FatBOM

fatbom (Fat Bill Of Materials) is a tool which combines the SBOM generated by various tools into one fat SBOM. Thus leveraging each tool's strength.

Installation

Download the latest release archive from Github Releases for your os and arch.

Example

curl -L  -o fatbom.tar.gz  https://github.com/sbs2001/fatbom/releases/download/v0.0.1/fatbom_0.0.1_Linux_x86_64.tar.gz
sudo tar xvf fatbom.tar.gz -C /usr/local/bin/ fatbom

Usage

fatbom -s /path/to/scan

This command will create 2 files

• merged_sbom.json : It's a standard JSON SPDX SBOM, made by combining output of all SBOM tools.
• semi_merged_sbom.json. It contains SBOM generated by each tool.

Example SBOMs

• SBOM for last release
• Semi Merged SBOM for last release

Tools Used

• microsoft/sbom-tool
• kubernetes-sigs/bom
• opensbom-generator/spdx-sbom-generator
• anchore/syft