A software bill of materials (SBOM) is a normalized description of your software, similar to how a recipe describes a meal. An SBOM lists all direct and transitive components of the software, together with their version numbers and license models. SBOMs serve as input for the Dependency-Track software vulnerability scanner and enable the analysis of each software component in your IT infrastructure. Since an SBOM provides a precise and comprehensive description of your software, a vulnerability scanner like Dependency-Track does not need any connection to your IT system.

How to retrieve or generate SBOMs from almost any piece of software?

To get started, you will need to generate SBOMs using one of several tools, depending on the system or application to track.

Going the extra step of automating SBOM generation ensures that your software inventory always remains up to date and facilitates your software transparency journey. Further information on SBOM transfer automation can be found on this documentation page.

As retrieving SBOMs is an ever-evolving subject, with tools appearing or disappearing over time, we will do our best to keep this page up to date and reflect the current state of the open-source community.

Contact us to share additional great tools you have found that facilitate SBOM generation; we will review them and include them here to help others.

Now let’s get practical…

Extract SBOM at build stage

Applications built from source should ideally generate their SBOM as an additional step in the CI/CD pipeline.

Many different tools and plugins will help you based on the underlying technology of your applications:

Or you might prefer to use cdxgen, a multi-purpose SBOM generator compatible with pretty much every programming language, package manager and operating system.

Extract SBOM at deployment stage

Ideally you should obtain the SBOM of any third-party solution directly from its provider, but many providers are not yet prepared for that. While the industry matures in this area, you may have to generate the SBOM of third-party applications yourself.

Luckily this can still be fully automated and integrated into your deployment pipeline. This section shows the tools to use for that extraction.

Applications installed through package managers

SBOMs for applications installed through package managers can be generated quite easily using tools such as syft or spdx. In the examples below we focus on syft, since it does not require any conversion and is slightly more mature than spdx.

Linux / MacOS

The scanning can be performed on every distribution using:

# Install syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin

# Scan the whole host
sudo /usr/local/bin/syft scan dir:/ --output cyclonedx-json > "$HOSTNAME.sbom.json"

Or, if you have Docker on that machine and prefer running syft without installing it first, simply run:

docker run --rm -a stdout -v /:/host:ro anchore/syft scan dir:/host --output cyclonedx-json > "$HOSTNAME.sbom.json"

Windows

Similarly for Windows, the latest Syft binary can be downloaded from the release page. The Windows build is sometimes published after the Linux and Darwin ones; if you want the latest version without waiting, either take the previous binary release, or run the Linux version in WSL or the Docker version.

To run the Windows version, adapt the following command to your need in an admin command prompt:

syft scan dir:"c:" --output cyclonedx-json > "%ComputerName%.sbom.json"

Virtual environments

Docker containers

We recommend using our simple syft.sh script shown below.

#!/bin/bash
# Run syft inside Docker with read-only access to the host filesystem, the
# Docker volumes and the Docker socket, so it can scan the host as well as
# local images. All arguments are passed through to syft unchanged.
# Save as syft.sh and make it executable (chmod +x syft.sh).

docker run --rm \
  -v /:/host:ro \
  -v "${PWD}":/out \
  -v /var/lib/docker/volumes:/var/lib/docker/volumes:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -a stdin -a stdout -a stderr \
  -i anchore/syft "$@"

It can be used in many different ways (check all possibilities using syft.sh --help). For example, to scan existing images you would use:

# Replace placeholder {{container:tag}}
syft.sh scan registry:{{container:tag}} --output cyclonedx-json > {{container:tag}}.sbom.json

Operating system / Virtual Machine / Other applications

Applications installed manually, including closed-source applications, are more challenging to scan as of now. You can scan applications installed through package managers using syft as shown in the section above, or possibly cover additional scenarios with cdxgen.

# Scan only OS packages with syft (e.g. Debian)
syft scan dir:/var/lib/dpkg --output cyclonedx-json > "$HOSTNAME.sbom.json"

# Scan everything with syft (can be slow)
syft scan dir:/ --output cyclonedx-json > "$HOSTNAME.sbom.json"
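Whichever command produced it, the cyclonedx-json file is worth a sanity check before it is uploaded to Dependency-Track. The Python script below is an added example, not part of this page or of syft: it parses a CycloneDX JSON SBOM (a constructed sample is embedded), counts components and declared licenses, and lists components that lack a version or a purl, because Dependency-Track matches vulnerabilities through such identifiers and those components would silently produce no findings.

```python
import json
import sys
from collections import Counter

# Constructed sample shaped like syft's cyclonedx-json output (not a real scan).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "operating-system", "name": "demo-host"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11",
         "purl": "pkg:deb/debian/openssl@3.0.11?arch=amd64",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "curl", "version": "8.4.0",
         "purl": "pkg:deb/debian/curl@8.4.0?arch=amd64",
         "licenses": [{"license": {"name": "curl"}}]},
        {"type": "application", "name": "mystery-tool"},  # hand-installed, not fully identified
    ],
})

def load_cyclonedx(text):
    """Parse CycloneDX JSON and refuse anything that is not a CycloneDX BOM."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX document")
    return bom

def summarize(bom):
    """Count components and licenses; flag entries without purl or version."""
    components = bom.get("components", [])
    licenses = Counter()
    missing_version, missing_purl = [], []
    for comp in components:
        if not comp.get("version"):
            missing_version.append(comp["name"])
        if not comp.get("purl"):
            missing_purl.append(comp["name"])
        declared = comp.get("licenses") or []
        if not declared:
            licenses["UNDECLARED"] += 1
        for entry in declared:
            lic = entry.get("license", {})
            licenses[lic.get("id") or lic.get("name") or "UNKNOWN"] += 1
    return {"components": len(components), "licenses": dict(licenses),
            "missing_version": missing_version, "missing_purl": missing_purl}

if __name__ == "__main__":
    # Pass the path of a generated SBOM, or run without arguments on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    print(json.dumps(summarize(load_cyclonedx(text)), indent=2))
```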

Binaries / Mobile App

Analyzing binaries, such as mobile app packages (APK for Android and IPA for iOS), poses significant challenges. However, it remains a crucial practice, particularly where the vendor has not yet furnished a Software Bill of Materials (SBOM). cve-bin-tool might come in handy to extract some information for those use cases:

cve-bin-tool --sbom-type cyclonedx --sbom-output application.sbom.json Application.apk

Conclusion

The community provides many different tools to extract and generate SBOMs. We hope this page has helped you select the most appropriate ones for your case.

SBOMs are already the standard when delivering software to the US government. We trust that this practice will also develop around the world and that the SBOM will become a standard delivery artifact that helps the industry improve supply-chain transparency.

Generating an SBOM is just the first step in your journey. For easier integration and simplified management, we offer a managed version of Dependency-Track as a cloud solution.

To read next, we suggest our SBOM transfer automation page.

Still unsure how to extract SBOMs?
Get in touch today!
