Skip to main content
Simply scan your source code directory to find and identify open source components. Generate your SPDX-Lite software bill of materials (SBOM) with the press of a button.

Installation

  1. Visit SBOM Workbench releases
  2. Download the installer for your platform:
    • macOS: .dmg file
    • Windows: .exe installer
    • Linux: .AppImage or .deb package
  3. Run the installer

Getting Started

Add or Import Your Project

In the Home tab, click the New project to add a new project from the source code itself, or click on the arrow to display te dropdown menu to add a new project from a WFP file or import an existing project in the state it was exported. sbom-wb-home If you choose the option to add a new project, either from sources or WFP file, you will be taken to the Project settings screen. project-setting Here, you can customize the following things:
  • Project name
  • License
  • API connections
  • Scanner settings
You can provide a context file scanoss.json declaring known components to get the most accurate results.
After you add and configure your project settings, the SBOM Workbench will automatically go through various stages: scanning your project, detecting licenses, analysing for dependencies, searching for vulnerabilties and so on.

Reports Dashboard

After you add and scan your project, the results will appear in the Reports tab. The Reports tab provides an overview of detected components, licenses, dependencies, and vulnerabilities identified. workbench-reports

Detected Vulnerabilities

Clicking on Vulnerabilities displays detected security vulnerabilities (CVEs) for each component. workbench-vulnerabilities-dashboard

Detected Components

For this step, navigate to the Detected Components tab. detected-components Use this tab to automatically identify detected components and dependencies, or manually provide their details: name, version, license, optional URL, PURL, and usage (file, snippet, or prerequisite). To access all actions, click the component. If needed, you can restore it to its original state to correct the identification.
You can mark components as Original, but there is no option to ignore components, as this would conflict with the principles of an SBOM.
After finishing the identification process, you can review it in the Identified components tab. identified-components

Identified Components

Go to the Identified view in the Reports tab for a final project review (compare it with the Detected view if needed), then click Export to select your SBOM format. identified After selecting your preferred format and specifying the export path, the SBOM will be downloaded to that location.