This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Generating an SBOM with Open Source Tools

Explains how to generate an SBOM for each environment using general-purpose open source tools.

    If you are not comfortable setting up a tool environment and you have Docker installed, consider reviewing BomLens first.

    Tool Selection Guide

    graph TD
        A{{"Classify the supplied software"}}
    
        subgraph G1["Software delivery"]
          direction LR
          T1["Source code / app<br>(e.g., OSS/BSS, portals, middleware)"]
          T2["Executable / library<br>(e.g., .jar, .dll, .so)"]
          T3["Firmware with no OS<br>(e.g., bare-metal / RTOS devices)"]
        end
    
        subgraph G2["Delivery including an OS (e.g., Linux)"]
          direction LR
          T4["Container image<br>(e.g., CNF, containerized network function)"]
          T5["Server / VM image<br>(e.g., VNF, server appliance)"]
          T6["Firmware with an embedded OS<br>(e.g., base stations, routers, OLT/ONT, set-top boxes)"]
        end
    
        %% Left: source-code scan with an inner box
        subgraph M1["Scan the source code"]
          M1_Sub["cdxgen or BomLens"]
        end
    
        %% Right: source + OS image scan with inner boxes (stacked vertically)
        subgraph M2["Scan source + OS image"]
          direction TB
          M2_Top["OS (e.g., Linux) scan<br>(Syft or Trivy)"]
          M2_Bottom["Source code scan<br>(cdxgen or BomLens)"]
        end
    
        A --> G1
        A --> G2
        
        %% Connect only to the group borders (one arrow per box)
        G1 --> M1
        G2 --> M2
        
        %% Groups flow to the next step
        M1 --> P(["Submit the SBOM"])
        M2 --> P
    
        classDef start fill:#F2F2F2,stroke:#171717,color:#171717,stroke-width:1.5px
        classDef typebox fill:#ffffff,stroke:#c8c8c8,color:#171717,stroke-width:1px
        classDef submit fill:#F2F2F2,stroke:#171717,color:#171717,stroke-width:1.5px
        
        %% White inner-box styles (left/right border colors)
        classDef subwhite_left fill:#ffffff,stroke:#00A651,color:#171717,stroke-width:1px
        classDef subwhite_right fill:#ffffff,stroke:#68127A,color:#171717,stroke-width:1px
    
        class A start
        class T1,T2,T3,T4,T5,T6 typebox
        class M1_Sub subwhite_left
        class M2_Top,M2_Bottom subwhite_right
        class P submit
    
        style G1 fill:#F1FAF5,stroke:#00A651,stroke-width:1px,color:#0A5A32
        style G2 fill:#FAF4FB,stroke:#68127A,stroke-width:1px,color:#4A0D57
        
        %% Outer group boxes keep their fill and border colors
        style M1 fill:#D9F0E4,stroke:#00A651,stroke-width:1px,color:#0A5A32
        style M2 fill:#EEDCF3,stroke:#68127A,stroke-width:1px,color:#4A0D57

    Source code and apps, executables or libraries, and firmware with no OS are all scanned from the source code you developed with cdxgen or BomLens. Scanning a finished binary directly yields no package manager metadata, so purls are omitted and the SBOM is rejected.

    When you ship an OS or base image as part of the delivery (a container image, a server, or firmware with an embedded OS), split it into two layers and scan each. Scan the image or rootfs as shipped with Syft or Trivy for the OS layer, scan the source code (the app layer) with cdxgen or BomLens, then merge and submit. The OS-layer scan target is not the original base image you received but the image or rootfs actually delivered after the build, because it must include the OS packages installed during the build. For the full procedure, see Server SBOM.

    Statically linked libraries and manually vendored binaries are a blind spot that none of the scans above catch. For how to handle this case, see the statically linked libraries section of Server SBOM.

    If you supply commercial software or a finished product made by a third party and have no access to the source code, obtain the SBOM from the manufacturer instead of scanning. See Commercial Software.

    Major Tools

    Automatically analyzes projects in various languages such as Java, Python, Node.js, and Go, and generates an SBOM in CycloneDX format.

    cdxgen statically parses lockfiles and manifests. For accurate results, run it when dependencies are installed or resolved (a lockfile is present, or after a build). Scanning pure source without resolved dependencies may omit some components or purls.

    Analyzes built container images and build artifacts that include package manager metadata to identify both OS packages and application libraries. Supports CycloneDX and SPDX formats.

    A server that delivers an application on top of an OS (such as CentOS) is generated as two layers — OS (rootfs/image) and application — with statically linked libraries covered separately, then merged. As the warning above notes, the OS layer must target a rootfs or image that has a package database. For the full procedure, see Server SBOM.

    Trivy (container image analysis)

    An all-in-one tool that can perform container image analysis and vulnerability scanning together.

    Language-Specific Dedicated Plugins

    Using a build tool plugin lets you extract more accurate dependency information.

    Language/Build ToolPlugin/ToolOfficial Documentation
    Java (Maven)cyclonedx-maven-pluginLink
    Java (Gradle)cyclonedx-gradle-pluginLink
    Pythoncyclonedx-bomLink
    Node.js@cyclonedx/cyclonedx-npmLink
    Gocyclonedx-gomodLink

    Common Precautions

    Verify the following before using a tool.

    • Transitive dependency inclusion: Generate the SBOM after the build (package installation) is complete so that transitive dependencies are included. Missing dependencies are grounds for rejection; for the per-language build commands to run first, see the dependency scope section of the Submission Requirements.
    • PURL inclusion: Verify that the generated SBOM includes a purl field for every component. SK Telecom’s system maps vulnerabilities based on PURL. For the verification commands and the regeneration procedure, see the Validation Checklist.
    • Output format: CycloneDX JSON format is recommended. (Use -o cyclonedx-json or an equivalent option)
    • Project information: Verify that the metadata accurately records the name and version of the delivered project.
    • Server SBOM: How to generate and merge the layers of a server that combines an OS, an application, and static-link libraries
    • Submission Requirements: The required data fields that must be included in the SBOM
    • Validation Checklist: Items to verify before submission
    • BomLens: SK Telecom’s SBOM generation tool