Authoritative Guide to SBOM

Implement and Optimize use of Software Bill of Materials


Consuming CycloneDX BOMs

Consuming CycloneDX BOMs can be done efficiently using various tools specifically designed to ingest and analyze BOMs. In general, these tools fall into three classifications:

Figure: BOM Tool Ladder

  1. BOM Tools: This classification of tool is generally small, purpose-built, and often a command-line utility. These types of tools generally focus on vulnerability scanning, license compliance, or dependency analysis. While there are many tools that provide this functionality, a few honorable open source mentions are Bomber, dep-scan, Grype, and Trivy. All these tools can accept CycloneDX BOMs as input and analyze them for known security risks.
  2. BOM Platforms: These higher complexity tools offer robust and collaborative features and are generally purpose-built for BOM consumption. They typically consume BOMs from CI/CD pipelines or external systems, such as procurement. Notable open source projects in this category are GUAC, a supply chain intelligence platform, and OWASP Dependency-Track, a reference platform for BOM consumption and analysis.
  3. Enterprise Platforms: Oftentimes these are large CMDBs or similar systems that provide a wide range of IT, procurement, and business applications. These platforms are typically more general-purpose, capable of a wide range of use cases, including SBOM consumption.

For a list of known tools that support the CycloneDX standard, visit the CycloneDX Tool Center.
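The following is an added example, not code from the guide or from any of the tools named above, showing what the two analyses a small BOM tool performs (license compliance and dependency analysis) look like when carried out over a CycloneDX JSON document. The BOM embedded below is constructed for illustration: its component names, versions, bom-refs and licenses belong to no real project, and the license allowlist is an assumed organizational policy, not something the guide prescribes.

```python
"""Minimal CycloneDX BOM consumer (added example, not a CycloneDX project tool).

Performs two analyses from the BOM Tools category: a license-compliance check
against an allowlist, and a dependency analysis that answers "what in this
product depends on component X?" by walking the BOM's dependency graph.
"""
import json
from collections import deque

# Constructed sample CycloneDX JSON BOM; names, versions and licenses are illustrative only.
SAMPLE_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "name": "example-app", "version": "1.0.0",
                  "bom-ref": "pkg:generic/example-app@1.0.0"}
  },
  "components": [
    {"type": "library", "name": "lib-a", "version": "2.3.1", "bom-ref": "pkg:generic/lib-a@2.3.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "lib-b", "version": "0.9.0", "bom-ref": "pkg:generic/lib-b@0.9.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "lib-c", "version": "4.1.0", "bom-ref": "pkg:generic/lib-c@4.1.0",
     "licenses": [{"expression": "MIT OR Apache-2.0"}]},
    {"type": "library", "name": "lib-d", "version": "1.2.0", "bom-ref": "pkg:generic/lib-d@1.2.0"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/example-app@1.0.0", "dependsOn": ["pkg:generic/lib-a@2.3.1", "pkg:generic/lib-c@4.1.0"]},
    {"ref": "pkg:generic/lib-a@2.3.1", "dependsOn": ["pkg:generic/lib-b@0.9.0"]},
    {"ref": "pkg:generic/lib-b@0.9.0", "dependsOn": ["pkg:generic/lib-d@1.2.0"]},
    {"ref": "pkg:generic/lib-c@4.1.0", "dependsOn": []}
  ]
}
"""

# Assumed policy: SPDX identifiers the organization accepts (illustrative, not from the guide).
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def load_bom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return bom


def component_licenses(component):
    """Return the declared SPDX ids, names or expressions of a component."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name"))
    return found


def license_findings(bom, allowed):
    """License compliance: map bom-ref -> reason for every component that
    declares no license or a license outside the allowlist. An SPDX expression
    joined only by OR passes if any alternative is allowed; one containing AND
    needs every id allowed (a simplification of full SPDX expression evaluation)."""
    findings = {}
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or f"{comp.get('name')}@{comp.get('version')}"
        lics = component_licenses(comp)
        if not lics:
            findings[ref] = "no license declared"
            continue
        for lic in lics:
            ids = [t for t in lic.replace("(", " ").replace(")", " ").split()
                   if t not in ("AND", "OR")]
            ok = all(i in allowed for i in ids) if " AND " in lic else any(i in allowed for i in ids)
            if not ok:
                findings[ref] = f"license not allowed: {lic}"
    return findings


def dependents_of(bom, target_ref):
    """Dependency analysis: every bom-ref that depends on target_ref, directly
    or transitively, found by walking the dependency graph from child to parent."""
    parents = {}
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, set()).add(dep["ref"])
    seen, queue = set(), deque([target_ref])
    while queue:
        for parent in parents.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM_JSON)
    for ref, reason in sorted(license_findings(bom, ALLOWED_LICENSES).items()):
        print(f"LICENSE  {ref}: {reason}")
    affected = dependents_of(bom, "pkg:generic/lib-d@1.2.0")
    print("Dependents of pkg:generic/lib-d@1.2.0:", ", ".join(sorted(affected)))
```

Run against the embedded BOM, the license check flags lib-b (GPL-3.0-only is outside the allowlist) and lib-d (no license declared), while lib-c passes because one alternative of its `MIT OR Apache-2.0` expression is allowed. The dependency walk shows that lib-d, although four levels deep, is reachable from the root application through lib-b and lib-a, which is exactly the blast-radius question a consumer needs answered when a deep transitive component turns out to carry a risk.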
