Use this command to install SCANOSS SBOM Workbench:
winget install --id=Scanoss.SBOM-Workbench -e
Graphical user interface to scan and audit source code using SCANOSS API.
The SCANOSS SBOM Workbench is a graphical user interface designed to simplify scanning and auditing of source code using the SCANOSS API. This tool streamlines license compliance by enabling users to scan directories, identify open-source components, and generate an SPDX-Lite software bill of materials (SBOM) effortlessly.
Key Features:
Scan Directories: Automatically detect and analyze open-source components within your project.
Generate SBOMs: Create detailed SBOMs in the SPDX-Lite format with just a button press.
Multi-Language Support: Operate seamlessly across various languages to accommodate diverse teams.
Advanced Configuration: Adjust scanner parameters, such as concurrency limits and timeouts, to optimize performance. Configure proxy settings and include certificates for secure network communication.
Local Cryptography Detection: Identify cryptographic algorithms and libraries within your codebase when an API key is provided.
Audience & Benefit:
Ideal for developers, compliance officers, and security teams managing open-source projects, the SCANOSS SBOM Workbench enhances license compliance, improves supply chain transparency, and reduces security risks. It simplifies audits by providing clear insights into project dependencies and their associated licenses.
Available for installation via winget on multiple platforms, this tool is a valuable asset for organizations seeking to enhance software transparency and security.
The SBOM Workbench is a graphical user interface to scan and audit source code using SCANOSS API.
Auditing your source code for license compliance has never been easier. Simply scan your source code directory to find and identify open source components. Generate your SPDX-Lite software bill of materials (SBOM) with the press of a button.
We strongly recommend handling your node versions using nvm
Install
npm install --legacy-peer-deps
Please note that you should include the --legacy-peer-deps parameter in the installation command. This is because @mui/styles is not compatible with React 18. You can find more information about this at https://mui.com/system/styles/basics/.
Troubleshooting
SBOM Workbench uses node-gyp to compile SQLite3 native module.
This module uses "node-pre-gyp" to download the prebuilt binary for your platform instead you need build from source.
In case it does not exist for your platform, node-gyp going to build it.
SBOM Workbench support advanced settings. All the configurations needs to be included in the global config file ~/.scanoss/sbom-workbench-settings.json
Scanner parameters
"SCANNER_CONCURRENCY_LIMIT": ""
Number of threads to use while scanning (optional - default 5)
"SCANNER_POST_SIZE": ""
Number of kilobytes to limit the post to while scanning (optional - default 16)
"SCANNER_TIMEOUT": ""
Timeout (in seconds) for API communication (optional - default 300)
Proxy settings
You might need to specify proxy settings depending on how your network is configured
"PROXY": ":"
If your network is using a proxy with SSL interception you can include your certificate in the configuration
"CA_CERT": ""
You can disable any SSL errors, to do so you can change this option to true
"IGNORE_CERT_ERRORS": true
Local Cryptography Detection in SBOM-Workbench
Overview
Local cryptography can be detected by SBOM-Workbench when an API key is configured. This feature enables the detection of cryptographic algorithms and libraries within a codebase.
Default and Custom Detection Rules
Default rules are provided for the detection of cryptographic algorithms and libraries. However, custom rules may be defined at the root of the project to be scanned.
Custom Rule Files
Custom rules can be defined through the following JSON files at the project root:
The structure of scanoss-crypto-library-rules.json should be formatted as follows:
[
{
"id": "library/webcrypto",
"name": "Web Cryptography API",
"description": "A JavaScript API for performing basic cryptographic operations in web applications.",
"keywords": [
"window.crypto.subtle",
"crypto.subtle.",
"crypto.getRandomValues",
"NodeWebCrypto",
"WebCryptoAPI"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API",
"category": "library",
"purl": "pkg:generic/webcrypto",
"tags": [
"JavaScript"
]
}
]
SCANOSS Settings File
SCANOSS provides a settings file to customize the scanning process. The settings file is a JSON file that contains project information and BOM (Bill of Materials) rules. It allows you to include, remove, or replace components in the BOM before and after scanning.
Settings
The scanoss.json object allows you to configure various aspects of the scanning process. Currently, it provides control over which files should be skipped during scanning through the skip property.
BOM Rules
The bom section defines rules for modifying the BOM before and after scanning. It contains three main operations:
1. Include Rules
Rules for adding context when scanning. These rules will be sent to the SCANOSS API meaning they have more chance of being considered part of the resulting scan.
Rules for removing files from results after scanning. These rules will be applied to the results file after scanning. The post processing happens on the client side.
Rules for replacing components after scanning. These rules will be applied to the results file after scanning. The post processing happens on the client side.
The SBOM Workbench includes support for a collaborative workspace, a feature designed to enhance teamwork. View more details here.
Contributing
SBOM Workbench is an open source project, and we love to receive contributions from our community. There are many ways to contribute. For more information see the Contributing Guide and Code of Conduct.
Docs
This project was made using Electron React Boilerplate
