Getting Started with SBOM data

If you're already using an existing Software Composition Analysis (SCA) platform, or can produce SBOMs from the software you work on, you can import those SBOMs directly into dependency-management-data, without needing any additional tooling to produce data that dependency-management-data can consume.

SBOMs are an excellent format and are well integrated with dependency-management-data's supported features; the supported SBOM formats and versions are listed on the features page.

Generating SBOM data

This is left as an exercise to the reader, as this is very dependent on the tool you're using. If you're having trouble, feel free to raise an issue and we can try and work towards it together.

Consuming SBOM data

Once produced, the resulting SBOMs can then be imported using dmd import bulk, for instance:

# set up the database
dmd db init --db dmd.db
dmd import bulk --db dmd.db repos.csv

This consumes a CSV of the following format:

# NOTE: no header row should be provided; this comment only indicates what the columns are
# platform,organisation,repo,type,filename
github,snarfed,bridgy,sbom,example/sbom/snyk-bridgy-fed-cyclone.json
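As an added example (not part of dependency-management-data), the following Python builds that header-less repos.csv from a set of SBOM files, refusing any file that is not recognisably a CycloneDX or SPDX JSON document so that a mislabelled file never reaches the import. It assumes only the five-column layout documented above and the standard top-level keys of those two formats (bomFormat and spdxVersion); the sample files and the example-org/broken repository are constructed.

```python
import csv
import io
import json
import os
import tempfile

def sbom_format(path):
    """Return 'cyclonedx', 'spdx', or None when the file is not a recognised JSON SBOM."""
    with open(path, encoding="utf-8") as fh:
        try:
            doc = json.load(fh)
        except json.JSONDecodeError:
            return None
    if not isinstance(doc, dict):
        return None
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    return None

def build_repos_csv(entries):
    """Turn (platform, organisation, repo, sbom_path) tuples into header-less CSV text;
    paths that are not recognised SBOMs are returned in `skipped` instead of imported."""
    out, skipped = io.StringIO(), []
    writer = csv.writer(out, lineterminator="\n")  # quotes any field containing a comma
    for platform, org, repo, path in entries:
        if sbom_format(path) is None:
            skipped.append(path)
            continue
        writer.writerow([platform, org, repo, "sbom", path])
    return out.getvalue(), skipped

def demo():
    """Write constructed minimal sample files to a temp dir and build the CSV from them."""
    tmp = tempfile.mkdtemp()
    samples = {  # constructed documents carrying only the format-identifying keys
        "bridgy-cyclone.json": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []},
        "dddem-web-spdx.json": {"spdxVersion": "SPDX-2.3", "name": "dddem-web", "packages": []},
        "not-an-sbom.json": {"hello": "world"},
    }
    for name, doc in samples.items():
        with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
            json.dump(doc, fh)
    entries = [
        ("github", "snarfed", "bridgy", os.path.join(tmp, "bridgy-cyclone.json")),
        ("github", "DDDEastMidlandsLimited", "dddem-web", os.path.join(tmp, "dddem-web-spdx.json")),
        ("github", "example-org", "broken", os.path.join(tmp, "not-an-sbom.json")),  # hypothetical
    ]
    return build_repos_csv(entries)
```

demo() returns the CSV text (two rows, no header) together with the one skipped path; write the text to repos.csv and pass it to dmd import bulk.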

Alternatively, you can call dmd import sbom directly, for instance:

# set up the database
dmd db init --db dmd.db
# whitespace added for readability only

# if you just have an SBOM, you can import it as-is
dmd import sbom --db dmd.db sbom/something-random.json
sqlite3 dmd.db 'select component_name, count(*) from sboms group by component_name'
# ... or you can override the derived `component_name`
dmd import sbom --db dmd.db sbom/something-random.json \
  --component-name 'internal-service-v0.1.0'
sqlite3 dmd.db 'select component_name, count(*) from sboms group by component_name'

# alternatively, this could be from a vendor (--product-version is optional)
dmd import sbom --db dmd.db sbom/mux_gorilla_db9d1d0073d27a0a2d9a8c1bc52aa0af4374d265.json \
  --vendor ExampleCorp \
  --product 'Web Server' \
  --product-version 5.0.0

# if you know which repository an SBOM came from:
dmd import sbom --db dmd.db sbom/snyk-bridgy-fed-cyclone.json \
  --platform github \
  --organisation snarfed \
  --repo bridgy
dmd import sbom --db dmd.db sbom/snyk-dddem-web-spdx.json \
  --platform github \
  --organisation DDDEastMidlandsLimited \
  --repo dddem-web
dmd import sbom --db dmd.db sbom/snyk-pay-webhooks-container-cyclone.json \
  --platform github \
  --organisation alphagov \
  --repo pay-webhooks