How to retrieve or generate SBOMs
from almost any piece of software ?
To get started, you will need to generate SBOMs using one of the different tools depending on the system or application to track. Our dependency track SaaS solution gives you the single aggregate view to monitor them in a central location.
Going the extra step of automating the SBOM generation will make sure your software inventory remains always up to date and facilitate your software transparency journey. Further information regarding SBOM transfer automation can be found on this documentation page.
As retrieving SBOMs is an always evolving subject with tools appearing or disappearing over time, we will do our best to keep this page up to date and reflect current open-source community standing.
Contact us to share additional great tools you have found to facilitate the SBOM generation process, we will review and include it here to help the others.Now let’s get practical…
Extract SBOM at build stage
Applications built through its source code should ideally generate its SBOM as an additional step within the CI/CD.
Many different tools and plugins will help you based on the underlying technology of your applications:
- Angular Webpack
- C / C++ Conan
- Dockerfile
- Erlang / Elixir Mix or Rebar3
- Go modules or an older alternative
- .NET core nuGet
- Node npm
- Java Maven, Gradle
- Javascript Bower or Webpack
- Objective-C / Swift CocoaPods
- PHP Composer
- Python Conda or buildroot
- React Webpack
- Ruby Gem
- Rust Cargo
- Scala sbt
Or you might prefer to use cdxgen which is a multi purpose SBOM generator compatible with pretty much every programming languages, package managers and operating systems.
Extract SBOM at deployment stage
Ideally you should obtain the SBOM for any third party solution directly from its provider. Yet still many providers are not prepared for that. So while the industry is maturing in this area, you might have to generate the SBOM of third party applications yourself.
Luckily this can still be fully automated and integrated in your deployment pipeline. We will show you in this section the tools to use for this extraction.
Applications installed through package managers
SBOM for applications installed through package managers can be scanned quite easily using tools such as syft or spdx. In the below examples, we will focus on syft since it does not requires any conversion and is slightly more mature than spdx.
Linux / MacOS
The scanning can be performed on every distribution using:
# Install syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
# Scan the whole host
sudo /usr/local/bin/syft scan dir:/--output cyclonedx-json > "$HOSTNAME.sbom.json"Or if you have docker on that machine and prefer running syft without prior installation to scan the host, you will simply run:
docker run --rm -a stdout -v /:/host:ro anchore/syft scan dir:/host --output cyclonedx-json > "$HOSTNAME.sbom.json"Windows
Similarly for Windows, the latest Syft binary can be downloaded from the release page. Sometimes the Windows version is published after the Linux and Darwin versions, either take a previous binary release or run the Linux version in WSL or the Docker version if you prefer to have the latest without waiting.
To run the Windows version, adapt the following command to your need in an admin command prompt:
syft scan dir:"c:" --output cyclonedx-json > "%ComputerName%.sbom.json"Virtual environments
Docker containers
If you have the docker sbom cli plugin (installed by default on Windows) you can use the command
# Replace placeholder {{container:tag}}
docker sbom {{container:tag}} --format cyclonedx-json --output {{container:tag}}.sbom.jsonOn Linux, you can avoid the hassle of the management of docker plugins and have access to more features by using our simple syft.sh script shown below.
#!/bin/bash
docker run --rm
-v /:/host:ro
-v ${PWD}:/out
-v /var/lib/docker/volumes:/var/lib/docker/volumes:ro
-v /var/run/docker.sock:/var/run/docker.sock:ro
-a stdin -a stdout -a stderr
-i anchore/syft "$@"It can be used in many different ways (check all possibilities using syft.sh --help). For example, to scan existing images you would use:
# Replace placeholder {{container:tag}}
syft.sh scan registry:{{container:tag}} --format cyclonedx-json > {{container:tag}}.sbom.jsonOperating system / Virtual Machine / Other applications
Applications installed manually including close source applications are more challenging to scan as of now. You can scan for applications installed through package managers using syft as shown in the section above or you might possibly cover additional scenarios with cdxgen.
# Scan only OS packages with syft (eg: debian)
syft scan dir:/var/lib/dpkg --output cyclonedx-json > "$HOSTNAME.sbom.json"
# Scan everything with syft (can be slow)
syft scan dir:/ --output cyclonedx-json > "$HOSTNAME.sbom.json"Binaries / Mobile App
Analyzing binaries, such as mobile app packages (APK for Android and IPA for iOS), poses significant challenges. However, it remains a crucial\ practice, particularly in cases where the vendor has not yet furnished a Software Bill of Materials (SBOM). cve-bin-tool might come handy to extract some informations for those use cases:
cve-bin-tool --sbom-type cyclonedx --sbom-output application.sbom.json Application.apkConclusion
The community provides many different tools to extract and generate SBOM. Hopefully with this page we helped you select the most appropriate ones for your case.
SBOMs are already the standard when delivering software to the US government. We trust that this practice will also develop around the world and that SBOM will become a standard delivery artifact that helps the industry improve the supply chain transparency.
Generating SBOM is only the first step of your journey, the cloud solution Dependency Track SaaS based on the open-source solution of the same name is the most versatile and enterprise ready solution to organize and monitor them centrally.
To read next, we suggest our SBOM transfer automation page.
Still unsure how to extract SBOM ?
Get in touch today !