Tidelift has the ability to work with software bills of materials (SBOMs). Working with SBOMs allows for the option to import SBOMs generated from third party tools and/or those provided by vendors. Centralizing SBOMs in Tidelift provides a powerful way to understand and track your organization's software usage and risks. Tidelift supports SBOMs in both the CycloneDX and SPDX formats.
A SBOM can be uploaded into Tidelift by doing either of the following:
- Performing an alignment in a directory containing a SBOM with the Tidelift CLI
- Uploading a SBOM into Tidelift via the Tidelift UI
For a CycloneDX SBOM, the file must be named cyclonedx.json (JSON format) or cyclonedx.xml (XML format). For a SPDX SBOM, the file must have the file extension .spdx (example: myproject.spdx).
Generating a SBOM from docker
To generate a software bill of materials file for a container image (or for a vendor to create a SBOM file to send to your team), see https://github.com/anchore/syft#getting-started.
Uploading a SBOM into the Tidelift UI
Alternatively, you can upload any other CycloneDX file (cyclonedx.json, cyclonedx.xml) or SPDX file (somefile.spdx):
- Sign into Tidelift and click on Projects
- On the Projects page, select Create new project in the righthand corner
- After naming your project, select Next
- From the new dialogue window, you can upload your CycloneDX or SPDX formatted SBOM via the Upload files button