This proposal has been approved and the Eclipse jbom project has been created.
Visit the project page for the latest information and development.

Eclipse jbom

Sunday, March 20, 2022 - 12:33 by Jeff Williams
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community. Please login and add your feedback in the comments section.
Project
Parent Project
Proposal State
Created
Background

Eclipse jbom was initially created to create Runtime SBOMs (Software Bill of Materials).  There are significant weaknesses creating SBOMs from static analysis of code repos or binaries.  Runtime SBOMs capture library and service information directly from a running application using instrumentation, ensuring only truly deployed libraries are included, including platform and appserver libraries not available statically.  Jbom was later extended to support remote SBOM generation as well as binary static SBOMs.

Scope

Eclipse Jbom generates Runtime and Static SBOMs for local and remote Java apps. The project focuses on making fast and highly accurate SBOMs as easy as possible.

Description

Every software project ideally should create a Software Bill of Materials (SBOM) and make it available to the public, so that people know the exact version and other details about libraries leveraged by the project.

Eclipse jbom generates "Runtime SBOM" by directly measuring library use in a running application (both local and remote). This is the most accurate approach as it captures the exact libraries used by the application, even if they are in the platform, appserver, plugins, or anywhere else. This approach also include details of services invoked and which libraries are active. Eclipse jbom also offers the possibility to generate static SBOMs both from source and binaries.

Eclipse jbom:

  • offers a fast, complete, and accurate SBOM generator
  • produces standard CycloneDX SBOM in JSON format
  • works on both running apps/APIs and binaries
  • finds all libraries, including platform, appserver, plug-in, and dynamic sources
  • doesn't report test or other libraries not present at runtime
  • handles nested jar, war, ear, and zip files (including Spring)
  • handles jars using common shaded and relocation techniques
  • no source code required
Why Here?

We believe that all software should be delivered with a complete and accurate software bill of materials.  We think the Eclipse Foundation is a good organization to help promote software transparency and make it easily accessible to all developers.

Future Work

The project roadmap includes enhancing SBOMs with library usage information, service information, and other details.  Promotional activities include talks such as this one at OWASP London - https://www.youtube.com/watch?v=B3CvDsnGnXI&ab_channel=OWASPLondon.  We welcome both issues and contributions.

Project Scheduling

Initial contribution is ready today. 

Project Leads
Committers
Interested Parties

The OWASP CycloneDX project has listed JBOM as a supporting tool. 

 

Initial Contribution

https://github.com/Contrast-Security-OSS/jbom

Source Repository Type