Automating SBOM uploads when a new product version is installed

[logicaloud]

Does anybody know of a tool that can automate SBOM uploads to Dependency Track outside of a CI pipeline? The use case scenario I'm looking at is this:

A product generates SBOMs for several product modules as part of the CI pipeline. The product, including SBOMs, is installed at the customer site, possibly without Internet connection for the product itself. The customer uses a local Dependency Track installation to monitor the specific version of the product that is installed. When a new product version is installed at the customer site, then Dependency Track should automatically be updated with the new SBOMs.

In this scenario it would be useful to have a tool that monitors a number of folders in the file system (or some local URLs) for updated SBOM files; if any are found then the Dependency Track API could be used to upload the SBOMs.

It sounds like a common problem - is there already a tool/solution/best practice for this?

Any other ideas or suggestions are welcome! Thank you.

[logicaloud]

Maybe there is no such tool available or possibly it is not a common problem?

Would there be any general interest in such a tool?

[blazmrak]

This depends on a bunch of things, but it's hard to say with the vagueness of the setup. If it's on a single machine and you can see the version deployed, you can run a simple bash script in a crontab that checks the version and if it changes, uploads SBOM and updates the product version last synced. If it's on multiple I'm guessing they have some sort of deployment process. Whatever it is, at the end of it, you upload the SBOM to the destination.

You have to get the SBOM somehow, I'm guessing you'd want to bundle it in the build output and ship it along. The alternative is for the customer to somehow build the SBOM themselves...

[riteshnoronha]

@logicaloud, take a look at sbommv. We're currently building an output adapter for Dependency-Track (DT).

We've faced this requirement ourselves, so we initially built an adapter for our own platform. However, there's been demand for DT integration, which we're actively working on. We have a ton on input/output adapters in mind too.

Key Requirements:
✅ Works outside CI/CD – sbommv is a standalone OSS utility.
🔲 Watches folders (or local URLs) – Not yet, but it's on the roadmap. Currently, it can process all SBOMs in a given folder and upload them.
✅ Automatically uploads SBOMs to DT – Coming in v0.0.3.
✅ Supports offline environments – Yes.
✅ Tracks product versions – Should be a trivial addition.

Let me know what you think! 🚀

[riteshnoronha]

@logicaloud we just release sbommv version 0.0.3 which now supports sbom uploads to DT. In the next version we are releasing folder monitoring, which will be awesome. Will update this thread once we have folder monitoring released.

[logicaloud]

@riteshnoronha Apologies, I thought I had replied already to your first message but apparently haven't. This (with the folder option) is the kind of tool I was after. Looking forward to your next update.

[riteshnoronha]

Awesome will keep u posted. Here are details for v0.0.3 release https://www.linkedin.com/pulse/github-releases-where-sboms-goto-die-vivek-kumar-sahu-etppc/

[riteshnoronha]

@logicaloud here you go v0.0.4 of the tool has been released with folder monitoring. Would love your feedback. https://www.linkedin.com/feed/update/urn:li:activity:7315427861840941057/ . This has been a great feature suggestion, we use it almost daily internally now.