Open Source Tools for SBOM & Vulnerability Scanning

Meeting the Cyber Resilience Act's (CRA) requirements for creating a Software Bill of Materials (SBOM) and scanning for vulnerabilities doesn't have to be expensive. There is a rich ecosystem of open-source tools that can help software developers get the job done.

SBOM Generation Tools

These tools help you generate the list of all your software's dependencies, as required by Annex I, Part II, point (1).

  • CycloneDX Toolset: Maintained by the OWASP Foundation, the CycloneDX project provides a variety of command-line interface (CLI) tools and build-time integrations (e.g., for Maven, npm, Python) to generate SBOMs in the CycloneDX format.
  • SPDX Toolset: The SPDX project, under the Linux Foundation, offers tools for generating and working with the SPDX format, another industry-standard SBOM format.
  • Syft: An open-source CLI tool that generates an SBOM for container images and filesystems, useful for analyzing all dependencies in your deployed application.

Vulnerability Scanning Tools

These tools can take your code or your SBOM and check it against databases of known vulnerabilities.

  • OWASP Dependency-Check: A widely used tool that scans your project's dependencies and identifies any with publicly disclosed vulnerabilities. It can be run as a CLI tool or integrated into build systems like Maven and Gradle.
  • Trivy: An open-source scanner that can find vulnerabilities in container images, file systems, and Git repositories. It can also scan for vulnerabilities listed in your SBOM files.
  • Grype: Another open-source scanner for finding vulnerabilities in container images and filesystems, which works well with the Syft SBOM tool.
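To make concrete what "taking your SBOM and checking it against a database of known vulnerabilities" involves, here is an added Python example. It is not code from this page, nor from Syft, Grype, Trivy or any other project named here. It reads a small constructed CycloneDX JSON document of the kind Syft or the CycloneDX tools emit, extracts each component's package URL (purl), and matches it against a constructed vulnerability feed whose IDs, package names and version ranges are placeholders. The numeric version comparison is a deliberate simplification standing in for the ecosystem-specific ordering rules (PEP 440, semver, dpkg) that real scanners implement, and the final `gate` function shows the kind of severity threshold a build pipeline would apply.

```python
"""Minimal SBOM-based vulnerability check: parse a CycloneDX SBOM, match
each component against a vulnerability feed, and gate a CI build on it."""
import json

# Constructed CycloneDX 1.5 JSON SBOM for this example; package names and
# versions are made up and do not refer to real packages.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.2.3",
     "purl": "pkg:pypi/examplelib@1.2.3"},
    {"type": "library", "name": "otherlib", "version": "4.0.1",
     "purl": "pkg:pypi/otherlib@4.0.1"},
    {"type": "library", "name": "leftpad", "version": "0.9.0",
     "purl": "pkg:npm/leftpad@0.9.0"}
  ]
}
"""

# Constructed vulnerability feed with placeholder IDs. Each entry names an
# ecosystem, a package, and the affected version range (introduced inclusive,
# fixed exclusive), the shape used by OSV-style advisory feeds.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "ecosystem": "pypi", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.2.4", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "ecosystem": "pypi", "package": "otherlib",
     "introduced": "3.0.0", "fixed": "4.0.0", "severity": "CRITICAL"},
    {"id": "EXAMPLE-0003", "ecosystem": "npm", "package": "leftpad",
     "introduced": "0.0.0", "fixed": None, "severity": "LOW"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple.
    Simplified: real scanners apply per-ecosystem version semantics."""
    return tuple(int(part) for part in version.split("."))


def parse_purl(purl):
    """Split a package URL into (ecosystem, name, version).
    rsplit on '@' keeps scoped npm names such as '@scope/name' intact."""
    body = purl[len("pkg:"):]
    ecosystem, rest = body.split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ecosystem, name, version


def load_components(sbom_text):
    """Return (ecosystem, name, version) for every component with a purl."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [parse_purl(c["purl"]) for c in sbom.get("components", [])
            if "purl" in c]


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan_sbom(sbom_text, feed):
    """Match every SBOM component against the feed; return the findings."""
    findings = []
    for ecosystem, name, version in load_components(sbom_text):
        for vuln in feed:
            if (vuln["ecosystem"] == ecosystem and vuln["package"] == name
                    and is_affected(version, vuln["introduced"], vuln["fixed"])):
                findings.append({
                    "id": vuln["id"],
                    "purl": f"pkg:{ecosystem}/{name}@{version}",
                    "severity": vuln["severity"],
                    "fixed": vuln["fixed"],
                })
    return findings


def gate(findings, fail_on=("CRITICAL", "HIGH")):
    """CI gate: True when any finding is at or above the failing severity."""
    return any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    results = scan_sbom(SBOM_JSON, VULN_FEED)
    for f in results:
        print(f"{f['id']}: {f['purl']} ({f['severity']}), "
              f"fixed in {f['fixed'] or 'no fix yet'}")
    raise SystemExit(1 if gate(results) else 0)
```

Run as a script, it reports the two affected components (otherlib 4.0.1 is past the fixed version and is correctly skipped) and exits non-zero because a HIGH finding is present, which is the behaviour a pipeline step wants. In practice the SBOM would come from Syft or a CycloneDX build plugin and the feed from a tool such as Grype, Trivy or OWASP Dependency-Check; the matching and gating logic shown here is what those tools perform at scale.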

Key Takeaway

You can start meeting the CRA's SBOM and vulnerability scanning requirements today using powerful, free, and open-source tools. Integrating tools like the CycloneDX toolset and OWASP Dependency-Check into your development pipeline is a practical first step.