This proposal has been approved and the Eclipse jbom project has been created.
Visit the project page for the latest information and development.

Eclipse jbom

Basics
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community. Please log in and add your feedback in the comments section.
Parent Project: 
Eclipse Technology
Background: 

Eclipse jbom was initially created to generate runtime SBOMs (Software Bills of Materials). SBOMs produced by static analysis of code repositories or binaries have significant weaknesses. Runtime SBOMs capture library and service information directly from a running application using instrumentation, ensuring that only libraries actually deployed are included, among them platform and appserver libraries that are not visible statically. jbom was later extended to support remote SBOM generation as well as static SBOMs from binaries.

Scope: 

Eclipse jbom generates runtime and static SBOMs for local and remote Java apps. The project focuses on making fast and highly accurate SBOMs as easy to produce as possible.

Description: 

Every software project should ideally create a Software Bill of Materials (SBOM) and make it publicly available, so that people know the exact versions and other details of the libraries the project uses.

Eclipse jbom generates a "Runtime SBOM" by directly measuring library use in a running application (both local and remote). This is the most accurate approach, as it captures the exact libraries used by the application, even if they live in the platform, appserver, plugins, or anywhere else. This approach also includes details of the services invoked and which libraries are active. Eclipse jbom can also generate static SBOMs from both source and binaries.

Eclipse jbom:

  • offers a fast, complete, and accurate SBOM generator
  • produces standard CycloneDX SBOM in JSON format
  • works on both running apps/APIs and binaries
  • finds all libraries, including platform, appserver, plug-in, and dynamic sources
  • doesn't report test or other libraries not present at runtime
  • handles nested jar, war, ear, and zip files (including Spring)
  • handles jars using common shaded and relocation techniques
  • no source code required
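The mechanism the description relies on, a runtime SBOM built from what the JVM has actually loaded rather than from what sits on the classpath, is easier to see in code. The following Java agent is an added illustration written for this page; it is hypothetical and is not Eclipse jbom's own code. It assumes Java 11 or later, and for agent mode a jar whose MANIFEST.MF carries `Premain-Class: RuntimeSbomAgent` (the class name is my choice). In runtime mode every loaded class is mapped back to its `CodeSource` jar, so test-scope or unused jars never appear; in static mode `main()` takes jar paths as arguments. Both read Maven coordinates from `META-INF/maven/*/pom.properties` (a shaded jar may carry several) and emit a minimal CycloneDX 1.4 JSON document.

```java
import java.io.*;
import java.lang.instrument.Instrumentation;
import java.nio.file.Paths;
import java.security.CodeSource;
import java.util.*;
import java.util.jar.*;

/**
 * Illustrative SBOM generator (hypothetical, not Eclipse jbom's code).
 * Runtime mode (-javaagent) records only jars that supplied at least one
 * loaded class; static mode (main) records the jars named on the command line.
 */
public class RuntimeSbomAgent {

    /** Runtime mode: the JVM calls this before main() when started with -javaagent. */
    public static void premain(String args, Instrumentation inst) {
        System.out.println(toCycloneDx(loadedJars(inst.getAllLoadedClasses())));
    }

    /** Static mode: java RuntimeSbomAgent lib/a.jar lib/b.jar ... */
    public static void main(String[] args) {
        System.out.println(toCycloneDx(new TreeSet<>(List.of(args))));
    }

    /** Jar files of classes that are really loaded; JDK classes have no CodeSource and are skipped. */
    static TreeSet<String> loadedJars(Class<?>[] loaded) {
        TreeSet<String> jars = new TreeSet<>();
        for (Class<?> c : loaded) {
            try {
                CodeSource cs = c.getProtectionDomain().getCodeSource();
                if (cs == null || cs.getLocation() == null) continue;
                String loc = cs.getLocation().toString();           // e.g. file:/app/lib/x.jar
                if (loc.startsWith("file:") && loc.endsWith(".jar")) {
                    jars.add(Paths.get(cs.getLocation().toURI()).toString());
                }
                // nested locations such as jar:file:/app.jar!/BOOT-INF/lib/x.jar!/ are skipped here
            } catch (Exception ignored) {
                // hidden and synthetic classes may reject getProtectionDomain(); nothing to record
            }
        }
        return jars;
    }

    /** Maven coordinates from META-INF/maven/<g>/<a>/pom.properties; a shaded jar may carry several. */
    static List<Map<String, String>> mavenCoordinates(String jarPath) {
        List<Map<String, String>> found = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                String n = e.getName();
                if (!n.startsWith("META-INF/maven/") || !n.endsWith("/pom.properties")) continue;
                Properties p = new Properties();
                try (InputStream in = jar.getInputStream(e)) { p.load(in); }
                found.add(component(p.getProperty("groupId", ""), p.getProperty("artifactId", ""),
                                    p.getProperty("version", "")));
            }
        } catch (IOException ignored) {
            // unreadable archive: fall through and report it by file name only
        }
        if (found.isEmpty()) {   // no Maven metadata: report the file name rather than dropping the jar
            found.add(component("", new File(jarPath).getName(), ""));
        }
        return found;
    }

    static Map<String, String> component(String group, String name, String version) {
        Map<String, String> c = new LinkedHashMap<>();
        c.put("group", group);
        c.put("name", name);
        c.put("version", version);
        return c;
    }

    /** Minimal CycloneDX 1.4 JSON; purls use the pkg:maven/<group>/<name>@<version> form. */
    static String toCycloneDx(Iterable<String> jarPaths) {
        StringBuilder sb = new StringBuilder(
            "{\"bomFormat\":\"CycloneDX\",\"specVersion\":\"1.4\",\"version\":1,\"components\":[");
        boolean first = true;
        for (String jar : jarPaths) {
            for (Map<String, String> c : mavenCoordinates(jar)) {
                if (!first) sb.append(',');
                first = false;
                sb.append("{\"type\":\"library\",\"group\":\"").append(json(c.get("group")))
                  .append("\",\"name\":\"").append(json(c.get("name")))
                  .append("\",\"version\":\"").append(json(c.get("version"))).append('"');
                if (!c.get("group").isEmpty() && !c.get("version").isEmpty()) {
                    sb.append(",\"purl\":\"pkg:maven/").append(json(c.get("group"))).append('/')
                      .append(json(c.get("name"))).append('@').append(json(c.get("version"))).append('"');
                }
                sb.append(",\"properties\":[{\"name\":\"location\",\"value\":\"").append(json(jar)).append("\"}]}");
            }
        }
        return sb.append("]}").toString();
    }

    /** Escape the two characters that would break a JSON string literal. */
    static String json(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }
}
```

Run `java -javaagent:sbom-agent.jar -jar app.jar` to print the runtime BOM at startup, or `java RuntimeSbomAgent lib/*.jar` for a static scan of binaries. Comparing the two outputs for the same application shows the point the proposal makes: the runtime list omits jars that are present on disk but never loaded. The example deliberately stops where a real tool has to go further, for instance nested jars inside a Spring Boot archive and relocated (shaded) packages, both of which the feature list above claims jbom handles.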
Why Here?: 

We believe that all software should be delivered with a complete and accurate software bill of materials.  We think the Eclipse Foundation is a good organization to help promote software transparency and make it easily accessible to all developers.

Licenses: 
Apache License, Version 2.0
Legal Issues: 

No issues.

Project Scheduling: 

Initial contribution is ready today. 

Future Work: 

The project roadmap includes enhancing SBOMs with library usage information, service information, and other details.  Promotional activities include talks such as this one at OWASP London - https://www.youtube.com/watch?v=B3CvDsnGnXI&ab_channel=OWASPLondon.  We welcome both issues and contributions.

People
Project Leads: 
Jeff Williams
Committers: 
planetlevel
JoeBeeton
Mentors: 
Jonah Graham
Interested Parties: 

The OWASP CycloneDX project has listed jbom as a supporting tool.


Source Code
Initial Contribution: 

https://github.com/Contrast-Security-OSS/jbom

Source Repository Type: 
GitHub
Source Repositories: 
https://github.com/Contrast-Security-OSS/jbom
Incubating - Eclipse jbom

Related Projects

Project Hierarchy:

  • Eclipse Technology
  • Eclipse jbom
