Tech Stack Discovery from SBOMs

Your technology stack is automatically discovered from ingested SBOMs. Explore how this process works.

🚧

Early Adopter Release

This feature is currently in early adopter release and may not be available to all customers.

Introduction

SAP LeanIX facilitates the automated discovery of technology stacks from ingested SBOMs. This operation is conducted automatically in the background, eliminating the need for additional configurations.

SAP LeanIX uses a curated reference catalog to match detailed SBOM components with corresponding tech stack frameworks. When a library matches a tech stack, an IT component is created and linked to the relevant microservice. If multiple libraries match a single tech stack, they are consolidated. Currently, tech stack discovery supports the identification of frameworks and databases.

This automatic and continuous detection and cataloging of tech stacks helps streamline your organization's technology stack. The tech radar report further supports this effort by offering a comprehensive visual representation of your technology landscape. For more information, refer to Radar Report.

📘

Note

We’re working on enhancing tech stack discovery capabilities and need your feedback. If you’d like to share your use case, please contact your Customer Success Manager.

The following image illustrates how tech stack discovery works.

Figure: Tech Stack Discovery Process

Discovering and Creating IT Components

Currently, IT components that don’t provide lifecycle information are discovered and created as fact sheets in SAP LeanIX. This process helps you understand and inform tech stack standardization. We plan to implement the discovery of IT components with lifecycle information, in combination with the reference catalog. This enhancement will allow you to manage obsolescence risks effectively.

The following image illustrates how the process of discovering IT components currently works.

Figure: Discovering IT Components from SBOM Components

To analyze SBOM components that you uploaded, you can use the SBOM explorer. To learn more, see SBOM Explorer.

Technical Details

The process of automatically discovering tech stacks from ingested SBOMs involves the following steps:

  1. You call the Technology Discovery API to ingest SBOMs into SAP LeanIX. Here’s an example API request:

    curl --request POST \
      --url https://{SUBDOMAIN}.leanix.net/services/technology-discovery/v1/factSheets/{factSheetId}/sboms \
      --header 'Authorization: Bearer {TOKEN}' \
      --header 'Content-Type: multipart/form-data' \
      --form 'sbom=@/Documents/SBOM.json;type=application/json'
    
  2. The system parses individual SBOM components to produce the SBOM view.

  3. Asynchronously, the backend processes the SBOM components provided as part of the SBOM. It matches them against the tech stack catalog using the core purl.

    There might be a delay of a few seconds between SBOM ingestion through the API and tech stack creation. This delay occurs because we use eventing for library processing. Learn more about eventual consistency.

    Example: For the incoming purl pkg:maven/org.springframework.boot/{artifact}@{version}, here's the matched IT component:

    {
      "name": "Spring Boot",
      "purl": "pkg:maven/org.springframework.boot/spring-boot-starter",
      "description": "Spring Boot makes it easy to create stand-alone, production-grade Spring based Applications that you can 'just run'. It simplifies Spring configuration."
    }
    
  4. If the system finds a match, it uses the microservice ID from step 1 to create an IT component of subtype software for the microservice fact sheet.
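The matching in steps 2 to 4, sketched as an added example (not SAP LeanIX code) that you can use to preview which SBOM components would map to a tech stack and which would not. It assumes "core purl" means the purl with version, qualifiers, and subpath removed; the catalog, the CycloneDX SBOM, and the names `CATALOG`, `core_purl`, and `discover` are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed stand-in for the curated reference catalog: core purl -> tech stack name.
# The Spring Boot starter entry mirrors the page's example; the other entries are assumptions.
CATALOG = {
    "pkg:maven/org.springframework.boot/spring-boot-starter": "Spring Boot",
    "pkg:maven/org.springframework.boot/spring-boot-starter-web": "Spring Boot",
    "pkg:maven/org.postgresql/postgresql": "PostgreSQL",
}

# Constructed CycloneDX-style SBOM for one microservice (versions are sample values).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "spring-boot-starter", "purl": "pkg:maven/org.springframework.boot/spring-boot-starter@3.2.0"},
        {"name": "spring-boot-starter-web", "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.2.0?type=jar"},
        {"name": "postgresql", "purl": "pkg:maven/org.postgresql/postgresql@42.7.1"},
        {"name": "left-pad", "purl": "pkg:npm/left-pad@1.3.0"},
        {"name": "vendored-lib"},  # no purl at all: cannot be matched
    ],
})

def core_purl(purl):
    """Strip subpath (#), qualifiers (?) and version (@): the assumed meaning of 'core purl'."""
    purl = purl.split("#", 1)[0].split("?", 1)[0]
    # Only look for '@' in the last path segment, so a scoped namespace is left untouched.
    head, sep, tail = purl.rpartition("/")
    return head + sep + tail.split("@", 1)[0]

def discover(sbom_text, catalog):
    """Return ({tech stack: sorted matching core purls}, [names of unmatched components])."""
    matched, unmatched = defaultdict(set), []
    for comp in json.loads(sbom_text).get("components", []):
        purl = comp.get("purl")
        stack = catalog.get(core_purl(purl)) if purl else None
        if stack:
            matched[stack].add(core_purl(purl))  # several libraries consolidate into one stack
        else:
            unmatched.append(comp.get("name", "<unnamed>"))
    return {s: sorted(p) for s, p in matched.items()}, unmatched

if __name__ == "__main__":
    stacks, missed = discover(SAMPLE_SBOM, CATALOG)
    for stack, purls in stacks.items():
        print(f"IT component '{stack}' <- {purls}")
    print("no catalog match:", missed)
```

Components that arrive without a purl, or whose purl is not in the catalog, end up in the unmatched list; those are the parts of an SBOM that produce no IT component.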

Figure: IT Component Discovered from a SBOM