Final Thesis: Defining a Framework for Automated Software-BOM Generation from Package Metadata in a CI/CD Environment 

Abstract: With modern applications growing in complexity, an increasing reliance on third party components can be observed across the industry. Such reuse of Free/Libre Open Source Software (FLOSS) or Commercial off-the-shelf (COTS) artifacts can help reduce time to market and enable faster release cycles. At the same time, managing a large toolbox of dependencies presents developers with new challenges, both in terms of license compliance and vulnerability monitoring. Package managers like npm can help with these tasks by providing at-a-glance information about the dependencies present in a project. However, these tools are often tailored to specific technologies or use-cases and require domain knowledge to be used effectively. As an alternative, this thesis proposes and subsequently implements a new, plugin-based toolchain that provides an abstraction layer on top of existing tools and can be deployed as part of a Continuous Integration (CI) pipeline to generate a Software Bill of Materials (SBOM) from package metadata. To allow for future extensibility, the framework offers a Remote Procedure Call (RPC) interface that allows plugins to exchange data across process and technology boundaries. 

Keywords: Open source, dependency analysis, software bill of materials, license compliance

PDF: Bachelor Thesis

Reference: Alexander Gschrei. Defining a framework for automated Software-BOM generation from package metadata in a CI/CD environment. Bachelor Thesis. Friedrich-Alexander-Universität Erlangen-Nürnberg: 2022.