/conan-extensions + Name: conan-extensions + Publisher: conan-io + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'Conan Extensions - SBOM Generation Feature + + + Conan Extensions provides Software Bill of Materials (SBOM) generation capabilities + as part of its custom commands for the Conan package manager. 
The SBOM functionality + is implemented as a dedicated command module, allowing users to create detailed + software component inventories of their Conan-managed dependencies. + + + Key Features: + + - Generates SBOM documentation for Conan packages + + - Integrates with existing Conan package management workflows + + - Available through Conan''s extension system + + - Installable via Conan''s config install mechanism + + + The SBOM command module is part of a larger suite of experimental extensions designed + to enhance Conan''s functionality. Users can install these extensions directly + from the GitHub repository using Conan''s configuration management system. + + + Note: This extension is provided as a reference implementation and may require + customization for production use cases.' + Types: + - Source + - Build +- Abilities: + - Generate + Languages: + - Pypi + License: Apache-2.0 + Link: https://github.com/bridgecrewio/checkov + Name: checkov + Publisher: bridgecrewio + Source: AI-Generated + Standards: [] + Summary: 'Checkov - Security and Compliance Scanner with SBOM Generation + + + Checkov is a comprehensive static code analysis and software composition analysis + (SCA) tool that includes SBOM generation capabilities. The tool generates CycloneDX + format SBOMs for container images and software packages, capturing dependencies + and vulnerability information. Key SBOM-related features include: + + + - Software composition analysis scanning of open source packages and container + images + + - Detection of Common Vulnerabilities and Exposures (CVEs) in dependencies + + - CycloneDX SBOM output format support + + - Container image scanning with Dockerfile correlation + + - Package dependency scanning across multiple ecosystems + + - Integration with Prisma Cloud for enhanced vulnerability data + + + The tool supports scanning infrastructure as code configurations across multiple + platforms and can be run via CLI, CI/CD pipelines, or container deployments. 
SBOM + generation requires an API key for the Prisma Cloud integration to access vulnerability + data. + + + To generate SBOMs, users can utilize the SCA scanning capabilities with the appropriate + framework flag and supply authentication credentials: + + + ``` + + checkov --framework sca_package --bc-api-key --repo-id + + ```' + Types: + - Source + - Build + - Analyze +- Abilities: + - Generate + - Validate + Languages: + - Pypi + License: MIT + Link: https://github.com/ochronasec/ochrona-cli + Name: ochrona-cli + Publisher: ochronasec + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Ochrona is a security-focused dependency analysis tool for Python projects + that includes SBOM generation capabilities. The tool supports CycloneDX as its + SBOM standard, providing both JSON and XML output formats. SBOM generation can + be enabled using the `--sbom` and `--output` arguments. + + + Key SBOM features: + + - CycloneDX format support + + - JSON and XML output options + + - Integration with dependency analysis workflow + + - Supply chain transparency focus + + - License compliance documentation + + + The SBOM functionality helps organizations understand their software supply chain + composition and ensures license compliance by documenting all software components + used in their Python projects. While the tool is no longer under active development, + its SBOM generation capabilities remain functional for existing implementations.' + Types: + - Source + - Build +- Abilities: + - Generate + Languages: + - Pypi + License: Apache-2.0 + Link: https://github.com/trailofbits/pip-audit + Name: pip-audit + Publisher: trailofbits + Source: AI-Generated + Standards: + - CycloneDX + Summary: "pip-audit is a Python package vulnerability scanning tool that includes\ + \ SBOM generation capabilities. 
The tool provides the following key features:\n\ + \nKey Features:\n- Generates Software Bill of Materials (SBOM) in CycloneDX XML\ + \ or JSON formats\n- Scans Python environments and requirements files for known\ + \ vulnerabilities \n- Utilizes multiple vulnerability data sources including PyPI\ + \ and OSV databases\n- Supports automatic fixing of vulnerable dependencies through\ + \ version upgrades\n- Offers multiple output formats including human-readable\ + \ and machine-readable (JSON, Markdown)\n- Integrates with existing pip caches\ + \ and environments\n\nThe tool can be used to audit local Python environments\ + \ as well as requirements files, making it suitable for both development and deployment\ + \ scenarios. The SBOM generation capability allows tracking and documenting software\ + \ components and their relationships, which is valuable for security and compliance\ + \ purposes.\n\nInstallation and usage is straightforward through pip or conda\ + \ package managers. The tool also provides GitHub Actions integration for automated\ + \ vulnerability scanning in CI/CD pipelines." + Types: + - Analyze + - Source +- Abilities: + - Sign + Languages: + - Pypi + License: MIT + Link: https://github.com/jitsuin-inc/archivist-samples + Name: archivist-samples + Publisher: jitsuin-inc + Source: AI-Generated + Standards: + - SPDX + Summary: 'DataTrails Samples - SBOM Generation Tool + + + A Python-based utility that demonstrates the implementation of Software Bill of + Materials (SBOM) generation using the DataTrails SDK. The tool operates as part + of a larger sample collection that showcases various asset management capabilities. 
+ + + Key SBOM Features: + + - Generates SBOM records through the archivist_samples_software_bill_of_materials + command + + - Integrates with DataTrails'' asset tracking system + + - Supports authentication and namespace isolation + + - Provides detailed event tracking and asset management capabilities + + + The tool requires Python 3.8 or later and operates within the DataTrails ecosystem, + utilizing environment-based configuration for deployment flexibility. Installation + is handled through standard Python package management (pip). + + + Technical Requirements: + + - DataTrails endpoint configuration + + - Authentication token + + - Namespace specification for asset isolation + + - Partner ID for organizational context + + + The SBOM functionality is accessible via command-line interface and can be integrated + into existing software supply chain management workflows.' + Types: + - Source +- Abilities: + - Generate + - Edit + - Convert + Languages: + - Composer + License: GPL-2.0 + Link: https://github.com/sepbit/wpbom + Name: wpbom + Publisher: sepbit + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'WpBom is a WordPress plugin that generates Software Bill of Materials + (SBOM) in CycloneDX format and integrates with OWASP Dependency Track. The tool + is designed for WordPress installations version 6.0 and above, requiring PHP 8.2 + or higher. 
+ + + Key Features: + + - Generates CycloneDX-compliant SBOM for WordPress installations + + - Supports automatic and manual BOM submission to OWASP Dependency Track + + - Enables BOM download in JSON format + + - Provides filter hooks for customizing component information + + - Allows addition and removal of components through WordPress filter API + + - Supports CPE (Common Platform Enumeration) integration + + + The plugin facilitates software composition analysis and vulnerability tracking + through its integration with Dependency Track, making it suitable for organizations + requiring continuous monitoring of their WordPress installation''s component security.' + Types: + - Source + - Build +- Abilities: + - Generate + Languages: + - Generic + License: No License + Link: https://github.com/spack/spack-sbom + Name: spack-sbom + Publisher: spack + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Spack SBOM Generator + + + The Spack SBOM Generator is a Python-based tool that creates Software Bill of + Materials (SBOM) in CycloneDX format for packages managed by the Spack package + manager. The tool generates detailed component metadata including package specifications, + build information, and dependency relationships. + + + Key Features: + + - Generates CycloneDX-compliant SBOM documents (version 1.3) + + - Includes package metadata such as version, architecture, and variants + + - Captures build specifications and hash information + + - Documents licensing information + + - Provides external references to package sources + + - Outputs JSON-formatted SBOM data + + + The tool integrates with existing Spack installations and can be executed using + the Spack Python interpreter to generate SBOMs for any installed or available + Spack package. Output includes comprehensive package metadata, making it suitable + for software supply chain documentation and compliance requirements.' 
+ Types: + - Source + - Build +- Abilities: + - Convert + Languages: + - Cargo + - Maven + License: Apache-2.0 + Link: https://github.com/jfrog/build-info-go + Name: build-info-go + Publisher: jfrog + Source: AI-Generated + Standards: + - CycloneDX + Summary: "Build Info Go is a Go library and CLI tool for generating build information\ + \ (build-info) and Software Bill of Materials (SBOM) for source code projects.\ + \ The tool supports multiple package manager ecosystems including Go, Maven, Gradle,\ + \ npm, Yarn, pip, pipenv, twine, .NET, and NuGet. \n\nKey SBOM-related features:\n\ + - Generates detailed dependency information including package IDs, versions, and\ + \ checksums\n- Records dependency relationships and dependency paths\n- Supports\ + \ conversion to CycloneDX format in XML or JSON\n- Provides both CLI interface\ + \ and Go API for integration\n- Includes module-specific dependency calculation\ + \ for different package managers\n- Stores build metadata like timestamps and\ + \ environment variables\n- Caches build information locally for multi-process\ + \ usage\n\nThe tool outputs standardized build-info JSON that can be used to create\ + \ SBOMs and track software supply chain details. It allows generating dependency\ + \ trees and collecting metadata needed for supply chain security and compliance\ + \ purposes." + Types: + - Build +- Abilities: + - Validate + - Generate + Languages: + - Clojars + License: Apache-2.0 + Link: https://github.com/kyverno/kyverno + Name: kyverno + Publisher: kyverno + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Kyverno SBOM Generation and Management + + + Kyverno is a cloud-native policy engine that includes built-in Software Bill of + Materials (SBOM) capabilities. The tool generates SBOMs in CycloneDX JSON format + for all Kyverno images. These SBOMs are stored in a dedicated repository at ghcr.io/kyverno/sbom, + ensuring transparency and accessibility of software component information. 
+ + + Key SBOM Features: + + - Automated SBOM generation for all Kyverno container images + + - CycloneDX JSON format compliance + + - Centralized SBOM storage and retrieval system + + - Integration with container image security verification + + - Support for software supply chain security controls + + + The tool enables organizations to maintain comprehensive software component inventories + while integrating with existing Kubernetes workflows and policy management processes. + SBOMs can be retrieved and analyzed as part of security and compliance processes.' + Types: + - Container +- Abilities: + - Generate + Languages: + - Maven + License: Apache-2.0 + Link: https://github.com/Contrast-Security-OSS/jbom + Name: jbom + Publisher: Contrast-Security-OSS + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'jbom is a tool designed to generate Software Bill of Materials (SBOM) + for Java applications through runtime analysis and static inspection. The tool + produces CycloneDX SBOM in JSON format and supports both running applications/APIs + and binary analysis. Its primary feature is the ability to generate Runtime SBOMs, + which capture the exact libraries used by applications during execution, including + platform, appserver, and plugin dependencies. + + + Key capabilities include: + + - Runtime and static SBOM generation for local and remote Java applications + + - Analysis of nested jar, war, ear, and zip files + + - Support for shaded and relocated JARs + + - No source code requirement + + - Remote system scanning support + + - Batch processing of directory contents + + - Exclusion of test libraries not present at runtime + + + The tool differentiates itself through its runtime analysis approach, providing + more accurate dependency identification compared to traditional static analysis + methods. Output is provided in standard CycloneDX format, ensuring compatibility + with existing SBOM toolchains and processes.' 
+ Types: + - Source + - Runtime +- Abilities: + - Validate + Languages: + - Gem + - Alpm + - Autotools + - Clojars + - Generic + License: Apache-2.0 + Link: https://github.com/Checkmarx/kics + Name: kics + Publisher: Checkmarx + Source: AI-Generated + Standards: [] + Summary: 'KICS (Keeping Infrastructure as Code Secure) is an open-source static + analysis tool focused on validating security and compliance in Infrastructure + as Code (IaC) files. The tool can generate CycloneDX SBOM documents for IaC resources, + providing visibility into dependencies and components. + + + Key SBOM Features: + + - Supports generating CycloneDX SBOM format + + - Lists IaC resources and their relationships + + - Identifies dependencies across IaC files + + - Provides component metadata and version information + + - Integrates with CI/CD pipelines + + + Supported IaC Technologies: + + - Terraform/OpenTofu + + - Kubernetes + + - Docker/Compose + + - CloudFormation + + - Ansible + + - Helm + + - Azure ARM/Bicep + + - CDK + + - Others (20+ platforms) + + + The tool focuses on early detection of security vulnerabilities, compliance issues + and infrastructure misconfigurations in IaC definitions. It offers extensive customization + options through adjustable rules and can be integrated into development workflows.' + Types: + - Source + - Analyze +- Abilities: + - Convert + - Generate + Languages: + - Deb + - Pypi + License: BSD-3-Clause + Link: https://github.com/elear/apt2sbom + Name: apt2sbom + Publisher: elear + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: "apt2sbom - SBOM Generator for Ubuntu Systems\n\nA command-line tool and\ + \ library for generating Software Bill of Materials (SBOM) from Ubuntu package\ + \ inventories. The tool converts installed Ubuntu packages into standardized SBOM\ + \ formats including SPDX (JSON/YAML) and CycloneDX (JSON). 
\n\nKey Features:\n\ + - Generates SBOM from installed Ubuntu packages\n- Optional inclusion of Python\ + \ packages (pip)\n- Supports multiple SBOM formats: SPDX (JSON/YAML) and CycloneDX\ + \ (JSON)\n- Web service capability through Werkzeug interface\n- Configurable\ + \ authentication for web service\n- Pre-generation capability for improved performance\n\ + \nThe tool is specifically designed for Ubuntu systems and provides both CLI and\ + \ HTTP delivery options. Configuration options allow customization of authentication,\ + \ pip package inclusion, and pre-generated SBOM usage.\n\nLimitations:\n- Ubuntu-specific\ + \ implementation\n- Early development stage\n- Basic authentication mechanism" + Types: + - Deployment +- Abilities: + - Consume + - Convert + Languages: + - Generic + License: MIT + Link: https://github.com/relizaio/rebom + Name: rebom + Publisher: relizaio + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Rebom is a tool for managing Software Bills of Materials (SBOMs) that + supports the CycloneDX JSON standard. The tool provides a web interface for SBOM + visualization and management, with deployment options via Docker-compose or Kubernetes + using Helm charts. + + + Key Features: + + - CycloneDX JSON format support + + - Command-line interface for SBOM uploads via Reliza CLI + + - Web-based SBOM visualization + + - OCI repository integration + + - PostgreSQL backend for SBOM storage + + - Available as Docker containers and Helm charts + + - Public demo instance available + + + The solution consists of a Vue.js frontend and an Express.js/Apollo GraphQL backend, + designed for easy deployment and integration into existing workflows. Rebom is + listed in the CycloneDX Tool Center and supports enterprise use cases through + containerized deployment options.' 
+ Types: + - Build +- Abilities: + - Consume + - Generate + Languages: + - Cargo + - Elixir + - Generic + - Npm + - Pypi + - Gem + - Haxe + - Swift + License: GPL-3.0 + Link: https://github.com/intel/cve-bin-tool + Name: cve-bin-tool + Publisher: intel + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'The CVE Binary Tool is a security scanning utility designed to identify + known vulnerabilities in software components and generate Software Bill of Materials + (SBOM). Key features include: + + + - Binary scanning to detect software components and versions through signature + matching + + - Support for multiple SBOM formats including SPDX, CycloneDX, and SWID + + - Integration with vulnerability databases including NVD, Redhat, OSV, GAD and + Curl + + - Language-specific package scanning for Python, Java, JavaScript and others + + - VEX (Vulnerability Exploitability eXchange) document generation and consumption + + - Multiple output formats including CSV, JSON, HTML and PDF + + - Ability to run offline with local vulnerability database + + - Support for archive extraction and scanning including ZIP, TAR, DEB, RPM + + - Triaging capabilities to handle false positives and document risk decisions + + - Integration with CI/CD through GitHub Actions + + + The tool performs vulnerability scanning by: + + 1. Downloading vulnerability data from multiple sources + + 2. Creating/reading component lists through binary scanning or SBOM parsing + + 3. Matching components against known vulnerabilities + + 4. Generating reports in various formats + + + The tool currently supports over 375 binary checkers for detecting common open + source components. While comprehensive, it does not guarantee finding all vulnerabilities + and requires regular database updates for new vulnerability detection.' 
+ Types: + - Analyze + - Container +- Abilities: + - Generate + Languages: + - Generic + - Autotools + License: Apache-2.0 + Link: https://github.com/jetstack/jetstack-secure + Name: jetstack-secure + Publisher: jetstack + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Jetstack Secure Agent SBOM Features Summary: + + + The Jetstack Secure Agent provides integrated Software Bill of Materials (SBOM) + capabilities as part of its container image security features. The tool generates + CycloneDX format SBOMs that are cryptographically signed using cosign and attached + to the released container images. This functionality is complemented by SLSA provenance + attestation support. + + + Key SBOM Features: + + - CycloneDX SBOM generation + + - Cryptographic signing of SBOMs using cosign + + - SBOM attachment to container images + + - Integration with SLSA provenance attestation + + - Verification capabilities for SBOM signatures and attachments + + + The SBOM functionality is available for all released container images across the + various deployment tiers and can be verified using standard cosign tooling following + the provided verification documentation.' + Types: + - Container +- Abilities: + - Generate + Languages: + - Elixir + License: Apache-2.0 + Link: https://github.com/google/ko + Name: ko + Publisher: google + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Ko - Go Container Image Builder with SBOM Generation + + + Ko is a container image builder specifically designed for Go applications that + generates Software Bill of Materials (SBOM) by default. The tool executes Go builds + locally without requiring Docker installation, making it suitable for CI/CD pipelines. + Ko automatically generates SBOMs in SPDX format during the build process, providing + transparency about the software components and dependencies included in the container + image. 
The tool supports multi-platform builds and includes YAML templating features + for Kubernetes applications. Ko''s SBOM generation capability helps organizations + maintain compliance and security requirements by documenting the components used + in their container images. + + + Key SBOM Features: + + - Default SPDX format SBOM generation + + - Automated component documentation + + - Dependency tracking for Go applications + + - Integration with container image build process' + Types: + - Build +- Abilities: + - Convert + Languages: + - Haxe + License: Apache-2.0 + Link: https://github.com/goneall/spdxcyclone + Name: spdxcyclone + Publisher: goneall + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: "CDX2SPDX is a conversion utility that transforms Software Bill of Materials\ + \ (SBOM) documents from CycloneDX format to SPDX format. The tool supports both\ + \ JSON and XML input formats from CycloneDX and can output to various SPDX formats\ + \ including JSON, tag/value, XLSX, XML, RDF/XML, and YAML. \n\nKey Features:\n\ + - Command-line interface for direct file conversion\n- Docker container support\ + \ for containerized execution\n- Comprehensive mapping of CycloneDX properties\ + \ to SPDX equivalents\n- Handling of non-mappable properties through annotations\n\ + - Intelligent conversion of CycloneDX Components to SPDX Packages or Files based\ + \ on property analysis\n\nThe tool is currently in prototype stage and implements\ + \ mappings according to documented specifications between the two SBOM standards.\ + \ Non-mappable CycloneDX properties are preserved in the SPDX output through a\ + \ structured annotation system." 
+ Types: + - Analyze +- Abilities: + - Generate + Languages: + - Alpine + - Apk + - Dart + - Deb + - Gem + - Golang + - Npm + - Nuget + - Pkg + - Pypi + - Rpm + License: Apache-2.0 + Link: https://github.com/aquasecurity/trivy + Name: Trivy + Publisher: Aquasecurity + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'Trivy is a comprehensive security scanner that includes SBOM generation + capabilities among its core features. The tool can generate Software Bill of Materials + (SBOM) for container images, filesystems, Git repositories, virtual machine images, + and Kubernetes environments. It detects OS packages and software dependencies + across most popular programming languages, operating systems, and platforms. + + + Key SBOM-related features: + + - Supports multiple scanning targets including containers and filesystems + + - Generates detailed dependency information for OS packages and software components + + - Integrates with CI/CD platforms through GitHub Actions + + - Available as CLI tool, Docker container, and Kubernetes operator + + - Provides machine-readable output formats suitable for further processing + + + The tool is available through common distribution channels including package managers, + container registries, and direct binary downloads. It can be integrated into existing + workflows through various plugins and extensions.' + Types: + - Analyze + - Container +- Abilities: + - Consume + Languages: + - Autotools + License: Apache-2.0 + Link: https://github.com/uselagoon/insights-handler + Name: insights-handler + Publisher: uselagoon + Source: AI-Generated + Standards: + - SPDX + Summary: 'Lagoon Insights Handler is a service tool focused on processing and managing + Software Bill of Materials (SBOM) data within the Lagoon ecosystem. The tool processes + SBOMs generated by Trivy during project builds and integrates with the Lagoon + API for vulnerability tracking. 
+ + + Key SBOM Features: + + - Processes SBOM data generated during build deployments + + - Supports vulnerability scanning through Trivy integration + + - Implements configurable data filtering and transformation + + - Stores SBOM data in S3-compatible storage + + - Provides GraphQL API integration for data access + + + The tool offers customizable processing of SBOM data through YAML-based filter-transformers, + allowing organizations to modify package information before storage. It operates + as part of the larger Lagoon platform, receiving data through RabbitMQ messaging + and supporting local development environments.' + Types: + - Design + - Build + - Analyze +- Abilities: + - Consume + Languages: + - Pypi + License: MIT + Link: https://github.com/Andrii-Grytsenko-OWASP/SnykVulnCheck + Name: SnykVulnCheck + Publisher: Andrii-Grytsenko-OWASP + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'Snyk Vulnerability Checking Tool (SnykVulnCheck) is a security analysis + tool designed to scan Software Bill of Materials (SBOM) for known vulnerabilities. + The tool processes SBOM files in JSON format and queries the Snyk Vulnerability + Database through its public API (security.snyk.io/api) to identify potential security + risks in software components. + + + Key Features: + + - Processes CycloneDX SBOM files in JSON format + + - Integrates with Snyk''s public vulnerability database + + - Generates vulnerability reports in JSON format + + - Supports both Docker containerized and standalone Python implementations + + - Cross-platform compatibility (Windows, Linux) + + + The tool accepts an input SBOM file and produces a detailed vulnerability report, + making it suitable for integration into security analysis pipelines and continuous + integration workflows. Configuration options allow customization of input/output + directories and processing parameters.' 
+ Types: + - Analyze +- Abilities: + - Generate + Languages: + - Alpine + - Apk + License: Apache-2.0 + Link: https://github.com/chainguard-dev/apko + Name: apko + Publisher: chainguard-dev + Source: AI-Generated + Standards: + - SPDX + Summary: 'Apko - APK-based OCI Image Builder + + + Apko is a tool for creating reproducible OCI container images using APK packages. + The tool focuses on generating minimal, secure container images with integrated + Software Bill of Materials (SBOM) generation. Each image build automatically produces + a detailed SBOM that lists all included packages, enabling transparent dependency + tracking and security analysis. The SBOM support is a core feature, making Apko + particularly suitable for environments where software component documentation + is critical. The tool''s declarative configuration approach ensures consistent + and reproducible builds while maintaining comprehensive package documentation + through its SBOM generation capabilities. + + + Key SBOM-related features: + + - Automated SBOM generation for every build + + - Complete package dependency documentation + + - Integration with standard SBOM formats + + - Reproducible builds supporting SBOM verification + + + These capabilities make Apko a valuable tool for organizations requiring thorough + software component documentation and tracking in their container infrastructure.' + Types: + - Build + - Container +- Abilities: + - Consume + Languages: + - Autotools + - Bower + - Cargo + - Composer + - Deb + - Dotnet + - Elixir + - Gem + - Golang + - Npm + - Pypi + - Rpm + License: Apache-2.0 + Link: https://github.com/google/osv + Name: osv + Publisher: google + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'OSV Scanner is a vulnerability scanning tool developed by Google that + supports SBOM ingestion and analysis. 
The tool processes Software Bill of Materials + (SBOM) in SPDX and CycloneDB formats to identify known vulnerabilities through + the OSV database API. Besides SBOM scanning capabilities, OSV Scanner can analyze + various lockfiles, Debian docker containers, and git repositories. The tool is + implemented in Go and operates as a command-line utility, making it suitable for + integration into automated security workflows. OSV Scanner leverages the comprehensive + OSV vulnerability database to provide accurate vulnerability detection across + multiple package ecosystems. + + + Key SBOM Features: + + - SPDX format support + + - CycloneDB format support + + - Integration with OSV vulnerability database + + - Command-line interface + + - Cross-ecosystem vulnerability detection' + Types: + - Analyze +- Abilities: + - Generate + - Consume + Languages: + - Generic + License: Apache-2.0 + Link: https://github.com/docker/docker-sbom-cli-plugin + Name: docker-sbom-cli-plugin + Publisher: docker + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'Summary: + + + The Docker SBOM CLI Plugin is a utility that extends Docker''s command-line interface + to generate and view Software Bill of Materials (SBOM) for Docker images. Built + on Syft''s scanning capabilities, this plugin integrates directly with the Docker + CLI, allowing users to analyze container images and produce detailed software + component inventories. The tool generates SBOMs in standard formats, providing + visibility into the dependencies and components present within Docker container + images. Installation is streamlined through a simple shell script, making it accessible + for immediate integration into existing Docker workflows. 
+ + + Features: + + - Direct integration with Docker CLI + + - Syft-powered SBOM generation + + - Container image analysis + + - Simple installation process + + - Native Docker command syntax' + Types: + - Container +- Abilities: + - Generate + Languages: + - Apk + - Composer + - Dart + - Deb + - Dotnet + - Elixir + - Gem + - Golang + - Npm + - Pypi + - Rpm + License: Apache-2.0 + Link: https://github.com/deepfence/ThreatMapper + Name: ThreatMapper + Publisher: deepfence + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'ThreatMapper is a runtime threat management and attack path enumeration + tool designed for cloud-native environments. The tool generates Software Bill + of Materials (SBOM) through its agent-based inspection capabilities. As part of + its core functionality, ThreatMapper''s sensors report discovered services and + generate manifests of software dependencies, which form the basis for SBOM creation. + The tool supports multiple deployment platforms including Kubernetes, Docker, + AWS ECS, AWS Fargate, and bare-metal or virtual machines. SBOM generation is integrated + into the broader security monitoring features, allowing organizations to maintain + an up-to-date inventory of software components while identifying vulnerable dependencies + in production environments. 
+ + + Key SBOM Features: + + - Agent-based dependency discovery + + - Runtime software component monitoring + + - Multi-platform support + + - Integration with vulnerability scanning + + - Continuous SBOM updates in production + + - Component risk assessment' + Types: + - Runtime + - Container +- Abilities: + - Generate + Languages: + - Cargo + - Generic + - Haxe + - Npm + License: Apache-2.0 + Link: https://github.com/cisco-open/kubei + Name: kubei + Publisher: cisco-open + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: "OpenClarity - VM Security and SBOM Analysis Tool\n\nOpenClarity is an\ + \ open-source tool for agentless Software Bill of Materials (SBOM) generation\ + \ and security threat detection for virtual machines. The tool supports SBOM generation\ + \ through multiple scanning engines including Syft, Trivy, Windows Registry scanning,\ + \ and Cyclonedx-gomod. \n\nKey SBOM Features:\n- Agentless SBOM generation for\ + \ virtual machines\n- Multiple scanner integration for comprehensive package detection\n\ + - Support for various filesystem types including Ext2/3/4, XFS, and NTFS\n- Asset\ + \ discovery across multiple cloud providers (AWS, Azure, GCP) and container environments\n\ + - Normalized and merged results from different scanning tools\n- Available as\ + \ CLI tool, complete stack solution, or Go module\n\nThe tool provides a unified\ + \ interface for SBOM generation and security analysis, making it suitable for\ + \ enterprise environments requiring comprehensive software inventory management.\ + \ Results can be visualized through an integrated dashboard when deployed as a\ + \ complete stack solution." 
+ Types: + - Build + - Analyze + - Deployment +- Abilities: + - Generate + Languages: + - Maven + License: MIT + Link: https://github.com/javixeneize/yasca + Name: yasca + Publisher: javixeneize + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Zasca is a Python-based Software Composition Analysis (SCA) tool designed + for analyzing Java Maven projects. The tool generates CycloneDX Software Bill + of Materials (SBOM) in JSON format and performs vulnerability scanning using GitHub + Advisories. + + + Key Features: + + - CycloneDX SBOM generation + + - Vulnerability scanning through GitHub Advisories integration + + - Configurable quality gates for vulnerability severity thresholds + + - Vulnerability suppression capabilities + + - HTML report generation + + - Available as CLI tool, Docker container, and GitHub Action + + + The tool requires a GitHub token for advisory queries and supports both production + and development dependencies analysis. While currently limited to Maven projects, + future development plans include support for Gradle and NodeJS ecosystems. + + + Installation is available through pip package manager or as a Docker image. The + SBOM generation feature is enabled by default and can be configured through command + line parameters or GitHub Action inputs.' + Types: + - Source + - Build +- Abilities: + - Consume + Languages: + - Generic + License: NOASSERTION + Link: https://github.com/fortify-ps/fortify-ssc-parser-cyclonedx + Name: fortify-ssc-parser-cyclonedx + Publisher: fortify-ps + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Tool: Fortify SSC Parser Plugin for CycloneDX + + + This parser plugin enables the import of CycloneDX-formatted Software Bill of + Materials (SBOM) files into Fortify Software Security Center (SSC). Available + in two versions, the plugin supports either basic SSC integration or enhanced + functionality for SSC 22.2 and above with additional Open Source page display + capabilities. 
The tool processes CycloneDX SBOM data, including vulnerability + information, and integrates it into SSC''s security assessment workflow. Key features + include vulnerability data import, issue tracking, and compatibility with the + CycloneDX specification. Notable limitations include dependency on input data + quality and inability to merge CycloneDX results from multiple tools within a + single SSC application version. The plugin serves as a generic solution for organizations + requiring CycloneDX SBOM integration with their Fortify SSC deployment.' + Types: + - Source +- Abilities: + - Consume + Languages: + - Generic + License: Apache-2.0 + Link: https://github.com/evryfs/sbom-dependency-submission-action + Name: sbom-dependency-submission-action + Publisher: evryfs + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'The sbom-dependency-submission-action is a GitHub Action that facilitates + the submission of Software Bill of Materials (SBOM) to GitHub''s dependency submission + API. The tool processes CycloneDX-formatted SBOMs and integrates them with GitHub''s + dependency graph using the official GitHub Dependency Submission Toolkit. This + integration enables automatic vulnerability scanning and dependency tracking within + GitHub''s security features. The action is designed to work within GitHub Actions + workflows and supports automated SBOM submission as part of continuous integration + pipelines. 
+ + + Core Features: + + - Processes CycloneDX SBOM format + + - Integrates with GitHub''s dependency submission API + + - Supports automated submission in CI/CD workflows + + - Enables dependency tracking and vulnerability scanning + + - Compatible with GitHub''s dependency graph' + Types: + - Build +- Abilities: + - Consume + Languages: + - Pypi + License: Apache-2.0 + Link: https://github.com/madpah/vexy + Name: vexy + Publisher: madpah + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Vexy is a Python-based tool designed to generate VEX (Vulnerability Exploitability + Exchange) documents in CycloneDX format from existing Software Bill of Materials + (SBOM). The tool accepts CycloneDX SBOM files as input and produces separate VEX + documents containing known vulnerabilities from publicly available data sources. + Leveraging CycloneDX''s BOM Link capability, Vexy enables periodic VEX generation + to maintain up-to-date vulnerability information without requiring complete SBOM + regeneration. The tool supports both XML and JSON output formats, adhering to + CycloneDX schema version 1.4. It can be installed via PyPI package manager and + is available as a Docker container. The tool is released under the Apache 2.0 + license and supports all actively maintained Python versions. 
+ + + Key Features: + + - Generates VEX documents from CycloneDX SBOMs + + - Supports XML and JSON output formats + + - Integrates with public vulnerability data sources + + - Implements CycloneDX BOM Link capability + + - Provides command-line interface + + - Offers file-based and STDIN/STDOUT operations' + Types: + - Analyze +- Abilities: + - Generate + Languages: + - Golang + License: Apache-2.0 + Link: https://github.com/SAP/jenkins-library + Name: jenkins-library + Publisher: SAP + Source: AI-Generated + Standards: [] + Summary: 'Project Piper SBOM Generation Tool Summary: + + + Project Piper is a CI/CD pipeline tool that includes SBOM (Software Bill of Materials) + generation capabilities as part of its build and deployment processes. The tool + integrates with SAP systems and provides a shared library of steps for customizable + pipeline creation. While the project is no longer accepting contributions, it + remains available for use. + + + Key SBOM Features: + + - Integration with SAP systems for comprehensive dependency tracking + + - Pipeline-based SBOM generation during build processes + + - Customizable SBOM generation steps through shared library functions + + - Support for standard CI/CD workflows with built-in SBOM capabilities + + + The tool is documented through the Project Piper pages and includes community + support through a Google group forum.' 
+ Types: + - Build +- Abilities: + - Generate + - Convert + Languages: + - Cargo + - Deb + - Dotnet + - Elixir + - Gem + - Generic + - Maven + - Npm + - Pypi + License: MIT + Link: https://github.com/Quobis/action-owasp-dependecy-track-check + Name: action-owasp-dependecy-track-check + Publisher: Quobis + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'SBOM Generation and Vulnerability Analysis with OWASP Dependency Track + + + The action-owasp-dependency-track-check is a GitHub Action that generates Software + Bill of Materials (SBOM) and performs vulnerability analysis through integration + with OWASP Dependency Track. The tool supports multiple programming languages + including Node.js, Python, Golang, Ruby, Java (Maven), .NET, and PHP Composer. + + + Key Features: + + - Generates CycloneDX v1.2 format SBOM + + - Automatic upload to OWASP Dependency Track + + - Vulnerability assessment and risk score calculation + + - License compliance checking + + - Support for custom vulnerability check sources + + - Version tracking with repository name and branch/tag information + + + The action requires an OWASP Dependency Track instance and API key for operation. + It provides risk score output that can be utilized in CI/CD pipelines for security + governance. Compatible with OWASP Dependency Track v4.0.0 and higher. + + + Technical Requirements: + + - OWASP Dependency Track server + + - API access key + + - Language-specific dependency files (e.g., requirements.txt, pom.xml) + + - GitHub Actions workflow configuration' + Types: + - Build +- Abilities: + - Consume + Languages: + - Maven + - Npm + License: Apache-2.0 + Link: https://github.com/medavis-gmbh/LicenseComplianceTool + Name: LicenseComplianceTool + Publisher: medavis-gmbh + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'The License Compliance Tool is a utility designed to manage software license + compliance through SBOM processing and license documentation generation. 
It accepts + CycloneDX format SBOMs and can process them through either a Jenkins plugin or + a CLI interface. + + + Key SBOM-related features: + + - Processes CycloneDX format SBOMs from various build tools (Maven, NPM) + + - Generates component manifests with license information + + - Supports metadata enrichment through JSON configuration files + + - Downloads and manages license files automatically + + - Allows license mapping and normalization + + - Enables custom manifest templates through FreeMarker + + + The tool facilitates license compliance by automating the collection and documentation + of component licenses, attribution notices, and source code locations from SBOM + data. It can be integrated into CI/CD pipelines through Jenkins or used standalone + via CLI.' + Types: + - Design + - Source +- Abilities: + - Compare + - Consume + Languages: + - Generic + License: MIT + Link: https://github.com/thepwagner/sbom-action + Name: sbom-action + Publisher: thepwagner + Source: AI-Generated + Standards: + - SPDX + Summary: "SBOM Action is a GitHub Action designed for Software Bill of Materials\ + \ (SBOM) analysis of container images. The tool performs differential analysis\ + \ between SBOMs, comparing a base image SBOM with a locally generated one. \n\n\ + Key Features:\n- Automated SBOM comparison for container images\n- Pull request\ + \ comments highlighting package and vulnerability differences\n- Automated pull\ + \ request creation for detected package changes\n- Integration with GitHub Container\ + \ Registry\n- Compatible with external SBOM generation tools like Trivy\n\nThe\ + \ action operates in two modes: pull request analysis and scheduled comparison.\ + \ In pull request mode, it posts comparison results as comments. 
In scheduled\ + \ mode, it automatically creates pull requests when differences are detected.\ + \ The tool is particularly useful for maintaining security visibility and tracking\ + \ dependency changes in containerized applications." + Types: + - Container +- Abilities: + - Consume + Languages: + - Pypi + License: No License + Link: https://github.com/nyph-infosec/daggerboard + Name: daggerboard + Publisher: nyph-infosec + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'DaggerBoard - SBOM Vulnerability Scanner + + + DaggerBoard is a software tool designed for processing and analyzing Software + Bill of Materials (SBOM) files in CycloneDX and SPDX formats. The tool performs + vulnerability assessments on software dependencies and presents analysis results + through a web-based dashboard interface. + + + Key SBOM Related Features: + + - Import and processing of SPDX and CycloneDX SBOM formats + + - Automated vulnerability scanning of SBOM components + + - CPE correlation and mapping to known vulnerabilities + + - Integration with National Vulnerability Database (NVD) + + - Vendor scorecard generation based on SBOM analysis + + - Risk assessment grading system for evaluated SBOMs + + + The tool is implemented as a Django web application with a REST API interface. + It supports both local and LDAP authentication and includes an administrative + interface for system configuration and user management. DaggerBoard processes + SBOM data through an automated pipeline that correlates component information + with vulnerability databases and generates comprehensive security assessments. 
+ + + Technology Requirements: + + - Python 3.10 + + - Ubuntu 22.04 (recommended) + + - 20 GB disk space + + - RabbitMQ message broker + + + License: MIT' + Types: + - Analyze +- Abilities: + - Generate + Languages: + - Composer + - Dotnet + - Npm + - Maven + License: Apache-2.0 + Link: https://github.com/mattermost/gobom + Name: gobom + Publisher: mattermost + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Gobom is a command-line tool for generating Software Bill of Materials + (SBOM) in CycloneDX format. The tool provides integration with Dependency-Track + for vulnerability analysis and supports multiple dependency ecosystems including + Go modules, npm, CocoaPods, and Gradle. + + + Key Features: + + - Generates CycloneDX-compatible SBOMs + + - Recursive dependency scanning across multiple ecosystems + + - Package URL (PURL) generation for all components + + - Dependency-Track integration for upload and analysis + + - Extensible architecture for custom generators + + - Component path tracing for transitive dependencies + + + The tool focuses on dependency enumeration rather than vulnerability analysis, + producing component listings compatible with Dependency-Track''s analysis capabilities. + Gobom''s modular design allows for custom generator implementation without modifying + the core codebase. The tool is particularly suited for projects utilizing multiple + technology stacks, as it can generate consolidated SBOM output including dependencies + from various ecosystems in a single scan.' 
+ Types: + - Design + - Source + - Build +- Abilities: + - Generate + Languages: + - Pypi + License: MIT + Link: https://github.com/flexera-public/sca-codeinsight-reports-cyclonedx + Name: sca-codeinsight-reports-cyclonedx + Publisher: flexera-public + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'CycloneDX SBOM Report for Code Insight is a custom report generator that + creates CycloneDX-formatted Software Bill of Materials (SBOM) for projects within + Revenera''s Code Insight platform. The tool integrates directly with Code Insight''s + reporting framework and supports hierarchical project structures. + + + Key Features: + + - Generates CycloneDX-compliant SBOM reports + + - Supports project hierarchy with optional child project inclusion + + - Utilizes custom fields for application name, version, and publisher + + - Produces both viewable XML and downloadable ZIP artifacts + + - Requires Code Insight 2021R4 or later + + - Integrates via REST API with Code Insight platform + + - Includes automated registration process + + + The tool is implemented in Python and requires minimal configuration through a + server properties file. It provides standardized SBOM output suitable for software + composition analysis and compliance documentation.' + Types: + - Design +- Abilities: + - Generate + Languages: + - Generic + License: NOASSERTION + Link: https://github.com/bgnetworks/meta-dependencytrack + Name: meta-dependencytrack + Publisher: bgnetworks + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Meta-DependencyTrack is a Yocto meta-layer that integrates Software Bill + of Materials (SBOM) generation into the Yocto build process. The tool generates + CycloneDX-format SBOMs from the root filesystem and automatically uploads them + to a Dependency-Track server for vulnerability analysis and component tracking. 
+ + + Key Features: + + - Automatic SBOM generation during Yocto builds + + - CycloneDX format support + + - Direct integration with Dependency-Track + + - Project-specific SBOM management + + - Configurable API endpoints and authentication + + - Build-time SBOM artifact storage + + + The tool requires minimal configuration through Yocto''s local.conf file, including + project ID, API URL, and authentication key. Generated SBOMs are stored in the + Yocto deploy directory and can be accessed through the Dependency-Track interface + for further analysis and management.' + Types: + - Build +- Abilities: + - Consume + Languages: + - Cargo + - Maven + - Npm + License: Apache-2.0 + Link: https://github.com/jetstack/tally + Name: tally + Publisher: jetstack + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Tally is a command-line tool designed to analyze Software Bill of Materials + (SBOM) files by retrieving and generating OpenSSF Scorecard scores for the included + packages. The tool supports CycloneDX (JSON/XML) and Syft JSON SBOM formats. + + + Key features: + + - Queries the public Scorecard API for repository security scores + + - On-demand score generation for repositories not available in public API + + - Local caching of scorecard results for improved performance + + - Configurable score thresholds for CI/CD integration + + - Multiple output formats including JSON for automation + + - Package repository mapping and score correlation + + + The tool facilitates security assessment of software dependencies by providing + visibility into the security practices of upstream repositories through their + OpenSSF Scorecard scores. It can be integrated into existing workflows through + direct SBOM file processing or pipeline integration through standard input.' 
+ Types: + - Analyze +- Abilities: + - Generate + Languages: + - Apk + - Pypi + - Rpm + License: GPL-3.0 + Link: https://github.com/e-m-b-a/emba + Name: emba + Publisher: e-m-b-a + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'EMBA (Embedded Linux Analyzer) is a comprehensive firmware analysis tool + that includes SBOM generation capabilities. The tool generates Software Bill of + Materials (SBOM) as part of its firmware analysis process using a dedicated SBOM + scan profile. EMBA can identify and catalog software components, their versions, + and dependencies within firmware images of embedded devices. + + + Key SBOM Features: + + - Automated component identification and version detection + + - Support for multiple SBOM formats + + - Integration with the broader firmware security analysis workflow + + - Web-based reporting of identified components + + - Command-line interface for SBOM generation + + + The tool is available as open-source software under the GPLv3 license and can + be deployed via Docker or local installation. EMBA''s SBOM functionality is particularly + useful for product security teams, developers, and managers who need to maintain + software component inventories of embedded systems.' + Types: + - Analyze +- Abilities: + - Compare + - Consume + Languages: + - Pypi + License: Apache-2.0 + Link: https://github.com/anthonyharrison/sbomdiff + Name: sbomdiff + Publisher: anthonyharrison + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'SBOMDiff is a comparison tool for Software Bill of Materials (SBOM) that + analyzes differences between two SBOM files. The tool supports both SPDX (2.3) + and CycloneDX (1.4) formats in various file representations including JSON, XML, + YAML, and RDF. 
+ + + Key Features: + + - Detection of package version changes + + - Identification of license modifications + + - Tracking of added and removed packages + + - Multiple output formats (text, JSON, YAML) + + - Automatic SBOM format detection + + - Command-line interface with configurable options + + + The tool processes SBOM files by comparing package names, versions, and licenses. + Output can be directed to stdout or saved to a file. SBOMDiff is implemented in + Python (3.7+) and is available through pip installation. The tool returns a non-zero + exit code when differences are detected, facilitating integration into automated + workflows. + + + SBOMDiff aids in software development and security audit functions, though its + effectiveness depends on the quality of input SBOM data. The tool is licensed + under Apache 2.0.' + Types: + - Analyze +- Abilities: + - Generate + - Convert + Languages: + - Pypi + License: Apache-2.0 + Link: https://github.com/anthonyharrison/sbom4python + Name: sbom4python + Publisher: anthonyharrison + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'SBOM4Python is an open-source command-line tool designed to generate Software + Bill of Materials (SBOM) for Python modules. The tool produces SBOM documentation + in SPDX and CycloneDX formats, supporting various output formats including JSON, + YAML, and tag-value notation. + + + Key Features: + + - Identifies explicit and implicit dependencies of installed Python modules + + - Generates SBOM from requirements.txt, pyproject.toml, setup.cfg, or setup.py + files + + - Automatic license detection with SPDX license identifier mapping + + - PURL and CPE reference generation for package identification + + - Dependency graph generation in DOT format + + - System-wide Python module analysis capability + + - Optional file inclusion for comprehensive package documentation + + + The tool requires Python 3.7+ and can be installed via pip. 
It supports integration
+ into continuous integration pipelines for automated SBOM generation and maintenance.
+ Network connectivity is required for complete package metadata retrieval.
+
+
+ SBOM4Python is licensed under Apache 2.0 and is particularly suited for software
+ development teams requiring accurate dependency tracking and security audit compliance.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/anthonyharrison/sbom4files
+ Name: sbom4files
+ Publisher: anthonyharrison
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: SBOM4Files is a command-line tool designed to generate Software Bill of
+ Materials (SBOM) for directory contents. The tool supports both SPDX and CycloneDX
+ SBOM formats and can process files recursively through directory structures. Key
+ features include license identification, copyright detection, and multiple checksum
+ generation (SHA1, SHA256, SHA512) for each file. SBOM4Files supports various output
+ formats including tag-value, JSON, and YAML for SPDX, while CycloneDX output is
+ provided in JSON format. The tool is implemented in Python (3.7+) and can be integrated
+ into continuous integration pipelines to maintain accurate SBOM records throughout
+ the build development phase. It includes capabilities to ignore specific file
+ extensions and provides flexible output options for integration into existing
+ workflows.
+ Types:
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Cargo
+ License: Apache-2.0
+ Link: https://github.com/anthonyharrison/sbom4rust
+ Name: sbom4rust
+ Publisher: anthonyharrison
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'SBOM4Rust is a command-line tool for generating Software Bill of Materials
+ (SBOM) from Rust applications or libraries. The tool processes Cargo.lock files
+ to identify and document all dependent components and their relationships.
It
+ supports output in both SPDX and CycloneDX formats, with SPDX offering additional
+ formatting options in tag-value, JSON, and YAML.
+
+
+ Key Features:
+
+ - Generates SBOM from Cargo.lock files
+
+ - Supports SPDX and CycloneDX output formats
+
+ - Multiple output format options for SPDX (tag-value, JSON, YAML)
+
+ - Identifies component dependencies and relationships
+
+ - Integrates with continuous integration systems
+
+ - Python-based implementation (requires Python 3.7+)
+
+
+ The tool is designed for integration into continuous integration pipelines and
+ supports software development and security audit functions. It provides flexibility
+ in output formats and can be used to maintain accurate records of software components
+ for audit purposes.
+
+
+ Available under Apache 2.0 License.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Cran
+ - Rpm
+ - Haxe
+ License: Apache-2.0
+ Link: https://github.com/anthonyharrison/distro2sbom
+ Name: distro2sbom
+ Publisher: anthonyharrison
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'DISTRO2SBOM is a Python-based tool for generating Software Bill of Materials
+ (SBOM) for installed applications or complete system installations. The tool supports
+ both SPDX and CycloneDX output formats in various serializations including JSON,
+ YAML, and tag-value format.
+
+
+ Key Features:
+
+ - Supports multiple package management systems (RPM, DEB, Windows)
+
+ - Generates SBOM for single packages or entire system installations
+
+ - Automatic package dependency resolution
+
+ - PURL and CPE reference generation
+
+ - Customizable output formats and serializations
+
+ - License identifier mapping to SPDX standard
+
+ - Integration-ready for CI/CD pipelines
+
+
+ The tool is designed for system auditing and compliance purposes, providing detailed
+ component tracking and dependency analysis. It requires Python 3.7+ and can be
+ installed via pip or from source.
DISTRO2SBOM is licensed under Apache 2.0 and
+ supports custom configuration for specialized environments through environment
+ variables.'
+ Types:
+ - Deployment
+- Abilities:
+ - Convert
+ - Validate
+ - Consume
+ Languages:
+ - Pypi
+ License: MIT
+ Link: https://github.com/anthonyharrison/sbom-manager
+ Name: sbom-manager
+ Publisher: anthonyharrison
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'SBOM Manager is an open-source tool designed for managing Software Bill
+ of Materials (SBOM) collections. It supports multiple SBOM formats including SPDX
+ and CycloneDX, operating both as a repository for component tracking and as a
+ query tool for project development analysis.
+
+
+ Key Features:
+
+ - Supports SPDX (2.3), CycloneDX (1.4, 1.5), CSV, and directory listing formats
+
+ - Repository management for tracking software components
+
+ - Query capabilities for component version tracking
+
+ - Vulnerability scanning integration
+
+ - Export and import functionality for repository management
+
+ - Project-based filtering
+
+ - Configurable output formats (CSV, console)
+
+
+ The tool integrates with continuous integration systems for maintaining SBOM records
+ and supports security auditing through vulnerability scanning capabilities. It
+ requires Python 3.7+ and can be installed via pip or from source.
+
+
+ Primary Use Cases:
+
+ - Component vulnerability impact assessment
+
+ - Version tracking across projects
+
+ - Component usage analysis
+
+ - Vulnerability scanning and reporting
+
+
+ The tool''s effectiveness depends on the quality and completeness of the provided
+ SBOM data. It is distributed under the MIT License.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Consume
+ - Validate
+ Languages:
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/anthonyharrison/sbomaudit
+ Name: sbomaudit
+ Publisher: anthonyharrison
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'SBOMAUDIT is a quality assessment tool for Software Bill of Materials
+ (SBOM) that supports both SPDX and CycloneDX formats. The tool performs comprehensive
+ validation checks on SBOM contents including format compliance, package metadata
+ completeness, license validation, and relationship integrity.
+
+
+ Key Features:
+
+ - Validates SBOM format versions and essential metadata
+
+ - Verifies package information completeness including names, versions, and suppliers
+
+ - Checks license compliance with SPDX identifiers and OSI approval status
+
+ - Validates CPE and PURL specifications
+
+ - Performs latest version checks for multiple programming language ecosystems
+
+ - Validates NTIA minimum requirements compliance
+
+ - Supports policy enforcement through allow/deny lists
+
+ - Provides package age analysis capabilities
+
+ - Generates detailed JSON format reports
+
+
+ The tool can operate in both online and offline modes, with certain checks like
+ latest version verification only available in online mode. It is designed for
+ integration into development workflows and supports policy enforcement through
+ configurable rules and checks.'
+ Types:
+ - Analyze
+- Abilities:
+ - Consume
+ Languages:
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/anthonyharrison/sbom2doc
+ Name: sbom2doc
+ Publisher: anthonyharrison
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'SBOM2DOC is a documentation tool for Software Bill of Materials (SBOM)
+ that processes and presents component information from SPDX and CycloneDX formats.
+ The tool generates comprehensive summaries in multiple output formats including
+ console, HTML, Excel, JSON, Markdown, and PDF.
+
+
+ Key features:
+
+ - Supports SPDX (TagValue, JSON, YAML) and CycloneDX (JSON) formats
+
+ - Provides detailed package information including licenses, suppliers, and dependencies
+
+ - Generates NTIA conformance reports
+
+ - Offers multiple output formats with Bootstrap-based HTML support
+
+ - Includes package metadata like PURL and CPE identifiers
+
+ - Creates statistical summaries of component types and licenses
+
+
+ The tool is implemented in Python (3.7+) and can be installed via pip. Output
+ can be customized to include license texts and additional debug information as
+ needed.'
+ Types:
+ - Analyze
+- Abilities:
+ - Consume
+ Languages:
+ - Pypi
+ License: No License
+ Link: https://github.com/anthonyharrison/sbom2dot
+ Name: sbom2dot
+ Publisher: anthonyharrison
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'SBOM2DOT is a specialized visualization tool that converts Software Bill
+ of Materials (SBOM) files into dependency graphs using the DOT language format.
+ The tool processes SPDX (in TagValue, JSON, and YAML formats) and CycloneDX (in
+ JSON format) SBOM files, generating outputs compatible with GraphViz visualization
+ software. Key features include:
+
+
+ - Automated generation of component dependency graphs from SBOM files
+
+ - Support for multiple SBOM format inputs
+
+ - GraphViz DOT language output for flexible visualization options
+
+ - Command-line interface with input/output file specification
+
+ - Python-based implementation (requires Python 3.7+)
+
+
+ The tool serves as a utility for visualizing component relationships within SBOMs,
+ though it has limitations with RDF/XML formats and large-scale dependency visualization.
+ SBOM2DOT is distributed under the Apache 2.0 License.'
+ Types:
+ - Analyze
+- Abilities:
+ - Merge
+ - Convert
+ Languages:
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/anthonyharrison/sbommerge
+ Name: sbommerge
+ Publisher: anthonyharrison
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: "SBOMMerge is a Python-based tool designed to merge two Software Bill of\
+ \ Materials (SBOM) documents. The tool supports both SPDX 2.3 and CycloneDX (1.4,\
+ \ 1.5) formats in various file types including JSON, YAML, and TagValue. \n\n\
+ Key Features:\n- Automatic format detection based on file extensions\n- Support\
+ \ for multiple output formats (tag, JSON, YAML)\n- Cross-format merging capabilities\n\
+ - Package version-aware merging logic\n- Command-line interface with customizable\
+ \ output options\n\nThe tool processes SBOM files by merging package data when\
+ \ versions match and creating separate entries for different versions. It requires\
+ \ Python 3.7 or higher and can be installed via pip. SBOMMerge operates under\
+ \ the Apache 2.0 License and is primarily intended for software development and\
+ \ security audit functions.\n\nTechnical Requirements:\n- Python 3.7+\n- pip package\
+ \ manager\n- Input SBOM files in supported formats (SPDX or CycloneDX)"
+ Types:
+ - Analyze
+- Abilities:
+ - Convert
+ - Generate
+ - Consume
+ Languages:
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/anthonyharrison/lib4sbom
+ Name: lib4sbom
+ Publisher: anthonyharrison
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: "Here's a concise summary of Lib4SBOM:\n\nLib4SBOM is a Python library\
+ \ for parsing and generating Software Bill of Materials (SBOMs) in both SPDX and\
+ \ CycloneDX formats.
Key features include:\n\nCore Capabilities:\n- Parses SPDX\
+ \ SBOMs in TagValue, JSON, YAML, XML and RDF formats\n- Parses CycloneDX SBOMs\
+ \ in JSON and XML formats \n- Generates SPDX SBOMs in TagValue, JSON and YAML\
+ \ formats\n- Generates CycloneDX SBOMs in JSON format\n- Supports SPDX 2.2/2.3\
+ \ and CycloneDX 1.4/1.5/1.6\n\nKey Components:\n- SBOMParser - Parses existing\
+ \ SBOM files into a common data model\n- SBOMGenerator - Creates new SBOMs from\
+ \ component data\n- SBOM objects for managing files, packages, relationships,\
+ \ vulnerabilities and services\n- Format-agnostic abstraction layer\n\nNotable\
+ \ Features:\n- Auto-detection of SBOM format based on file extension\n- License\
+ \ validation against SPDX identifiers\n- Support for package metadata, dependencies,\
+ \ vulnerabilities\n- Console and file output options\n\nThe library provides a\
+ \ unified interface for working with different SBOM formats through a consistent\
+ \ API, allowing developers to handle SBOMs without dealing with format-specific\
+ \ details."
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Consume
+ Languages:
+ - Golang
+ - Pypi
+ License: MPL-2.0
+ Link: https://github.com/devops-kung-fu/bomber
+ Name: Bomber
+ Publisher: devops-kung-fu
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'Bomber is a versatile SBOM vulnerability scanning tool that analyzes Software
+ Bill of Materials (SBOMs) for security vulnerabilities and license information.
+ The tool supports multiple SBOM formats including CycloneDX (JSON/XML), SPDX (JSON),
+ and Syft.
+
+
+ Key Features:
+
+ - Multiple vulnerability data providers: OSV (default), GitHub Advisory Database,
+ Sonatype OSS Index, and Snyk
+
+ - Support for folder-based batch scanning
+
+ - Multiple output formats: CLI, HTML, JSON, and Markdown
+
+ - Vulnerability filtering by severity levels
+
+ - CVE ignore list functionality
+
+ - Data enrichment with Exploit Prediction Scoring System (EPSS)
+
+ - STDIN scanning support for CI/CD pipeline integration
+
+
+ The tool is particularly useful for analyzing closed-source vendor SBOMs but can
+ also be used for open-source components. Bomber provides detailed vulnerability
+ reports including severity levels, exploitation probabilities, and comprehensive
+ vulnerability descriptions. It supports environment variables for credential management
+ and offers experimental features like severity-based exit codes and AI-enriched
+ vulnerability descriptions using OpenAI.'
+ Types:
+ - Analyze
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Elixir
+ - Npm
+ License: MIT
+ Link: https://github.com/patriksvensson/covenant
+ Name: covenant
+ Publisher: patriksvensson
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'Covenant is a .NET-based SBOM generation tool that creates Software Bill
+ of Materials from source code artifacts. The tool supports both CycloneDX and
+ SPDX output formats and can analyze projects built with .NET 5 to .NET 8, .NET
+ Core, and NPM dependencies. It also processes existing CycloneDX BOMs.
+
+
+ Key Features:
+
+ - Generation of SBOMs from source code and project files
+
+ - Conversion between SBOM formats (CycloneDX and SPDX)
+
+ - HTML report generation for SBOM visualization
+
+ - License compliance checking with configurable rules
+
+ - Support for arbitrary file inclusion in SBOM
+
+ - Metadata customization options
+
+
+ The tool requires built projects with restored dependencies for accurate analysis
+ and can be installed either as a project-specific or global .NET tool. Configuration
+ is managed through a JSON file that supports custom file inclusion and license
+ compliance rules.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ Languages:
+ - Apk
+ - Alpm
+ - Rpm
+ - Maven
+ - Pypi
+ License: GPL-3.0
+ Link: https://github.com/future-architect/vuls
+ Name: vuls
+ Publisher: future-architect
+ Source: AI-Generated
+ Standards: []
+ Summary: 'Vuls is a vulnerability scanner designed for Linux, FreeBSD, Windows,
+ and macOS systems. The tool operates agent-less and is written in Go. It provides
+ comprehensive vulnerability scanning capabilities through integration with multiple
+ vulnerability databases including NVD, JVN, and various vendor-specific security
+ advisories.
+
+
+ Key Features:
+
+ - Supports multiple operating systems and environments including cloud, on-premise,
+ and Docker containers
+
+ - Integrates with multiple vulnerability databases and security advisories
+
+ - Offers both remote and local scanning capabilities
+
+ - Provides SBOM functionality through package management system integration
+
+ - Supports scanning of non-OS packages including programming language libraries
+ and self-compiled software
+
+ - Includes CPE-based scanning capabilities
+
+ - Features automatic vulnerability detection and regular reporting
+
+ - Operates in multiple modes: Fast Scan (non-root), Fast Root Scan, Remote Scan,
+ and Local Scan
+
+
+ The tool is particularly useful for system administrators who need to maintain
+ security across multiple systems without implementing automatic updates. Vuls
+ focuses on vulnerability detection and reporting rather than remediation, making
+ it suitable for security assessment and compliance monitoring workflows.'
+ Types:
+ - Analyze
+ - Deployment
+ - Runtime
+- Abilities:
+ - Consume
+ - Validate
+ Languages:
+ - Generic
+ License: Apache-2.0
+ Link: https://github.com/interlynk-io/sbomqs
+ Name: sbomqs
+ Publisher: interlynk-io
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'SBOMQS (SBOM Quality Score) is a tool designed to assess the quality and
+ compliance of Software Bill of Materials (SBOM). The tool supports major SBOM
+ formats including SPDX and CycloneDX in various data representations (JSON, YAML,
+ RDF, and tag-value for SPDX; JSON and XML for CycloneDX).
+
+
+ Key Features:
+
+ - Quality scoring based on multiple categories including NTIA minimum elements,
+ structural compliance, semantic validation, and sharing capabilities
+
+ - Compliance reporting for industry standards (BSI TR-03183-2, OpenChain Telco
+ SBOM Guide)
+
+ - Customizable scoring output with category and feature-level configuration
+
+ - Integration with Dependency Track for project scoring
+
+ - Support for air-gapped environments
+
+ - Container-based deployment options
+
+
+ The tool provides both basic and detailed output formats (tabular and JSON) for
+ quality assessment results. Quality scores are calculated based on component completeness,
+ license information, identifier accuracy, and adherence to industry specifications.
+ SBOMQS can be integrated into automated workflows and supports sharing results
+ through sbombenchmark.dev.'
+ Types:
+ - Analyze
+- Abilities:
+ - Consume
+ Languages:
+ - Generic
+ License: Apache-2.0
+ Link: https://github.com/interlynk-io/sbomgr
+ Name: sbomgr
+ Publisher: interlynk-io
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'SBOMGR (SBOM Grep) is a command-line utility designed for searching Software
+ Bill of Materials (SBOM) repositories. The tool supports both SPDX and CycloneDX
+ formats, enabling users to search for packages based on name, checksum, CPE, and
+ PURL identifiers. Key features include regular expression support, JSON output
+ formatting, and recursive directory scanning. SBOMGR provides efficient search
+ capabilities with options for case-sensitive matching, license information extraction,
+ and customizable output formats. The tool can be deployed in air-gapped environments
+ and offers integration options for CI/CD pipelines. Installation is available
+ through multiple methods including prebuilt binaries, Homebrew, Go install, or
+ building from source.
+
+
+ Primary features:
+
+ - Format-agnostic SBOM searching (SPDX and CycloneDX support)
+
+ - Multiple search criteria (name, checksum, CPE, PURL)
+
+ - Regular expression support
+
+ - Customizable output formats
+
+ - Container deployment support
+
+ - CI/CD pipeline integration
+
+ - Air-gapped environment compatibility'
+ Types:
+ - Analyze
+- Abilities:
+ - Consume
+ Languages:
+ - Golang
+ License: NOASSERTION
+ Link: https://github.com/interlynk-io/sbomex
+ Name: sbomex
+ Publisher: interlynk-io
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'SBOMEX (SBOM Explorer) is a command-line utility designed for querying
+ and retrieving Software Bill of Materials (SBOMs) from Interlynk''s public SBOM
+ repository. The tool supports searching through a periodically updated collection
+ of SBOMs generated by various tools and in different formats.
+
+
+ Key Features:
+
+ - Search functionality with filtering by specification, format, and tool name
+
+ - SBOM retrieval capabilities with quality score information
+
+ - Support for multiple SBOM formats including CycloneDX and SPDX
+
+ - Available as a containerized application
+
+ - Integration with SBOM quality scoring system
+
+
+ The tool can be installed through multiple methods including pre-built binaries,
+ Homebrew, Go install, or building from source. SBOMEX is part of a broader ecosystem
+ of SBOM tools maintained by Interlynk.io and is distributed under the Apache License
+ 2.0.'
+ Types: + - Analyze +- Abilities: + - Compare + - Convert + - Validate + Languages: + - Clojars + - Composer + - Dart + - Dotnet + - Elixir + - Gem + - Hackage + - Haxe - Hex - - Pub + - Npm + - Pypi + License: Apache-2.0 + Link: https://github.com/cyclonedx/sbom-utility + Name: sbom-utility + Publisher: CycloneDX + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: "Here's a concise summary of the sbom-utility tool and its key features\ + \ focused on SBOM:\n\nThe sbom-utility is a command-line platform for validating,\ + \ analyzing and editing Software Bills-of-Materials (SBOMs). Key capabilities\ + \ include:\n\n- Validates SBOMs against official CycloneDX and SPDX JSON schemas\n\ + - Supports custom JSON schema variants for additional validation requirements\ + \ \n- Analyzes and edits BOM data through commands like trim, patch, and diff\n\ + - Provides SQL-like querying to extract specific data from SBOMs\n- Generates\ + \ reports on components, services, licenses, resources and vulnerabilities\n-\ + \ Supports multiple output formats (txt, csv, md, json)\n- Handles CycloneDX SBOM\ + \ variants (Software, Hardware, Manufacturing, ML/AI, Crypto)\n- Offers license\ + \ policy management and compliance checking\n- Includes vulnerability report analysis\ + \ capabilities\n\nThe tool focuses on validating SBOM data quality and enabling\ + \ analysis of key aspects like inventory, licensing, and security. It supports\ + \ both CycloneDX and SPDX formats with their respective schema versions.\n\nWritten\ + \ in Go for memory safety and cross-platform compatibility, it provides consistent\ + \ outputs suitable for both standalone use and integration into automated toolchains.\n\ + \nThe tool is licensed under Apache 2.0 and actively maintained by the CycloneDX\ + \ community." 
+ Types:
+ - Analyze
+- Abilities:
+ - Convert
+ - Generate
+ Languages:
+ - Generic
+ License: Apache-2.0
+ Link: https://github.com/CycloneDX/license-scanner
+ Name: license-scanner
+ Publisher: CycloneDX
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'License Scanner by CycloneDX is a dual-purpose tool for scanning files
+ and identifying licenses. Its SBOM-related features include:
+
+
+ Key Features:
+
+ - Generates CycloneDX LicenseChoice components compatible with CycloneDX v1.4
+
+ - Scans files and directories to identify SPDX licenses and license expressions
+
+ - Provides license information suitable for SBOM generation via CLI or API
+
+ - Detects copyrights and legal terms in scanned content
+
+ - Outputs normalized license text and hash values
+
+
+ Technical Specifications:
+
+ - Written in Go (requires Go 1.18+)
+
+ - Supports SPDX license template matching (tested with v3.17/3.18)
+
+ - Available as CLI tool and Go module for integration
+
+ - Configurable for custom license policies and terms
+
+
+ The tool focuses on accurate license identification and standardized output formats
+ suitable for automated SBOM creation workflows. It can be integrated into software
+ supply chain processes either through direct API usage or command-line automation.'
+ Types:
+ - Deployment
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Clojars
+ License: MIT
+ Link: https://github.com/advanced-security/gh-sbom
+ Name: gh-sbom
+ Publisher: advanced-security
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: gh-sbom is a GitHub CLI extension for generating Software Bill of Materials
+ (SBOM) in SPDX or CycloneDX format. The tool leverages GitHub's Dependency Graph
+ to extract component information from repositories. The SPDX output utilizes the
+ Dependency Graph SBOM API for efficient server-side generation, making it suitable
+ for large repositories and ensuring comprehensive license information.
CycloneDX + output is generated by combining dependency information from the Dependency Graph + GraphQL API with license data from ClearlyDefined's API. The tool requires GitHub + CLI installation and supports GitHub Enterprise Server 3.9 or higher. Key features + include JSON output format, package relationship tracking, and license information + inclusion. + Types: + - Source +- Abilities: + - Consume + Languages: - Hackage + License: BSD-3-Clause + Link: https://github.com/MaibornWolff/SecObserve + Name: SecObserve + Publisher: MaibornWolff + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'SecObserve SBOM and Vulnerability Management System + + + SecObserve is an open-source vulnerability and license management system that + incorporates SBOM (Software Bill of Materials) capabilities through integration + with various scanning tools. The system processes and aggregates results from + multiple vulnerability scanners, providing a unified view of software components + and their associated security risks. + + + Key SBOM-related features: + + - Integration with multiple open-source vulnerability scanners + + - Automated processing of scan results into structured component information + + - Centralized management of software dependencies and their security status + + - Support for CI/CD pipeline integration via GitLab CI templates and GitHub actions + + - Standardized reporting of component vulnerabilities and license information + + - Rule-based assessment capabilities for vulnerability management + + + The tool offers a comprehensive platform for teams requiring SBOM generation and + vulnerability tracking as part of their security compliance and risk management + processes. It supports both development environments and cloud deployments with + automated scanning and result aggregation capabilities.' 
+ Types:
+ - Analyze
+- Abilities:
+ - Consume
+ - Edit
+ Languages:
+ - Autotools
+ - Cargo
+ - Composer
+ - Elixir
+ - Generic
+ - Maven
+ - Npm
+ - Nuget
+ - Pypi
+ License: Apache-2.0
+ Link: https://github.com/snyk/parlay
+ Name: parlay
+ Publisher: snyk
+ Source: AI-Generated
+ Standards:
+ - SPDX
+ - CycloneDX
+ Summary: 'Parlay is a command-line tool designed to enrich Software Bill of Materials
+ (SBOM) documents in CycloneDX (JSON, XML) and SPDX 2.3 (JSON) formats. The tool
+ integrates with multiple external services including ecosyste.ms, Snyk, and OpenSSF
+ Scorecard to add supplementary information to existing SBOMs.
+
+
+ Key Features:
+
+ - Enriches SBOM data with package metadata from ecosyste.ms including licenses,
+ external links, and maintainer information
+
+ - Adds vulnerability information from Snyk (requires Snyk subscription)
+
+ - Incorporates OpenSSF Scorecard security metrics
+
+ - Supports multiple package formats including npm, Maven, PyPI, and others
+
+ - Enables pipeline integration through stdin/stdout support
+
+ - Processes both CycloneDX and SPDX 2.3 formats
+
+
+ The tool maintains the original SBOM structure while adding valuable contextual
+ information that can be used for better dependency analysis and security assessment.
+ It is particularly useful for organizations looking to enhance their SBOM data
+ with security and maintenance-related metadata.'
+ Types:
+ - Analyze
+- Abilities:
+ - Generate
+ Languages:
+ - Cargo
+ - Generic
+ License: MIT
+ Link: https://github.com/nikstur/bombon
+ Name: bombon
+ Publisher: nikstur
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'Bombon is a specialized tool designed to generate CycloneDX v1.5 Software
+ Bill of Materials (SBOMs) for Nix packages. The tool aims for compliance with
+ the German Technical Guideline TR-03183 v2.0.0 and US Executive Order 14028 requirements.
+
+
+ Key Features:
+
+ - Automatic SBOM generation for Nix packages
+
+ - Support for vendored dependencies in Rust and Go ecosystems
+
+ - Configurable inclusion of buildtime dependencies
+
+ - Path exclusion functionality via regex patterns
+
+ - Integration with both Nix Flakes and Niv
+
+ - Extra paths support for components with discarded references
+
+
+ The tool offers flexibility through optional configuration parameters and provides
+ specific functions for handling vendored dependencies in different programming
+ language ecosystems. Bombon integrates seamlessly with the Nix ecosystem and supports
+ modern Nix workflows through Flakes and traditional approaches via Niv.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ - Convert
+ Languages:
+ - Cran
+ - Dotnet
+ - Maven
+ - Npm
+ - Pypi
+ - Rpm
+ License: MIT
+ Link: https://github.com/siemens/continuous-clearing
+ Name: continuous-clearing
+ Publisher: siemens
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'Continuous Clearing Tool is a software composition analysis tool that
+ generates SBOM (Software Bill of Materials) for various package types including
+ NPM, NuGet, Maven, Python, and Debian. The tool integrates with SW360 and FOSSology
+ for license clearing workflows.
+
+
+ Key Features:
+
+ - Generates CycloneDX SBOM format
+
+ - Identifies dependency classifications (development, internal)
+
+ - Verifies component availability in JFrog Artifactory
+
+ - Creates and updates components in SW360
+
+ - Triggers FOSSology license scanning
+
+ - Uploads cleared components to Artifactory
+
+ - Utilizes Syft for Debian package detection
+
+
+ The tool is available as a Docker container or .NET package and consists of three
+ main modules: Package Identifier for SBOM generation, SW360 Package Creator for
+ component management, and Artifactory Uploader for repository integration.'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Edit
+ - Merge
+ - Validate
+ Languages:
+ - Pypi
+ License: GPL-3.0
+ Link: https://github.com/Festo-se/cyclonedx-editor-validator
+ Name: CycloneDX-editor-validator
+ Publisher: Festo-se
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX Editor/Validator is a command-line tool for manipulating and
+ validating CycloneDX Software Bill of Materials (SBOM). The tool supports CycloneDX
+ versions 1.2 through 1.6 and is designed for integration into automated workflows
+ and CI/CD pipelines.
+
+
+ Key Features:
+
+ - SBOM modification through targeted component updates and global amendments
+
+ - Merging of multiple SBOM documents
+
+ - Creation of redacted SBOM versions for public distribution
+
+ - SBOM validation against schema definitions
+
+ - Content listing and initial SBOM template generation
+
+ - Support for both JSON and XML formats
+
+
+ The tool provides scriptable interfaces with multiple output options and specific
+ exit codes for automation purposes. It is distributed under the GPL-3.0-or-later
+ license and is available through PyPI package manager.
+
+
+ Repository: https://github.com/Festo-se/cyclonedx-editor-validator
+
+ Documentation: https://festo-se.github.io/cyclonedx-editor-validator'
+ Types:
+ - Analyze
+- Abilities:
+ - Generate
+ Languages:
+ - Apk
+ - Autotools
+ - Cargo
+ - Clojars
+ - Composer
+ - Cran
+ - Dotnet
+ - Elixir
+ - Gem
+ - Golang
+ - Maven
+ - Npm
+ - Nuget
+ - Pypi
+ License: NOASSERTION
+ Link: https://github.com/leanix/vsm-sbom-booster
+ Name: vsm-sbom-booster
+ Publisher: leanix
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'VSM SBOM Booster - SBOM Generation Tool
+
+
+ VSM SBOM Booster is an automated SBOM generation tool based on the OSS Review
+ Toolkit (ORT). The tool generates CycloneDX SBOMs by scanning repositories across
+ multiple Git providers including GitHub Cloud/Enterprise, GitLab Cloud/Self-Hosted,
+ and BitBucket Cloud.
+
+
+ Key Features:
+
+ - Centralized SBOM generation without CI/CD pipeline modifications
+
+ - Direct integration with Git provider APIs
+
+ - Automatic SBOM upload to VSM workspace
+
+ - Support for multiple package managers through ORT
+
+ - Parallel processing capabilities with configurable concurrency
+
+ - Configurable analysis timeouts and proxy settings
+
+ - Support for ORT configuration files
+
+
+ The tool achieves an 80% success rate in SBOM generation for service repositories
+ and operates using a docker-in-docker architecture. Configuration is handled through
+ environment variables, allowing customization of Git provider settings, LeanIX
+ workspace integration, and runtime parameters.
+
+
+ Limitations:
+
+ - Experimental prototype status
+
+ - No filtering of non-service repositories
+
+ - Basic repository scanning without build-time integration
+
+ - Sporadic maintenance schedule
+
+
+ License: [REUSE compliant]'
+ Types:
+ - Source
+ - Build
+- Abilities:
+ - Generate
+ Languages:
+ - Generic
+ License: NOASSERTION
+ Link: https://github.com/xeedio/asdf-cyclonedx
+ Name: asdf-cyclonedx
+ Publisher: xeedio
+ Source: AI-Generated
+ Standards:
+ - CycloneDX
+ Summary: 'CycloneDX Plugin for ASDF Version Manager
+
+
+ A version management plugin that enables installation and management of the CycloneDX
+ CLI tool through the ASDF version manager. The plugin facilitates the generation
+ of Software Bill of Materials (SBOM) in CycloneDX format, supporting multiple
+ versions of the CycloneDX tool. It provides straightforward version installation,
+ global version setting, and version management capabilities through ASDF''s command-line
+ interface. The tool requires basic POSIX utilities (bash, curl, tar) for operation
+ and integrates seamlessly with existing ASDF workflows.
+ + + Features: + + - Version listing and management + + - Automated installation of CycloneDX CLI + + - Global version configuration + + - SBOM generation capabilities + + - Integration with ASDF version manager' + Types: + - Build +- Abilities: + - Consume + Languages: - Cargo + - Gem + License: Apache-2.0 + Link: https://github.com/nscuro/cdx-central + Name: cdx-central + Publisher: nscuro + Source: AI-Generated + Standards: + - CycloneDX + Summary: cdx-central is a command-line utility designed for downloading public CycloneDX + Software Bill of Materials (SBOMs) from Maven Central repository. The tool focuses + on retrieving SBOMs for the latest versions of artifacts and offers configurable + parameters for concurrent processing and filtering based on component count. Key + features include concurrent artifact processing with adjustable concurrency levels, + filtering capabilities based on minimum component thresholds, and customizable + output directory for downloaded SBOMs. Written in Go, the tool provides a streamlined + approach for bulk SBOM retrieval from Maven Central. + Types: + - Analyze +- Abilities: + - Compare + Languages: + - Pypi + License: No License + Link: https://github.com/marcosanchotene/cdx-vs-cdx + Name: cdx-vs-cdx + Publisher: marcosanchotene + Source: AI-Generated + Standards: + - CycloneDX + Summary: CDX vs CDX is a comparison tool for CycloneDX Software Bill of Materials + (SBOM) files in JSON format. The tool analyzes two CycloneDX files and identifies + components that are unique to each file as well as components that are common + between them. It features a graphical user interface for easy file selection and + visualization of comparison results. The tool is implemented in Python and can + be run either as a Python application or as a standalone executable, primarily + targeting Linux environments. 
It serves as a utility for SBOM analysis and component + inventory management by providing clear differentiation of component presence + across multiple SBOM files. + Types: + - Analyze +- Abilities: + - Consume + Languages: + - Apk + - Cran + - Gem + - Golang + - Npm + License: UPL-1.0 + Link: https://github.com/oracle/macaron + Name: macaron + Publisher: oracle + Source: AI-Generated + Standards: [] + Summary: 'Macaron is a supply chain security analysis tool developed by Oracle Labs + that focuses on build integrity and artifact dependencies analysis. The tool implements + checks based on the Supply chain Levels for Software Artifacts (SLSA) specification + to verify compliance requirements automatically. + + + Key Features: + + - Provides SLSA compliance verification + + - Supports multiple build systems including Maven, Gradle, Pip, Poetry, npm, Yarn, + Go, and Docker + + - Implements customizable checker platform for defining interdependent checks + + - Analyzes CI configuration files and build scripts + + - Creates call graphs and intermediate representations for security analysis + + - Verifies user-specified policies for software components + + + The tool generates an assessment of the software supply chain security posture + by examining build processes, dependencies, and compliance with SLSA requirements. + While Macaron does not directly generate SBOMs, its analysis capabilities complement + SBOM-focused tools by providing security insights about the build environment + and processes that produced the analyzed artifacts.' + Types: + - Analyze +- Abilities: + - Generate + Languages: + - Apk + License: No License + Link: https://github.com/ksoclabs/kbom + Name: kbom + Publisher: ksoclabs + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'KBOM (Kubernetes Bill of Materials) is a specialized software composition + analysis tool designed for generating Software Bill of Materials (SBOM) for Kubernetes + environments. 
The tool is now maintained under the rad-security organization. + KBOM enables users to create detailed inventories of software components and dependencies + within Kubernetes clusters. Note: Further technical details and features are not + provided in the source material as the repository has been relocated. + + + Repository: https://github.com/rad-security/kbom' + Types: + - Container +- Abilities: + - Consume + - Validate + Languages: + - Pub + License: Apache-2.0 + Link: https://github.com/eBay/sbom-scorecard + Name: sbom-scorecard + Publisher: eBay + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: "SBOM Scorecard is a tool designed to evaluate the quality and completeness\ + \ of Software Bill of Materials (SBOM) files. The tool supports multiple SBOM\ + \ formats including SPDX and CycloneDX. It analyzes SBOM files against a set of\ + \ weighted criteria to produce a numerical score.\n\nKey Features:\n- Validates\ + \ SBOM specification compliance\n- Evaluates generation metadata completeness\n\ + - Assesses package information quality including:\n - Package identifiers (purls,\ + \ CPEs)\n - Version information and checksums\n - License documentation\n- Supports\ + \ multiple input formats\n- Provides detailed scoring breakdown\n- Configurable\ + \ scoring weights\n\nThe tool assigns weights to different aspects of the SBOM:\ + \ 25% for specification compliance, 15% for generation information, and 60% for\ + \ package metadata quality. Its primary use case is quality assessment of first-party\ + \ generated SBOMs to ensure they contain sufficient metadata for downstream consumption\ + \ and analysis.\n\nCurrently marked as work in progress (WIP), the tool is available\ + \ as a command-line utility and can be installed via pre-compiled binaries or\ + \ built from source." 
+ Types: + - Analyze +- Abilities: + - Edit + - Merge + Languages: + - Haxe + License: Apache-2.0 + Link: https://github.com/interlynk-io/sbomasm + Name: sbomasm + Publisher: interlynk-io + Source: AI-Generated + Standards: + - SPDX + - CycloneDX + Summary: 'SBOM Assembly and Editing Tool + + + sbomasm is a command-line tool for assembling and editing Software Bill of Materials + (SBOM) documents. The tool supports both CycloneDX and SPDX formats, offering + capabilities to merge multiple SBOMs and edit SBOM metadata. + + + Key Features: + + - Format-agnostic SBOM assembly supporting SPDX (JSON, YAML, RDF, tag-value) and + CycloneDX (JSON, XML) + + - Multiple merge algorithms: Hierarchical, Flat, and Assembly + + - Primary component/package configuration + + - Metadata editing for documents and components + + - Duplicate component handling + + - Support for air-gapped environments + + + The tool enables organizations to: + + - Combine multiple vendor SBOMs into a unified document + + - Edit SBOM metadata for compliance purposes + + - Maintain relationships between components during merging + + - Configure output formats and specifications + + - Integrate with Dependency Track + + + Output formats: + + - SPDX: JSON, XML (spec version 2.3) + + - CycloneDX: JSON, XML (spec version 1.6) + + + The tool is particularly useful for organizations managing complex software supply + chains or requiring consolidated SBOM views for compliance and security purposes.' + Types: + - Analyze +- Abilities: + - Consume + Languages: + - Generic + License: GPL-3.0 + Link: https://github.com/javixeneize/neo4cyclone + Name: neo4cyclone + Publisher: javixeneize + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'Neo4Cyclone is a visualization tool for CycloneDX Software Bill of Materials + (SBOM) that leverages Neo4J graph database capabilities. 
The tool parses CycloneDX + SBOM files and creates a graph representation of projects, their dependencies, + and associated vulnerabilities. + + + Key Features: + + - Ingests CycloneDX SBOM files via REST API or command line + + - Visualizes dependencies and vulnerability relationships in Neo4J + + - Supports project-level organization of multiple SBOMs + + - Provides graph queries for dependency and vulnerability analysis + + - Deployable via Docker Compose or standalone installation + + + The tool creates three types of nodes (Project, Dependency, Vulnerability) and + two relationships (Uses, Vulnerable_to) to represent the SBOM structure. The Neo4J + browser interface enables interactive exploration and analysis of the dependency + graph. + -- Name: Kubernetes-BOM - Link: https://github.com/kubernetes-sigs/bom - Publisher: Kubernetes-SIGs - License: OpenSource - Standards: - - SPDX - Abilities: - - Generate + Implementation requires Neo4J database access and configuration of basic authentication + parameters. The tool is particularly useful for organizations needing to visualize + and analyze complex dependency relationships in their software supply chain.' Types: - - Container + - Analyze +- Abilities: + - Merge + - Convert Languages: - - Pkg - -- Name: Bomber - Link: https://github.com/devops-kung-fu/bomber - Publisher: DevOps-Kung-Fu-Mafia - License: OpenSource + - Golang + License: MIT + Link: https://github.com/fnxpt/cyclonedx-merge + Name: CycloneDX-merge + Publisher: fnxpt + Source: AI-Generated Standards: - CycloneDX - - SPDX - Abilities: - - Consume + Summary: 'CycloneDX-merge is a command-line tool designed for merging multiple Software + Bill of Materials (SBOM) files in CycloneDX format (JSON/XML). The tool supports + three merging modes: normal, flat, and smart (planned), each offering different + approaches to handling component relationships and dependencies. 
+ + + Key Features: + + - Merges multiple SBOM files from specified directories or individual files + + - Supports both JSON and XML output formats + + - Configurable parent component attributes (name, version, group, type) + + - Implements distinct merge rules for different SBOM elements (annotations, components, + compositions) + + - Provides multiple merge modes for different dependency relationship handling + strategies + + + The tool uses BomRef identifiers as the primary key for merging components and + handles duplicate entries based on predefined merge rules. It is particularly + useful for consolidating SBOMs from different sources or build processes into + a single, comprehensive SBOM document. + + + Installation is available through Go package manager or as a Docker container, + making it accessible across different platforms and deployment scenarios.' Types: + - Source +- Abilities: + - Edit + - Validate Languages: - -- Name: CycloneDX-Cocoapods - Link: https://github.com/CycloneDX/cyclonedx-cocoapods - Publisher: CycloneDX - License: OpenSource + - Maven + - Npm + - Pypi + License: MIT + Link: https://github.com/fnxpt/cyclonedx-enrich + Name: CycloneDX-enrich + Publisher: fnxpt + Source: AI-Generated Standards: - CycloneDX - Abilities: - - Generate + Summary: 'CycloneDX-Enrich is a tool designed to enhance Software Bill of Materials + (SBOM) files in CycloneDX format. The tool addresses the common limitation where + SBOM generators cannot capture all component information by implementing various + enrichment mechanisms. 
+ + + Key Features: + + - Enhances existing SBOM files with additional component information + + - Supports enrichment of licenses, hashes, properties, and references + + - Provides multiple enricher types including database-based and regexp-based + + - Integrates with package manager repositories (Maven, NPM, PyPI, Cocoapods) + + - Offers both CLI and server deployment options + + - Includes validation capabilities for SBOM files + + + The tool maintains a separate data repository for enrichment information and can + be operated through command-line interface or as a server service. It supports + importing custom SBOM data into its database and provides Docker deployment options.' Types: - - Source + - Analyze +- Abilities: + - Generate + - Convert Languages: - - Objective-C - - Swift - -- Name: Voltone_SBOM - Link: https://github.com/voltone/sbom - Publisher: Voltone - License: OpenSource + - Cargo + License: MIT + Link: https://github.com/psastras/sbom-rs + Name: sbom-rs + Publisher: psastras + Source: AI-Generated Standards: + - SPDX - CycloneDX - Abilities: - - Generate + Summary: 'SBOM-rs is a collection of Rust projects focused on Software Bill of Materials + (SBOM) generation and manipulation. The main component, cargo-sbom, is a CLI tool + that generates SBOMs for Cargo projects in both SPDX and CycloneDX formats. The + tool supports direct integration with GitHub Actions and enables vulnerability + scanning through the Open Source Vulnerability Database (OSV). + + + Key Features: + + - SPDX and CycloneDX SBOM generation + + - GitHub Actions integration + + - OSV vulnerability scanning compatibility + + - Serde-based type-safe structures for SPDX and CycloneDX + + - Multiple installation options via cargo, cargo-binstall, or direct download + + + The project includes additional components for serialization and deserialization + of SPDX and CycloneDX data structures, making it suitable for integration into + larger Rust-based security toolchains.' 
Types: - Source + - Build +- Abilities: + - Consume Languages: - - Elixir - -- Name: CycloneDX_GoMod - Link: https://github.com/CycloneDX/cyclonedx-gomod - Publisher: CycloneDX - License: OpenSource + - Pypi + License: Apache-2.0 + Link: https://github.com/anthonyharrison/mlbomdoc + Name: mlbomdoc + Publisher: anthonyharrison + Source: AI-Generated Standards: - CycloneDX - Abilities: - - Generate + Summary: 'MLBOMDoc is a documentation generator specifically designed for Machine + Learning Bill of Materials (ML-BOM) within Software Bill of Materials (SBOM) specifications. + The tool supports CycloneDX format and provides comprehensive documentation of + machine learning model components. + + + Key Features: + + - Generates human-readable documentation from ML-BOM files + + - Supports CycloneDX JSON format + + - Multiple output formats including console, JSON, Markdown, and PDF + + - Detailed reporting of model parameters, datasets, performance metrics, and ethical + considerations + + - Documentation includes model architecture, training data, governance, and technical + limitations + + + The tool is implemented in Python (3.8+) and can be installed via pip. MLBOMDoc + processes SBOM files according to standardized filename conventions and provides + flexibility in output destinations. It is particularly useful for organizations + needing to document and track machine learning components within their software + supply chain. 
+ + + License: Apache 2.0' Types: - - Source + - Build +- Abilities: + - Consume Languages: - - Go - -- Name: CycloneDX-go - Link: https://github.com/CycloneDX/cyclonedx-go + - Pypi + License: Apache-2.0 + Link: https://github.com/anthonyharrison/sbomtrend + Name: sbomtrend + Publisher: anthonyharrison + Source: AI-Generated Standards: + - SPDX - CycloneDX - License: OpenSource - Publisher: CycloneDX - Abilities: - - Generate - - Edit + Summary: 'SBOMTrend is an analysis tool for Software Bill of Materials (SBOM) that + processes collections of SBOM files in SPDX and CycloneDX formats. The tool tracks + and reports version changes and license information across components over time. + + + Key Features: + + - Analyzes multiple SBOM files within a directory + + - Supports both SPDX and CycloneDX formats + + - Tracks version changes of components + + - Monitors license changes and usage + + - Generates reports in console output or JSON format + + - Provides component-specific or full package analysis + + - Includes date-based tracking of changes + + - Offers filtering capabilities for specific components + + + The tool is implemented in Python (3.8+) and available via pip installation. Output + can be further processed using provided example scripts to generate visual analytics + using Matplotlib. SBOMTrend is licensed under Apache 2.0 and designed to support + software development and security audit functions. + + + Main limitations include dependency on SBOM data quality and completeness, as + the tool cannot validate the source data accuracy independently.' 
Types: - - Source + - Analyze +- Abilities: + - Consume + - Edit Languages: - - Go - -- Name: CycloneDX_Node_Module - Link: https://github.com/CycloneDX/cyclonedx-node-module - Publisher: CycloneDX - License: OpenSource + - Pypi + License: MIT + Link: https://github.com/productaize/bogrod + Name: bogrod + Publisher: productaize + Source: AI-Generated Standards: - CycloneDX - Abilities: - - Generate + Summary: 'Bogrod is a command-line tool designed for managing Software Bill of Materials + (SBOM) and Vulnerability Exploitability eXchange (VEX) analysis using established + git practices. The tool enables DevOps teams to handle SBOM management directly + within their code repositories rather than through external UI tools. + + + Key SBOM Features: + + - Creates and updates CycloneDX format SBOMs + + - Updates SBOM metadata from common sources + + - Integrates with Syft and Grype for SBOM generation and vulnerability scanning + + - Supports component metadata management and transformation + + - Enables SBOM difference analysis + + - Facilitates SBOM handling in CI/CD pipelines + + + The tool distinguishes itself through its git-centric approach, allowing teams + to track SBOM and VEX analysis changes using version control. It supports interactive + vulnerability analysis, template-based VEX analysis, and multi-image SBOM management. + Bogrod can be integrated with vulnerability management platforms and provides + both command-line and interactive interfaces for SBOM operations.' 
Types: + - Design - Source + - Build +- Abilities: + - Generate Languages: - Npm - -- Name: CycloneDX-dotnet - Link: https://github.com/CycloneDX/cyclonedx-dotnet - Publisher: CycloneDX - License: OpenSource + License: MIT + Link: https://github.com/janbiasi/rollup-plugin-sbom + Name: rollup-plugin-sbom + Publisher: janbiasi + Source: AI-Generated Standards: - CycloneDX - Abilities: - - Generate + Summary: 'Rollup Plugin SBOM is a tool designed to generate Software Bill of Materials + (SBOM) in CycloneDX format for Vite and Rollup projects. The plugin creates SBOMs + specifically for production dependencies, ensuring accurate representation of + shipped software components. + + + Key Features: + + - Supports CycloneDX specification versions 1.5 and 1.6 + + - Compatible with Vite (v4-v6) and Rollup (v3-v4) + + - Generates SBOMs in both JSON and XML formats + + - Configurable output directory and file naming + + - Automatic root package detection + + - Optional well-known directory generation + + - Customizable supplier information + + - Support for both library and application component types + + + The plugin operates as a build tool integration, requiring Node.js versions 18, + 20, or 22. It provides a streamlined approach to SBOM generation as part of the + build process, making it suitable for automated software supply chain documentation.' Types: - - Source + - Build +- Abilities: + - Generate Languages: - - Dotnet + - Pypi + License: MIT + Link: https://github.com/LLNL/Surfactant + Name: Surfactant + Publisher: LLNL + Source: AI-Generated + Standards: [] + Summary: 'Surfactant is a modular framework for SBOM generation and dependency analysis. + The tool extracts surface-level metadata from recognized file types such as PE, + ELF, and MSI files within a directory structure of extracted software packages. 
+ Key features include: -- Name: CycloneDX-dotnet-lib - Link: https://github.com/CycloneDX/cyclonedx-dotnet-library - Standards: - - CycloneDX - - SPDX - License: OpenSource - Publisher: CycloneDX - Abilities: - - Compare - - Convert - - Edit + + - Automated metadata extraction without requiring file execution or decompilation + + - Support for multiple file formats including PE, ELF, MSI and optional Mach-O + support + + - Configurable SBOM generation with customizable paths and file inclusion rules + + - Relationship mapping between software components (Uses/Contains) + + - Plugin system for extending functionality + + - SBOM merging capabilities to combine multiple SBOM files + + - Flexible output formats through plugin system + + - Command line interface for configuration and execution + + + The tool generates SBOMs containing software entries with metadata like file size, + vendor, version information and establishes relationships between components. + It can process individual files, directories or multiple related software packages + while maintaining proper dependency relationships in the generated SBOM. + + + The framework is designed to be extensible through plugins and supports different + output formats. It runs on Python 3.8+ and is available via PyPI or source installation.' + Types: + - Analyze +- Abilities: + - Consume - Validate Languages: - - Dotnet - -- Name: CycloneDX-NPM - Link: https://github.com/CycloneDX/cyclonedx-node-npm - Publisher: CycloneDX - License: OpenSource + - Generic + License: Apache-2.0 + Link: https://github.com/chainloop-dev/chainloop + Name: chainloop + Publisher: chainloop-dev + Source: AI-Generated Standards: + - SPDX - CycloneDX - Abilities: - - Generate + Summary: 'Chainloop is an open-source evidence store for Software Supply Chain attestations + that supports multiple SBOM formats and security reporting standards. 
The tool + enables the storage and management of CycloneDX and SPDX Software Bill of Materials + (SBOMs) alongside other supply chain artifacts like VEX reports and security scans. + + + Key SBOM-related features: + + - Support for CycloneDX and SPDX SBOM formats + + - Integration with Dependency-Track and Guac for SBOM analysis + + - Policy-based validation using Rego rules + + - Secure storage in OCI registries or cloud blob storage + + - SLSA level 3 compliant attestation process + + - Contract-based workflow definition for standardized SBOM requirements + + + The tool implements a role-based approach where security teams define SBOM requirements + through workflow contracts while development teams follow simplified procedures + for SBOM generation and submission. Chainloop stores all artifacts with their + attestations in a centralized repository, enabling comprehensive supply chain + transparency and compliance monitoring.' Types: - Source + - Build +- Abilities: + - Edit + - Convert + - Consume Languages: - - Npm - -- Name: CycloneDX-Yarn - Link: https://github.com/CycloneDX/cyclonedx-node-yarn + - Deb + License: Apache-2.0 + Link: https://github.com/mtsfoni/cdx-enrich + Name: cdx-enrich + Publisher: mtsfoni + Source: AI-Generated Standards: - CycloneDX - License: OpenSource - Publisher: CycloneDX - Abilities: - - Generate + Summary: 'cdx-enrich is a .NET-based command-line tool for enriching CycloneDX Software + Bill of Materials (SBOM) files. The tool enables post-processing of SBOMs through + configurable transformations defined in YAML configuration files. Its primary + function is to enhance SBOM data that might be incomplete or incorrect from the + original generation process. 
+ + + Key Features: + + - Supports both XML and JSON CycloneDX formats + + - Configurable license information updates based on URL matching or component + references + + - Multiple configuration files can be applied sequentially + + - Designed for integration into automated build pipelines + + - Functions as an intermediary step between SBOM generation and deployment + + + The tool specifically addresses the common need to modify license information + in SBOMs, providing capabilities to replace license data based on URL patterns + or specific component references. It operates as a .NET global tool and requires + .NET 8 runtime.' Types: - - Source + - Build +- Abilities: + - Convert Languages: - - Yarn + - Alpm + - Apk + - Autotools + - Cargo + - Composer + - Gem + - Golang - Npm - -- Name: CycloneDX-javascript-lib - Link: https://github.com/CycloneDX/cyclonedx-javascript-library + - Nuget + - Osgi + - Pkg + - Pypi + - Yarn + License: GPL-2.0 + Link: https://github.com/kdeldycke/meta-package-manager + Name: meta-package-manager + Publisher: kdeldycke + Source: AI-Generated Standards: + - SPDX - CycloneDX - Publisher: CycloneDX - License: OpenSource - Abilities: - - Edit - - Validate + Summary: 'Meta Package Manager (mpm) is a unified command-line interface that provides + SBOM (Software Bill of Materials) generation capabilities across multiple package + managers. The tool can export installed packages to industry-standard SBOM formats + including SPDX and CycloneDX. 
+ + + Key SBOM features: + + - Generates SBOMs from packages installed via 35+ supported package managers + + - Supports export to SPDX and CycloneDX formats + + - Works across Linux, macOS and Windows platforms + + - Provides both installed package inventory and dependency information + + - Handles package URLs (purls) for unique component identification + + + The tool acts as a wrapper around native package managers, aggregating package + data into standardized SBOM outputs suitable for software supply chain security + and compliance use cases. It can be installed via common package managers like + Homebrew, Scoop and pip, or used as standalone executables.' + Types: + - Deployment +- Abilities: + - Consume Languages: - - Npm + - Generic + License: BSD-3-Clause + Link: https://github.com/netskopeoss/BOMSkope + Name: BOMSkope + Publisher: netskopeoss + Source: AI-Generated + Standards: + - CycloneDX + Summary: 'BOMSkope is a Software Bill of Materials (SBOM) management tool designed + to track and analyze software components from vendors. The tool integrates with + CycloneDX for SBOM processing and provides vulnerability tracking capabilities. + Key features include: + + + - SBOM component tracking and management + + - Vendor software component vulnerability discovery + + - Integration with NIST NVD for vulnerability data + + - Bitsight VRM (ThirdPartyTrust) integration for vendor SBOM collection + + - OpenID Connect (OIDC) authentication support + + - Web-based interface for SBOM management + + - SQLAlchemy database backend support + -- Name: CycloneDX-Maven - Link: https://github.com/CycloneDX/cyclonedx-maven-plugin - Publisher: CycloneDX - License: OpenSource - Standards: - - CycloneDX - Abilities: - - Generate + The tool can be deployed using Docker or run locally, requiring minimal setup + configuration. BOMSkope is licensed under BSD 3-Clause and supports both x64 and + ARM architectures.' 
Types: - - Source + - Analyze +- Abilities: + - Generate Languages: - - Maven - -- Name: CycloneDX-Gradle - Link: https://github.com/CycloneDX/cyclonedx-gradle-plugin - Publisher: CycloneDX - License: OpenSource + - Gem + - Pypi + License: Apache-2.0 + Link: https://github.com/IBM/sonar-cryptography + Name: sonar-cryptography + Publisher: IBM + Source: AI-Generated Standards: - CycloneDX - Abilities: - - Generate + Summary: 'CBOMkit-hyperion (Sonar Cryptography Plugin) is a SonarQube plugin designed + for detecting cryptographic assets in source code and generating Cryptography + Bill of Materials (CBOM) in CycloneDX format. The tool is part of the CBOMKit + toolset and supports SonarQube versions 9.9 LTS and above. + + + Key Features: + + - Detects cryptographic implementations in Java (JCA and BouncyCastle light-weight + API) and Python (pyca/cryptography) + + - Generates CBOM output in JSON format + + - Integrates with SonarQube''s quality profiles and rules system + + - Provides visualization capabilities through IBM''s CBOM Viewer service + + - Supports extensibility for additional programming languages and cryptographic + libraries + + + The tool operates as a SonarQube plugin, requiring activation of cryptography-related + rules to generate CBOM during source code analysis. The generated CBOM provides + insights into cryptographic assets and their post-quantum safety compliance.' Types: - Source +- Abilities: + - Consume Languages: - - Maven - - Jar - -- Name: CycloneDX-PHP-Composer - Link: https://github.com/CycloneDX/cyclonedx-php-composer - Publisher: CycloneDX - License: OpenSource + - Generic + License: Apache-2.0 + Link: https://github.com/guacsec/guac + Name: guac + Publisher: guacsec + Source: AI-Generated Standards: + - SPDX - CycloneDX - Abilities: - - Generate + Summary: 'GUAC (Graph for Understanding Artifact Composition) is a software security + metadata aggregation tool that consolidates data into a high-fidelity graph database. 
+ The tool processes multiple SBOM formats including CycloneDX and SPDX, along with + various security-related metadata formats such as SLSA, OpenSSF Scorecard, and + vulnerability data. + + + Key Features: + + - Normalizes entity identities across different SBOM and security metadata formats + + - Maps relationships between software components and their security attributes + + - Supports multiple backend databases with PostgreSQL and in-memory storage being + the primary supported options + + - Provides a GraphQL API for querying aggregated data + + - Enables security audit, policy enforcement, and risk management capabilities + + + The tool''s ability to process multiple SBOM formats and link them with security + metadata makes it particularly valuable for organizations managing complex software + supply chains. GUAC is an OpenSSF incubating project, maintained under the Supply + Chain Integrity Working Group.' Types: - - Source + - Analyze +- Abilities: + - Consume Languages: - - Composer - -- Name: CycloneDX-PHP-lib - Link: https://github.com/CycloneDX/cyclonedx-php-library + - Generic + - Maven + License: NOASSERTION + Link: https://github.com/eclipse-sw360/sw360 + Name: sw360 + Publisher: eclipse-sw360 + Source: AI-Generated Standards: - - CycloneDX - SPDX - Publisher: CycloneDX - License: OpenSource - Abilities: - - Edit - - Validate + Summary: 'SW360 Portal is a software component catalogue application designed to + manage software components, their metadata, and associated SPDX files for license + compliance. The tool provides SBOM-related functionalities through its backend + services and REST API. 
-- Name: CycloneDX-Python - Link: https://github.com/CycloneDX/cyclonedx-python - Publisher: CycloneDX - License: OpenSource - Standards: - - CycloneDX - Abilities: - - Generate + Key SBOM Features: + + - Management of software components and their metadata + + - SPDX file handling for license condition tracking + + - Project and product dependency management + + - License information maintenance and compliance tracking + + + Technical Implementation: + + - Backend: Tomcat-based Thrift services + + - Database: CouchDB for component storage + + - Frontend: Web portal interface + + - REST API: External integration capabilities + + + The system can be deployed via Docker containers or on bare metal systems, with + Ubuntu server 22.04 LTS as the reference platform. SW360 is released under the + Eclipse Public License 2.0.' Types: - - Source + - Design +- Abilities: + - Compare + - Convert + - Validate Languages: + - Cargo - Pypi - -- Name: CycloneDX-Python-lib - Link: https://github.com/CycloneDX/cyclonedx-python-lib - Publisher: CycloneDX - License: OpenSource + License: Apache-2.0 + Link: https://github.com/spdx/spdx-online-tools + Name: spdx-online-tools + Publisher: spdx + Source: AI-Generated Standards: - - CycloneDX - Abilities: - - Generate - - Consume + - SPDX + Summary: 'SPDX Online Tools is a web-based application for working with Software + Package Data Exchange (SBOM) documents. The tool provides validation, comparison, + and format conversion capabilities for SPDX files. + + + Key SBOM-related features: + + - Upload and parse SPDX documents in multiple formats + + - Validate SPDX documents against the SPDX specification + + - Compare multiple SPDX RDF files + + - Convert between different SPDX formats + + - License text comparison against SPDX license list + + - REST API access to all SBOM functionality + + + The tool is built on Django and leverages the SPDX Java Tools library for document + processing. 
It requires Python 3.7+ and either Oracle JDK/JRE or OpenJDK. The + system can be deployed via Docker or installed locally on Linux, Windows or macOS + systems.' Types: - - Source + - Analyze +- Abilities: + - Convert + - Generate + - Validate Languages: - Pypi - -- Name: CycloneDX-Ruby-Gem - Link: https://github.com/CycloneDX/cyclonedx-ruby-gem - Publisher: CycloneDX - License: OpenSource + License: Apache-2.0 + Link: https://github.com/spdx/tools-python + Name: tools-python + Publisher: spdx + Source: AI-Generated Standards: - - CycloneDX - Abilities: - - Generate - Types: - - Source - Languages: - - Gem + - SPDX + Summary: 'SPDX Tools Python is a comprehensive library for handling Software Package + Data Exchange (SPDX) documents. The tool supports SPDX versions 2.2, 2.3, and + provides experimental support for the upcoming 3.0 specification. -- Name: CycloneDX-Rust-Cargo - Link: https://github.com/CycloneDX/cyclonedx-rust-cargo - Publisher: CycloneDX - License: OpenSource - Standards: - - CycloneDX - Abilities: - - Generate + + Key SBOM-related features: + + - Parse, validate, and create SPDX documents + + - Support multiple formats: Tag/Value, RDF, JSON, YAML, XML + + - Full validation against SPDX v2.2 and v2.3 specifications + + - Document visualization through graph generation + + - Programmatic API for document manipulation + + - Command-line interface for parsing, validation, and format conversion + + - Type-safe implementation with strict validation rules + + + The library uses a dataclass-based model for SPDX documents, ensuring type safety + and validation during document creation and modification. It provides comprehensive + support for license handling through the license-expression library and includes + utilities for checksum calculation and relationship management. + + + The tool is maintained by the SPDX community and is available under the Apache-2.0 + license. It can be installed via pip and requires Python 3.7 or later. 
+ + + Repository: https://github.com/spdx/tools-python + + PyPI Package: https://pypi.python.org/pypi/spdx-tools' Types: - Source +- Abilities: + - Compare + - Convert + - Generate + - Validate Languages: - - Cargo - -- Name: CycloneDX-Webpack-Plugin - Link: https://github.com/CycloneDX/cyclonedx-webpack-plugin - Publisher: CycloneDX - License: OpenSource + - Generic + License: Apache-2.0 + Link: https://github.com/spdx/tools-java + Name: tools-java + Publisher: spdx + Source: AI-Generated Standards: - - CycloneDX - Abilities: - - Generate + - SPDX + Summary: 'SPDX Tools-Java: SBOM Generation and Management Utility + + + SPDX Tools-Java is a comprehensive software utility for creating, converting, + and managing Software Bill of Materials (SBOM) in SPDX format. The tool supports + SPDX specifications versions 2.0 through 3.0.1 and provides functionality for + format conversion, document comparison, verification, and validation. + + + Key Features: + + - Supports multiple SBOM formats including Tag, RDF/XML, XLSX, JSON, XML, YAML, + and JSON-LD + + - Format conversion capabilities between supported formats + + - Document comparison functionality for multiple SBOM files + + - Verification code generation for source files + + - Document validation and verification + + - SPDX document viewing and pretty printing + + + The tool is available as a command-line interface and can be integrated into build + processes. It is distributed under the Apache-2.0 license and is maintained by + the SPDX Workgroup. The utility is accessible through Maven Central and direct + binary downloads from the project''s release page. + + + Online validation and conversion services are available through the SPDX Validation + Tool portal at tools.spdx.org.' 
Types: - Source + - Analyze +- Abilities: + - Generate Languages: - - Npm - -- Name: ORT - Link: https://github.com/oss-review-toolkit/ort - Publisher: OSS-Review-Toolkit - License: OpenSource + - Maven + License: Apache-2.0 + Link: https://github.com/spdx/spdx-gradle-plugin + Name: spdx-gradle-plugin + Publisher: spdx + Source: AI-Generated Standards: - - CycloneDX - SPDX - Abilities: - - Generate - - Consume + Summary: 'SPDX Gradle Plugin - SBOM Generation Tool Summary + + + The SPDX Gradle Plugin is a build automation tool for generating Software Bill + of Materials (SBOM) in SPDX format. The plugin integrates with Gradle build systems + and produces SBOM documentation in JSON format. + + + Key Features: + + - Generates SPDX-compliant SBOMs for Gradle projects + + - Supports multiple configuration targets within a single project + + - Customizable document properties including name, namespace, and creator information + + - SCM (Source Control Management) integration capabilities + + - Configurable package relationship handling + + - Maven dependency analysis with licensing and copyright detection + + + The tool provides flexible configuration options through Gradle''s DSL, allowing + users to specify output locations, document metadata, and dependency configurations. + While primarily focused on Maven dependencies, the plugin offers experimental + features for advanced use cases such as custom repository URI mapping and selective + project inclusion in the SBOM. + + + The SBOM output includes comprehensive dependency information, making it suitable + for software composition analysis and compliance documentation requirements.' 
Types: - Source + - Build +- Abilities: + - Generate Languages: - -- Name: Protobom - Link: https://github.com/bom-squad/protobom - Publisher: BOM-Squad - License: OpenSource + - Maven + License: Apache-2.0 + Link: https://github.com/spdx/spdx-maven-plugin + Name: spdx-maven-plugin + Publisher: spdx + Source: AI-Generated Standards: - - CycloneDX - SPDX - Abilities: - - Convert + Summary: 'SPDX Maven Plugin + + + The SPDX Maven Plugin is a Maven extension that generates Software Package Data + Exchange (SPDX) documents from Maven project artifacts defined in POM files. The + plugin creates standardized SBOM documentation in SPDX format, which is compatible + with the SPDX specification. + + + Key Features: + + - Generates SPDX documents from Maven project metadata + + - Supports all SPDX document and package properties + + - Allows configuration of file-level SPDX information + + - Provides mapping between POM properties and SPDX fields + + - Handles both standard SPDX licenses and custom license declarations + + - Configurable file exclusion patterns + + - Outputs SPDX files in the project''s target directory + + + The plugin integrates seamlessly with Maven build processes and can be configured + through standard Maven plugin configuration mechanisms. It supports automated + SBOM generation as part of the build lifecycle or can be executed independently + using the ''createSPDX'' goal.' Types: + - Build +- Abilities: + - Generate + - Edit Languages: - -- Name: Sbom-workbench + - Npm + License: NOASSERTION Link: https://github.com/scanoss/sbom-workbench - Publisher: SCANOSS - License: OpenSource + Name: sbom-workbench + Publisher: scanoss + Source: AI-Generated Standards: - SPDX - Abilities: - - Generate - - Consume + Summary: 'SBOM Workbench is a graphical user interface tool for source code scanning + and auditing utilizing the SCANOSS API. The tool focuses on license compliance + and SBOM generation with support for SPDX-Lite format. 
Key features include source + code component identification, local cryptography detection, and collaborative + workspace capabilities. + + + The tool provides configuration options for scanner parameters, proxy settings, + and custom cryptography detection rules. Through its BOM rules system, users can + include, remove, or replace components in the bill of materials before and after + scanning. The system supports both full and partial matching rules based on file + paths and Package URLs (PURL). + + + SBOM Workbench offers multi-language support and is built using Electron and React. + The tool is available as open-source software under the GPL-2.0 license and provides + pre-built binaries for multiple platforms through the Software Transparency Foundation.' Types: - Source +- Abilities: + - Convert + - Consume Languages: - -- Name: SPDX-Maven - Link: https://github.com/spdx/spdx-maven-plugin - Publisher: SPDX - License: OpenSource + - Generic + License: Apache-2.0 + Link: https://github.com/bom-squad/protobom + Name: protobom + Publisher: bom-squad + Source: AI-Generated Standards: - SPDX - Abilities: - - Generate + - CycloneDX + Summary: 'Protobom is a protocol buffers-based tool for SBOM data representation + and conversion. It provides a neutral intermediate format capable of processing + both SPDX and CycloneDX documents without data loss. The tool features a Go library + with implementations for reading and writing various SBOM formats. + + + Key Features: + + - Supports multiple SBOM formats (SPDX 2.3, CycloneDX 1.4-1.6) + + - Provides JSON encoding/decoding capabilities + + - Implements format-specific serializers and unserializers + + - Offers programmatic SBOM generation and manipulation + + - Enables lossless conversion between supported formats + + + The tool is particularly useful for SBOM format conversion, data extraction, and + programmatic SBOM generation. 
It is available as an OpenSSF Sandbox project and + can be extended to support additional formats and languages through protocol buffers + implementations.' Types: - - Source + - Build +- Abilities: + - Generate + - Convert + - Consume Languages: - - Maven - -- Name: SPDX-Gradle - Link: https://github.com/spdx/spdx-gradle-plugin - Publisher: SPDX - License: OpenSource + - Clojars + - Generic + License: Apache-2.0 + Link: https://github.com/kubernetes-sigs/bom + Name: bom + Publisher: kubernetes-sigs + Source: AI-Generated Standards: - SPDX - Abilities: - - Generate + Summary: 'bom: A versatile SBOM generation and analysis tool + + + bom is a utility for creating, viewing, and transforming Software Bills of Materials + (SBOMs) in SPDX format. The tool supports multiple input sources including directories, + container images, single files, and archives. Key features include: + + + - SPDX-compliant SBOM generation with support for tag-value and JSON formats + + - Built-in license classifier supporting 400+ SPDX catalog licenses + + - Container image analysis with layer inspection capabilities + + - Golang dependency analysis with go.mod support + + - GitIgnore integration for repository scanning + + - SBOM visualization and query functionality + + - In-toto provenance attestation export + + - Multiple output formats and package relationship tracking + + + Originally developed for the Kubernetes project''s SBOM generation needs, bom + is now incubating under the Linux Foundation''s Automating Compliance Tooling + TAC. The tool provides a comprehensive solution for organizations requiring detailed + software component tracking and license compliance documentation.' 
Types: + - Design - Source + - Container +- Abilities: + - Generate + - Validate Languages: - - Maven - -- Name: SPDX-Java-Tools - Link: https://github.com/spdx/tools-java - Publisher: SPDX - License: OpenSource + - Autotools + - Dotnet + License: MIT + Link: https://github.com/microsoft/sbom-tool + Name: sbom-tool + Publisher: microsoft + Source: AI-Generated Standards: - SPDX - Abilities: - - Consume - - Convert - - Merge - Types: - Languages: + Summary: 'Microsoft SBOM Tool is an enterprise-grade solution for generating Software + Bill of Materials (SBOM) in SPDX 2.2 format. The tool leverages Component Detection + libraries and the ClearlyDefined API to identify components and populate license + information. -- Name: SPDX-Python-Tools - Link: https://github.com/spdx/tools-python - Publisher: SPDX - License: OpenSource - Standards: - - SPDX - Abilities: - - Consume - - Convert - - Compare - Types: - Languages: -- Name: SPDX-Online-Tools - Link: https://github.com/spdx/spdx-online-tools - Publisher: SPDX - License: OpenSource - Standards: - - SPDX - Abilities: - - Consume - - Convert - - Compare - - Validate - Types: - Languages: + Key Features: -- Name: SW360 - Link: https://github.com/eclipse-sw360/sw360 - Publisher: Eclipse-SW360 - License: OpenSource - Standards: - - SPDX - Abilities: - - Consume - - Merge - Types: - Languages: + - Generates SPDX 2.2 compatible SBOMs -- Name: Sbom4files - Link: https://github.com/anthonyharrison/sbom4files - Publisher: Anthony-Harrison - License: OpenSource - Standards: - - CycloneDX - - SPDX - Abilities: - - Generate + - Supports multiple platforms (Windows, Linux, macOS) + + - Available as standalone executable, Docker image, and .NET tool + + - Validates generated SBOM files + + - Includes redaction capabilities for file references + + - Integrates with CI/CD pipelines (GitHub Actions, Azure DevOps) + + - Component detection for various package ecosystems + + - Scalable for enterprise environments + + + The tool provides 
comprehensive CLI arguments for customization and can be deployed + through package managers like WinGet and Homebrew. It includes built-in telemetry + features and outputs results in JSON format.' Types: - Source + - Build +- Abilities: + - Consume Languages: - Generic - -- Name: Sbom4python - Link: https://github.com/anthonyharrison/sbom4python - Publisher: Anthony-Harrison - License: OpenSource + License: No License + Link: https://github.com/jenkinsci/nexus-platform-plugin + Name: nexus-platform-plugin + Publisher: jenkinsci + Source: AI-Generated Standards: - - CycloneDX - SPDX - Abilities: - - Generate + Summary: 'Sonatype Nexus Platform Plugin for Jenkins + + + The Nexus Platform Plugin integrates Sonatype''s software supply chain management + capabilities into Jenkins CI/CD pipelines. While primarily known for its artifact + management and security scanning features, the plugin supports Software Bill of + Materials (SBOM) generation as part of the build process. It can create detailed + component inventories that document dependencies, versions, and licensing information + of software components used in builds. + + + Key SBOM Features: + + - Generates CycloneDX format SBOMs + + - Provides component vulnerability data + + - Integrates with Nexus Repository Manager + + - Supports policy evaluation of SBOMs + + + Note: This plugin is no longer distributed through the Jenkins project. Installation + and usage instructions are available through Sonatype''s documentation.' 
Types: - - Source + - Build +- Abilities: + - Convert + - Merge + - Generate + - Validate Languages: + - Bazel + - Deb + - Elixir + - Maven + - Npm + - Nuget - Pypi - -- Name: Sbom4rust - Link: https://github.com/anthonyharrison/sbom4rust - Publisher: Anthony-Harrison - License: OpenSource + License: NOASSERTION + Link: https://github.com/sw360/capycli + Name: capycli + Publisher: sw360 + Source: AI-Generated Standards: - CycloneDX - - SPDX - Abilities: - - Generate + Summary: 'CaPyCli (Clearing Automation Python Command Line Tool) is a Python-based + utility designed to automate license clearing processes using SW360. The tool + provides comprehensive SBOM (Software Bill of Materials) capabilities, including: + + + Key SBOM Features: + + - Generation of SBOM from various project types (NuGet, Python, JavaScript, Maven) + + - Conversion between different SBOM formats + + - Mapping of SBOM data to SW360 components + + - Creation and update of components and releases in SW360 + + - Source code download for SBOM items + + - Component granularity analysis + + - SBOM comparison and merging capabilities + + + The tool uses a custom JSON-based SBOM format compatible with CycloneDX, focusing + on essential information for SW360 integration. It supports automated dependency + detection and metadata enrichment, making it particularly suitable for projects + with numerous third-party components. + + + Requirements: + + - Python 3.8 or higher + + - SW360 instance with API access + + - Valid SW360 access token + + + The tool is available via PyPI and is released under the MIT license.' 
Types: - Source + - Build +- Abilities: + - Generate Languages: - - Cargo - -- Name: CycloneDX-Editor-Validator-Tool - Link: https://github.com/Festo-se/cyclonedx-editor-validator - Publisher: Festo - License: OpenSource + - Npm + License: MIT + Link: https://github.com/shiftleftcyber/cyclonedx-npm-pipe + Name: cyclonedx-npm-pipe + Publisher: shiftleftcyber + Source: AI-Generated Standards: - CycloneDX - Abilities: - - Edit - - Merge - - Validate + Summary: 'ShiftSBOM-Node is a Bitbucket Pipe designed for generating CycloneDX-compliant + Software Bill of Materials (SBOM) for Node.js/npm projects. The tool operates + client-side without requiring external subscriptions, server access, or API keys. + + + Key Features: + + - Generates SBOMs in both JSON and XML formats + + - Supports CycloneDX specification versions 1.2 through 1.6 + + - Configurable component flattening and PackageURL formatting + + - Selective dependency inclusion with options to omit dev, optional, or peer dependencies + + - Customizable output directory and main component type specification + + - Package-lock.json only mode for dependency analysis + + + The tool integrates with Bitbucket Pipelines and utilizes the cyclonedx-npm library + for SBOM generation. It requires pre-installed npm dependencies and supports caching + for improved pipeline performance. ShiftSBOM-Node is maintained in both Bitbucket + and GitHub repositories, ensuring broad accessibility and community contribution + options.' 
Types: + - Source + - Build +- Abilities: + - Consume Languages: - -- Name: GUAC - Link: https://github.com/guacsec/guac - Publisher: GUAC (OpenSSF) - License: OpenSource + - Conan + License: MIT + Link: https://github.com/shiftleftcyber/sbom-utilities-pipe + Name: sbom-utilities-pipe + Publisher: shiftleftcyber + Source: AI-Generated Standards: - - CycloneDX - SPDX - Abilities: - - Consume - - Compare + - CycloneDX + Summary: 'ShiftSBOM-Utils is a Bitbucket Pipe that provides a comprehensive suite + of tools for analyzing Software Bill of Materials (SBOM) in CycloneDX or SPDX + formats. The tool operates entirely client-side without requiring external subscriptions + or API keys. + + + Key Features: + + - Vulnerability scanning through multiple engines including bomber, osv-scanner, + and grype + + - SBOM quality assessment using sbomqs + + - Integration with OWASP Dependency Track for advanced analysis + + - Support for multiple output formats (JSON, HTML, detailed reports) + + - Configurable scanning parameters and ignore lists + + - Pipeline-ready implementation for CI/CD workflows + + + The tool serves as a centralized solution for SBOM analysis, combining multiple + open-source security and quality assessment tools in a single pipeline step. It + supports automated assessment workflows and can be easily integrated into existing + Bitbucket CI/CD pipelines. + + + Technical Requirements: + + - Bitbucket Pipelines environment + + - Valid SBOM in CycloneDX or SPDX format + + - Docker container support + + + The tool is actively maintained and regularly updated with new analysis capabilities + and vulnerability scanning engines.' 
Types: - - Source - - Build - Analyze +- Abilities: + - Generate + - Convert Languages: - - Generic - -- Name: CycloneDX-CLI - Link: https://github.com/CycloneDX/cyclonedx-cli - Publisher: CycloneDX - License: OpenSource + - Hackage + - Maven + - Npm + License: MIT + Link: https://github.com/shiftleftcyber/syft-bitbucket-pipe + Name: syft-bitbucket-pipe + Publisher: shiftleftcyber + Source: AI-Generated Standards: - - CycloneDX - SPDX - Abilities: + - CycloneDX + Summary: 'ShiftSBOMGen is a Bitbucket Pipe designed for Software Bill of Materials + (SBOM) generation, operating as a client-side solution without requiring external + subscriptions, server access, or API keys. The tool leverages Syft technology + to create SBOMs in both CycloneDX and SPDX formats. + + + Key Features: + + - Supports multiple SBOM standards (CycloneDX, SPDX) + + - Compatible with various ecosystems and container types + + - Generates JSON-formatted output + + - Integrates seamlessly with Bitbucket pipelines + + - Supports scanning of local repositories, JAR files, and Docker image archives + + - Enables artifact preservation for downstream processing + + + The tool is implemented as a Docker container and can be easily incorporated into + existing Bitbucket pipelines through simple YAML configuration. Output files can + be automatically archived as pipeline artifacts for further processing or documentation + purposes. 
+ + + For detailed information: https://bitbucket.org/ccideas1/syft-pipe/src/main/' + Types: + - Build + - Container +- Abilities: + - Generate - Consume - - Compare - - Convert - - Edit - - Merge - Validate - - Sign - Types: Languages: + - Hackage + - Pypi + License: Apache-2.0 + Link: https://github.com/IBM/cbomkit + Name: cbomkit + Publisher: IBM + Source: AI-Generated + Standards: [] + Summary: 'CBOMkit - Cryptography Bill of Materials Toolkit -- Name: distro2SBOM - Link: https://github.com/anthonyharrison/distro2sbom - Publisher: Anthony Harrison - License: OpenSource - Standards: - - CycloneDX - - SPDX - Abilities: - - Generate + + CBOMkit is a comprehensive toolset for managing Cryptography Bill of Materials + (CBOM), designed to handle the identification, documentation, and compliance verification + of cryptographic components in software projects. The toolkit consists of several + key components: + + + Core Features: + + - CBOM Generation through source code scanning of git repositories + + - Interactive CBOM visualization and statistical analysis + + - Compliance verification against specified security policies + + - CBOM storage and REST API access + + + Technical Capabilities: + + - Supports Java (JCA, BouncyCastle) and Python (pyca/cryptography) cryptographic + libraries + + - Provides deployment options via Docker, Podman, or Kubernetes + + - Implements WebSocket integration for real-time scan progress monitoring + + - Includes configurable compliance checking mechanisms with quantum-safe verification + + + The toolkit is particularly useful for organizations requiring cryptographic asset + management and compliance verification in their software development lifecycle. + Its modular architecture allows for extensibility and integration with external + compliance services. 
+ + + License: Apache License 2.0' Types: - - Analyze + - Source +- Abilities: + - Generate Languages: - -- Name: lib4sbom - Link: https://github.com/anthonyharrison/lib4sbom - Publisher: Anthony Harrison - License: OpenSource + - Generic + - Clojars + License: Apache-2.0 + Link: https://github.com/IBM/cbomkit-theia + Name: cbomkit-theia + Publisher: IBM + Source: AI-Generated Standards: - CycloneDX - - SPDX - Abilities: - - Convert - - Edit - Types: - Languages: + Summary: 'CBOMkit-theia is a specialized tool for detecting and analyzing cryptographic + assets in container images and directories. The tool generates Cryptographic Bill + of Materials (CBOM) in CycloneDX v1.6 format. It operates as part of the CBOMkit + ecosystem and integrates with the Sonar Cryptography Plugin. -- Name: FOSSLight - Link: https://github.com/fosslight/fosslight - Publisher: FOSSLight - License: OpenSource - Standards: - - SPDX - Abilities: - - Generate + + Key Features: + + - Detection of certificates, keys, and secrets in images/directories + + - Verification of cryptographic assets'' executability in CBOMs + + - Support for multiple image sources including local directories, Docker images, + OCI registries + + - Plugins for certificate detection, Java security configuration analysis, and + secret detection + + - Server mode capability for API-based operation + + - Command-line interface for direct interaction + + + The tool supports various container formats and can analyze local directories, + Docker images, and OCI-compliant containers. Output is provided in CycloneDX v1.6 + format, making it compatible with standard SBOM toolchains. Implementation requires + Go 1.23 or higher and Docker daemon for specific functionalities.' 
Types: - Analyze + - Container +- Abilities: + - Consume Languages: - -- Name: CycloneDX-core-java - Link: https://github.com/CycloneDX/cyclonedx-core-java + - Pypi + License: Apache-2.0 + Link: https://github.com/CycloneDX/Sunshine/ + Name: Sunshine Publisher: CycloneDX - License: OpenSource + Source: AI-Generated Standards: - CycloneDX - Abilities: - - Compare - - Edit - - Validate - - Sign - Languages: - - Java - - Jar - - Maven + Summary: 'Sunshine is a visualization tool for CycloneDX Software Bill of Materials + (SBOM) files. The tool processes CycloneDX JSON format and generates an interactive + HTML report containing graphical charts and tabular representations of components, + dependencies, vulnerabilities, and licenses. + + + Key Features: + + - Browser-based processing without data transmission + + - Standalone CLI operation + + - Visual dependency mapping + + - Component relationship visualization + + - Vulnerability and license tracking + + - Interactive HTML output + + + The tool can be deployed as a web application through GitHub Pages or local hosting, + or utilized as a command-line interface tool. The generated reports provide comprehensive + visibility into software composition and supply chain relationships documented + in CycloneDX SBOMs. + + + Developed by the CycloneDX community, Sunshine serves as an analytical tool for + SBOM data interpretation and supply chain transparency.' + Types: + - Analyze diff --git a/SBOM-Catalog/public/logos/BOMSkope.png b/SBOM-Catalog/public/logos/BOMSkope.png new file mode 100644 index 0000000..6f1f184 Binary files /dev/null and b/SBOM-Catalog/public/logos/BOMSkope.png differ diff --git a/SBOM-Catalog/public/logos/CERTCC.png b/SBOM-Catalog/public/logos/CERTCC.png new file mode 100644 index 0000000..0067edc Binary files /dev/null and b/SBOM-Catalog/public/logos/CERTCC.png differ 
diff --git a/SBOM-Catalog/public/logos/CycloneDX-Gradle.png b/SBOM-Catalog/public/logos/CycloneDX-dotnet-library.png similarity index 100% rename from SBOM-Catalog/public/logos/CycloneDX-Gradle.png rename to SBOM-Catalog/public/logos/CycloneDX-dotnet-library.png diff --git a/SBOM-Catalog/public/logos/CycloneDX-Maven.png b/SBOM-Catalog/public/logos/CycloneDX-gomod.png similarity index 100% rename from SBOM-Catalog/public/logos/CycloneDX-Maven.png rename to SBOM-Catalog/public/logos/CycloneDX-gomod.png diff --git a/SBOM-Catalog/public/logos/DefectDojo.png b/SBOM-Catalog/public/logos/DefectDojo.png new file mode 100644 index 0000000..6db2242 Binary files /dev/null and b/SBOM-Catalog/public/logos/DefectDojo.png differ diff --git a/SBOM-Catalog/public/logos/DependencyTrack.png b/SBOM-Catalog/public/logos/DependencyTrack.png new file mode 100644 index 0000000..3885d3c Binary files /dev/null and b/SBOM-Catalog/public/logos/DependencyTrack.png differ diff --git a/SBOM-Catalog/public/logos/Festo-se.png b/SBOM-Catalog/public/logos/Festo-se.png new file mode 100644 index 0000000..257e3f5 Binary files /dev/null and b/SBOM-Catalog/public/logos/Festo-se.png differ diff --git a/SBOM-Catalog/public/logos/IBM.png b/SBOM-Catalog/public/logos/IBM.png new file mode 100644 index 0000000..50d2e47 Binary files /dev/null and b/SBOM-Catalog/public/logos/IBM.png differ diff --git a/SBOM-Catalog/public/logos/LLNL.png b/SBOM-Catalog/public/logos/LLNL.png new file mode 100644 index 0000000..31f79df Binary files /dev/null and b/SBOM-Catalog/public/logos/LLNL.png differ diff --git a/SBOM-Catalog/public/logos/MaibornWolff.png b/SBOM-Catalog/public/logos/MaibornWolff.png new file mode 100644 index 0000000..65c9097 Binary files /dev/null and b/SBOM-Catalog/public/logos/MaibornWolff.png differ 
diff --git a/SBOM-Catalog/public/logos/RetireJS.png b/SBOM-Catalog/public/logos/RetireJS.png new file mode 100644 index 0000000..0ec1592 Binary files /dev/null and b/SBOM-Catalog/public/logos/RetireJS.png differ diff --git a/SBOM-Catalog/public/logos/SBOM.png b/SBOM-Catalog/public/logos/SBOM.png new file mode 100644 index 0000000..0067edc Binary files /dev/null and b/SBOM-Catalog/public/logos/SBOM.png differ diff --git a/SBOM-Catalog/public/logos/Scancode.png b/SBOM-Catalog/public/logos/Scancode-Toolkit.png similarity index 100% rename from SBOM-Catalog/public/logos/Scancode.png rename to SBOM-Catalog/public/logos/Scancode-Toolkit.png diff --git a/SBOM-Catalog/public/logos/SecObserve.png b/SBOM-Catalog/public/logos/SecObserve.png new file mode 100644 index 0000000..65c9097 Binary files /dev/null and b/SBOM-Catalog/public/logos/SecObserve.png differ diff --git a/SBOM-Catalog/public/logos/ShiftLeftSecurity.png b/SBOM-Catalog/public/logos/ShiftLeftSecurity.png new file mode 100644 index 0000000..831670f Binary files /dev/null and b/SBOM-Catalog/public/logos/ShiftLeftSecurity.png differ diff --git a/SBOM-Catalog/public/logos/CycloneDX-PHP-Composer.png b/SBOM-Catalog/public/logos/Sunshine.png similarity index 100% rename from SBOM-Catalog/public/logos/CycloneDX-PHP-Composer.png rename to SBOM-Catalog/public/logos/Sunshine.png diff --git a/SBOM-Catalog/public/logos/Surfactant.png b/SBOM-Catalog/public/logos/Surfactant.png new file mode 100644 index 0000000..31f79df Binary files /dev/null and b/SBOM-Catalog/public/logos/Surfactant.png differ diff --git a/SBOM-Catalog/public/logos/anchore.png b/SBOM-Catalog/public/logos/anchore.png new file mode 100644 index 0000000..ac58880 Binary files /dev/null and b/SBOM-Catalog/public/logos/anchore.png differ diff --git a/SBOM-Catalog/public/logos/antenna.png b/SBOM-Catalog/public/logos/antenna.png new file mode 100644 index 0000000..3df734a Binary files /dev/null and b/SBOM-Catalog/public/logos/antenna.png differ 
diff --git a/SBOM-Catalog/public/logos/asdf-cyclonedx.png b/SBOM-Catalog/public/logos/asdf-cyclonedx.png new file mode 100644 index 0000000..e79d236 Binary files /dev/null and b/SBOM-Catalog/public/logos/asdf-cyclonedx.png differ diff --git a/SBOM-Catalog/public/logos/auditjs.png b/SBOM-Catalog/public/logos/auditjs.png new file mode 100644 index 0000000..aed5509 Binary files /dev/null and b/SBOM-Catalog/public/logos/auditjs.png differ diff --git a/SBOM-Catalog/public/logos/bogrod.png b/SBOM-Catalog/public/logos/bogrod.png new file mode 100644 index 0000000..04c6566 Binary files /dev/null and b/SBOM-Catalog/public/logos/bogrod.png differ diff --git a/SBOM-Catalog/public/logos/bom-squad.png b/SBOM-Catalog/public/logos/bom-squad.png new file mode 100644 index 0000000..ea2422e Binary files /dev/null and b/SBOM-Catalog/public/logos/bom-squad.png differ diff --git a/SBOM-Catalog/public/logos/bom.png b/SBOM-Catalog/public/logos/bom.png new file mode 100644 index 0000000..c915cb8 Binary files /dev/null and b/SBOM-Catalog/public/logos/bom.png differ diff --git a/SBOM-Catalog/public/logos/capycli.png b/SBOM-Catalog/public/logos/capycli.png new file mode 100644 index 0000000..6b5b050 Binary files /dev/null and b/SBOM-Catalog/public/logos/capycli.png differ diff --git a/SBOM-Catalog/public/logos/cas-authenticate-docker-bom-github-action.png b/SBOM-Catalog/public/logos/cas-authenticate-docker-bom-github-action.png new file mode 100644 index 0000000..9e2c595 Binary files /dev/null and b/SBOM-Catalog/public/logos/cas-authenticate-docker-bom-github-action.png differ diff --git a/SBOM-Catalog/public/logos/cas-notarize-docker-image-bom-github-action.png b/SBOM-Catalog/public/logos/cas-notarize-docker-image-bom-github-action.png new file mode 100644 index 0000000..9e2c595 Binary files /dev/null and b/SBOM-Catalog/public/logos/cas-notarize-docker-image-bom-github-action.png differ 
diff --git a/SBOM-Catalog/public/logos/cas.png b/SBOM-Catalog/public/logos/cas.png new file mode 100644 index 0000000..9e2c595 Binary files /dev/null and b/SBOM-Catalog/public/logos/cas.png differ diff --git a/SBOM-Catalog/public/logos/cbomkit-theia.png b/SBOM-Catalog/public/logos/cbomkit-theia.png new file mode 100644 index 0000000..50d2e47 Binary files /dev/null and b/SBOM-Catalog/public/logos/cbomkit-theia.png differ diff --git a/SBOM-Catalog/public/logos/cbomkit.png b/SBOM-Catalog/public/logos/cbomkit.png new file mode 100644 index 0000000..50d2e47 Binary files /dev/null and b/SBOM-Catalog/public/logos/cbomkit.png differ diff --git a/SBOM-Catalog/public/logos/cdx-central.png b/SBOM-Catalog/public/logos/cdx-central.png new file mode 100644 index 0000000..cd9a76e Binary files /dev/null and b/SBOM-Catalog/public/logos/cdx-central.png differ diff --git a/SBOM-Catalog/public/logos/cdxgen.png b/SBOM-Catalog/public/logos/cdxgen.png new file mode 100644 index 0000000..a9f54fa Binary files /dev/null and b/SBOM-Catalog/public/logos/cdxgen.png differ diff --git a/SBOM-Catalog/public/logos/chainloop-dev.png b/SBOM-Catalog/public/logos/chainloop-dev.png new file mode 100644 index 0000000..3238ce5 Binary files /dev/null and b/SBOM-Catalog/public/logos/chainloop-dev.png differ diff --git a/SBOM-Catalog/public/logos/chainloop.png b/SBOM-Catalog/public/logos/chainloop.png new file mode 100644 index 0000000..3238ce5 Binary files /dev/null and b/SBOM-Catalog/public/logos/chainloop.png differ diff --git a/SBOM-Catalog/public/logos/chelsea.png b/SBOM-Catalog/public/logos/chelsea.png new file mode 100644 index 0000000..aed5509 Binary files /dev/null and b/SBOM-Catalog/public/logos/chelsea.png differ diff --git a/SBOM-Catalog/public/logos/codenotary.png b/SBOM-Catalog/public/logos/codenotary.png new file mode 100644 index 0000000..9e2c595 Binary files /dev/null and b/SBOM-Catalog/public/logos/codenotary.png differ 
diff --git a/SBOM-Catalog/public/logos/coinbase.png b/SBOM-Catalog/public/logos/coinbase.png new file mode 100644 index 0000000..658d769 Binary files /dev/null and b/SBOM-Catalog/public/logos/coinbase.png differ diff --git a/SBOM-Catalog/public/logos/continuous-clearing.png b/SBOM-Catalog/public/logos/continuous-clearing.png new file mode 100644 index 0000000..e5854c9 Binary files /dev/null and b/SBOM-Catalog/public/logos/continuous-clearing.png differ diff --git a/SBOM-Catalog/public/logos/cosign.png b/SBOM-Catalog/public/logos/cosign.png new file mode 100644 index 0000000..0615f97 Binary files /dev/null and b/SBOM-Catalog/public/logos/cosign.png differ diff --git a/SBOM-Catalog/public/logos/CycloneDX-PHP-lib.png b/SBOM-Catalog/public/logos/cyclonedx-bom-repo-server.png similarity index 100% rename from SBOM-Catalog/public/logos/CycloneDX-PHP-lib.png rename to SBOM-Catalog/public/logos/cyclonedx-bom-repo-server.png diff --git a/SBOM-Catalog/public/logos/CycloneDX-Python-lib.png b/SBOM-Catalog/public/logos/cyclonedx-buildroot.png similarity index 100% rename from SBOM-Catalog/public/logos/CycloneDX-Python-lib.png rename to SBOM-Catalog/public/logos/cyclonedx-buildroot.png diff --git a/SBOM-Catalog/public/logos/CycloneDX-Python.png b/SBOM-Catalog/public/logos/cyclonedx-cli.png similarity index 100% rename from SBOM-Catalog/public/logos/CycloneDX-Python.png rename to SBOM-Catalog/public/logos/cyclonedx-cli.png diff --git a/SBOM-Catalog/public/logos/CycloneDX-Ruby-Gem.png b/SBOM-Catalog/public/logos/cyclonedx-cocoapods.png similarity index 100% rename from SBOM-Catalog/public/logos/CycloneDX-Ruby-Gem.png rename to SBOM-Catalog/public/logos/cyclonedx-cocoapods.png diff --git a/SBOM-Catalog/public/logos/CycloneDX-Rust-Cargo.png b/SBOM-Catalog/public/logos/cyclonedx-conan.png similarity index 100% rename from SBOM-Catalog/public/logos/CycloneDX-Rust-Cargo.png rename to SBOM-Catalog/public/logos/cyclonedx-conan.png 
diff --git a/SBOM-Catalog/public/logos/CycloneDX-Webpack-Plugin.png b/SBOM-Catalog/public/logos/cyclonedx-core-java.png
similarity index 100%
rename from SBOM-Catalog/public/logos/CycloneDX-Webpack-Plugin.png
rename to SBOM-Catalog/public/logos/cyclonedx-core-java.png
diff --git a/SBOM-Catalog/public/logos/CycloneDX-dotnet-lib.png b/SBOM-Catalog/public/logos/cyclonedx-dotnet-library.png
similarity index 100%
rename from SBOM-Catalog/public/logos/CycloneDX-dotnet-lib.png
rename to SBOM-Catalog/public/logos/cyclonedx-dotnet-library.png
diff --git a/SBOM-Catalog/public/logos/CycloneDX-javascript-lib.png b/SBOM-Catalog/public/logos/cyclonedx-dotnet.png
similarity index 100%
rename from SBOM-Catalog/public/logos/CycloneDX-javascript-lib.png
rename to SBOM-Catalog/public/logos/cyclonedx-dotnet.png
diff --git a/SBOM-Catalog/public/logos/cyclonedx-editor-validator.png b/SBOM-Catalog/public/logos/cyclonedx-editor-validator.png
new file mode 100644
index 0000000..257e3f5
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-editor-validator.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-go.png b/SBOM-Catalog/public/logos/cyclonedx-go.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-go.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-gomod.png b/SBOM-Catalog/public/logos/cyclonedx-gomod.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-gomod.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-gradle-plugin.png b/SBOM-Catalog/public/logos/cyclonedx-gradle-plugin.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-gradle-plugin.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-javascript-library.png b/SBOM-Catalog/public/logos/cyclonedx-javascript-library.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-javascript-library.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-maven-plugin.png b/SBOM-Catalog/public/logos/cyclonedx-maven-plugin.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-maven-plugin.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-node-module.png b/SBOM-Catalog/public/logos/cyclonedx-node-module.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-node-module.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-node-npm.png b/SBOM-Catalog/public/logos/cyclonedx-node-npm.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-node-npm.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-node-yarn.png b/SBOM-Catalog/public/logos/cyclonedx-node-yarn.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-node-yarn.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-npm-pipe.png b/SBOM-Catalog/public/logos/cyclonedx-npm-pipe.png
new file mode 100644
index 0000000..efabc10
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-npm-pipe.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-php-composer.png b/SBOM-Catalog/public/logos/cyclonedx-php-composer.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-php-composer.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-php-library.png b/SBOM-Catalog/public/logos/cyclonedx-php-library.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-php-library.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-python-lib.png b/SBOM-Catalog/public/logos/cyclonedx-python-lib.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-python-lib.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-python.png b/SBOM-Catalog/public/logos/cyclonedx-python.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-python.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-ruby-gem.png b/SBOM-Catalog/public/logos/cyclonedx-ruby-gem.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-ruby-gem.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-rust-cargo.png b/SBOM-Catalog/public/logos/cyclonedx-rust-cargo.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-rust-cargo.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-web-tool.png b/SBOM-Catalog/public/logos/cyclonedx-web-tool.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-web-tool.png differ
diff --git a/SBOM-Catalog/public/logos/cyclonedx-webpack-plugin.png b/SBOM-Catalog/public/logos/cyclonedx-webpack-plugin.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/cyclonedx-webpack-plugin.png differ
diff --git a/SBOM-Catalog/public/logos/defenseunicorns.png b/SBOM-Catalog/public/logos/defenseunicorns.png
new file mode 100644
index 0000000..e283412
Binary files /dev/null and b/SBOM-Catalog/public/logos/defenseunicorns.png differ
diff --git a/SBOM-Catalog/public/logos/dependency-track-plugin.png b/SBOM-Catalog/public/logos/dependency-track-plugin.png
new file mode 100644
index 0000000..8f9bdee
Binary files /dev/null and b/SBOM-Catalog/public/logos/dependency-track-plugin.png differ
diff --git a/SBOM-Catalog/public/logos/dependency-track.png b/SBOM-Catalog/public/logos/dependency-track.png
new file mode 100644
index 0000000..3885d3c
Binary files /dev/null and b/SBOM-Catalog/public/logos/dependency-track.png differ
diff --git a/SBOM-Catalog/public/logos/devops-kung-fu.png b/SBOM-Catalog/public/logos/devops-kung-fu.png
new file mode 100644
index 0000000..b9d1215
Binary files /dev/null and b/SBOM-Catalog/public/logos/devops-kung-fu.png differ
diff --git a/SBOM-Catalog/public/logos/django-DefectDojo.png b/SBOM-Catalog/public/logos/django-DefectDojo.png
new file mode 100644
index 0000000..6db2242
Binary files /dev/null and b/SBOM-Catalog/public/logos/django-DefectDojo.png differ
diff --git a/SBOM-Catalog/public/logos/dtrack-audit.png b/SBOM-Catalog/public/logos/dtrack-audit.png
new file mode 100644
index 0000000..633fdd5
Binary files /dev/null and b/SBOM-Catalog/public/logos/dtrack-audit.png differ
diff --git a/SBOM-Catalog/public/logos/eBay.png b/SBOM-Catalog/public/logos/eBay.png
new file mode 100644
index 0000000..86985af
Binary files /dev/null and b/SBOM-Catalog/public/logos/eBay.png differ
diff --git a/SBOM-Catalog/public/logos/eclipse-sw360.png b/SBOM-Catalog/public/logos/eclipse-sw360.png
new file mode 100644
index 0000000..db0e3dc
Binary files /dev/null and b/SBOM-Catalog/public/logos/eclipse-sw360.png differ
diff --git a/SBOM-Catalog/public/logos/eclipse.png b/SBOM-Catalog/public/logos/eclipse.png
new file mode 100644
index 0000000..3df734a
Binary files /dev/null and b/SBOM-Catalog/public/logos/eclipse.png differ
diff --git a/SBOM-Catalog/public/logos/engine.png b/SBOM-Catalog/public/logos/engine.png
new file mode 100644
index 0000000..9c7a79c
Binary files /dev/null and b/SBOM-Catalog/public/logos/engine.png differ
diff --git a/SBOM-Catalog/public/logos/gh-dotnet-generate-sbom.png b/SBOM-Catalog/public/logos/gh-dotnet-generate-sbom.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/gh-dotnet-generate-sbom.png differ
diff --git a/SBOM-Catalog/public/logos/gh-gomod-generate-sbom.png b/SBOM-Catalog/public/logos/gh-gomod-generate-sbom.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/gh-gomod-generate-sbom.png differ
diff --git a/SBOM-Catalog/public/logos/gh-node-module-generatebom.png b/SBOM-Catalog/public/logos/gh-node-module-generatebom.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/gh-node-module-generatebom.png differ
diff --git a/SBOM-Catalog/public/logos/gh-php-composer-generate-sbom.png b/SBOM-Catalog/public/logos/gh-php-composer-generate-sbom.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/gh-php-composer-generate-sbom.png differ
diff --git a/SBOM-Catalog/public/logos/gh-python-generate-sbom.png b/SBOM-Catalog/public/logos/gh-python-generate-sbom.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/gh-python-generate-sbom.png differ
diff --git a/SBOM-Catalog/public/logos/go-sona-types.png b/SBOM-Catalog/public/logos/go-sona-types.png
new file mode 100644
index 0000000..aed5509
Binary files /dev/null and b/SBOM-Catalog/public/logos/go-sona-types.png differ
diff --git a/SBOM-Catalog/public/logos/grype.png b/SBOM-Catalog/public/logos/grype.png
new file mode 100644
index 0000000..ac58880
Binary files /dev/null and b/SBOM-Catalog/public/logos/grype.png differ
diff --git a/SBOM-Catalog/public/logos/guac.png b/SBOM-Catalog/public/logos/guac.png
new file mode 100644
index 0000000..346949f
Binary files /dev/null and b/SBOM-Catalog/public/logos/guac.png differ
diff --git a/SBOM-Catalog/public/logos/guacsec.png b/SBOM-Catalog/public/logos/guacsec.png
new file mode 100644
index 0000000..346949f
Binary files /dev/null and b/SBOM-Catalog/public/logos/guacsec.png differ
diff --git a/SBOM-Catalog/public/logos/interlynk-io.png b/SBOM-Catalog/public/logos/interlynk-io.png
new file mode 100644
index 0000000..7b2891a
Binary files /dev/null and b/SBOM-Catalog/public/logos/interlynk-io.png differ
diff --git a/SBOM-Catalog/public/logos/ittosai.png b/SBOM-Catalog/public/logos/ittosai.png
new file mode 100644
index 0000000..b9d1215
Binary files /dev/null and b/SBOM-Catalog/public/logos/ittosai.png differ
diff --git a/SBOM-Catalog/public/logos/jake.png b/SBOM-Catalog/public/logos/jake.png
new file mode 100644
index 0000000..aed5509
Binary files /dev/null and b/SBOM-Catalog/public/logos/jake.png differ
diff --git a/SBOM-Catalog/public/logos/jenkinsci.png b/SBOM-Catalog/public/logos/jenkinsci.png
new file mode 100644
index 0000000..8f9bdee
Binary files /dev/null and b/SBOM-Catalog/public/logos/jenkinsci.png differ
diff --git a/SBOM-Catalog/public/logos/kbom.png b/SBOM-Catalog/public/logos/kbom.png
new file mode 100644
index 0000000..2364ada
Binary files /dev/null and b/SBOM-Catalog/public/logos/kbom.png differ
diff --git a/SBOM-Catalog/public/logos/kernel.png b/SBOM-Catalog/public/logos/kernel.png
new file mode 100644
index 0000000..9e1244d
Binary files /dev/null and b/SBOM-Catalog/public/logos/kernel.png differ
diff --git a/SBOM-Catalog/public/logos/ksoclabs.png b/SBOM-Catalog/public/logos/ksoclabs.png
new file mode 100644
index 0000000..2364ada
Binary files /dev/null and b/SBOM-Catalog/public/logos/ksoclabs.png differ
diff --git a/SBOM-Catalog/public/logos/kubernetes-sigs.png b/SBOM-Catalog/public/logos/kubernetes-sigs.png
new file mode 100644
index 0000000..c915cb8
Binary files /dev/null and b/SBOM-Catalog/public/logos/kubernetes-sigs.png differ
diff --git a/SBOM-Catalog/public/logos/leanix.png b/SBOM-Catalog/public/logos/leanix.png
new file mode 100644
index 0000000..b2b61bb
Binary files /dev/null and b/SBOM-Catalog/public/logos/leanix.png differ
diff --git a/SBOM-Catalog/public/logos/license-scanner.png b/SBOM-Catalog/public/logos/license-scanner.png
new file mode 100644
index 0000000..2a11ab6
Binary files /dev/null and b/SBOM-Catalog/public/logos/license-scanner.png differ
diff --git a/SBOM-Catalog/public/logos/macaron.png b/SBOM-Catalog/public/logos/macaron.png
new file mode 100644
index 0000000..aabca1a
Binary files /dev/null and b/SBOM-Catalog/public/logos/macaron.png differ
diff --git a/SBOM-Catalog/public/logos/microsoft.png b/SBOM-Catalog/public/logos/microsoft.png
new file mode 100644
index 0000000..9da91eb
Binary files /dev/null and b/SBOM-Catalog/public/logos/microsoft.png differ
diff --git a/SBOM-Catalog/public/logos/nancy.png b/SBOM-Catalog/public/logos/nancy.png
new file mode 100644
index 0000000..aed5509
Binary files /dev/null and b/SBOM-Catalog/public/logos/nancy.png differ
diff --git a/SBOM-Catalog/public/logos/netskopeoss.png b/SBOM-Catalog/public/logos/netskopeoss.png
new file mode 100644
index 0000000..6f1f184
Binary files /dev/null and b/SBOM-Catalog/public/logos/netskopeoss.png differ
diff --git a/SBOM-Catalog/public/logos/nexus-platform-plugin.png b/SBOM-Catalog/public/logos/nexus-platform-plugin.png
new file mode 100644
index 0000000..8f9bdee
Binary files /dev/null and b/SBOM-Catalog/public/logos/nexus-platform-plugin.png differ
diff --git a/SBOM-Catalog/public/logos/openrewrite.png b/SBOM-Catalog/public/logos/openrewrite.png
new file mode 100644
index 0000000..bfb6a9a
Binary files /dev/null and b/SBOM-Catalog/public/logos/openrewrite.png differ
diff --git a/SBOM-Catalog/public/logos/oracle.png b/SBOM-Catalog/public/logos/oracle.png
new file mode 100644
index 0000000..aabca1a
Binary files /dev/null and b/SBOM-Catalog/public/logos/oracle.png differ
diff --git a/SBOM-Catalog/public/logos/ort.png b/SBOM-Catalog/public/logos/ort.png
new file mode 100644
index 0000000..29a0701
Binary files /dev/null and b/SBOM-Catalog/public/logos/ort.png differ
diff --git a/SBOM-Catalog/public/logos/oss-review-toolkit.png b/SBOM-Catalog/public/logos/oss-review-toolkit.png
new file mode 100644
index 0000000..29a0701
Binary files /dev/null and b/SBOM-Catalog/public/logos/oss-review-toolkit.png differ
diff --git a/SBOM-Catalog/public/logos/ozonru.png b/SBOM-Catalog/public/logos/ozonru.png
new file mode 100644
index 0000000..633fdd5
Binary files /dev/null and b/SBOM-Catalog/public/logos/ozonru.png differ
diff --git a/SBOM-Catalog/public/logos/parlay.png b/SBOM-Catalog/public/logos/parlay.png
new file mode 100644
index 0000000..45c2216
Binary files /dev/null and b/SBOM-Catalog/public/logos/parlay.png differ
diff --git a/SBOM-Catalog/public/logos/productaize.png b/SBOM-Catalog/public/logos/productaize.png
new file mode 100644
index 0000000..04c6566
Binary files /dev/null and b/SBOM-Catalog/public/logos/productaize.png differ
diff --git a/SBOM-Catalog/public/logos/protobom.png b/SBOM-Catalog/public/logos/protobom.png
new file mode 100644
index 0000000..ea2422e
Binary files /dev/null and b/SBOM-Catalog/public/logos/protobom.png differ
diff --git a/SBOM-Catalog/public/logos/psastras.png b/SBOM-Catalog/public/logos/psastras.png
new file mode 100644
index 0000000..ccf061e
Binary files /dev/null and b/SBOM-Catalog/public/logos/psastras.png differ
diff --git a/SBOM-Catalog/public/logos/retire.js.png b/SBOM-Catalog/public/logos/retire.js.png
new file mode 100644
index 0000000..0ec1592
Binary files /dev/null and b/SBOM-Catalog/public/logos/retire.js.png differ
diff --git a/SBOM-Catalog/public/logos/rewrite.png b/SBOM-Catalog/public/logos/rewrite.png
new file mode 100644
index 0000000..bfb6a9a
Binary files /dev/null and b/SBOM-Catalog/public/logos/rewrite.png differ
diff --git a/SBOM-Catalog/public/logos/salus.png b/SBOM-Catalog/public/logos/salus.png
new file mode 100644
index 0000000..658d769
Binary files /dev/null and b/SBOM-Catalog/public/logos/salus.png differ
diff --git a/SBOM-Catalog/public/logos/sast-scan.png b/SBOM-Catalog/public/logos/sast-scan.png
new file mode 100644
index 0000000..831670f
Binary files /dev/null and b/SBOM-Catalog/public/logos/sast-scan.png differ
diff --git a/SBOM-Catalog/public/logos/sbom-cli.png b/SBOM-Catalog/public/logos/sbom-cli.png
new file mode 100644
index 0000000..e283412
Binary files /dev/null and b/SBOM-Catalog/public/logos/sbom-cli.png differ
diff --git a/SBOM-Catalog/public/logos/sbom-rs.png b/SBOM-Catalog/public/logos/sbom-rs.png
new file mode 100644
index 0000000..ccf061e
Binary files /dev/null and b/SBOM-Catalog/public/logos/sbom-rs.png differ
diff --git a/SBOM-Catalog/public/logos/sbom-scorecard.png b/SBOM-Catalog/public/logos/sbom-scorecard.png
new file mode 100644
index 0000000..86985af
Binary files /dev/null and b/SBOM-Catalog/public/logos/sbom-scorecard.png differ
diff --git a/SBOM-Catalog/public/logos/sbom-tool.png b/SBOM-Catalog/public/logos/sbom-tool.png
new file mode 100644
index 0000000..9da91eb
Binary files /dev/null and b/SBOM-Catalog/public/logos/sbom-tool.png differ
diff --git a/SBOM-Catalog/public/logos/sbom-utilities-pipe.png b/SBOM-Catalog/public/logos/sbom-utilities-pipe.png
new file mode 100644
index 0000000..efabc10
Binary files /dev/null and b/SBOM-Catalog/public/logos/sbom-utilities-pipe.png differ
diff --git a/SBOM-Catalog/public/logos/sbom-workbench.png b/SBOM-Catalog/public/logos/sbom-workbench.png
new file mode 100644
index 0000000..9c7a79c
Binary files /dev/null and b/SBOM-Catalog/public/logos/sbom-workbench.png differ
diff --git a/SBOM-Catalog/public/logos/sbomasm.png b/SBOM-Catalog/public/logos/sbomasm.png
new file mode 100644
index 0000000..7b2891a
Binary files /dev/null and b/SBOM-Catalog/public/logos/sbomasm.png differ
diff --git a/SBOM-Catalog/public/logos/sbt-bom.png b/SBOM-Catalog/public/logos/sbt-bom.png
new file mode 100644
index 0000000..afd6978
Binary files /dev/null and b/SBOM-Catalog/public/logos/sbt-bom.png differ
diff --git a/SBOM-Catalog/public/logos/scanoss.png b/SBOM-Catalog/public/logos/scanoss.png
new file mode 100644
index 0000000..9c7a79c
Binary files /dev/null and b/SBOM-Catalog/public/logos/scanoss.png differ
diff --git a/SBOM-Catalog/public/logos/shiftleftcyber.png b/SBOM-Catalog/public/logos/shiftleftcyber.png
new file mode 100644
index 0000000..efabc10
Binary files /dev/null and b/SBOM-Catalog/public/logos/shiftleftcyber.png differ
diff --git a/SBOM-Catalog/public/logos/siemens.png b/SBOM-Catalog/public/logos/siemens.png
new file mode 100644
index 0000000..e5854c9
Binary files /dev/null and b/SBOM-Catalog/public/logos/siemens.png differ
diff --git a/SBOM-Catalog/public/logos/sigstore.png b/SBOM-Catalog/public/logos/sigstore.png
new file mode 100644
index 0000000..0615f97
Binary files /dev/null and b/SBOM-Catalog/public/logos/sigstore.png differ
diff --git a/SBOM-Catalog/public/logos/snyk.png b/SBOM-Catalog/public/logos/snyk.png
new file mode 100644
index 0000000..45c2216
Binary files /dev/null and b/SBOM-Catalog/public/logos/snyk.png differ
diff --git a/SBOM-Catalog/public/logos/sonar-cryptography.png b/SBOM-Catalog/public/logos/sonar-cryptography.png
new file mode 100644
index 0000000..50d2e47
Binary files /dev/null and b/SBOM-Catalog/public/logos/sonar-cryptography.png differ
diff --git a/SBOM-Catalog/public/logos/sonatype-nexus-community.png b/SBOM-Catalog/public/logos/sonatype-nexus-community.png
new file mode 100644
index 0000000..aed5509
Binary files /dev/null and b/SBOM-Catalog/public/logos/sonatype-nexus-community.png differ
diff --git a/SBOM-Catalog/public/logos/spdx-gradle-plugin.png b/SBOM-Catalog/public/logos/spdx-gradle-plugin.png
new file mode 100644
index 0000000..f775ae8
Binary files /dev/null and b/SBOM-Catalog/public/logos/spdx-gradle-plugin.png differ
diff --git a/SBOM-Catalog/public/logos/spdx-maven-plugin.png b/SBOM-Catalog/public/logos/spdx-maven-plugin.png
new file mode 100644
index 0000000..f775ae8
Binary files /dev/null and b/SBOM-Catalog/public/logos/spdx-maven-plugin.png differ
diff --git a/SBOM-Catalog/public/logos/spdx-online-tools.png b/SBOM-Catalog/public/logos/spdx-online-tools.png
new file mode 100644
index 0000000..f775ae8
Binary files /dev/null and b/SBOM-Catalog/public/logos/spdx-online-tools.png differ
diff --git a/SBOM-Catalog/public/logos/spdx.png b/SBOM-Catalog/public/logos/spdx.png
new file mode 100644
index 0000000..f775ae8
Binary files /dev/null and b/SBOM-Catalog/public/logos/spdx.png differ
diff --git a/SBOM-Catalog/public/logos/sw360.png b/SBOM-Catalog/public/logos/sw360.png
new file mode 100644
index 0000000..db0e3dc
Binary files /dev/null and b/SBOM-Catalog/public/logos/sw360.png differ
diff --git a/SBOM-Catalog/public/logos/syft-bitbucket-pipe.png b/SBOM-Catalog/public/logos/syft-bitbucket-pipe.png
new file mode 100644
index 0000000..efabc10
Binary files /dev/null and b/SBOM-Catalog/public/logos/syft-bitbucket-pipe.png differ
diff --git a/SBOM-Catalog/public/logos/syft.png b/SBOM-Catalog/public/logos/syft.png
new file mode 100644
index 0000000..ac58880
Binary files /dev/null and b/SBOM-Catalog/public/logos/syft.png differ
diff --git a/SBOM-Catalog/public/logos/tools-java.png b/SBOM-Catalog/public/logos/tools-java.png
new file mode 100644
index 0000000..f775ae8
Binary files /dev/null and b/SBOM-Catalog/public/logos/tools-java.png differ
diff --git a/SBOM-Catalog/public/logos/tools-python.png b/SBOM-Catalog/public/logos/tools-python.png
new file mode 100644
index 0000000..f775ae8
Binary files /dev/null and b/SBOM-Catalog/public/logos/tools-python.png differ
diff --git a/SBOM-Catalog/public/logos/valaatech.png b/SBOM-Catalog/public/logos/valaatech.png
new file mode 100644
index 0000000..9e1244d
Binary files /dev/null and b/SBOM-Catalog/public/logos/valaatech.png differ
diff --git a/SBOM-Catalog/public/logos/vcn.png b/SBOM-Catalog/public/logos/vcn.png
new file mode 100644
index 0000000..9e2c595
Binary files /dev/null and b/SBOM-Catalog/public/logos/vcn.png differ
diff --git a/SBOM-Catalog/public/logos/vsm-sbom-booster.png b/SBOM-Catalog/public/logos/vsm-sbom-booster.png
new file mode 100644
index 0000000..b2b61bb
Binary files /dev/null and b/SBOM-Catalog/public/logos/vsm-sbom-booster.png differ
diff --git a/SBOM-Catalog/public/logos/xeedio.png b/SBOM-Catalog/public/logos/xeedio.png
new file mode 100644
index 0000000..e79d236
Binary files /dev/null and b/SBOM-Catalog/public/logos/xeedio.png differ
diff --git a/SBOM-Catalog/schemas/data.yaml b/SBOM-Catalog/schemas/data.yaml
index ebc182f..730ba70 100644
--- a/SBOM-Catalog/schemas/data.yaml
+++ b/SBOM-Catalog/schemas/data.yaml
@@ -6,8 +6,10 @@ data_item:
 Name: str()
 Link: str()
 Publisher: str()
- License: enum('OpenSource', 'Proprietary')
+ Summary: str()
+ License: enum('GPL-3.0', 'MIT', 'BSD-3-Clause', 'Apache-2.0', 'LGPL-3.0', 'NOASSERTION', 'MPL-2.0', 'No License', 'GPL-2.0', 'BSD-2-Clause', 'UPL-1.0')
 Standards: list(enum('CycloneDX', 'SPDX', 'SWID'))
+ Source: enum('AI-Generated', 'AI & human reviewed', 'Human written')
 Abilities: list(enum('Compare', 'Consume', 'Convert', 'Edit', 'Generate', 'Merge', 'Validate', 'Sign'))
- Types: subset(enum('Design', 'Source', 'Build', 'Analyze', 'Deployed', 'Runtime', 'Container'), allow_empty=True)
+ Types: subset(enum('Design', 'Source', 'Build', 'Analyze', 'Deployment', 'Runtime', 'Container'), allow_empty=True)
 Languages: subset(str(), allow_empty=True)
diff --git a/SBOM-Catalog/src/App.vue b/SBOM-Catalog/src/App.vue
index 4e94cb9..d676f19 100644
--- a/SBOM-Catalog/src/App.vue
+++ b/SBOM-Catalog/src/App.vue
@@ -1,87 +1,38 @@
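Review bot: The new License enum mixes SPDX identifiers with the non-SPDX value 'No License' while also keeping 'NOASSERTION'; SPDX already defines `NONE` for "no license declared", so `'NONE'` in place of `'No License'` would keep the field a pure SPDX-identifier list that downstream tooling can check mechanically. Renaming the Types value 'Deployed' to 'Deployment' will make any existing catalog entry that still says 'Deployed' fail validation; the data files are not in this chunk, so confirm they were migrated in the same change. Summary is an unbounded `str()`, and since the catalog depends on marked it is presumably rendered as markdown; a length cap such as `Summary: str(max=500)` bounds what a contributed entry can inject into the rendered page, and the rendering path should still be checked for HTML sanitization. The new Source field is a useful provenance marker; a one-line comment above it stating that 'AI-Generated' entries have not been human-verified would make the enum's intent explicit for contributors.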