|
| 1 | +# Introducing a Catalog for SBOMs |
| 2 | + |
| 3 | +For the last year now the SBOM Everywhere SIG was working on a Catalog for tooling thats related to SBOMs. The goal of this catalog is to provide a landscape of tools in a structured way that can be searched and filtered for specific properties. The catalog is available under the following link: [https://sbom-catalog.openssf.org/catalog](https://sbom-catalog.openssf.org/catalog) |
| 4 | + |
| 5 | +### Checking out the Catalog: |
| 6 | +The idea behind the Catalog was to make it easy and interactive to use, so someone can discover tools that are interesting for them. On the left are the controls for view, mode and enabled filters. A detailed description of each tool is provided on the right side after selected. Here we provide some structured data about the tools and also a basic description of the tool. |
| 7 | + |
| 8 | + |
| 9 | + |
| 10 | +### Selecting the filters: |
| 11 | +The filter cards on the left describe the layers of the Plot. It is possible to enable or disable them or also drag and drop them in order to change the layer order. |
| 12 | + |
| 13 | +**The Standards** describe the Standards that the tools are compatible with. Currently we have tools that are compatible with SPDX and CycloneDX. |
| 14 | + |
| 15 | +**License** describes the license of the tools we could find for the tool. This is not applicable for all tools as some don't use a standardized license or have a proprietary background. |
| 16 | + |
| 17 | +**The Abilities** describe the capabilities of the tool. In what part of the software development lifecycle can the tool be used? The following abilities are supported: |
| 18 | +- **Compare** - *Can compare two SBOMs* |
| 19 | +- **Consume** - *Can use a provided SBOM in some form* |
| 20 | +- **Convert** - *Can Convert between formats (SPDX, CycloneDX), versions or file-formats (json, xml)* |
| 21 | +- **Edit** - *Can somehow edit the contents of a SBOM* |
| 22 | +- **Generate** - *Can automatically generate a SBOM* |
| 23 | +- **Merge** - *Can merge several SBOMs* |
| 24 | +- **Validate** - *Can validate a SBOM against the file schema or requirements like defined by the NTIA* |
| 25 | +- **Sign** - *Can sign a SBOM (according to the signage process of the schema)* |
| 26 | + |
| 27 | +**The Type** Describes in which phase of the software development lifecycle is applicable. We described the diffrent phases in the following blog in more detail https://sbom-catalog.openssf.org/sbom-types.html. The following types are currently supported: |
| 28 | +- Design |
| 29 | +- Source |
| 30 | +- Build |
| 31 | +- Analyze |
| 32 | +- Deployed |
| 33 | +- Runtime |
| 34 | +- Container |
| 35 | + |
| 36 | +**The publisher** refers to the company or institution maintaining the tool. |
| 37 | + |
| 38 | +**The Language** describes the programming language or ecosystem the tool can handle. |
| 39 | + |
| 40 | +### Selecting a view: |
| 41 | + |
| 42 | +The catalog provides three different views on the data, a circle Plot, a Tree Plot and a Table view. Each plot is interactive. The circle view can be discoverd by zooming in and inspect the data as groups and subgroups. Similar the Tree were the diffrent branches group the tools. |
| 43 | + |
| 44 | +| Circle | Tree | List | |
| 45 | +|--------|------|------| |
| 46 | +|  |  |  | |
| 47 | + |
| 48 | +### Switching between an Normalized view and an Aggregated view: |
| 49 | +Switching between the normalized and aggregated view desides if tools should be listed several times in different categories, or if tools are grouped in a certain category that describes their properties. I.e. if a tool like Syft is compatible with SPDX and CycloneDX it would be displayed in both categories in the normalized view. In the aggregated view there would be a group that are compatible with both groups. |
| 50 | + |
| 51 | +| Normalized | Aggregated | |
| 52 | +|------------|------------| |
| 53 | +|  |  | |
| 54 | + |
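Review bot: the two comparison tables have empty image cells (`|  |  |  |` under the Circle/Tree/List header and `|  |  |` under Normalized/Aggregated), so both will render as blank tables; either add the image references for the screenshots or drop the tables before merging. The prose also needs a typo pass: `thats` should be `that's`, `diffrent` appears twice and should be `different`, `discoverd` should be `discovered`, `desides` should be `decides`, and `an Normalized view` should be `a Normalized view`. The sentence `**The Type** Describes in which phase of the software development lifecycle is applicable.` is missing its subject (`the tool is applicable`), and `Similar the Tree were the diffrent branches group the tools.` reads as a fragment (`Similarly, in the Tree view the different branches group the tools.`). Finally, the bare `https://sbom-catalog.openssf.org/sbom-types.html` URL could use the same markdown link form as the catalog link in the opening paragraph.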