SBOM (Software Bill of Materials) scanning involves analyzing the components and dependencies of a software application to identify potential security vulnerabilities and license and compliance issues. SBOMs are typically provided by third parties as a way to declare which components their software relies on. The main steps involved in SBOM scanning are:

  • SBOM Document Analysis: SOOS inspects CycloneDX or SPDX SBOMs to identify the software and packages contained within the document.
  • Dependency Tree Creation: After identifying directly referenced software and packages, SOOS’s patented dependency resolution builds the full dependency tree and catalogs introduction paths.
  • Vulnerability Matching: Using the full set of packages and dependencies, SOOS matches packages to vulnerabilities. SOOS will call out if the vulnerabilities are: in the SBOM and found by SOOS, in the SBOM and not found by SOOS, or not in the SBOM but found by SOOS.
  • License Matching: Using the full set of packages and dependencies, SOOS matches packages to licenses.
  • Governance Policies: SOOS’s suite of governance policies may be run against the packages and licenses which were identified.
  • Issue Creation: Issues are created for any vulnerabilities, governance policies, unknown packages, and more.
  • Report Generation: Reports for each SBOM are created and accessible via the SOOS Developer, Legal, Security, and Compliance dashboards.
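As an added example (not SOOS's code, and not a real SBOM), the block below reads a constructed CycloneDX JSON document, collects its components and the vulnerabilities it declares, and reconciles those declarations with a constructed set of scanner findings into the three categories the Vulnerability Matching step describes. The package URLs and vulnerability ids are placeholders.

```python
import json

# Constructed minimal CycloneDX-style SBOM with a "vulnerabilities" section
# (ids are placeholders, not real advisories).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "pkg-a", "version": "1.0.0", "purl": "pkg:npm/pkg-a@1.0.0"},
    {"type": "library", "name": "pkg-b", "version": "2.3.1", "purl": "pkg:npm/pkg-b@2.3.1"}
  ],
  "vulnerabilities": [
    {"id": "VULN-EXAMPLE-1", "affects": [{"ref": "pkg:npm/pkg-a@1.0.0"}]},
    {"id": "VULN-EXAMPLE-2", "affects": [{"ref": "pkg:npm/pkg-a@1.0.0"}]}
  ]
}
"""

# Constructed scanner findings: (purl, vulnerability id) pairs that a scanner's
# own vulnerability database matched against the resolved package set.
SCANNER_FINDINGS = {
    ("pkg:npm/pkg-a@1.0.0", "VULN-EXAMPLE-1"),
    ("pkg:npm/pkg-b@2.3.1", "VULN-EXAMPLE-3"),
}


def parse_cyclonedx(text):
    """Return (component purls, declared (purl, vuln id) pairs) from a CycloneDX JSON SBOM."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {c["purl"] for c in doc.get("components", []) if "purl" in c}
    declared = set()
    for vuln in doc.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            declared.add((affected["ref"], vuln["id"]))
    return components, declared


def reconcile(sbom_text, findings):
    """Sort every (purl, vuln id) pair into the three buckets a reviewer wants to see:
    agreed by both sources, claimed only by the SBOM, and missed by the SBOM."""
    components, declared = parse_cyclonedx(sbom_text)
    # Findings on packages the SBOM never lists point at unresolved transitive
    # dependencies or an incomplete SBOM; surface them separately.
    unlisted = sorted(f for f in findings if f[0] not in components)
    return {
        "in_sbom_and_found": sorted(declared & findings),
        "in_sbom_not_found": sorted(declared - findings),
        "not_in_sbom_but_found": sorted(findings - declared),
        "findings_on_unlisted_packages": unlisted,
    }
```

A pair in the "in SBOM, not found" bucket may be a stale declaration or a gap in the scanner's database; a pair in "not in SBOM, found" is the category that needs a supplier follow-up.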