I’ve been diving into Software Bill of Materials (SBOMs) recently. Since this artifact will gain a lot of importance in the EU starting next year and it seemed like an easy thing to create, I just went for it.
The road was bumpier than expected, so I decided to write some documentation about it. I'm posting here in case it helps anyone trying to generate their own SBOMs instead of relying on paid solutions.
Goal of the series
Create your own SBOM engine for .NET & Node that:
- Collects source files & dependency data (multi-stack: .NET + Node)
- Pulls in vulnerability data (top-level & nested)
- Builds a full dependency graph with nested components
- Digitally signs the SBOM and wraps it in an envelope together with the public key needed to verify it
Currently, I've finished 3 of 6 posts, with 2 well on the way:
- Part I: Introduction to the concepts
- Part II: Source file Aggregation & Gathering Dependency Data
- Part III: The Engine, Trade-offs & Production of the SBOM
I’d love to hear if anyone here has tackled SBOM generation in-house! How do you handle signing, storage, or integrating vulnerability feeds? Any lessons learned you can share?
Next installments will be about post-processing the artifact (digital signing, encryption, etc.) and presenting the gathered information on visual dashboards.