# Software Bill of Material Generator

The Software Bill of Material Generator extension generates SBOM documents for OCM artefacts. It is configured under the `sbom_generator` key.
## Configuration Example

```yaml
sbom_generator:
  interval: 86400 # 24 hours
  on_unsupported: warning
  generation_mode: syft # or 'bdba'
  output_format: cyclonedx # or 'spdx', 'bdio'
  create_new_scan_if_missing: false # BDBA mode only
  processing_mode: force_upload # or 'rescan' (BDBA mode)
  mappings:
    - prefix: 'acme.org/product-a'
      group_id: 1234 # Required for BDBA mode
      aws_secret_name: aws-account-prod
    - prefix: '' # catch-all
      group_id: 9999
      aws_secret_name: aws-account-default
```
## Top-Level Options

| Option | Type | Default | Description |
|---|---|---|---|
| `interval` | int (seconds) | `86400` | Maximum time before an artefact is re-scanned. |
| `on_unsupported` | string | `warning` | Behaviour when artefact kind/type/access is unsupported. Options: `fail`, `ignore`, `warning`. |
| `generation_mode` | string | `syft` | SBOM generation tool: `syft` or `bdba`. |
| `output_format` | string | `cyclonedx` | Output format: `cyclonedx`, `spdx`, or `bdio`. |
| `create_new_scan_if_missing` | bool | `false` | BDBA mode: create new scan if none exists. |
| `processing_mode` | string | `force_upload` | BDBA mode: `force_upload` or `rescan`. |
| `mappings` | list | | Per-prefix component mappings. See mapping fields below. |
## Mapping Fields

Each entry in the `mappings` list supports the following fields:

| Option | Type | Required | Description |
|---|---|---|---|
| `prefix` | string | yes | Component name prefix. Use `''` (empty string) as a catch-all. |
| `group_id` | int | conditional | BDBA group ID (required when `generation_mode: bdba`). |
| `aws_secret_name` | string | no | Name of the AWS secret used to access S3 artefacts. |
## Configuration Details

### interval

The maximum time (in seconds) before a component's artefacts are rescanned. Default is 86400 seconds (24 hours).

### on_unsupported

Defines the behaviour when an artefact kind, type, or access method is not supported:

- `fail`: Raise an exception and stop processing
- `ignore`: Silently skip the unsupported artefact
- `warning` (default): Skip the artefact and log a warning message
### generation_mode

Specifies which tool to use for SBOM generation:

- `syft` (default): Uses Syft for fast, local SBOM generation
- `bdba`: Retrieves SBOMs from BDBA scan results

When using `bdba` mode, additional fields (`group_id`, `create_new_scan_if_missing`, `processing_mode`) become relevant.
### output_format

Specifies the SBOM format to generate:

- `cyclonedx` (default): Generates CycloneDX format SBOMs
- `spdx`: Generates SPDX format SBOMs
- `bdio`: Generates Black Duck I/O format (BDBA mode only)
### create_new_scan_if_missing

Only applicable when `generation_mode: bdba`. When `true`, creates a new BDBA scan if no existing scan is found. When `false` (default), skips SBOM generation if no scan exists.
### processing_mode

Only applicable when `generation_mode: bdba`. Determines how existing BDBA scans are handled:

- `rescan`: Reuse the previously uploaded binary and retrieve updated results
- `force_upload` (default): Always re-upload the binary and retrieve updated results
### mappings

Allows per-component-prefix configuration. This is particularly useful when:

- Different components require different AWS credentials for S3 access
- You need to handle components from different sources differently
#### Prefix Matching

The `prefix` field uses simple string prefix matching:

- `prefix: 'acme.org'` matches `acme.org/product` and `acme.org/another-product`
- `prefix: ''` (empty string) matches all components (use as a catch-all)

Multiple mappings are evaluated in order, and the first matching prefix is used.
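The ordering rule above decides which AWS secret (and, in BDBA mode, which group) a component ends up with, so a catch-all placed before a specific prefix silently redirects that component. The following is an added example, not code from the SBOM Generator extension: it reproduces the documented first-match rule and checks a constructed copy of the configuration example for shadowed prefixes and for entries lacking `group_id` in `bdba` mode.

```python
"""Resolve and sanity-check sbom_generator mappings (added example)."""
from __future__ import annotations

# Constructed sample mirroring the documented configuration example.
SBOM_GENERATOR_CONFIG = {
    "generation_mode": "bdba",
    "mappings": [
        {"prefix": "acme.org/product-a", "group_id": 1234,
         "aws_secret_name": "aws-account-prod"},
        {"prefix": "", "group_id": 9999,  # catch-all
         "aws_secret_name": "aws-account-default"},
    ],
}


def resolve_mapping(component_name: str, mappings: list[dict]) -> dict | None:
    """Return the first mapping whose prefix matches, or None (documented rule)."""
    for mapping in mappings:
        if component_name.startswith(mapping["prefix"]):
            return mapping
    return None


def check_mappings(config: dict) -> list[str]:
    """Return findings for a config; an empty list means the mappings are sound."""
    findings = []
    mappings = config.get("mappings", [])
    bdba = config.get("generation_mode") == "bdba"
    for i, mapping in enumerate(mappings):
        prefix = mapping["prefix"]
        # group_id is mandatory for every entry in BDBA mode.
        if bdba and "group_id" not in mapping:
            findings.append(f"mapping {i} ({prefix!r}): group_id required in bdba mode")
        # An earlier prefix that prefixes a later one makes the later entry unreachable.
        for j in range(i + 1, len(mappings)):
            later = mappings[j]["prefix"]
            if later.startswith(prefix):
                findings.append(
                    f"mapping {j} ({later!r}) is unreachable: shadowed by mapping {i} ({prefix!r})"
                )
    return findings


if __name__ == "__main__":
    hit = resolve_mapping("acme.org/product-a/image", SBOM_GENERATOR_CONFIG["mappings"])
    print(hit["aws_secret_name"])              # aws-account-prod
    print(check_mappings(SBOM_GENERATOR_CONFIG))  # []
```

Reversing the two entries in the sample is enough to make `check_mappings` report the specific prefix as shadowed, and `resolve_mapping` then hands the product-a component the default credentials.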
#### AWS Secret Configuration

When scanning S3 resources, the SBOM Generator needs AWS credentials. The `aws_secret_name` field specifies which AWS secret to use from your ODG secrets configuration.

Example with multiple prefixes:

```yaml
sbom_generator:
  output_format: cyclonedx
  interval: 86400
  mappings:
    - prefix: 'acme.org/product-a'
      aws_secret_name: aws-account-prod
    - prefix: 'acme.org'
      aws_secret_name: aws-account-dev
    - prefix: ''
      aws_secret_name: aws-account-default
```