One of the compliance requirements of the recent Cybersecurity EO order is to track software bill of materials (SBOM). Curious to know what open-source tools exist to generate SBOM and how accurate they are.
Currently the best one I know of is https://github.com/anchore/syft. It finds most dependencies even within built artifacts.

You can also check out the comments in https://news.ycombinator.com/item?id=32104805 - the release announcement of Salus (Microsoft)
We weren't happy with what was already out there, so we built our own -- https://github.com/mattermost/gobom
This[0] was posted a few days ago here.

[0] https://devblogs.microsoft.com/engineering-at-microsoft/microsoft-open-sources-software-bill-of-materials-sbom-generation-tool/