Eclipse jbom was initially created to create Runtime SBOMs (Software Bill of Materials). There are significant weaknesses creating SBOMs from static analysis of code repos or binaries. Runtime SBOMs capture library and service information directly from a running application using instrumentation, ensuring only truly deployed libraries are included, including platform and appserver libraries not available statically. Jbom was later extended to support remote SBOM generation as well as binary static SBOMs.
Eclipse Jbom generates Runtime and Static SBOMs for local and remote Java apps. The project focuses on making fast and highly accurate SBOMs as easy as possible.
Every software project ideally should create a Software Bill of Materials (SBOM) and make it available to the public, so that people know the exact version and other details about libraries leveraged by the project.
Eclipse jbom generates "Runtime SBOM" by directly measuring library use in a running application (both local and remote). This is the most accurate approach as it captures the exact libraries used by the application, even if they are in the platform, appserver, plugins, or anywhere else. This approach also include details of services invoked and which libraries are active. Eclipse jbom also offers the possibility to generate static SBOMs both from source and binaries.
Eclipse jbom:
- offers a fast, complete, and accurate SBOM generator
- produces standard CycloneDX SBOM in JSON format
- works on both running apps/APIs and binaries
- finds all libraries, including platform, appserver, plug-in, and dynamic sources
- doesn't report test or other libraries not present at runtime
- handles nested jar, war, ear, and zip files (including Spring)
- handles jars using common shaded and relocation techniques
- no source code required
No issues.
We believe that all software should be delivered with a complete and accurate software bill of materials. We think the Eclipse Foundation is a good organization to help promote software transparency and make it easily accessible to all developers.
The project roadmap includes enhancing SBOMs with library usage information, service information, and other details. Promotional activities include talks such as this one at OWASP London - https://www.youtube.com/watch?v=B3CvDsnGnXI&ab_channel=OWASPLondon. We welcome both issues and contributions.
Initial contribution is ready today.
The OWASP CycloneDX project has listed JBOM as a supporting tool.
https://github.com/Contrast-Security-OSS/jbom
- Log in to post comments