BSides Munich 2025

SBOM 1x1 - a Workshop on how to do SBOM
2025-11-15, Hochschule München - R0.007

In recent years, SBOMs have become an emerging topic, addressing the need to understand and track the software supply chain and to gain a better understanding of the software composition used in our modern infrastructure.
Frequently heard promises are that SBOMs allow vulnerabilities in upstream dependencies such as Log4j to be identified and addressed much faster, or that they help mitigate supply-chain attacks like the XZ Utils attack. But what does working with SBOMs actually look like?
This workshop provides an orientation on the tools and standards at hand and gives practical examples of how and when to generate SBOMs, how to assess their quality, and how to merge and consume them.


The workshop will be structured as follows:

1. Introduction to SBOM

First, we will introduce the common SBOM standards SPDX and CycloneDX and take a look into their schemas and versioning to get a better understanding of what information we will find in an SBOM.

Next, we will take a look at common minimum requirements for an SBOM as published by the US NTIA and CISA, the German BSI, and the EU CRA.

Lastly, we will look at the lifecycle of an SBOM. While the workshop walks through the whole lifecycle, we highlight the different roles and domains that take part in each stage of this process.

2. Easy tools to get started

Next, we will start with a practical example, introducing the open-source tools Syft, Grype, and Grant to generate and consume SBOMs from the command line.
- First, we will generate an SBOM for an example project with Syft in different schemas and file formats.
- Second, we will look for vulnerabilities in the SBOM using Grype.
- Lastly, we will look for license issues in the SBOM using Grant.

3. Integrate into Project Build Process

Looking at the SBOMs generated by Syft, we will see that, while they were easy to generate, they come with some quality issues. Therefore, we next show how to integrate SBOM plugins into the build process in CI. Here, we will integrate the CycloneDX plugins for npm and Gradle into the build process and show how to merge the results into a single SBOM with the CycloneDX CLI.
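As an added illustration of the minimum-element requirements mentioned in the introduction and of the quality issues this step surfaces, here is a small Python checker that tests a CycloneDX JSON SBOM against the NTIA minimum elements (supplier name, component name, component version, other unique identifiers, dependency relationships, author of the SBOM data, timestamp). This is the editor's example, not one of the tools used in the workshop; the sample SBOM is constructed with deliberate gaps, and the mapping of NTIA elements onto CycloneDX 1.5 fields is an assumption of the example.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements.

Added example for this workshop page, not one of the tools it names.
The NTIA minimum elements (2021) are: supplier name, component name,
component version, other unique identifiers, dependency relationships,
author of the SBOM data, and a timestamp. The CycloneDX field mapping
below is the editor's reading of the CycloneDX 1.5 JSON schema.
"""
import json

# Constructed sample: a small CycloneDX 1.5 document with deliberate gaps
# (no SBOM author, no supplier and no version on lib-b, and lib-b absent
# from the dependency graph).
SAMPLE_SBOM = json.loads(r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2025-11-15T09:00:00Z",
    "component": {"bom-ref": "app", "type": "application",
                  "name": "example-app", "version": "1.0.0"}
  },
  "components": [
    {"bom-ref": "lib-a", "type": "library", "name": "lib-a", "version": "2.3.1",
     "purl": "pkg:npm/lib-a@2.3.1", "supplier": {"name": "Example Org"}},
    {"bom-ref": "lib-b", "type": "library", "name": "lib-b",
     "purl": "pkg:npm/lib-b"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-a"]}
  ]
}
""")


def check_ntia_minimum_elements(sbom: dict) -> dict:
    """Return {check_name: [findings]}; an empty list means the check passed."""
    findings = {
        "author_of_sbom_data": [],
        "timestamp": [],
        "supplier_name": [],
        "component_name": [],
        "component_version": [],
        "unique_identifiers": [],
        "dependency_relationships": [],
    }
    meta = sbom.get("metadata", {})
    # Author of SBOM data: CycloneDX carries this in metadata.authors; as a
    # weaker substitute this example also accepts metadata.tools (the tool
    # that generated the SBOM), which is an editorial choice.
    if not meta.get("authors") and not meta.get("tools"):
        findings["author_of_sbom_data"].append("metadata.authors and metadata.tools are both missing")
    if not meta.get("timestamp"):
        findings["timestamp"].append("metadata.timestamp is missing")

    components = sbom.get("components", [])
    for comp in components:
        ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            findings["component_name"].append(f"{ref}: no name")
        if not comp.get("version"):
            findings["component_version"].append(f"{ref}: no version")
        if not (comp.get("supplier") or {}).get("name"):
            findings["supplier_name"].append(f"{ref}: no supplier name")
        # "Other unique identifiers": purl, CPE or SWID tag.
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings["unique_identifiers"].append(f"{ref}: no purl/cpe/swid")

    # Dependency relationships: every component should appear in the
    # dependency graph, either as a node or as a dependency of another node.
    referenced = set()
    for dep in sbom.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))
    for comp in components:
        ref = comp.get("bom-ref")
        if ref not in referenced:
            findings["dependency_relationships"].append(f"{ref}: not in dependency graph")
    return findings


def passes(findings: dict) -> bool:
    """True only if every NTIA minimum-element check produced no finding."""
    return all(not v for v in findings.values())


if __name__ == "__main__":
    result = check_ntia_minimum_elements(SAMPLE_SBOM)
    for check, issues in result.items():
        print(f"{check:26} {'ok' if not issues else 'MISSING'}")
        for issue in issues:
            print(f"    - {issue}")
```

Run against the constructed sample, the checker reports four gaps (no SBOM author, and lib-b lacking supplier, version and a place in the dependency graph) and passes the other three checks; pointing it at a real Syft- or plugin-generated CycloneDX file is a quick way to compare their completeness.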

4. The Pitfalls of converting SBOMs

While we have now produced an SBOM of high quality, we find that the CycloneDX plugins only support the CycloneDX schema. While several tools (such as Syft) can convert an SBOM to another schema, this often comes with a loss of data.
In this exercise, we will use Syft to convert an SBOM to another schema and inspect the problems that arise in the conversion.

5. SBOM at scale - Storing and Analyzing SBOMs

Lastly, we will switch sides from the provider of SBOMs to the consumer of SBOMs. To that end, we will take a look at the open-source platform Dependency-Track: how to create projects, and how to monitor and mitigate issues.

6. (Optional) VEX - reducing the workload

While working with Dependency-Track, we will have seen that quite a lot of issues are listed. Therefore, we introduce the Vulnerability Exploitability eXchange (VEX). We briefly discuss what VEX is, how we can produce VEX information alongside our SBOM, and how we can consume it in Dependency-Track.
(Depending on time constraints, this section might be skipped.)
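To make the effect of VEX concrete, here is an added Python example (the editor's, not code from Dependency-Track, Grype or the CycloneDX project) that applies a CycloneDX VEX document to a list of scanner findings and separates the findings a VEX statement suppresses from those that stay open. The scanner findings and the VEX document are constructed; the CVE ids are placeholders, not real identifiers; and matching findings to VEX statements by purl is a simplification of how CycloneDX links "affects.ref" to a BOM component.

```python
"""Apply a CycloneDX VEX document to scanner findings.

Added example for this workshop page; not code from Dependency-Track,
Grype or the CycloneDX project. Findings whose VEX analysis state is
'not_affected' or 'false_positive' are suppressed; every other state
(exploitable, in_triage, resolved, ...) keeps the finding open so that
it still shows up for triage.
"""
import json

# CycloneDX analysis.state values that justify hiding a finding.
NOT_AFFECTED_STATES = {"not_affected", "false_positive"}

# Constructed scanner output (a simplified list, not Grype's exact JSON).
# CVE ids are placeholders, not real identifiers.
SCAN_FINDINGS = [
    {"id": "CVE-0000-0001", "purl": "pkg:npm/lib-a@2.3.1", "severity": "High"},
    {"id": "CVE-0000-0002", "purl": "pkg:npm/lib-a@2.3.1", "severity": "Medium"},
    {"id": "CVE-0000-0003", "purl": "pkg:maven/org.example/lib-c@1.0", "severity": "Critical"},
]

# Constructed CycloneDX 1.5 VEX document: the "analysis" block of each entry
# is the VEX statement, "affects" names the components it applies to. The
# third statement is about lib-d, so it must not touch the lib-c finding.
VEX_DOC = json.loads(r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {"id": "CVE-0000-0001",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "The vulnerable function is never called by this application."},
     "affects": [{"ref": "pkg:npm/lib-a@2.3.1"}]},
    {"id": "CVE-0000-0002",
     "analysis": {"state": "in_triage", "detail": "Under investigation."},
     "affects": [{"ref": "pkg:npm/lib-a@2.3.1"}]},
    {"id": "CVE-0000-0003",
     "analysis": {"state": "not_affected", "justification": "code_not_present"},
     "affects": [{"ref": "pkg:maven/org.example/lib-d@1.0"}]}
  ]
}
""")


def index_vex(vex: dict) -> dict:
    """Map (vulnerability id, affected component ref) -> analysis dict."""
    index = {}
    for vuln in vex.get("vulnerabilities", []):
        analysis = vuln.get("analysis") or {}
        for affected in vuln.get("affects", []):
            index[(vuln.get("id"), affected.get("ref"))] = analysis
    return index


def apply_vex(findings: list, vex: dict) -> dict:
    """Split findings into those still open and those suppressed by VEX.

    A finding is suppressed only if a VEX statement exists for the same
    vulnerability id AND the same component ref, and its state is in
    NOT_AFFECTED_STATES. Statements for other components do not apply.
    """
    index = index_vex(vex)
    open_findings, suppressed = [], []
    for f in findings:
        analysis = index.get((f["id"], f["purl"]))
        if analysis and analysis.get("state") in NOT_AFFECTED_STATES:
            suppressed.append({**f, "vex_state": analysis["state"],
                               "justification": analysis.get("justification")})
        else:
            open_findings.append({**f, "vex_state": (analysis or {}).get("state")})
    return {"open": open_findings, "suppressed": suppressed}


if __name__ == "__main__":
    result = apply_vex(SCAN_FINDINGS, VEX_DOC)
    print(f"{len(SCAN_FINDINGS)} findings -> {len(result['open'])} open, "
          f"{len(result['suppressed'])} suppressed by VEX")
    for f in result["suppressed"]:
        print(f"  suppressed {f['id']} on {f['purl']}: {f['vex_state']} ({f['justification']})")
    for f in result["open"]:
        print(f"  open       {f['id']} on {f['purl']}: state={f['vex_state']}")
```

With the constructed input, only the first finding is suppressed; the second stays open because "in_triage" is not a not-affected state, and the third stays open because the VEX statement names a different component. Keeping the justification on each suppressed finding is deliberate: it is what an auditor or a downstream consumer will ask for when a finding disappears from the list.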

Summary

Lastly, we will conclude the workshop with some guidance on how to find additional tools for special use cases not covered here, by consulting the CycloneDX tool center or the SPDX tooling list. We also share the OpenSSF SBOM tooling catalog.


Keywords: SBOM, CycloneDX, SPDX, Software-Supply-Chain

Marius worked for 5 years at the German Patent and Trademark Office on the electronic patent and trademark filing systems. Since 2025, he has been working at the University of Applied Sciences Munich as a researcher and PhD student investigating the resiliency of operational technology at the HM-SecLab.

Since his master's degree in 2023, he has been working on SBOMs and is a regular contributor to SBOM projects. Mostly, he can be found with the SBOM-Everywhere Working Group at the OpenSSF. He is one of the maintainers and developers of the SBOM-Tooling Catalog hosted by the OpenSSF.