The popular CycloneDX SBOM generator tool called cdxgen (npm: @cyclonedx/cdxgen) is now available with support for Linux on Power (ppc64le)! This milestone was a collaboration between the developers of cdxgen and IBM, with additional contributions from the open-source community.
Why is this exciting for the Power community?
Generating a precise and comprehensive Software Bill-of-Materials (SBOM) for your application and container images is essential for risk identification and mitigation. Organizations can effortlessly meet the requirements defined by the National Telecommunications and Information Administration (NTIA) in response to U.S. Executive Order 14028 and mature into more sophisticated use cases such as vulnerability management, license compliance, vulnerability exploitability exchange, etc., over time.
Getting started
cdxgen is available as an npm package or as a container image for the ppc64 architecture. To install the cdxgen tool, use the commands below.
For npm installation:
npm install -g @cyclonedx/cdxgen
For docker installation:
docker pull ghcr.io/cyclonedx/cdxgen-ppc64:latest
For podman installation:
podman pull ghcr.io/cyclonedx/cdxgen-ppc64:latest
Using cdxgen
cdxgen automatically detects your applications' programming languages and package managers, so the simplest invocation is often enough.
cdxgen -o bom.json
To specify the type, you can use the -t argument.
Create an SBOM for a Java application:
cdxgen -t java -o bom.json <source directory>
Create an SBOM for a container image:
cdxgen -t docker -o bom.json <container image>
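Once cdxgen has written bom.json, the next practical step is to check that the document actually carries what downstream consumers (and the NTIA minimum elements mentioned above: supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp) expect. The script below is an added example, not part of cdxgen or of this post: it parses a CycloneDX JSON BOM, reports which minimum elements are unmet per component, and summarizes components by package ecosystem. The BOM it runs on is a hand-constructed sample in CycloneDX JSON shape (two components are deliberately incomplete), not real cdxgen output; the field names it reads (purl, cpe, swid, supplier, bom-ref, dependencies) are standard CycloneDX fields, and the mapping from those fields to the NTIA elements is this example's own approximation.

```python
"""Post-process a CycloneDX JSON BOM (e.g. the bom.json written by `cdxgen -o bom.json`)
and check it against the NTIA minimum elements for an SBOM. Added example, not cdxgen code."""
import json
from collections import Counter

# Constructed sample BOM: hand-built illustrative data in CycloneDX JSON shape, NOT real
# cdxgen output. jackson-databind is complete; left-pad lacks a supplier; vendored-blob
# lacks version, identifier, supplier and is absent from the dependency graph.
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "authors": [{"name": "example-ci"}],
        "component": {"type": "application", "name": "demo-app", "version": "1.0.0",
                      "bom-ref": "pkg:maven/com.example/demo-app@1.0.0"},
    },
    "components": [
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.15.2", "supplier": {"name": "FasterXML"},
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2",
         "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0", "bom-ref": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "vendored-blob", "bom-ref": "vendored-blob"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/com.example/demo-app@1.0.0",
         "dependsOn": ["pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2",
                       "pkg:npm/left-pad@1.3.0"]},
    ],
})


def load_bom(text):
    """Parse BOM JSON and confirm it is a CycloneDX document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return bom


def ntia_findings(bom):
    """Return {element: [problem, ...]} for every NTIA minimum element that is not met.
    The field-to-element mapping below is this example's own approximation."""
    findings = {k: [] for k in ("supplier", "name", "version", "identifier",
                                "dependencies", "author", "timestamp")}
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings["timestamp"].append("metadata.timestamp missing")
    if not (meta.get("authors") or meta.get("tools") or meta.get("manufacture")):
        findings["author"].append("metadata.authors/tools missing")
    if not bom.get("dependencies"):
        findings["dependencies"].append("dependencies section missing")
    # Every bom-ref that takes part in at least one dependency edge.
    linked = set()
    for dep in bom.get("dependencies", []):
        linked.add(dep.get("ref"))
        linked.update(dep.get("dependsOn", []))
    for comp in bom.get("components", []):
        label = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            findings["name"].append(label)
        if not comp.get("version"):
            findings["version"].append(label)
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings["identifier"].append(label)
        supplier = ((comp.get("supplier") or {}).get("name")
                    or comp.get("publisher") or comp.get("author"))
        if not supplier:
            findings["supplier"].append(label)
        if comp.get("bom-ref") not in linked:
            findings["dependencies"].append(f"{label} not in any dependency edge")
    return {k: v for k, v in findings.items() if v}


def ecosystem_counts(bom):
    """Count components per purl type (maven, npm, ...); 'unknown' when no purl is present."""
    counts = Counter()
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        counts[purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else "unknown"] += 1
    return counts


if __name__ == "__main__":
    # To check a real file instead: bom = load_bom(open("bom.json").read())
    bom = load_bom(SAMPLE_BOM_JSON)
    print("components by ecosystem:", dict(ecosystem_counts(bom)))
    for element, problems in ntia_findings(bom).items():
        print(f"NTIA '{element}' not met: {problems}")
```

Run against the sample, the script flags left-pad for a missing supplier and vendored-blob for missing version, identifier and supplier and for being absent from the dependency graph; a component with no purl or cpe is also the one that vulnerability matching will silently skip, which is why the identifier check matters as much as the count.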
The container image published as cdxgen-ppc64 bundles several build tools to simplify SBOM generation for languages such as Python and PHP.
The team is collaborating on developing support for additional languages such as C/C++ and BOM formats such as Software as a Service Bill-of-Materials (SaaSBOM) and Operations Bill-of-Materials (OBoM).
Join the discussion
Drop your questions and comments below and join the OWASP CycloneDX community on Slack to discuss your compliance and supply-chain needs and to help us extend the capabilities of cdxgen for Linux on Power.