Software Bill of Materials (SBOM)
To understand and manage dependencies among your microservices, generate SBOM files and ingest them into SAP LeanIX using our API.
Early Adopter Release
This feature is currently in early adopter release and may not be available to all customers.
Introduction to SBOM
Software Bill of Materials (SBOM) files play a vital role in managing and understanding dependencies among microservices. These files, typically adhering to the widely-used System Package Data Exchange (SPDX) or CycloneDX format, provide a comprehensive inventory of all software components, libraries, and modules used by a microservice.
Using SBOMs offers a systematic approach to tracking and managing these components. This practice not only ensures compliance with licensing requirements but also aids in identifying potential security vulnerabilities. Furthermore, it offers a granular understanding of your software supply chain, contributing to more informed decision-making and risk management.
Maintaining accurate and up-to-date SBOMs is an industry best practice. It aids in software security and helps manage risks in the software supply chain. Additionally, in many regulations, SBOMs are required for regulatory compliance, making them an essential part of software packages.
Note
SAP LeanIX does not offer capabilities for automatic SBOM generation. You can generate SBOMs using a method of your choice and import them to SAP LeanIX using the Technology Standards API. To learn more about generating SBOMs, see Generating SBOMs.
Generating, Uploading, and Viewing SBOMs
To work with SBOMs in SAP LeanIX, follow these steps:
-
Generate SBOMs: You can generate SBOMs at various stages of your Software Development Lifecycle (SDLC), including container registries, CI/CD pipelines, security tooling, and Source Control Management (SCM) tools like GitLab, Bitbucket, and GitHub. For guidance on generating SBOMs, refer to Generating SBOMs.
-
Upload SBOMs into SAP LeanIX: Ingest your SBOMs into SAP LeanIX using the Technology Discovery API. The API integrates seamlessly with your build processes, allowing for automatic ingestion of SBOM data generated during your software's build process. This ensures a near real-time view of your software composition.
To upload a SBOM file and link it to a fact sheet, make a
POSTrequest to the/factSheets/{factSheetId}/sbomsendpoint. To learn how to authenticate your API requests, refer to Authentication to SAP LeanIX Services.Example request:
curl --request POST \ --url https://{SUBDOMAIN}.leanix.net/services/technology-discovery/v1/factSheets/{factSheetId}/sboms \ --header 'Authorization: Bearer {TOKEN}' \ --header 'content-type: multipart/form-data' \ --form 'sbom=@/Documents/SBOM.json;type=application/json' -
View SBOMs in the Explorer: View ingested SBOMs in the SBOM Explorer in SAP LeanIX. The SBOM Explorer helps you understand and manage your open-source dependencies within the business context, relating to your applications, teams, and other objects. It allows you to track these dependencies during cybersecurity incidents and take swift action to address risks and compliance issues. For more information, see SBOM Explorer.
By leveraging SBOMs within SAP LeanIX, you gain a comprehensive understanding of your software components, their dependencies, and potential vulnerabilities. This understanding empowers you to manage compliance, mitigate risks, and make informed decisions about your software supply chain. With the ability to generate, upload, and explore SBOMs, you can maintain a real-time view of your software inventory, enabling proactive management of your software development lifecycle.
Additional Resources
To learn more about SBOMs and explore available tools, refer to:
- awesome-sbom, providing a curated list of SBOM-related tools, frameworks, blogs, podcasts, and articles
- SBOM Resources Library from the Cybersecurity and Infrastructure Security Agency (CISA)
- CycloneDX
- SPDX
Updated 5 days ago