Description
➹ New Feature implementation request
Is your feature request related to a problem?
Currently the secureCodeBox serves as a security scanner and always generates findings. The same architecture can be leveraged to generate software bills of materials (SBOMs), to catalogue the software and components used. This is especially useful when combined with the auto discovery to automatically create an inventory of the running infrastructure.
Describe the solution you'd like
The secureCodeBox should be able to generate SBOMs, initially for containers.
Tests and comparisons have shown that trivy and syft are the best tools to generate SBOMs for containers (most feature complete, easy to use, formats supported, components detected).
Since trivy is already integrated as a scanner, a first proof of concept can use trivy to generate SBOMs using the CycloneDX format, because then they can be sent to Dependency-Track using a hook. Support for SPDX and XML formats can be added later if needed.
Describe alternatives you've considered
Ideally SBOMs are created at build-time, when the information available is the most accurate. For most languages, detecting dependencies in a container is accurate enough, though. The environment the secureCodeBox is used in also usually does not have access to the software at build-time.
Formats (SPDX or XML) could be configured flexibly; this can be added later.
Additional context
There are some issues regarding trivy SBOMs and vulnerability detection in Dependency-Track: trivy only generates package URLs (purls) for components, but Dependency-Track can only match issues in the NVD against common platform enumerations (CPEs). Issues not listed in other sources (OSS Index or the GitHub Advisory Database) will then not be found.
Syft generates CPEs, so it might make sense to also integrate syft in the future.
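An added example (not part of this issue or of secureCodeBox) that reads a CycloneDX JSON SBOM of the shape trivy emits, reports which components carry no CPE and therefore cannot be matched against the NVD by Dependency-Track, and builds the body a hook would PUT to Dependency-Track's /api/v1/bom endpoint. The SBOM content and the project name/version are constructed sample values.

```python
import base64
import json

# Constructed CycloneDX 1.4 fragment in the shape trivy emits for a container
# image: components carry a purl but no cpe. The last component additionally
# has a cpe, as syft would generate it. Sample data, not real tool output.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:deb/debian/openssl@1.1.1k"},
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "busybox", "version": "1.35.0",
         "purl": "pkg:apk/alpine/busybox@1.35.0",
         "cpe": "cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*"},
    ],
}


def components_without_cpe(sbom: dict) -> list:
    """Purls (or names) of components lacking a CPE. Dependency-Track matches
    NVD entries by CPE, so these can only be matched by purl-keyed sources
    such as OSS Index or the GitHub Advisory Database."""
    return [c.get("purl", c.get("name", "<unnamed>"))
            for c in sbom.get("components", [])
            if not c.get("cpe")]


def cpe_coverage(sbom: dict) -> float:
    """Fraction of components that carry a CPE; 1.0 for an empty BOM."""
    comps = sbom.get("components", [])
    if not comps:
        return 1.0
    return sum(1 for c in comps if c.get("cpe")) / len(comps)


def dependency_track_bom_payload(sbom: dict, name: str, version: str) -> dict:
    """JSON body for PUT /api/v1/bom: the BOM is base64-encoded and autoCreate
    lets the server create the project on first upload. A hook would send this
    with an X-Api-Key header; the server URL is outside this example."""
    encoded = base64.b64encode(json.dumps(sbom).encode()).decode()
    return {"projectName": name, "projectVersion": version,
            "autoCreate": True, "bom": encoded}


if __name__ == "__main__":
    print(f"CPE coverage: {cpe_coverage(SAMPLE_SBOM):.0%}")
    for purl in components_without_cpe(SAMPLE_SBOM):
        print("no CPE, NVD matching unavailable:", purl)
```

With trivy-only SBOMs the coverage figure stays at 0%, which is the gap the issue describes; adding syft-generated CPEs raises it.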