This repository contains a variant of the original SwiftBOM demo tool supporting enhanced SPDX component input.
A "Software Bill of Materials" (SBOM) is effectively a nested inventory: a list of the ingredients that make up a software component. You can learn more about SBOM at https://www.ntia.gov/sbom, which links to several community-developed documents.
SwiftBOM, the SBOM generator tool in this repository, is part of CERT's work supporting SBOM generation for proof-of-concept and demo purposes. The tool is currently being explored by healthcare proof-of-concept teams for their PoC efforts.
To start SwiftBOM either download the sources or run it via the following link SwiftBOM.
- Support for importing one or multiple files with automatic reference solving based on SPDXIDs.
- Output is restricted to supported tags. Any additional tags are discarded on export.
- In case input doesn't include SPDXID entries these will be filled with GUID values.
- Relationship support restricted to 'CONTAINS' and 'DEPENDS_ON'.
- The UI can only show a single parent per component. If multiple exist only one will be shown.
- No support for file level information beyond package file names and their checksums.
- Experimental support for files with the extension `.rdf`.
- Creator field not filled automatically.
- Creator and supplier fields not filled automatically.
- Not supported.
SwiftBOM currently generates SBOMs in the SPDX, CycloneDX and SWID formats. SwiftBOM also generates a tree graph, downloadable as a PNG file, to quickly visualize the relationships between the components in an SBOM. The tool currently uses CONTAINS as the default relationship mode ([SWID Relationships](https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/#71-relationship)). A generated SBOM in any of the three formats is a standalone document and does not support external relationships.
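The following is an added example, not SwiftBOM's own code, showing how the import behaviours listed above fit together: several SPDX JSON files are merged, references are resolved by SPDXID across all of them, packages without an SPDXID receive a GUID, unsupported tags and relationship types are discarded, and each component keeps a single parent for the tree view. The two input documents, the tag whitelist `SUPPORTED_PACKAGE_TAGS` and the function names are constructed for this example; the project's real whitelist is not stated on the page.

```python
"""Added example (not SwiftBOM code): merge SPDX JSON fragments the way the
behaviours listed above describe. Input documents are constructed samples."""
import json
import uuid

SUPPORTED_RELATIONSHIPS = {"CONTAINS", "DEPENDS_ON"}
# Assumed whitelist for this example; the tool's own list is not on the page.
SUPPORTED_PACKAGE_TAGS = {"SPDXID", "name", "versionInfo", "supplier", "checksums"}

# Constructed sample input: two SPDX JSON fragments that reference each other.
DOC_A = json.dumps({
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "demo-app", "versionInfo": "1.0",
         "homepage": "https://example.invalid"},      # unsupported tag, dropped
        {"name": "unlabelled-lib", "versionInfo": "0.1"},  # no SPDXID, gets a GUID
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-app", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-libz"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-libz"},         # unsupported type, dropped
    ],
})
DOC_B = json.dumps({
    "packages": [
        {"SPDXID": "SPDXRef-libz", "name": "zlib", "versionInfo": "1.2.13",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}]},
        {"SPDXID": "SPDXRef-tool", "name": "build-tool", "versionInfo": "2.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-libz", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-missing"},      # dangling SPDXID
        {"spdxElementId": "SPDXRef-tool", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-libz"},         # second parent for zlib
    ],
})


def merge_spdx_documents(raw_docs):
    """Merge SPDX JSON documents into one package table, a filtered
    relationship list, a single-parent map and a list of unresolved refs."""
    packages = {}
    relationships = []
    for raw in raw_docs:
        doc = json.loads(raw)
        for pkg in doc.get("packages", []):
            # Fill a missing SPDXID with a GUID so the package stays addressable.
            spdx_id = pkg.get("SPDXID") or f"SPDXRef-{uuid.uuid4()}"
            kept = {k: v for k, v in pkg.items() if k in SUPPORTED_PACKAGE_TAGS}
            kept["SPDXID"] = spdx_id
            packages[spdx_id] = kept
        relationships.extend(doc.get("relationships", []))

    resolved, unresolved, parent = [], [], {}
    for rel in relationships:
        rel_type = rel.get("relationshipType")
        if rel_type not in SUPPORTED_RELATIONSHIPS:
            continue  # only CONTAINS and DEPENDS_ON survive export
        src, dst = rel.get("spdxElementId"), rel.get("relatedSpdxElement")
        if src not in packages or dst not in packages:
            unresolved.append((src, rel_type, dst))  # reference to an unknown SPDXID
            continue
        resolved.append({"spdxElementId": src, "relationshipType": rel_type,
                         "relatedSpdxElement": dst})
        if rel_type == "CONTAINS":
            parent.setdefault(dst, src)  # first parent wins; others are not shown
    return {"packages": list(packages.values()), "relationships": resolved,
            "parent": parent, "unresolved": unresolved}


def render_tree(merged):
    """Indented text view of the CONTAINS tree (the tool draws this as a PNG)."""
    parent = merged["parent"]
    children = {}
    for child, par in parent.items():
        children.setdefault(par, []).append(child)
    names = {p["SPDXID"]: p["name"] for p in merged["packages"]}
    lines = []

    def walk(node, depth):
        lines.append("  " * depth + names[node])
        for child in sorted(children.get(node, [])):
            walk(child, depth + 1)

    for root in [pid for pid in names if pid not in parent]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    merged = merge_spdx_documents([DOC_A, DOC_B])
    print(json.dumps(merged, indent=2))
    print("\n".join(render_tree(merged)))
```

Running the block prints the merged document and a tree in which `zlib` appears under `demo-app` only, even though `build-tool` also claims to contain it; the dangling `DEPENDS_ON` reference is reported in `unresolved` rather than silently dropped, which is the check a reviewer of a merged SBOM would want before trusting the output.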