
Q: What's the best way to get insights from the SBOMs in your company? #39

Open
artemptushkin opened this issue Sep 20, 2024 · 2 comments


@artemptushkin

There is a concept of SBOM that is implemented by different standards, and one of them, CycloneDX, looks the most popular these days.

There is a repository of all the SBOM-related tools and links.

Let's say I have many services that expose their SBOM at /actuator/sbom/application or they push to an arbitrary repository.

I want a tool/platform where I can provide insights and statistics regarding dependencies usage company-wide, for example, which Spring Boot version is used mostly or any other library.

What could I use these days? I went through the tools on that awesome page and I cannot find anything related.

I wonder how others get global dependencies insights.


This is a copy of my SOF question.

@anthonyharrison
Contributor

What you need is a tool which ingests SBOMs of either format (SPDX and CycloneDX) and then starts analysing the SBOMs to look at all of the components. I might be developing such a tool :-). Of course the big challenge is that many of the SBOM generators (I won't name names...) don't have enough information to allow for this to be reliably done.
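As an added illustration of the ingest-then-analyse approach described above (this is example code written for this page, not code from the issue, from the question's services, or from any tool the commenter is developing), the script below takes a few constructed SBOM documents, two CycloneDX JSON documents shaped like what a Spring Boot service serves from `/actuator/sbom/application` and one SPDX JSON document from a different generator, normalises every component to `(group, name, version)` via its package URL, and then answers the question asked above: which Spring Boot version is deployed most widely. The service names, versions and SBOM contents are all made up for the example, and one SPDX entry is deliberately missing its version and purl to show the "not enough information" case the comment warns about. Fetching the documents from each service (with whatever authentication the actuator endpoint requires) is left out; the sample SBOMs are embedded so the script runs offline.

```python
"""Aggregate component usage across many CycloneDX / SPDX SBOMs (example code)."""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample SBOMs, keyed by a hypothetical service name. Not real data.
SAMPLE_SBOMS = {
    "orders-service": {  # CycloneDX, as served by a Spring Boot actuator endpoint
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "group": "org.springframework.boot", "name": "spring-boot",
             "version": "3.2.5", "purl": "pkg:maven/org.springframework.boot/spring-boot@3.2.5?type=jar"},
            {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
             "version": "2.17.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0?type=jar"},
        ],
    },
    "billing-service": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "group": "org.springframework.boot", "name": "spring-boot",
             "version": "3.3.4", "purl": "pkg:maven/org.springframework.boot/spring-boot@3.3.4?type=jar"},
            {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
             "version": "2.17.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0?type=jar"},
        ],
    },
    "legacy-batch": {  # SPDX from another generator
        "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
        "packages": [
            {"name": "spring-boot", "versionInfo": "3.2.5",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:maven/org.springframework.boot/spring-boot@3.2.5"}]},
            # Generator emitted neither a version nor a purl: cannot be tied to a release.
            {"name": "jackson-databind", "externalRefs": []},
        ],
    },
}


def parse_purl(purl):
    """Return (namespace, name, version) from a package URL; missing parts are None."""
    if not purl or not purl.startswith("pkg:"):
        return None, None, None
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]  # drop subpath and qualifiers
    if "@" in body:
        path, version = body.rsplit("@", 1)
    else:
        path, version = body, None
    parts = path.split("/")  # type / namespace... / name
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return namespace, name, (unquote(version) if version else None)


def components_from_cyclonedx(doc):
    """Yield (group, name, version); explicit fields win, the purl fills gaps."""
    for c in doc.get("components", []):
        ns, name, ver = parse_purl(c.get("purl"))
        yield (c.get("group") or ns, c.get("name") or name, c.get("version") or ver)


def components_from_spdx(doc):
    """Same normalisation for SPDX packages, taking the group from a purl external ref."""
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        ns, name, ver = parse_purl(purl)
        yield (ns, p.get("name") or name, p.get("versionInfo") or ver)


def extract_components(doc):
    """Detect the SBOM format from its top-level markers and normalise its components."""
    if doc.get("bomFormat") == "CycloneDX":
        return list(components_from_cyclonedx(doc))
    if "spdxVersion" in doc:
        return list(components_from_spdx(doc))
    raise ValueError("unrecognised SBOM format")


def aggregate(sboms):
    """Map (group, name) -> {version: set of service names} across all SBOMs."""
    usage = defaultdict(lambda: defaultdict(set))
    for service, doc in sboms.items():
        for group, name, version in extract_components(doc):
            usage[(group, name)][version].add(service)
    return usage


def version_report(usage, group, name):
    """Versions of one component, most widely deployed first: [(version, service_count)]."""
    by_version = usage.get((group, name), {})
    return sorted(((v, len(s)) for v, s in by_version.items()),
                  key=lambda kv: (-kv[1], kv[0] or ""))


def unattributable(usage):
    """Components reported without a version or without a group: the cases where the
    generator did not supply enough information to analyse reliably."""
    rows = [(group, name, sorted(services))
            for (group, name), vers in usage.items()
            for version, services in vers.items()
            if version is None or group is None]
    return sorted(rows, key=lambda r: (r[0] or "", r[1] or "", r[2]))


if __name__ == "__main__":
    usage = aggregate(SAMPLE_SBOMS)
    for version, n in version_report(usage, "org.springframework.boot", "spring-boot"):
        print(f"spring-boot {version}: {n} service(s)")
    for group, name, services in unattributable(usage):
        print(f"unattributable: {group}/{name} reported by {services}")
```

The key design choice is to normalise on the package URL rather than on the bare component name: the SPDX document's unversioned `jackson-databind` lands under a separate `(None, "jackson-databind")` key instead of being silently merged with the Maven coordinates the other services report, so the report stays honest about what the generator did not tell you.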

@artemptushkin
Author

@anthonyharrison ah, good to know. It would be helpful to let people here know if you have a ready one.
