The Linux Foundation Projects
Skip to main content

Commercial (Proprietary) Tools

These are tools offered by Commercial Vendors which are not open sourced.

Black Duck SCA

Company Contact

Synopsys

SPDX Support

Produce, Import, Analyze

Functionality

Identify application dependencies, and export SPDX SBOM. Import SPDX documents. Analyze dependencies listed in SPDX documents. 

Versions Supported

2.2 and 2.3. Support for v3.0 in progress

BlackBerry® Jarvis™

Company Contact

BlackBerry Limited

SPDX Support

Produce (Analyze)

Functionality

BlackBerry Jarvis is a cloud based SCA and SAST tool for analyzing binary software images. It produces SBOM documents in SPDX format.

Installation Instructions

Cloud based platform. Contact BlackBerry for a trial or demo.

How to Use

Upload a binary software image using the Web interface or API.

Select “Download SPDX Report” in the scan results.

Versions Supported

SPDX 2.2

Cybeats SBOM Studio

Company Contact

Cybeats Technologies Inc.

SPDX Support

Produce(Analyze), Consume(Import), Transform(Translate), Transform(Merge)

Additional Support

Enrich(Security Enrichment and Threat Modeling), Share(Secure Signed Sharing)

Functionality

Cybeats SBOM Studio is a cybersecurity software inventory analysis platform. It is built for the pre-market stages of IoT firmware development and helps device makers with mapping, management and design, and enrichment for IoT device’s firmware. Cybeats SBOM Studio generates SBOMs with the runtime data information for more precise identification of vulnerabilities and exploits abilities. The solution models and translates the data into enriched SBOMs. SBOM Studio exports and imports SPDX/CycloneDX formats and enriches the model with vulnerability and context based exploitability data providing visibility into threat modeling and threat intelligence angle of the device.

Location

Installation Instructions

Contact info@cybeats.com for demo

How to Use

Analyze: (Linux) Agent operating on device can scan and inventory system content and information

Import: Model your solution in SBOM Studio and import source and binary SBOM files in SPDX or CycloneDX formats.

Export: Export and share security signed SBOMS in SPDX and CycloneDX formats.

Versions Supported

SPDX 2.2

CyberProtek

Company Contact

MediSAO

SPDX Support

Produce(Analyze), Consume(Import), Transform(Translate)

Functionality

CyberProtek is an SBOM generation and translation tool for IoT that scans code metadata to create SBOMs, translates between SWID/SPDX/CycloneDx and manages vulnerabilities.

Location

Installation Instructions

Entirely web based. Contact MedISAO for demo.

How to Use

To import: Upload or paste SBOM into Import tab, or use supported scanning tool in development environment

To export:Download SPDX from SBOM export tab as a text file.from web portal.

Versions Supported

SPDX 2.1, SPDX 2.2

DejaCode

Company Contact

nexB Inc.

SPDX Support

Produce (Analyze, Edit)

Functionality

DejaCode is an enterprise-level open source compliance application, powered by ScanCode. You can generate an SPDX 2.3 SBOM from your Product definitions.

Location

Installation Instructions

Options include: 

  • Sign up for a free evaluation
  • Become a DejaCode SaaS customer
  • Install DejaCode on-premises

How to Use

Define (review, approve) the details of your Product in DejaCode. Use the Share option to generate an SPDX 2.3 SBOM in .json format.

Versions Supported

SPDX 2.3

FACT

Company Contact

aDolus Technology Inc.

SPDX Support

Produce(Analyze)

Functionality

Generates SBOMs for Industrial Control System (ICS) software and analyzes the created SBOMs to detect vulnerabilities, obsolescence, and malware.

Installation Instructions

Contact aDolus for demo

How to Use

Through website, API, or local install of tool

Versions Supported

SPDX 2.2

Fortress File Integrity Assurance (FIA)

Company Contact

Fortress

SPDX Support

Produce (Analyze), Consume (Import, View, Diff), Transform (Translate)

Functionality

FIA can create SBOMs from binary or archive, consume externally provided SBOMs, enrich SBOMs with Fortress risk analysis, compare SBOM versions, and track components to support continuous monitoring.

Installation Instructions

SaaS based application. Contact Fortress for a trial or demo.

Versions Supported

SPDX 2.2

FOSSID

Company Contact

FOSSID AB

SPDX Support

Produce(Analyze), Consume(View), Consume(Diff), Consume(Import)

Functionality

FOSSID is a Software Composition Analysis tool that scans your code for open source licenses and vulnerabilities, and gives you full transparency and control of your software products and services.

Location

Installation Instructions

Contact FOSSID

How to Use

Contact FOSSID

Versions Supported

SPDX 2.1, SPDX 2.2 (WIP)

Interlynk

Company Contact

Interlynk Inc.

SPDX Support

Produce(Build), Consume(Import), Transform(Edit, Sign, Merge)

Additional Support

Enrich (Security, Licensing), Share (Secure, Trackable), End-to-end Automation

Functionality

Interlynk makes it possible to achieve automated SBOM compliance in real time. Interlynk SBOM Platform builds, collects, patches, signs, and maintains SBOM as soon as a product release is created. The capabilities include fixing common issues, merging part SBOMs into product SBOMs, and finalizing SBOMs for external sharing. The Platform also supports automated delivery to trusted partners and customers with complete and granular control over the SBOM data. A complete audit trail of release and access log of all SBOM compliance activities per partner makes it ideal for sensitive workflows.

Location

Installation Instructions

Contact Interlynk: hello@interlynk.io

How to Use

SaaS platform with API support for CI/CD automation

Versions Supported

SPDX 2.2, SPDX 2.3

Manifest

Company Contact

Manifest Cyber, Inc.

SPDX Support

Produce (Build), Produce (Analyze), Consume(Import), Consume (Diff), Consume(View), Transform(Merge), Transform (Tool Integration)

Additional Support

Enrich (Security Enrichment and Remediation), Share (Signing and Secure Sharing)

Functionality

Manifest is an enterprise solution built to solve the entire SBOM lifecycle. The platform offers SBOM generation, solicitation, management, and secure sharing of both first- and third-party SBOMs in SPDX and CycloneDX formats. Other SBOM workflows include component analysis, license investigation, vulnerability scanning, monitoring, alerting, risk reporting, fix recommendations, and remediation ticketing. Manifest also empowers users to manage VEX documents, and easily integrates with other tools via flexible APIs.

Location

Installation Instructions

Reach out to info@manifestcyber.com for a demo and to learn more.

How to Use

Manifest offers a web-based application, open APIs, a command line interface (CLI), and flexible CI/CD pipeline integration.

Versions Supported

SPDX 2.X

MedScan

Company Contact

Medsec

SPDX Support

Consume

Functionality

Consumes SBOMs for helping hospitals manage medical device assets.

Installation Instructions

Virtualized appliance inside hospital, Webportal for user, Contact MedSec for demo

How to Use

To import:Locate the device profile relevant to the SBOM, and select ‘add SBOM’

To export: locate the device profile desired and select ‘Download SBOM’

Versions Supported

Revenera

Company Contact

SPDX Support

  • Produce (build, analyze, diff, translate, merge)
  • Consume (import, analyze, diff, translate, merge)

Functionality

  • Construction of SBOMs via automated scanning & optional manual analysis for a complete and accurate SBOM beyond top-level components and declared dependencies in manifest files (including third-party and commercial)
  • Export SBOM data in SPDX/CycloneDX formats along with human readable Excel/HTML
  • Import third-party SPDX/CycloneDX SBOMs and normalize data into a single view of SBOM parts across the organization
  • Analyze SBOM parts for compliance with legal and security policies
  • Alerts for new security vulnerabilities for existing SBOM parts
  • Advanced search using various criteria to identify impact across system

Installation Instructions

How to Use

SBOM Construction

  • Perform scans as part of CI/CD pipeline or regular cadence/ad-hoc
  • Analyze results for SBOM parts beyond package manager declarations (including third-party and commercial)
  • Publish findings for review (automated via policy or manual)
  • Generate SBOMs in various formats

SBOM Import

  • Import third-party SPDX/CycloneDX SBOMs to normalized SBOM parts into a unified view across system

Common Capabilities

  • Analyze SBOM parts for compliance with legal and security policies
  • Alerts for new security vulnerabilities for existing SBOM parts
  • Advanced search using various criteria to identify impact across system
  • Generate reports for various stakeholders (legal, security, engineering, release management, product management, OSPO)
  • Rich API

Versions Supported

v2.2, v2.3, v3.0 (WIP)

RKVST SBOM Hub

Company Contact

Jitsuin Inc.

SPDX Support

Distribute

Functionality

RKVST SBOM HUB is the first place to find and fetch public or private SBOMs.

Installation Instructions

Free to access SaaS

How to Use

https://support.rkvst.com/hc/en-gb/articles/4412493236241

Versions Supported

SBOM Observer

Company Contact

Bitfront AB

SPDX Support

Import, Analyze

Functionality

SBOM Observer provides a comprehensive SBOM workflow to help you manage your software supply chain. Leverage the powerful combination of the Policy Engine and Operational Model to guarantee the security and compliance of your software.

Installation Instructions

SBOM Observer is a SaaS Platform

How to Use

SBOM Observer is a SaaS Platform with free live demo, to get started see: Using SBOM Observer

Versions Supported

SPDX 2.1, SPDX 2.2, SPDX 2.3

Snyk

Company Contact

Snyk

SPDX Support

Produce(Build, Analyze), Consume(Import, View)

Functionality

Snyk is a developer security platform for the enterprise.

Through its Software Composition Analysis (SCA) products and integrations, Snyk supports the identification of packages and dependencies to produce an SBOM at various points in the SDLC — which can then be exported in SPDX format.

Produce SPDX format SBOMs for container images, manifest files in a file system, or for projects being monitored by Snyk. Snyk can import SPDX format SBOMs to analyze packages and dependencies for known vulnerabilities present in its vulnerability database.

Location

Website – https://snyk.io

Installation Instructions

How to Use

Snyk offers public APIs, a command line interface (CLI), integrations, and a web-based platform. Import and export of Software Bill of Materials is integrated with several parts of the Snyk platform.

Versions Supported

SPDX 2.3

Software Assurance Guardian Point Man (SAG-PM)

Company Contact

Reliable Energy Analytics LLC

SPDX Support

Consume(Import)

Functionality

Processes SPDX SBOMs as part of a seven step software supply chain risk assessment

Installation Instructions

Contained in Company provided Documentation

How to Use

Sag comprehensive {software install pkg}  {Evidence output loc}

Versions Supported

SPDX 2.2

SourceAuditor

Company Contact

SourceAuditor

SPDX Support

Produce(Analyze), Consume(View), Consume(Diff, Consume(Import), Transform(Translate)

Functionality

Supports SPDX document exports for full audit analysis of source and binaries.  Supports consuming SPDX documents for incremental code audits.

Installation Instructions

How to Use

Primarily used by consultants to generate SPDX documents for source code analysis and audits.

Versions Supported

SPDX 1.2, SPDX 2.0, SPDX 2.1, SPDX 2.2, SPDX 2.3

TrustSource

Company Contact

TrustSource

SPDX Support

Produce(Analyze)

Functionality

Installation Instructions

How to Use

Primarily used by consultants to generate SPDX documents for source code analysis and audits.

Versions Supported

SPDX 2.1 (WIP)

Vigilant Ops InSight

Company Contact

Vigilant Ops

SPDX Support

Produce(Analyze), Consume(View), Transform(Translate), Transform(Tool Support)

Functionality

Vigilant Ops InSight is a cloud-based platform utilized by both Medical Device Manufacturers (MDM) and Healthcare Delivery Organizations (HDO). MDMs use the platform for generating, maintaining, and securely sharing medical device Cybersecurity Bill of Materials (CBOM) with HDOs. The InSight platform leverages advanced technology, artificial intelligence, and machine learning algorithms to continuously monitor public data sources for component vulnerability updates.

Location

Installation Instructions

Web based platform. Visit https://vigilant-ops.com/ to request a demo OR email info@vigilant-ops.com

How to Use

To Import: Import of SPDX not currently supported.

To Export: Medical Device Manufacturers (MDM) can generate a CBOM in Vigilant Ops encrypted format using the CBOM Generator. This CBOM can then be uploaded to the web based InSight MDM application using the “Upload CBOM” option. The CBOM can then be exported in SPDX format using the “Export” menu option in the MDM application.

Versions Supported

SPDX 2.1 

Vulert

Company Contact

info@vulert.com

SPDX Support

Import, Analyze

Functionality

Vulert is a cloud-based SCA solution that proactively monitors the SBOM files for vulnerable dependencies. No installations are required. It provides real-time alerts and supports API integration for seamless CI/CD automation. Additionally, it is compatible with all major Security Information and Event Management (SIEM) tools.

Installation Instructions

Web-based platform.

How to Use

To use Vulert, first register on the platform and integrate it with your applications—no code access or installations necessary. Set up your alert preferences for real-time vulnerability notifications and, if using CI/CD pipelines, incorporate the Vulert API for automated security checks. Ensure compatibility with your SIEM tool of choice for a holistic security overview.

Versions Supported

SPDX 2.1 , 2.2, and 2.3