Creating SBOMs from Manifests -- syft, grype

Allan_Baker · July 26, 2025, 2:37pm

Has anyone used something like

or GitHub - anchore/grype: A vulnerability scanner for container images and filesystems

with Julia Packages?

I need to create SBOMs to get Julia and its packages approved. I think these are the tools they recommend using. I think ultimately I need a CycloneDX SBOM file.

Any work being done on this? Anyone else have this problem?

avik · July 26, 2025, 2:54pm

I believe Trivy can generate SBOMs from Pkg project and manifest files. Julia - Trivy

GunnarFarneback · July 26, 2025, 3:46pm

I have never needed or used it, but [ANN] PkgToSoftwareBOM v0.1.12: Options to include the package server and artifact build scripts in the SBOM should be of some relevance.

Topic		Replies	Views
[ANN] PkgToSoftwareBOM.jl: Generate an SBOM of your environment Package Announcements	2	555	May 22, 2023
[ANN] PkgToSoftwareBOM v0.1.8: Generate a Software BOM of your environment, now including artifacts! Package Announcements	1	430	January 3, 2024
[ANN] PkgToSoftwareBOM v0.1.10: Package License now included in the SBOM Package Announcements	0	232	April 12, 2024
[ANN] PkgToSoftwareBOM v0.1.12: Options to include the package server and artifact build scripts in the SBOM Package Announcements	0	86	September 14, 2024
Secure coding in Julia? General Usage security	18	1114	July 3, 2024

Creating SBOMs from Manifests -- syft, grype

Related topics