Hi Cathy, FOSSology, WhiteSource and Black Duck are a few tools for this purpose.
FOSSology is an open-source tool that analyzes software packages and generates SBOMs. It can identify licenses, copyrights, and vulnerabilities associated with open-source components. It integrates with SPDX (Software Package Data Exchange) for generating standardized SBOMs.
WhiteSource is a comprehensive software composition analysis (SCA) tool that can generate SBOMs and identify open-source components in your software. It integrates with the NVD/CVE databases to provide vulnerability information.
Black Duck, now a part of Synopsys, offers an SCA solution for generating SBOMs and identifying open-source components. It provides vulnerability scanning capabilities by integrating with the NVD/CVE databases. It also offers license compliance management features.
------------------------------
Raje Devanathan
Amerisource Bergen
TPIreg, Innomar Strategies
Senior Manager - Regulatory Affairs, Medical Devices
rdevanathan@tpireg.com
3470 Superior Court
Oakville ON L6L0C4
Canada
------------------------------
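As an added illustration of what the tools named above do under the hood (this is example code written for this thread, not code from FOSSology, WhiteSource, Black Duck or any other product): the snippet below reads a small SPDX 2.3 JSON document, pulls each package's name, version and PURL, and checks the versions against a local list of known-vulnerable version ranges. The SBOM, the package names and the vulnerability records are constructed for the example, and the vulnerability identifiers are placeholders rather than real CVE numbers; a real SCA tool would load the records from the NVD/CVE feeds instead.

```python
"""Check packages listed in an SPDX 2.3 JSON SBOM against a local vulnerability list.

Example code for illustration only; the SBOM and vulnerability records below are
constructed, and the identifiers are placeholders, not real CVE numbers.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed SPDX 2.3 JSON document (not a real product SBOM).
SPDX_JSON = r"""
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app",
  "packages": [
    {"name": "libalpha", "SPDXID": "SPDXRef-Package-libalpha", "versionInfo": "1.2.3",
     "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:generic/libalpha@1.2.3"}]},
    {"name": "libbeta", "SPDXID": "SPDXRef-Package-libbeta", "versionInfo": "2.0.10",
     "licenseConcluded": "Apache-2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:generic/libbeta@2.0.10"}]},
    {"name": "libgamma", "SPDXID": "SPDXRef-Package-libgamma", "versionInfo": "0.9",
     "licenseConcluded": "GPL-3.0-only",
     "externalRefs": []}
  ]
}
"""

# Constructed vulnerability records keyed by package name. "introduced" is
# inclusive and "fixed" is exclusive, the same shape most advisory feeds use.
VULN_DB: Dict[str, List[dict]] = {
    "libalpha": [{"id": "PLACEHOLDER-CVE-0001", "introduced": "1.0.0", "fixed": "1.2.4"}],
    "libbeta": [{"id": "PLACEHOLDER-CVE-0002", "introduced": "2.0.0", "fixed": "2.0.8"}],
}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple, padded to three parts."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, record: dict) -> bool:
    """True when introduced <= version < fixed."""
    v = version_key(version)
    return version_key(record["introduced"]) <= v < version_key(record["fixed"])


def load_packages(spdx_text: str) -> List[dict]:
    """Extract name, version, PURL and concluded license from each SPDX package."""
    doc = json.loads(spdx_text)
    packages = []
    for pkg in doc.get("packages", []):
        purl: Optional[str] = next(
            (ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
             if ref.get("referenceType") == "purl"),
            None,
        )
        packages.append({
            "name": pkg["name"],
            "version": pkg.get("versionInfo", ""),
            "purl": purl,
            "license": pkg.get("licenseConcluded", "NOASSERTION"),
        })
    return packages


def find_vulnerable(spdx_text: str, vuln_db: Dict[str, List[dict]]) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory id) for every matching vulnerability record."""
    findings = []
    for pkg in load_packages(spdx_text):
        for record in vuln_db.get(pkg["name"], []):
            if is_affected(pkg["version"], record):
                findings.append((pkg["name"], pkg["version"], record["id"]))
    return findings


def packages_without_purl(spdx_text: str) -> List[str]:
    """Packages with no PURL cannot be matched reliably against NVD/CVE data."""
    return [pkg["name"] for pkg in load_packages(spdx_text) if pkg["purl"] is None]


if __name__ == "__main__":
    for name, version, advisory in find_vulnerable(SPDX_JSON, VULN_DB):
        print(f"VULNERABLE: {name} {version} -> {advisory}")
    for name in packages_without_purl(SPDX_JSON):
        print(f"UNMATCHABLE: {name} has no PURL; add one before trusting the scan")
```

The second function is the part worth keeping in mind when evaluating tools: a component that the SBOM generator could not tie to a package identifier (PURL or CPE) silently produces no vulnerability findings, so the quality of the identifiers in the generated SBOM matters as much as the freshness of the NVD/CVE data the scanner pulls.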
Original Message:
Sent: 05-Jul-2023 11:29
From: Cathy Wilburn
Subject: Recommendations for SBOM Tools
We are starting an evaluation of SBOM tools and wanted to see if anyone here had recommendations. We want a tool that does both SBOM generation and also checks for known vulnerabilities from the NVD/CVE databases.
Thanks!
------------------------------
Cathy Wilburn
Director, Quality Assurance & Compliance
Fishers IN
United States
------------------------------