Consuming CycloneDX BOMs
Consuming CycloneDX BOMs can be done efficiently using various tools specifically designed to ingest and analyze BOMs. In general, there are three classifications of tools. They are:
- BOM Tools: This classification of tool is generally small, purpose-built, and often a command-line utility. These types of tools generally focus on vulnerability scanning, license compliance, or dependency analysis. While there are many tools that provide this functionality, a few honorable open source mentions are Bomber, dep-scan, Grype, and Trivy. All of these tools can accept CycloneDX BOMs as input and analyze them for known security risks.
- BOM Platforms: These higher-complexity tools offer robust and collaborative features and are generally purpose-built for BOM consumption. They typically consume BOMs from CI/CD pipelines or from external systems, such as procurement. Notable open source projects in this category are GUAC, a supply chain intelligence platform, and OWASP Dependency-Track, a reference platform for BOM consumption and analysis.
- Enterprise Platforms: Oftentimes these are large CMDBs or similar systems that provide a wide range of IT, procurement, and business applications. These platforms are typically more general-purpose, capable of a wide range of use cases, including SBOM consumption.
For a list of known tools that support the CycloneDX standard, visit the CycloneDX Tool Center.
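As an added illustration of what a tool in the BOM Tools category does (example code written for this section, not part of CycloneDX or of any tool named above), the following Python parses a constructed CycloneDX 1.5 JSON BOM, flags components whose declared SPDX license id is on a deny-list, and walks the `dependencies` graph to show how each flagged component entered the tree. The BOM contents, package names and the deny-list are assumptions made for the example.

```python
import json
from collections import deque

# Constructed minimal CycloneDX 1.5 JSON BOM used as sample input (not a real project's SBOM).
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "application", "name": "example-app", "bom-ref": "app"}},
  "components": [
    {"type": "library", "name": "web-framework", "version": "2.1.0", "bom-ref": "pkg:pypi/web-framework@2.1.0",
     "purl": "pkg:pypi/web-framework@2.1.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "template-engine", "version": "1.4.2", "bom-ref": "pkg:pypi/template-engine@1.4.2",
     "purl": "pkg:pypi/template-engine@1.4.2", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"type": "library", "name": "legacy-parser", "version": "0.9.0", "bom-ref": "pkg:pypi/legacy-parser@0.9.0",
     "purl": "pkg:pypi/legacy-parser@0.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:pypi/web-framework@2.1.0"]},
    {"ref": "pkg:pypi/web-framework@2.1.0", "dependsOn": ["pkg:pypi/template-engine@1.4.2"]},
    {"ref": "pkg:pypi/template-engine@1.4.2", "dependsOn": ["pkg:pypi/legacy-parser@0.9.0"]},
    {"ref": "pkg:pypi/legacy-parser@0.9.0", "dependsOn": []}
  ]
}""")

def license_violations(bom, denied):
    """License compliance check: names of components declaring an SPDX license id on the deny-list."""
    return sorted(c["name"] for c in bom.get("components", [])
                  if any(lic.get("license", {}).get("id") in denied for lic in c.get("licenses", [])))

def dependency_path(bom, start_ref, target_ref):
    """Dependency analysis: BFS over the BOM's 'dependencies' graph; returns the ref chain from start_ref to target_ref, or None."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    queue, seen = deque([(start_ref, [start_ref])]), {start_ref}
    while queue:
        ref, path = queue.popleft()
        if ref == target_ref:
            return path
        for nxt in graph.get(ref, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None

def explain_violations(bom, denied):
    """Combine both checks: map each violating component to the chain that introduced it from the root application."""
    root = bom["metadata"]["component"]["bom-ref"]
    by_name = {c["name"]: c["bom-ref"] for c in bom.get("components", [])}
    return {name: dependency_path(bom, root, by_name[name]) for name in license_violations(bom, denied)}
```

Calling `explain_violations(SAMPLE_BOM, ["GPL-3.0-only"])` reports that `legacy-parser` is a transitive dependency pulled in via `web-framework` and `template-engine`, which is the kind of finding a BOM tool surfaces for remediation.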