SBOMgen
This tutorial illustrates how to create a Cryptography Bill of Materials (CBOM) from git projects using the IBM CBOMkit application.
Install CBOMkit by cloning its repository:
git clone https://github.com/IBM/cbomkit
Change into the cloned directory and start the application by running:
cd cbomkit
make production
Navigate to http://localhost:8001 on your browser. You should see a page akin to the following:
To create a CBOM, navigate to the “Generate a new CBOM” section:
Paste the URL of the git repository to be scanned, then click “Scan”.
Advanced settings are accessed by ticking the “Advanced options” checkbox. The advanced options are:
Scan: where specific branches and folders can be specified.
Authentication: where repository authentication can be specified via username and password or through a personal access token (PAT).
After the scan is completed, the output will look similar to the following:
To download the created CBOM, click the “Download CBOM” button on the right-hand side:
The generated cbom.json file will be downloaded to your system’s default downloads folder.
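Once cbom.json is on disk, a practitioner usually wants an inventory of the cryptographic assets it lists and where they occur in the code, with deprecated algorithms surfaced. The script below is an added example, not part of CBOMkit or this tutorial; it reads the CycloneDX 1.6 cryptographic-asset component shape (cryptoProperties, algorithmProperties, evidence.occurrences) and the embedded sample CBOM and the weak-algorithm list are constructed assumptions, not output from a real Keycloak scan.

```python
"""Summarise a CycloneDX 1.6 CBOM (the shape of CBOMkit's cbom.json) and flag weak crypto.
Usage: python cbom_summary.py cbom.json   (falls back to the constructed sample below)
"""
import json
import sys

# Constructed sample in CycloneDX 1.6 CBOM shape: two crypto assets and one plain library.
SAMPLE_CBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "SHA1",
         "evidence": {"occurrences": [{"location": "src/Hash.java", "line": 42}]},
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "hash",
                                                      "cryptoFunctions": ["digest"]}}},
        {"type": "cryptographic-asset", "name": "AES-256-GCM",
         "evidence": {"occurrences": [{"location": "src/Seal.java", "line": 7}]},
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "ae", "mode": "gcm",
                                                      "parameterSetIdentifier": "256",
                                                      "cryptoFunctions": ["encrypt", "decrypt"]}}},
        {"type": "library", "name": "bouncycastle"},
    ],
}

# Assumed review policy: algorithm names that should be surfaced for replacement.
WEAK_NAMES = {"MD5", "SHA1", "SHA-1", "DES", "3DES", "RC4"}


def crypto_assets(cbom):
    """Return only the cryptographic-asset components (libraries etc. are skipped)."""
    return [c for c in cbom.get("components", []) if c.get("type") == "cryptographic-asset"]


def summarize(cbom):
    """Return one dict per crypto asset: name, asset type, primitive, weak flag, code locations."""
    rows = []
    for c in crypto_assets(cbom):
        props = c.get("cryptoProperties", {})
        algo = props.get("algorithmProperties", {})
        locs = [f"{o.get('location')}:{o.get('line')}"
                for o in c.get("evidence", {}).get("occurrences", [])]
        rows.append({"name": c.get("name"), "assetType": props.get("assetType"),
                     "primitive": algo.get("primitive"),
                     "weak": (c.get("name") or "").upper() in WEAK_NAMES,
                     "locations": locs})
    return rows


if __name__ == "__main__":
    cbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CBOM
    for r in summarize(cbom):
        print("WEAK" if r["weak"] else "ok  ", r["name"], r["primitive"], ", ".join(r["locations"]))
```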
Note: the docker-compose command is a separate tool from the docker compose subcommand.
The following section illustrates a CycloneDX Cryptographic Bill of Materials (CBOM) of the Keycloak codebase, created with IBM CBOMkit.
IBM. (2024, November 21). GitHub - IBM/cbomkit: A toolset for dealing with Cryptography Bill of Materials (CBOM). GitHub. https://github.com/IBM/cbomkit.
Keycloak. (n.d.). GitHub - keycloak/keycloak: Open Source Identity and Access Management For Modern Applications and Services. GitHub. https://github.com/keycloak/keycloak.