README.md

SBOM-in-a-Box

The SBOM-in-a-Box is a unified platform to promote the production, consumption, and utilization of Software Bills of Materials (SBOMs). This includes conversion between schemas, generation, comparision and evaluation of quality.

Purpose of SBOM-in-a-Box

SBOM-in-a-box has unique features including generation of SBOMs using multiple tools that allow for a more a complete SBOM to be created. There is also a feature within metrics, where the tool provides suggestions if there is a potential better way to showcase the attributes. There is also the ability to convert between SPDX and CycloneDX SBOM schemas, and to gain insight into vulnerabilities of software through SBOMs. These features allow for developers to create an SBOM that is the most relevant and suits their needs.

Latest Release: [v9.2.0-alpha] - (11/30/2023)

System Requirements

• Java 17.X.X
• Gradle 7.5.X
• Docker 24.X.X

Quick Start

Launch the API

1. docker compose up

Note: To launch the backend it will take at least 10 minutes, due to there being over 10 open source tools included.

Note: Due to installation of multiple tools, building of the container may take a long time, however it is less time than learning all tools individually.

Launch the GUI

1. Clone the GUI repo and follow the quickstart

If making changes to any source code, the Docker image(s) will need to be rebuilt. See Building the Image for detailed instructions. See SBOM-in-a-Box API for detailed API usage.

Features

SBOM-in-a-Box has a number of unique features to support:

• Open Source Integrated SBOM Generation: Makes use of open source SBOM Generator Tools to generate SBOMs
• SBOM Generation: Custom SBOM generation via source file and package manager file analysis
• Vulnerability Exploitability eXchange (VEX) Generation: Generate VEX documents from SBOMs
• SBOM Metrics: Grade SBOMs using a series of metric tests
• SBOM Comparison: Compare SBOMs to identify key differences between them
• SBOM Merging: Merge SBOMs into a single unified document

Currently, SBOM-in-a-Box Supports the following SBOM Types

Schema	JSON	XML	Tag:Value
SPDX 2.3	✅	❌	✅
CyloneDX 1.4	✅	✅	CycloneDX does not support Tag:Value

Contributors

Principal Investigator: Mehdi Mirakhorli

Senior Project Manager: Chris Enoch

Senior Developer Team Lead: Derek Garcia

Developer Team Leads

• Schuyler Dillon
• Tyler Drake
• Ian Dunn
• Kevin Laporte
• Matt London
• Dylan Mulligan
• Amanda Nitta

Developer Team

• Brian Baumann
• Asa Horn
• Justin Jantzi
• Henry Keena
• Hubert Liang
• Ping Liu
• Henry Lu
• Matthew Morrison
• Ethan Numan
• Henry Orsagh
• Juan Francisco Patino
• Max Stein
• Tom Roman
• Liam Wilkins
• Jordan Wong