Commercial (Proprietary) Tools

These are tools offered by Commercial Vendors which are not open sourced.

CybeatsvSBOM Studio

Company Contact Cybeats Technologies Inc.
SPDX Support Produce(Analyze), Consume(Import), Transform(Translate), Transform(Merge), Enrich(Security Enrichment and Threat Modeling), Share(Secure Signed Sharing)
Additional Support Enrich(Security Enrichment and Threat Modeling), Share(Secure Signed Sharing)
Functionality Cybeats SBOM Studio is a cybersecurity software inventory analysis platform. It is built for the pre-market stages of IoT firmware development and helps device makers with mapping, management and design, and enrichment for IoT device’s firmware. Cybeats SBOM Studio generates SBOMs with the runtime data information for more precise identification of vulnerabilities and exploits abilities. The solution models and translates the data into enriched SBOMs. SBOM Studio exports and imports SPDX/CycloneDX formats and enriches the model with vulnerability and context based exploitability data providing visibility into threat modeling and threat intelligence angle of the device.
Location Website: https://cybeats.com
Installation instructions Contact: info@cybeats.com for demo
How to use:

Analyze: (Linux) Agent operating on device can scan and inventory system content and information

Import: Model your solution in SBOM Studio and import source and binary SBOM files in SPDX or CycloneDX formats.

Export: Export and share security signed SBOMS in SPDX and CycloneDX formats.

Versions supported: SPDX 2.2

CyberProtek

Company Contact MediSAO
SPDX Support Produce(Analyze), Consume(Import), Transform(Translate)
Functionality CyberProtek is an SBOM generation and translation tool  for IoT that scans code metadata to create SBOMs, translates between SWID/SPDX/CycloneDx and manages vulnerabilities.
Location Website: https://cyberprotek.com
Installation instructions Entirely web based. Contact MedISAO for demo.
How to use

To import: Upload or paste SBOM into Import tab, or use supported scanning tool in development environment

To export:Download SPDX from SBOM export tab as a text file.from web portal.

versions supported: SPDX 2.1, SPDX 2.2 (WIP)?

FACT

Company aDolus Technology Inc.
Product FACT
SPDX Support Produce(Analyze)
Functionality Generates SBOMs for Industrial Control System (ICS) software and analyzes the created SBOMs to detect vulnerabilities, obsolescence, and malware.
Location Website: https://www.adolus.com/
https://fact.adolus.com/Files/Analyze
Installation instructions Contact aDolus for demo
How to use Through website, API, or local install of tool
Version Supported SPDX 2.2

FOSSID  → Synk

Company Contact FOSSID AB
SPDX Support Produce(Analyze), Consume(View), Consume(Diff), Consume(Import)
Functionality FOSSID is a Software Composition Analysis tool that scans your code for open source licenses and vulnerabilities, and gives you full transparency and control of your software products and services.
Location Website: https://fossid.com/
Installation instructions Contact FOSSID
How to use Contact FOSSID
versions supported: SPDX 2.1, SPDX 2.2 (WIP)

Hub-SPDX (Black Duck Hub Report Utility)

Company Contact Synopsys
SPDX Support Produce(Analyze)
Functionality Download a report in SPDX format from Black Duck Hub
Location

Website: https://github.com/blackducksoftware/hub-spdx

https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/622899/Black+Duck+SPDX+Report+Utility

Installation instructions Download the hub-spdx-1.0.0.jar file from the github repository
How to use

Run with Java (1.8 or higher)

java -jar hub-spdx-<version>.jar –hub.url=<Hub URL>

–hub.username=<Hub username> \

–hub.password=<Hub password> \

–hub.project.name=<Hub project name> \

–hub.project.version=<Hub project version> \

–output.filename=<path to report file> \

–include.licenses=true

versions supported: SPDX 2.1, SPDX 2.2 (please contact your Synopsys representative to access this update)

MedScan

Company Medsec
Product MedScan
Support Consume
Functionality Consumes SBOM’s for helping hospitals manage medical device assets
Location Website: https://medsec.com/medscan.html
Installation instructions Virtualized appliance inside hospital, Webportal for user, Contact MedSec for demo
How to use

To import:Locate the device profile relevant to the SBOM, and select ‘add SBOM’

To export: locate the device profile desired and select ‘Download SBOM’

Version supported Contact MedScan

Software Assurance Guardian Point Man (SAG-PM)

Company Contact Reliable Energy Analytics LLC
SPDX Support Consume(Import)
Functionality Processes spdx SBOM’s as part of a seven step software supply chain risk assessment
Location https://reliableenergyanalytics.com/products
Installation instructions Contained in Company provided Documentation
How to use Sag comprehensive {software install pkg}  {Evidence output loc}
versions supported: SPDX 2.2 in .spdx format

SourceAuditor

Company Contact SourceAuditor
SPDX Support Produce(Analyze), Consume(View), Consume(Diff, Consume(Import), Transformation(Translate)
Functionality Supports SPDX document exports for full audit analysis of source and binaries.  Supports consuming SPDX documents for incremental code audits.
Location Website: https://sourceauditor.com/compliance/
Installation instructions Contact gary@sourceauditor.com
How to use Primarily used by consultants to generate SPDX documents for source code analysis and audits.
versions supported: SPDX 1.2, SPDX 2.0, SPDX 2.1, SPDX 2.2 (WIP)

TrustSource

Company Contact TrustSource
SPDX Support Produce(Analyze),
Functionality Contact TrustSource
Location Website: https://www.trustsource.io/en/trustsource-home/
Installation instructions Contact TrustSource
How to use Primarily used by consultants to generate SPDX documents for source code analysis and audits.
versions supported: SPDX 2.1(WIP), ?

Vigilant-ops

Company Vigilant Ops
Product InSight Platform
SPDX Support Produce(Analyze), Consume (View), Transform (Translate), Transform(Tool Support)
Functionality Vigilant Ops InSight is a cloud-based platform utilized by both Medical Device Manufacturers (MDM) and Healthcare Delivery Organizations (HDO). MDMs use the platform for generating, maintaining, and securely sharing medical device Cybersecurity Bill of Materials (CBOM) with HDOs. The InSight platform leverages advanced technology, artificial intelligence, and machine learning algorithms to continuously monitor public data sources for component vulnerability updates.
Location Website: https://vigilant-ops.com/
Installation instructions Web based platform. Visit https://vigilant-ops.com/ to request a demo OR email info@vigilant-ops.com
How to use

To Import: Import of SPDX not currently supported.

To Export: Medical Device Manufacturers (MDM) can generate a CBOM in Vigilant Ops encrypted format using the CBOM Generator. This CBOM can then be uploaded to the web based InSight MDM application using the “Upload CBOM” option. The CBOM can then be exported in SPDX format using the “Export” menu option in the MDM application.

Version supported SPDX 2.1