Skip to content
/ SBOM Public

Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data

License

Notifications You must be signed in to change notification settings

CERTCC/SBOM

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits
 
 
 
 
 
 
 
 

Repository files navigation

SBOM

A "Software Bill of Materials" (SBOM) is effectively a nested inventory, a list of ingredients that make up software components. You can learn more about SBOM at https://www.ntia.gov/sbom. There are several links to community developed documents in the NTIA's website.

SwiftBOM a SBOM generator tool here is part of CERT's work in supporting SBOM generation efforts for Proof-of-Concepts and Demo purposes. This tool is currently being explored by Healthcare Proof of Concept teams for their PoC efforts.

The SwiftBOM has some live demo that you can run to see SBOM generation supported by the tool. The tool also has some limited import capability to accept SBOM input and provide multiple format outputs.

SBOM Formats

SwiftBOM currently generates SBOM in SPDX, CycloneDX and SWID formats. A tree graph is also generated by SwiftBOM that can be downloaded as a PNG file to quickly visualize relationships between components in an SBOM. Currently the tool uses CONTAINS as the default relationship mode (SWID Relationships)[https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/#71-relationship]. A generated SBOM in all three formats is currently a standalone document and does not support external relationships.