Generating SBOMs
Explore the requirements for SBOM files and get an overview of the methods for generating them.
Early Adopter Release
This feature is currently in early adopter release and may not be available to all customers.
Requirements for SBOMs
- Libraries must have a valid
purl
(package URL), as specified in the Package URL Specification. - For the CycloneDX format, only SBOM components of the type library can be processed.
Note
SAP LeanIX does not offer capabilities for automatic SBOM generation. You can generate SBOMs using a method of your choice and import them to SAP LeanIX using the Technology Discovery API. In this context, SAP LeanIX is a downstream consumer, not producer.
SAP LeanIX does not check the quality or sanitize your SBOMs. To evaluate their quality, you can use any third-party tools such as sbomqs.
Methods for Generating SBOMs
Generating SBOMs can be achieved through various methods, each with its unique strengths and weaknesses. These methods can be broadly categorized into centralized and decentralized approaches.
Regardless of the method chosen, our Technology Discovery API supports seamless import of SBOMs from any source, allowing you to choose the method that best fits your organization's needs and workflows.
Note
Ensure that you generate SBOMs following your organization's security and compliance guidelines. SAP LeanIX does not provide these guidelines.
Centralized Methods
Centralized methods involve generating SBOMs from a central point in the software development lifecycle. These methods typically provide a holistic view of the software components.
-
CI/CD pipeline: SBOMs can be generated as part of the build process in your CI/CD pipeline. This method ensures that the SBOM is always up-to-date with the latest version of your software. For more information, see Generating SBOMs in Your CI/CD Pipeline.
-
Container registry: If your organization uses a container registry, you can generate SBOMs directly from the images stored in the registry. This method is particularly useful for organizations that use containerized applications heavily.
-
Security tooling: Many security tools, particularly those focused on Software Composition Analysis (SCA), can generate SBOMs. These tools can provide additional insights into potential security vulnerabilities within your software components.
-
Vendor-specific tools: Some software vendors provide tools or features for SBOM generation as part of their products. For example, Microsoft provides an SBOM feature as part of its Software Assurance program.
-
Third-party services: There are also third-party services that can generate an SBOM for your software. These services typically use a combination of automated scanning and manual review to ensure the SBOM is accurate and complete.
Decentralized Methods
Decentralized methods involve generating SBOMs at various stages or points in the software development lifecycle. These methods can provide more granular insights into the software components.
-
Software scanning tools: These tools can automatically scan a codebase to identify all the components and their dependencies. They can generate an SBOM that includes information about each component, such as its version, license, and any known vulnerabilities.
-
Package managers: Many programming languages have package managers (like npm for JavaScript, pip for Python, or Maven for Java) that keep track of all the packages used in a project and their dependencies. These package managers can often generate an SBOM as part of their functionality.
-
Build tools: Build tools like Gradle or Ant can also generate an SBOM as part of the build process. They have a complete view of the software components used in the build and can output this information in a suitable format.
-
Open source tools: There are open source tools available specifically for SBOM generation, such as CycloneDX and SPDX tools. These tools are designed to create SBOMs that adhere to specific standards, making it easier to share and analyze this information.
-
Manual creation: While less common and more time-consuming, SBOMs can also be created manually. This method might be used in smaller projects or in cases where automated tools are not available or suitable.
Generating SBOMs in Your CI/CD Pipeline
Integrating the generation of SBOM files into the development process can be achieved through a variety of methods. However, one of the most prevalent and effective approaches is creating SBOM files within CI/CD pipelines. This practice is widely recognized as an industry best practice due to its efficiency and reliability.
This approach integrates the generation of SBOM files directly into the build process. As a result, with each iteration of a new build, a corresponding SBOM is concurrently created and preserved as a build artifact. This method ensures that the SBOM is continuously updated to reflect the latest build, thereby maintaining its relevance and accuracy.
The exact process of generating SBOM files depends on the programming language and tools you're using.
Note
SAP LeanIX supports both SPDX and CycloneDX formats for SBOM files. To automate the generation of these files in your CI/CD pipeline during the build process, we recommend using trusted CycloneDX or SPDX plug-ins, depending on your preference.
CycloneDX
To view a list of available CycloneDX plug-ins for various programming languages, visit the CycloneDX project. For plug-in installation and SBOM generation instructions, refer to the respective plug-in documentation. The following table contains links to CycloneDX plug-ins for some popular programming languages.
Language | CycloneDX Plug-In |
---|---|
Java | CycloneDX Maven Plugin |
Java/Kotlin | CycloneDX Gradle Plugin |
.NET | CycloneDX module for .NET |
Javascript | cyclonedx-npm |
Python | CycloneDX Python SBOM Generation Tool |
Go | cyclonedx-gomod |
Ruby | CycloneDX Ruby Gem |
SPDX
To view a list of available SPDX plug-ins for various programming languages, visit the SPDX project. For plug-in installation and SBOM generation instructions, refer to the respective plug-in documentation. The following table contains links to SPDX plug-ins for some popular programming languages.
Language | SPDX Plug-In |
---|---|
Java | SPDX Maven Plugin |
Java/Kotlin | SPDX Gradle Plugin |
Python | SPDX Tools Python |
Go | SPDX Tools Golang |
Generic (CLI) | SPDX SBOM Generator |
Additional Resources
In addition to the methods discussed in this guide, there are several other tools available that you can use to generate your SBOM files. These tools offer different features and capabilities, and you may find some of them better suited to your specific needs.
Updated 12 days ago