SBOM

A "Software Bill of Materials" (SBOM) is effectively a nested inventory: a list of the ingredients that make up a piece of software, together with the relationships between those components. You can learn more about SBOM at https://www.ntia.gov/sbom, which also links to several community-developed documents.

SwiftBOM, the SBOM generator tool in this repository, is part of CERT's work supporting SBOM generation for proof-of-concept and demo purposes. The tool is currently being explored by healthcare proof-of-concept teams for their PoC efforts.

SwiftBOM ships with live demos that you can run to see the SBOM generation the tool supports. The tool also has limited import capability: it accepts an existing SBOM as input and can emit it in multiple output formats.

SBOM Formats

SwiftBOM currently generates SBOMs in the SPDX, CycloneDX and SWID formats. SwiftBOM also generates a tree graph, downloadable as a PNG file, to quickly visualize the relationships between the components in an SBOM. The tool currently uses CONTAINS as the default relationship type (see [SPDX relationships](https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/#71-relationship)). A generated SBOM in any of the three formats is currently a standalone document: it does not reference components described in other SBOM documents, so external relationships are not supported.
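To make the formats and the CONTAINS relationship concrete, the following is an added example and not SwiftBOM's own code: it builds a small, constructed component tree (an application containing two libraries, one of which contains a third), enumerates the CONTAINS edges a tree graph would draw, and serialises the tree as SPDX 2.2 tag-value and as CycloneDX 1.4 JSON. The component names, versions, the `example-generator` creator string and the `example.invalid` document namespace are illustrative. SPDX CONTAINS relationships are written as explicit `Relationship:` lines; for CycloneDX the example maps containment to nested `components` inside the parent component, which is this example's chosen mapping rather than a statement about how SwiftBOM does it.

```python
"""Serialise a constructed component tree as SPDX tag-value and CycloneDX JSON.

Added example, not part of SwiftBOM. The tree, creator string and namespace
are constructed for illustration.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    version: str
    children: list = field(default_factory=list)

    @property
    def ref(self) -> str:
        # Identifier used for both the SPDXID suffix and the CycloneDX bom-ref
        # (illustrative scheme; SPDXIDs may only contain letters, digits, '.' and '-').
        return f"{self.name}-{self.version}".replace(".", "-")


def example_tree() -> Component:
    # Constructed sample: app contains libssl and zlib; libssl contains libcrypto.
    libcrypto = Component("libcrypto", "1.1.1")
    libssl = Component("libssl", "1.1.1", [libcrypto])
    zlib = Component("zlib", "1.2.13")
    return Component("app", "1.0", [libssl, zlib])


def contains_edges(root: Component):
    """Yield (parent, child) pairs for every CONTAINS edge in the tree.

    This is exactly the edge set a tree graph of the SBOM would draw.
    """
    stack = [root]
    while stack:
        node = stack.pop()
        for child in node.children:
            yield node, child
            stack.append(child)


def all_components(root: Component):
    yield root
    for _, child in contains_edges(root):
        yield child


def to_spdx_tagvalue(root: Component, namespace: str) -> str:
    """Minimal SPDX 2.2 tag-value document with one package per component."""
    lines = [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {root.name}",
        f"DocumentNamespace: {namespace}",
        "Creator: Tool: example-generator",  # illustrative creator
        "Created: 2024-01-01T00:00:00Z",
        "",
    ]
    for comp in all_components(root):
        lines += [
            f"PackageName: {comp.name}",
            f"SPDXID: SPDXRef-{comp.ref}",
            f"PackageVersion: {comp.version}",
            "PackageDownloadLocation: NOASSERTION",
            "FilesAnalyzed: false",
            "PackageLicenseConcluded: NOASSERTION",
            "PackageLicenseDeclared: NOASSERTION",
            "PackageCopyrightText: NOASSERTION",
            "",
        ]
    # The document describes the root; every tree edge becomes a CONTAINS relationship.
    lines.append(f"Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-{root.ref}")
    for parent, child in contains_edges(root):
        lines.append(f"Relationship: SPDXRef-{parent.ref} CONTAINS SPDXRef-{child.ref}")
    return "\n".join(lines) + "\n"


def to_cyclonedx(root: Component) -> dict:
    """Minimal CycloneDX 1.4 BOM; containment is expressed by nesting components."""
    def node(comp: Component, ctype: str) -> dict:
        entry = {"type": ctype, "name": comp.name, "version": comp.version, "bom-ref": comp.ref}
        if comp.children:
            entry["components"] = [node(c, "library") for c in comp.children]
        return entry

    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        # The root component goes in metadata; its direct children are top-level components.
        "metadata": {"component": {"type": "application", "name": root.name,
                                   "version": root.version, "bom-ref": root.ref}},
        "components": [node(c, "library") for c in root.children],
    }


if __name__ == "__main__":
    tree = example_tree()
    print(to_spdx_tagvalue(tree, "https://example.invalid/sbom/app-1-0"))
    print(json.dumps(to_cyclonedx(tree), indent=2))
```

Both outputs are standalone documents in the sense the section describes: every relationship stays inside the document, and nothing points at a component defined in another SBOM.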