Set up an automated generation of SBOM files within your deployment lifecycle.
This feature is currently in early adopter release and may not be available to all users.
Overview
In the complex world of microservices, understanding and managing dependencies is crucial. This guide walks you through the process of mapping microservice dependencies using Software Bill of Materials (SBOM) files. These files, adhering to the common Software Package Data Exchange (SPDX) or CycloneDX format, offer a detailed inventory of all software components, libraries, and modules used by your microservice.
By leveraging Software Bill of Materials (SBOMs), you can efficiently track and manage these components. This not only ensures compliance with licensing requirements but also helps identify potential security vulnerabilities. Additionally, it provides an in-depth understanding of your software supply chain.
Software Bill of Materials (SBOMs) can be sourced from multiple stages or systems within your deployment lifecycle. This could include your container registry, Continuous Integration and Continuous Deployment (CI/CD) pipeline, or security tooling. The flexibility of our API supports this diverse sourcing, which lets you import SBOMs from any source seamlessly.
This guide assumes you have solid understanding of:
Generating SBOM Files in Your CI/CD Pipeline
Integrating the generation of Software Bill of Materials (SBOM) into the development process can be achieved through a variety of methods. However, one of the most prevalent and effective approaches is creating SBOM files within CI/CD pipelines. This practice is widely recognized as an industry best practice due to its efficiency and reliability.
This approach integrates the generation of SBOM files directly into the build process. As a result, with each iteration of a new build, a corresponding SBOM is concurrently created and preserved as a build artifact. This method ensures that the SBOM is continuously updated to reflect the latest build, thereby maintaining its relevance and accuracy.
The exact process of generating SBOM files depends on the programming language and tools you're using.
Note
LeanIX supports both SPDX and CycloneDX formats for SBOM files. To automate the generation of these files in your CI/CD pipeline during the build process, we recommend using trusted CycloneDX or SPDX plug-ins, depending on your preference.
CycloneDX
To view a list of available CycloneDX plug-ins for various programming languages, visit the CycloneDX project. For plug-in installation and SBOM generation instructions, refer to the respective plug-in documentation. The following table contains links to CycloneDX plug-ins for some popular programming languages.
| Language | CycloneDX Plug-In |
|---|---|
| Java | CycloneDX Maven Plugin |
| Java/Kotlin | CycloneDX Gradle Plugin |
| .NET | CycloneDX module for .NET |
| Javascript | cyclonedx-npm |
| Python | CycloneDX Python SBOM Generation Tool |
| Go | cyclonedx-gomod |
| Ruby | CycloneDX Ruby Gem |
SPDX
To view a list of available SPDX plug-ins for various programming languages, visit the SPDX project. For plug-in installation and SBOM generation instructions, refer to the respective plug-in documentation. The following table contains links to SPDX plug-ins for some popular programming languages.
| Language | SPDX Plug-In |
|---|---|
| Java | SPDX Maven Plugin |
| Java/Kotlin | SPDX Gradle Plugin |
| Python | SPDX Tools Python |
| Go | SPDX Tools Golang |
| Generic (CLI) | SPDX SBOM Generator |
Resources
In addition to the methods discussed in this guide, there are several other tools available that you can use to generate your Software Bill of Materials (SBOMs). These tools offer different features and capabilities, and you may find some of them better suited to your specific needs.