BOM Doctor is a free, GitHub-hosted tool created by Sonatype to scan software bills of materials (SBOMs) and identify vulnerabilities and legal issues.
BOMs are widely used in traditional supply manufacturing to track the parts that compose a given product, with the aim of making it easy to identify products affected by defects found in any of its parts. For software, a BOM lists all libraries that are used by a program, along with their dependency tree and any available information about known vulnerabilities and licensing.
Sonatype BOM Doctor allows you to submit an SBOM or a GitHub repo URL to inspect. The tool can generate both an SBOM graph or a report including a list of all dependencies annotated with any legal risks or known vulnerabilities and their severity.
The generated report can be downloaded and shared with the rest of your team.
An SBOM is a key tool to prevent malicious supply chain attacks, say Sonatype, since it allows to update any vulnerable dependencies in a timely manner so you can reduce the time spent on reworking code.
While generating an SBOM for an open-source project is a relatively easy task for any organization needing that information, an SBOM is the only way to tell what's inside a proprietary product and assess its security or legal risks.
SBOMs are not yet a legal requirements, but they are included in the guidelines released in September 2022 by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) as well as in other official documents that could be included in the requirements established by the Zero Trust Cybersecurity initiative.
In addition to BOM Doctor, Sonatype provides a couple of other free tools to help with supply chain security, including Sonatype Safety Rating, and the code analysis platform Sonatype Lift.