BOM Doctor is a free, GitHub-hosted tool created by Sonatype to scan software bills of materials (SBOMs) and identify vulnerabilities and legal issues.
BOMs are widely used in traditional supply manufacturing to track the parts that make up a given product, with the aim of making it easy to identify products affected by defects found in any of their parts. For software, a BOM lists all the libraries a program uses, along with their dependency tree and any available information about known vulnerabilities and licensing.
Sonatype BOM Doctor lets you submit an SBOM or a GitHub repo URL for inspection. The tool can generate either an SBOM graph or a report containing a list of all dependencies, annotated with any legal risks or known vulnerabilities and their severity.
The generated report can be downloaded and shared with the rest of your team.
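As an added illustration of the kind of dependency report described above (example code, not Sonatype's or BOM Doctor's own), the Python below walks a constructed, minimal CycloneDX-style SBOM (the format is an assumption; the article names none), resolves the transitive dependency tree from a root component, and annotates each dependency with its licence flags and the highest severity of any vulnerability recorded against it.

```python
import json

# Constructed sample SBOM in CycloneDX-style JSON (format assumed; values are placeholders).
SBOM_JSON = """{
 "components": [
  {"bom-ref": "app", "name": "webapp", "version": "1.0.0", "licenses": [{"license": {"id": "MIT"}}]},
  {"bom-ref": "lib-a", "name": "lib-a", "version": "2.3.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"bom-ref": "lib-b", "name": "lib-b", "version": "0.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
  {"bom-ref": "lib-c", "name": "lib-c", "version": "4.0.2", "licenses": []}
 ],
 "dependencies": [
  {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
  {"ref": "lib-a", "dependsOn": ["lib-c"]}
 ],
 "vulnerabilities": [
  {"id": "VULN-PLACEHOLDER-1", "affects": [{"ref": "lib-c"}], "ratings": [{"severity": "high"}]}
 ]
}"""

# Licences treated as a legal risk for a proprietary product (policy choice assumed for the example).
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def build_report(sbom_text, root_ref):
    """Return one report entry per component reachable from root_ref, in DFS order."""
    sbom = json.loads(sbom_text)
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    deps = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    # Index vulnerabilities by affected component, keeping the highest rated severity.
    vulns = {}
    for v in sbom.get("vulnerabilities", []):
        sev = max((r.get("severity", "none") for r in v.get("ratings", [])),
                  key=lambda s: SEVERITY_RANK.get(s, 0), default="none")
        for a in v.get("affects", []):
            vulns.setdefault(a["ref"], []).append((v["id"], sev))
    # Depth-first walk of the dependency graph; `seen` guards against shared or cyclic deps.
    report, stack, seen = [], [(root_ref, 0)], set()
    while stack:
        ref, depth = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        c = comps[ref]
        licenses = [l["license"].get("id", "UNKNOWN") for l in c.get("licenses", [])] or ["UNKNOWN"]
        report.append({"name": c["name"], "version": c["version"], "depth": depth,
                       "licenses": licenses,
                       "legal_risk": any(l in COPYLEFT or l == "UNKNOWN" for l in licenses),
                       "vulnerabilities": vulns.get(ref, [])})
        stack.extend((d, depth + 1) for d in reversed(deps.get(ref, [])))
    return report
```

A component with no licence entry is flagged as a legal risk alongside copyleft licences, since an unknown licence cannot be cleared for redistribution.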
An SBOM is a key tool for preventing malicious supply chain attacks, according to Sonatype, because it lets you update any vulnerable dependencies in a timely manner and so reduce the time spent reworking code.
While generating an SBOM for an open-source project is a relatively easy task for any organization needing that information, an SBOM is the only way to tell what is inside a proprietary product and assess its security or legal risks.
SBOMs are not yet a legal requirement, but they are included in the guidelines released in September 2022 by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI), as well as in other official documents that could be incorporated into the requirements established by the Zero Trust Cybersecurity initiative.
In addition to BOM Doctor, Sonatype offers a couple of other free tools to help with supply chain security, including Sonatype Safety Rating and the code analysis platform Sonatype Lift.