SBOM (Software Bill of Materials) scanning involves analyzing the components and dependencies of a software application to identify potential security vulnerabilities and licensing and compliance issues. SBOMs are typically provided by third parties as a way to declare which components their software relies on. The main steps involved in SBOM scanning are:
- SBOM Document Analysis: SOOS inspects CycloneDX or SPDX SBOMs to identify the software and packages contained within the document.
- Dependency Tree Creation: After identifying directly referenced software and packages, SOOS’s patented dependency resolution builds the full dependency tree and catalogs introduction paths.
- Vulnerability Matching: Using the full set of packages and dependencies, SOOS matches packages to vulnerabilities. SOOS will call out if the vulnerabilities are: in the SBOM and found by SOOS, in the SBOM and not found by SOOS, or not in the SBOM but found by SOOS.
- License Matching: Using the full set of packages and dependencies, SOOS matches packages to licenses.
- Governance Policies: SOOS’s suite of governance policies may be run against the packages and licenses which were identified.
- Issue Creation: Issues are created for any vulnerabilities, governance policy violations, unknown packages, and more.
- Report Generation: Reports for each SBOM are created and accessible via the SOOS Developer, Legal, Security, and Compliance dashboards.
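The three-way vulnerability classification from the Vulnerability Matching step, shown as an added example that is not SOOS code: it parses a constructed CycloneDX JSON fragment, takes the vulnerabilities the SBOM itself declares, and reconciles them against a constructed set of scanner findings. Package names, the `libbaz` transitive dependency, and the `VULN-PLACEHOLDER-n` identifiers are all assumptions, not real advisories.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not a real project's SBOM).
# The vendor lists two direct components and two vulnerabilities it knows about;
# vulnerability ids are placeholders, not real advisories.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.0", "purl": "pkg:npm/libfoo@1.2.0"},
    {"type": "library", "name": "libbar", "version": "3.0.1", "purl": "pkg:npm/libbar@3.0.1"}
  ],
  "vulnerabilities": [
    {"id": "VULN-PLACEHOLDER-1", "affects": [{"ref": "pkg:npm/libfoo@1.2.0"}]},
    {"id": "VULN-PLACEHOLDER-2", "affects": [{"ref": "pkg:npm/libbar@3.0.1"}]}
  ]
}"""

# Constructed scanner output: (purl, vulnerability id) pairs a scanner produced after
# resolving the full dependency tree. libbaz is a transitive dependency the SBOM omitted.
SCANNER_FINDINGS = [
    ("pkg:npm/libfoo@1.2.0", "VULN-PLACEHOLDER-1"),
    ("pkg:npm/libbaz@0.9.0", "VULN-PLACEHOLDER-3"),
]


def declared_findings(sbom):
    """Return the (purl, vuln id) pairs the SBOM document itself declares."""
    return {(a["ref"], v["id"])
            for v in sbom.get("vulnerabilities", [])
            for a in v.get("affects", [])}


def reconcile(sbom_json, scanner_findings):
    """Split findings into the three buckets a scanner reports against an SBOM."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    declared = declared_findings(sbom)
    scanned = set(scanner_findings)
    listed = {c["purl"] for c in sbom.get("components", [])}
    return {
        "in_sbom_found_by_scanner": sorted(declared & scanned),
        "in_sbom_not_found_by_scanner": sorted(declared - scanned),
        "not_in_sbom_found_by_scanner": sorted(scanned - declared),
        # Packages the scanner reached that the SBOM never listed: a coverage gap to raise.
        "unlisted_packages": sorted({p for p, _ in scanned if p not in listed}),
    }


if __name__ == "__main__":
    for bucket, items in reconcile(SBOM_JSON, SCANNER_FINDINGS).items():
        print(bucket, items)
```

The "in SBOM, not found by scanner" bucket is worth a second look on real data: it may be a vendor over-report, but it can also mean the scanner's resolution missed a package the vendor knows is present.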