From ed433ce5f984f4aa5eeab93fad5918388a0c1681 Mon Sep 17 00:00:00 2001 From: Jose Augusto Date: Fri, 4 Oct 2024 09:12:26 -0300 Subject: [PATCH] Add SBOM generation section with details on sub-dependencies and license detection; clarify the use of Syft --- docs/security-suite/conviso-sbom/conviso-sbom.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/security-suite/conviso-sbom/conviso-sbom.md b/docs/security-suite/conviso-sbom/conviso-sbom.md index 84d82f2..e81f1c4 100644 --- a/docs/security-suite/conviso-sbom/conviso-sbom.md +++ b/docs/security-suite/conviso-sbom/conviso-sbom.md 
@@ -42,6 +42,14 @@ SBOMs (Software Bill of Materials) describe the components, dependencies, and me - **Supplier**: Entity providing the software. - **Dependency Relationships**: How components depend on each other. +## Sub-dependencies and License Detection in SBOM Generation +When generating a Software Bill of Materials (SBOM), it's crucial to track both direct and sub-dependencies (transitive dependencies). The tools used in SBOM generation, such as the one we employ, aim to provide a comprehensive list of software components. However, the ability to detect sub-dependencies varies across different ecosystems and package managers. In some cases, sub-dependencies may not always be fully captured, depending on how the tool integrates with the specific technology stack. + +In addition to dependency tracking, detecting licenses is a critical aspect of SBOM generation. Our tool supports the detection of various licenses, helping ensure compliance with open-source and proprietary software requirements. However, complete license detection is not always possible, particularly for packages that lack clear metadata or license information. Despite these limitations, our approach provides significant visibility into both dependencies and their licenses, helping to manage legal and security risks. + +## Use of Syft +To achieve this level of detail in our SBOM generation, we use Syft, a powerful tool that scans container images and filesystems for dependencies and licenses. + ## How to generate and view components in Conviso Platform An SBOM file will be generated and sent to the respective asset each time you run `conviso ast run` or `conviso sca run`.
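Review bot: the new "Sub-dependencies and License Detection" section refers to "the tools used in SBOM generation, such as the one we employ" without naming the tool, while the "Use of Syft" section two paragraphs later identifies it as Syft; name Syft in the first section (or merge the two sections) so the reader knows which tool's ecosystem coverage the caveat is about. The sentence "the ability to detect sub-dependencies varies across different ecosystems and package managers" would be more useful to users if it pointed to a list of the package managers for which transitive dependencies are captured (and whether a lockfile is required), rather than leaving it as a general warning; at minimum, tell the reader how to check whether their stack is covered. Likewise, "complete license detection is not always possible" should be followed by the practical consequence: a component with no license in the generated SBOM has unknown, not absent, licensing and needs manual review. Finally, "Syft ... scans container images and filesystems" should state what is actually scanned in this flow, since the next section says the SBOM is produced by `conviso ast run` or `conviso sca run`; if that is the project's source tree rather than a built image, say so, because it determines which dependencies can be detected.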