# Top SBOM Tools

Open Source

- [Augur](#augur)
- [Bom](#bom)
- [Cosign](#cosign)
- [Trivy](#trivy)
- Dependency-Track
- FOSSology
- Github OSS Review Toolkit
- Orion
- SwiftBOM
- GitHub ScanCode-Toolkit
- SPDX SBOM Generator
- Syft
- Tern
- Yocto
Commercial

- [ANCHORE](#anchore)
- Aqua Security
- Condenotary
- Contrast Security
- Cybeats
- NowSecure
- Secure Software
- Snyk
- Sonatype
- SOOS
- Synopsys
- Tidelift
- WhiteSource

## Framework For Evaluating SBOM Tools

This is derived from [fossa](https://fossa.com/blog/framework-evaluating-sbom-tools/).

For each SBOM tool listed above we'll analyze several components.

1. What standards it supports (SPDX, CycloneDX)
2. Compliance with the Cyber Security Executive Order
3. Data Field Coverage
4. Automation Support
5. Programming Language Support
6. Dependency Recognition Depth

## Open Source Tools

### [Augur](https://github.com/chaoss/augur-license)

**Language**: Python, **Supports:** SPDX, **Functions:** Generate, View

**Description:** Scans source code distributions to produce SPDX information, stores it in a relational database, and extracts it as plain text on request.

**Notes:** Requires sudo capabilities for installation.

### [Bom](https://github.com/kubernetes-sigs/bom)

**Language:** Go, **Supports:** SPDX, **Functions:** Document, Generate, **License:** `Apache-2.0 license`

**Description:** The `generate` command creates SBOMs from files, images, and Docker archives.

**Data Fields:**

This tool assumes project metadata from the repo, including name and license. It does identify the project version.

**Automation Support:**

This tool generates SBOM files in the tag/value (`.spdx`) format.

**Package Depth**

This tool does not identify any project dependencies.

**Relationships**

This tool only identifies relationships between the project and its files.

### [Cosign](https://github.com/sigstore/cosign)

**Language:** Go

### [Trivy](https://github.com/aquasecurity/trivy)

**Supported Specifications:** SPDX 2.3 and CycloneDX, **Formats:** JSON and Tag-Value, **Functions:** Scan, Generate, **License:** `Apache-2.0 license`

**Description:** Generate SBOMs from container images and repos.

```bash
# From a container image
trivy image --list-all-pkgs --format {sbom-format} --output {output-file} {image}:{version}

# From a repository
trivy repo --list-all-pkgs --format {sbom-format} --output {output-file} {repository}
```


**Data Fields:**

This tool assumes project metadata from the repo, including name and license. It does identify the project version.

**Automation Support:**

This tool generates SBOM files in the tag/value (`.spdx`) format.

**Package Depth**

This tool identifies only top-level dependencies when applied to repositories.

**Relationships**

When generating an SBOM in the SPDX specification, this tool only identifies relationships between the project and its files and top-level packages. However, when generating an SBOM in the CycloneDX specification for the PyTorch repository, it could produce dependency relationships between Ruby components based on the `Gemfile.lock`.
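As an added example (not part of this list or of Trivy's own code), the script below applies the page's package-depth and relationship criteria to a CycloneDX JSON SBOM of the kind Trivy emits: it walks the `dependencies` graph from the root component to separate direct from transitive packages and flags components missing name, version or license data. The embedded SBOM is constructed sample data, and the field names follow the CycloneDX 1.4 JSON schema.

```python
import json
from collections import deque

# Constructed CycloneDX 1.4 document shaped like Trivy's output for a repo with a
# Gemfile.lock (sample data written for this example, not real Trivy output).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "root-app", "type": "application", "name": "example-repo"}},
    "components": [
        {"bom-ref": "pkg:gem/rails@7.0.4", "name": "rails", "version": "7.0.4", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:gem/activesupport@7.0.4", "name": "activesupport", "version": "7.0.4", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:gem/tzinfo@2.0.5", "name": "tzinfo", "version": "2.0.5"},
        {"bom-ref": "pkg:gem/rake@13.0.6", "name": "rake"},
    ],
    "dependencies": [
        {"ref": "root-app", "dependsOn": ["pkg:gem/rails@7.0.4", "pkg:gem/rake@13.0.6"]},
        {"ref": "pkg:gem/rails@7.0.4", "dependsOn": ["pkg:gem/activesupport@7.0.4"]},
        {"ref": "pkg:gem/activesupport@7.0.4", "dependsOn": ["pkg:gem/tzinfo@2.0.5"]},
    ],
})

def dependency_depths(bom: dict) -> dict:
    """BFS over the CycloneDX dependency graph starting at the root component.
    Returns {bom-ref: depth}; depth 1 is a direct (top-level) dependency."""
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    depths, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:  # shared and cyclic edges are visited only once
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths

def evaluate(bom_json: str) -> dict:
    """Score an SBOM on the page's criteria: data field coverage, package depth, relationships."""
    bom = json.loads(bom_json)
    depths = dependency_depths(bom)
    comps = bom.get("components", [])
    gaps = {c["bom-ref"]: [f for f in ("name", "version", "licenses") if not c.get(f)] for c in comps}
    return {
        "direct": sorted(r for r, d in depths.items() if d == 1),
        "transitive": sorted(r for r, d in depths.items() if d > 1),
        "unreachable": sorted(c["bom-ref"] for c in comps if c["bom-ref"] not in depths),
        "max_depth": max(depths.values()),
        "incomplete_fields": {r: f for r, f in gaps.items() if f},
    }
```

A non-empty `unreachable` list means the tool listed a component but recorded no relationship linking it to the project, which is the gap the SPDX output described above leaves for transitive packages.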
**Scan can detect:**

- Container Image
- Filesystem
- Git Repository (remote)
- Virtual Machine Image
- Kubernetes
- AWS

**Supported programming languages:**

- Go
- Java
- JavaScript (Node.js)
- Python
- Ruby
- PHP
- C/C++
- Rust
- .NET (C#)

## Commercial Tools

### Anchore

**Supports:** SPDX, CycloneDX

**Description:** Commercial packaging of Syft

**Package Depth**

Identifies transitive dependencies at each stage in the development process.