Ask HN: Open-source SBOM generation tools?
7 points by riyakhanna1983 1431 days ago
One of the compliance requirements of the recent Cybersecurity EO is to track a software bill of materials (SBOM). Curious to know what open-source tools exist to generate SBOMs and how accurate they are.
4 comments

Currently the best one I know of is https://github.com/anchore/syft. It finds most dependencies even within built artifacts.
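
The question asks how accurate these generators are; the quickest way to answer that for your own build is to diff the generated SBOM against a source of truth you already have, such as a pinned lockfile. The script below is an added example written for this thread, not code from syft, Mattermost or Microsoft. It assumes the SBOM is CycloneDX JSON (one of the formats syft can write) and the lockfile is pip-style `name==version` lines; both inputs are constructed samples embedded inline, and the `pkg:pypi/` package-URL prefix filtering and PEP 503 name normalisation are the two details that stop a naive comparison from reporting false mismatches.

```python
"""Cross-check a generated SBOM against a pinned lockfile.

Added example, not from the thread or any SBOM tool's own code. It assumes
a CycloneDX 1.4 JSON document and a pip-style lockfile; both samples below
are constructed for illustration.
"""
import json
import re
from typing import Dict, List

# Constructed sample: what a scanner might emit for a small Python service
# built in a Debian container. Note the mixed-case name, the version that
# disagrees with the lockfile, the non-PyPI component and the build-time
# package the lockfile does not mention.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "urllib3", "version": "1.26.12",
         "purl": "pkg:pypi/urllib3@1.26.12"},
        {"type": "library", "name": "PyYAML", "version": "6.0",
         "purl": "pkg:pypi/pyyaml@6.0"},
        {"type": "library", "name": "charset-normalizer", "version": "2.1.0",
         "purl": "pkg:pypi/charset-normalizer@2.1.0"},
        {"type": "library", "name": "setuptools", "version": "65.5.0",
         "purl": "pkg:pypi/setuptools@65.5.0"},
        {"type": "library", "name": "openssl", "version": "1.1.1n-0+deb11u3",
         "purl": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3"},
    ],
})

# Constructed sample lockfile (pinned requirements, comments allowed).
SAMPLE_LOCKFILE = """\
requests==2.28.1
urllib3==1.26.12
pyyaml==6.0
charset_normalizer==2.1.1
# the scanner did not see this one at all
cryptography==38.0.1
"""


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def sbom_packages(sbom_json: str) -> Dict[str, str]:
    """Return {normalized_name: version} for the PyPI components of a CycloneDX SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    found: Dict[str, str] = {}
    for comp in doc.get("components", []):
        # Only PyPI packages can be judged against a pip lockfile; OS packages
        # (pkg:deb, pkg:rpm, ...) need a different source of truth.
        if not comp.get("purl", "").startswith("pkg:pypi/"):
            continue
        found[normalize_name(comp["name"])] = comp.get("version", "")
    return found


def lockfile_packages(text: str) -> Dict[str, str]:
    """Return {normalized_name: version} from pinned 'name==version' lines."""
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        found[normalize_name(name)] = version.strip()
    return found


def compare(sbom: Dict[str, str], lock: Dict[str, str]) -> Dict[str, object]:
    """Classify every pinned package and report recall against the lockfile."""
    matched: List[str] = sorted(n for n in lock if sbom.get(n) == lock[n])
    version_mismatch = sorted(n for n in lock if n in sbom and sbom[n] != lock[n])
    missing = sorted(n for n in lock if n not in sbom)
    extra = sorted(n for n in sbom if n not in lock)
    recall = len(matched) / len(lock) if lock else 1.0
    return {"matched": matched, "version_mismatch": version_mismatch,
            "missing": missing, "extra": extra, "recall": recall}


if __name__ == "__main__":
    report = compare(sbom_packages(SAMPLE_SBOM), lockfile_packages(SAMPLE_LOCKFILE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed inputs the report shows three exact matches, one version mismatch (`charset-normalizer`), one pinned package the scanner missed (`cryptography`) and one package the scanner found that the lockfile never pinned (`setuptools`), for a recall of 0.6. Running the same comparison against a real lockfile and a real scanner's output is the accuracy number the question is asking for; the "extra" list is worth reading too, since build-time packages that end up in the artifact are exactly what a lockfile-only inventory would have hidden.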

You can also check out the comments in https://news.ycombinator.com/item?id=32104805 - the release announcement of Salus (Microsoft)

We weren't happy with what was already out there, so we built our own -- https://github.com/mattermost/gobom
This[0] was posted a few days ago here.

[0] https://devblogs.microsoft.com/engineering-at-microsoft/micr...