Compatible tools and ecosystem

MOSK provides its Software Bill of Materials (SBOM) in the CycloneDX format, an industry standard built for high interoperability. This section outlines common industry tools that can ingest SBOM data to automate security scanning, license audits, and inventory management.

Vulnerability and risk management

These solutions analyze the components shipped in a software bundle against known vulnerability databases, such as the NVD or GitHub Advisories, to identify security risks and prioritize remediation without requiring access to the original source code:

  • OWASP Dependency-Track

    An intelligent component analysis platform that allows organizations to identify and reduce risk in the software supply chain. It is specifically designed to consume CycloneDX SBOMs and monitor them continuously for new vulnerabilities.

  • Grype (by Anchore)

    A vulnerability scanner for container images and filesystems. It takes a CycloneDX SBOM as input to perform a static scan, matching the inventory against its internal vulnerability database.

  • Trivy (by Aqua Security)

    A comprehensive security scanner that supports CycloneDX ingestion. It is often used in CI/CD pipelines to verify that the components listed in an SBOM meet security thresholds before deployment.

License and compliance

The following tools can help ensure that the open-source components within MOSK align with the organization’s legal and regulatory requirements:

  • FOSSA

    A commercial platform that automates license compliance and vulnerability management. It can import third-party CycloneDX SBOMs to provide a full audit of license obligations and potential legal risks.

  • Mend (formerly WhiteSource)

    An enterprise-grade Software Composition Analysis (SCA) tool that uses SBOM data to track direct and transitive dependencies, ensuring compliance with internal policies.

Visualization and utilities

These utilities enable the exploration of dependency graphs and the validation of specific artifacts:

  • CycloneDX CLI

    The official tool for validating, querying, and merging SBOMs. It can be used to verify that MOSK SBOM data adheres to the official CycloneDX schema specifications, which include v1.6 and v1.7.

  • Sunshine

    An open-source visualization tool that generates interactive dependency graphs from CycloneDX files. It provides a clear mapping of how subsystems, such as Ceph or OpenStack, relate to their underlying libraries and dependencies.

Enterprise platform integrations

Many centralized security and development platforms can process MOSK SBOMs within existing workflows. For example:

  • GitLab

    Supports CycloneDX reports for Dependency Scanning and License Compliance within the Security & Compliance dashboard.

  • Snyk

    Ingests CycloneDX files to manage the security posture of third-party artifacts within the Snyk AppSec platform.

  • Wiz

    Uses SBOM data to map cloud-native vulnerabilities and supply-chain risks across Kubernetes clusters.