A comprehensive web-based application for generating, managing, and analyzing Software Bill of Materials (SBOM) with vulnerability tracking and license compliance in accordance with CERT-In Technical Guidelines v2.0.
- ✅ Phase 1: Foundation - Complete
- ✅ Phase 2: Core Scanner - Complete
- ✅ Phase 3: Vulnerability & License Tracking - Complete
- ✅ Phase 4: Export, Authentication & Docker - Complete

Production Ready! Full Docker deployment with authentication and comprehensive export capabilities.
- 5 Ecosystem Support: Node.js, Python, Java, Go, Rust
- 12 File Formats: package.json, package-lock.json, requirements.txt, Pipfile, Pipfile.lock, pyproject.toml, pom.xml, build.gradle, build.gradle.kts, go.mod, go.sum, Cargo.toml, Cargo.lock
- Multi-File Upload: Upload multiple dependency files in a single scan with drag-and-drop support
- Mixed Ecosystems: Combine files from different package managers (e.g., package.json + requirements.txt)
- Smart Deduplication: Automatically merges components from multiple files
- File Validation: Real-time validation and ecosystem detection for uploaded files
- SPDX 2.3 Compliant: Full specification support with validation
- CERT-In Compliance: All 21 minimum data fields included
- Auto-Enrichment: Automatic CPE, PURL, SWID, and dependency relationship population via NVD API
- Automatic Scanning: Background vulnerability scanning after SBOM generation
- NVD API Integration: National Vulnerability Database with CVSS scores
- OSV API Fallback: Open Source Vulnerabilities for faster results
- Smart Caching: 24-hour cache to avoid rate limits
- Version Matching: Intelligent version range detection
- Severity Classification: Critical, High, Medium, Low, None
- Real-Time Dashboard: Live vulnerability summaries across all projects
- SPDX License Mapping: 14+ common licenses with automatic normalization
- Policy Engine: 4 built-in policies (Commercial, Permissive, Open Source, Unrestricted)
- Risk Scoring: Automatic risk level assignment (Low, Medium, High)
- Policy Violations: Real-time alerts for non-compliant licenses
- Compatibility Checking: Verify license compatibility across dependencies
- System Health Monitoring: Database and API status
- Vulnerability Summary Cards: Color-coded by severity
- License Breakdown: Risk distribution and top licenses
- Policy Violation Alerts: Expandable alerts with component details
- Recent Projects: Quick navigation to project details
- JWT Authentication: Secure token-based auth with 7-day expiry
- User Management: Email/password registration and login
- Protected Routes: All app features require authentication
- Password Security: bcrypt hashing with validation
- Session Management: Automatic token refresh and logout
- CSV Export: Components and vulnerabilities in tabular format
- Excel (.xlsx): Multi-sheet workbooks with summary data
- JSON Export: Native SBOM Manager format with full data
- SPDX 2.3: Industry-standard SBOM format
- CycloneDX 1.5: OWASP Bill of Materials format
- Authenticated Downloads: Secure token-based file access
- One-Command Setup: `docker compose up` for the full stack
- Multi-Service Architecture: Frontend, Backend, Database, Reverse Proxy
- Health Monitoring: Automated health checks for all services
- Auto-Migration: Database schema updates on startup
- Production Ready: Optimized multi-stage builds
- Data Persistence: PostgreSQL volumes for data retention
- Frontend: React 18 + TypeScript + Vite + Tailwind CSS + shadcn/ui + TanStack Query
- Backend: Node.js 20 + Hono + Drizzle ORM
- Database: PostgreSQL 14+
- External APIs: NVD (vulnerabilities), OSV (vulnerabilities fallback)
```
sbom-manager/
├── backend/
│   ├── src/
│   │   ├── db/                 # Database schema & migrations
│   │   ├── routes/             # API routes (REST)
│   │   ├── services/           # Business logic
│   │   │   ├── vulnerability-service.ts   # NVD/OSV integration
│   │   │   └── license-service.ts         # License policy engine
│   │   ├── scanner/            # SBOM generation
│   │   │   ├── parsers/        # Ecosystem parsers (npm, python, etc.)
│   │   │   └── generators/     # SPDX generator
│   │   └── index.ts            # Main server
│   └── drizzle/                # SQL migrations
├── frontend/
│   ├── src/
│   │   ├── components/         # React components
│   │   ├── pages/              # Page components
│   │   │   ├── Dashboard.tsx       # Enhanced with vuln/license
│   │   │   ├── ProjectDetail.tsx   # Vuln scanning & summaries
│   │   │   ├── Scanner.tsx         # File upload & directory scan
│   │   │   └── Projects.tsx        # Project management
│   │   ├── lib/
│   │   │   ├── api.ts          # API client with all endpoints
│   │   │   └── utils.ts        # Utilities
│   │   └── App.tsx
│   └── public/
├── test-projects/              # Sample projects for testing
├── docker-compose.yml          # PostgreSQL container
├── PRD.md                      # Product Requirements Document
├── PHASE1_COMPLETE.md          # Phase 1 documentation
├── PHASE2_COMPLETE.md          # Phase 2 documentation
└── PHASE3_COMPLETE.md          # Phase 3 documentation
```
- Node.js >= 20.0.0 (Install Node.js)
- npm >= 10.0.0 (comes with Node.js)
- Docker (for PostgreSQL) OR PostgreSQL >= 14 installed locally
- (Optional) NVD API Key for faster vulnerability scanning (Get API Key)
```bash
# Clone the repository
git clone https://github.com/screwgoth/sbom-manager.git
cd sbom-manager

# (Optional) Configure JWT secret
cp .env.example .env
# Edit .env and set JWT_SECRET to a secure random string

# Start the entire stack
docker compose up -d

# Verify deployment
./verify-deployment.sh

# Access the app
open http://localhost
```

That's it! The application is now running with:
- ✅ Frontend on http://localhost
- ✅ Backend API on http://localhost:3000
- ✅ PostgreSQL database with auto-migration
- ✅ Nginx reverse proxy
First Steps:
- Open http://localhost
- Click "Create an account"
- Register with email/password
- Start generating SBOMs!
For detailed Docker deployment guide, see DOCKER_SETUP.md.
```bash
# Clone the repository
git clone https://github.com/screwgoth/sbom-manager.git
cd sbom-manager

# Install all dependencies
npm install
```

```bash
# Using Docker (recommended)
docker compose up -d

# Verify
docker compose ps
```

```bash
# Backend
cd backend
cp .env.example .env
# Edit .env:
# DATABASE_URL=postgresql://sbom_user:sbom_password@localhost:5432/sbom_manager
# NVD_API_KEY=your_nvd_api_key_here   # Optional but recommended

# Frontend
cd ../frontend
cp .env.example .env
# Edit .env:
# VITE_API_URL=http://localhost:3000/api
```

```bash
cd backend
npm run db:migrate
```

Option A: Both servers together

```bash
# From project root
npm run dev
```

Option B: Separate terminals

```bash
# Terminal 1: Backend
cd backend && npm run dev

# Terminal 2: Frontend
cd frontend && npm run dev
```

- Frontend: http://localhost:5173
- Backend API: http://localhost:3000
- Health Check: http://localhost:3000/api/health
- Navigate to Scanner: Click "Scanner" in the navigation bar
- Select Mode:
  - Upload Files: Upload dependency files (package.json, requirements.txt, etc.)
  - Scan Directory: Enter the path to a project directory on the server
- Fill Project Details:
  - Project name
  - Version
  - Author (optional)
- Start Scan: Click "Start Scan"
- View Results: After the scan completes, click "View Results" to see the SBOM
Automatic Scanning:
- Vulnerability scan automatically triggers after SBOM generation
- Results appear in Dashboard and Project Detail within 30-60 seconds
Manual Scanning:
- Go to Project Detail page
- Expand SBOM details
- Click "Scan Vulnerabilities" button
- Wait for scan to complete (shows loading spinner)
- Vulnerability summary updates automatically
- Dashboard View:
  - See aggregated license risk distribution
  - View policy violations across all projects
  - Check top licenses used
- Project Detail View:
  - Expand SBOM to see per-SBOM license summary
  - View components with risk-based license badges
  - Identify policy violations
Policies are configurable in the API. Default is "Commercial" policy which:
- ✅ Allows: MIT, Apache-2.0, BSD, ISC (Permissive licenses)
- ❌ Blocks: GPL-2.0, GPL-3.0, AGPL-3.0 (Strong copyleft)
- ⚠️ Warns: LGPL, MPL, EPL (Weak copyleft)

To change policy, update API calls with `?policy=permissive` or `?policy=open-source`.
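The policy logic described above, as an added example that is not the project's own `license-service.ts`: raw license strings are normalised to SPDX identifiers, each identifier is assigned to a license family by prefix, and a policy maps families to allow/warn/block verdicts with a risk level. The "commercial" verdicts follow the rules listed above; the alias table, the "unrestricted" policy, the risk mapping and the sample components are constructed assumptions for illustration.

```typescript
// Added example, not the project's license-service.ts: normalise raw license
// strings to SPDX identifiers, then evaluate them against a policy. The
// "commercial" rules follow the README; the alias table, "unrestricted" policy
// and risk mapping are constructed assumptions.

type Family = "permissive" | "weak-copyleft" | "strong-copyleft" | "unknown";
type Verdict = "allow" | "warn" | "block";
type Risk = "Low" | "Medium" | "High";

// Constructed alias table: lower-cased raw strings from manifests -> SPDX id
const SPDX_ALIASES: Record<string, string> = {
  "mit": "MIT", "mit license": "MIT",
  "apache 2.0": "Apache-2.0", "apache-2.0": "Apache-2.0", "apache license 2.0": "Apache-2.0",
  "bsd": "BSD-3-Clause", "bsd-3-clause": "BSD-3-Clause", "bsd-2-clause": "BSD-2-Clause",
  "isc": "ISC",
  "gpl-2.0": "GPL-2.0-only", "gplv2": "GPL-2.0-only",
  "gpl-3.0": "GPL-3.0-only", "gplv3": "GPL-3.0-only",
  "agpl-3.0": "AGPL-3.0-only",
  "lgpl-2.1": "LGPL-2.1-only", "lgpl-3.0": "LGPL-3.0-only",
  "mpl-2.0": "MPL-2.0", "epl-2.0": "EPL-2.0",
};

// SPDX uses NOASSERTION when the license could not be determined
function normalizeLicense(raw: string | undefined): string {
  const key = (raw ?? "").trim();
  if (!key) return "NOASSERTION";
  return SPDX_ALIASES[key.toLowerCase()] ?? key;
}

// Match on id prefixes so "GPL-3.0-or-later" lands in the same family as "GPL-3.0-only".
// Strong copyleft is tested first; "LGPL-" does not start with "GPL-", so it is not caught there.
function licenseFamily(id: string): Family {
  const startsWithAny = (prefixes: string[]) => prefixes.some(p => id.startsWith(p));
  if (startsWithAny(["GPL-", "AGPL-"])) return "strong-copyleft";
  if (startsWithAny(["LGPL-", "MPL-", "EPL-"])) return "weak-copyleft";
  if (startsWithAny(["MIT", "Apache-2.0", "BSD-", "ISC"])) return "permissive";
  return "unknown";
}

// A policy is a verdict per family. "commercial" mirrors the README's default;
// "unrestricted" is an assumed allow-everything policy. Unknown licenses warn.
const POLICIES: Record<string, Record<Family, Verdict>> = {
  commercial:   { permissive: "allow", "weak-copyleft": "warn",  "strong-copyleft": "block", unknown: "warn" },
  unrestricted: { permissive: "allow", "weak-copyleft": "allow", "strong-copyleft": "allow", unknown: "warn" },
};

const RISK_FOR_VERDICT: Record<Verdict, Risk> = { allow: "Low", warn: "Medium", block: "High" };

interface Component { name: string; version: string; license?: string; }
interface Finding { component: string; spdxId: string; family: Family; verdict: Verdict; risk: Risk; }

function evaluateLicenses(components: Component[], policyName = "commercial"): {
  findings: Finding[]; violations: Finding[]; riskCounts: Record<Risk, number>;
} {
  const policy = POLICIES[policyName];
  if (!policy) throw new Error(`unknown policy: ${policyName}`);
  const riskCounts: Record<Risk, number> = { Low: 0, Medium: 0, High: 0 };
  const findings = components.map(c => {
    const spdxId = normalizeLicense(c.license);
    const family = licenseFamily(spdxId);
    const verdict = policy[family];
    const risk = RISK_FOR_VERDICT[verdict];
    riskCounts[risk]++;
    return { component: `${c.name}@${c.version}`, spdxId, family, verdict, risk };
  });
  return { findings, violations: findings.filter(f => f.verdict === "block"), riskCounts };
}

// Constructed sample input: mixed raw license strings, one component with no license
const sample: Component[] = [
  { name: "left-pad", version: "1.3.0", license: "MIT" },
  { name: "httpclient", version: "4.5.13", license: "Apache 2.0" },
  { name: "readline", version: "8.1", license: "GPLv3" },
  { name: "glib", version: "2.72", license: "LGPL-2.1" },
  { name: "mystery-lib", version: "0.1.0" },
];

console.log(JSON.stringify(evaluateLicenses(sample, "commercial"), null, 2));
```

Under the commercial policy the sample yields one violation (the GPL-3.0-only component), two warnings (LGPL and the license-less component) and two allowed components; the missing license is treated as NOASSERTION and surfaces as a Medium-risk warning rather than silently passing.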
| Ecosystem | Files Supported | Parser Status | PURL Format |
|---|---|---|---|
| Node.js | package.json, package-lock.json | ✅ | pkg:npm/name@version |
| Python | requirements.txt, Pipfile, Pipfile.lock, pyproject.toml | ✅ | pkg:pypi/name@version |
| Java | pom.xml, build.gradle, build.gradle.kts | ✅ | pkg:maven/group/artifact@version |
| Go | go.mod, go.sum | ✅ | pkg:golang/module@version |
| Rust | Cargo.toml, Cargo.lock | ✅ | pkg:cargo/crate@version |
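The PURL formats in the table, as an added example that is not the project's own parser or generator code: one function builds a Package URL for each of the five ecosystems, applying the purl-spec rules the table's templates leave implicit (percent-encoded segments, `@scope` becoming `%40scope` for npm, lower-cased names with `_` mapped to `-` for pypi, lower-cased module paths split into namespace and name for golang), and a small parser reads one back. Sample package names and versions are constructed.

```typescript
// Added example, not the project's own code: build a Package URL for each
// ecosystem in the table and parse one back. Encoding follows the purl-spec.

type Ecosystem = "nodejs" | "python" | "java" | "go" | "rust";

interface PackageRef {
  ecosystem: Ecosystem;
  name: string;     // npm: optionally "@scope/name"; maven: "group:artifact"; go: module path
  version: string;
}

interface ParsedPurl { type: string; namespace?: string; name: string; version?: string; }

// Every path segment is percent-encoded, so "@scope" becomes "%40scope"
const enc = (s: string) => encodeURIComponent(s);

function toPurl(p: PackageRef): string {
  const v = enc(p.version);
  switch (p.ecosystem) {
    case "nodejs": {
      if (p.name.startsWith("@")) {           // scoped package: the scope is the namespace
        const [scope, name] = p.name.split("/", 2);
        return `pkg:npm/${enc(scope)}/${enc(name)}@${v}`;
      }
      return `pkg:npm/${enc(p.name)}@${v}`;
    }
    case "python":                            // pypi names are case-insensitive and "_" == "-"
      return `pkg:pypi/${enc(p.name.toLowerCase().replace(/_/g, "-"))}@${v}`;
    case "java": {
      const [group, artifact] = p.name.split(":", 2);
      if (!group || !artifact) throw new Error(`maven name must be group:artifact: ${p.name}`);
      return `pkg:maven/${enc(group)}/${enc(artifact)}@${v}`;
    }
    case "go":                                // all but the last path segment form the namespace
      return `pkg:golang/${p.name.toLowerCase().split("/").map(enc).join("/")}@${v}`;
    case "rust":
      return `pkg:cargo/${enc(p.name)}@${v}`;
    default:
      throw new Error(`unsupported ecosystem: ${String(p.ecosystem)}`);
  }
}

// Minimal parser for pkg:type/[namespace/]name[@version][?qualifiers][#subpath]
function parsePurl(purl: string): ParsedPurl {
  const m = /^pkg:([a-z0-9.+-]+)\/(.+)$/i.exec(purl);
  if (!m) throw new Error(`not a purl: ${purl}`);
  let rest = m[2].split("?")[0].split("#")[0];   // drop qualifiers and subpath
  let version: string | undefined;
  const at = rest.lastIndexOf("@");             // only the version "@" survives encoding
  if (at > 0) { version = decodeURIComponent(rest.slice(at + 1)); rest = rest.slice(0, at); }
  const segments = rest.split("/").map(decodeURIComponent);
  const name = segments.pop() as string;
  return { type: m[1].toLowerCase(), namespace: segments.length ? segments.join("/") : undefined, name, version };
}

// Constructed sample input covering all five ecosystems
const samples: PackageRef[] = [
  { ecosystem: "nodejs", name: "@types/node", version: "20.11.0" },
  { ecosystem: "python", name: "typing_extensions", version: "4.9.0" },
  { ecosystem: "java", name: "org.apache.logging.log4j:log4j-core", version: "2.17.1" },
  { ecosystem: "go", name: "github.com/gorilla/mux", version: "v1.8.0" },
  { ecosystem: "rust", name: "serde", version: "1.0.197" },
];

for (const s of samples) {
  const purl = toPurl(s);
  console.log(purl, "->", JSON.stringify(parsePurl(purl)));
}
```

The normalisation step matters for matching against vulnerability databases: `typing_extensions` and `Typing-Extensions` are the same PyPI project, and a lookup keyed on the raw manifest spelling would miss advisories filed under the canonical name.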
```bash
cd backend
npm run dev          # Start dev server with hot reload
npm run build        # Build for production
npm run start        # Start production server
npm run db:generate  # Generate new migrations
npm run db:migrate   # Run pending migrations
npm run db:studio    # Open Drizzle Studio (DB GUI)
```

```bash
cd frontend
npm run dev          # Start Vite dev server
npm run build        # Build for production
npm run preview      # Preview production build
npm run lint         # Run ESLint
```

```bash
# Test scanner with sample projects
cd /path/to/sbom-manager
node test-scanner.js

# Test specific parser
cd backend
npx tsx src/scanner/parsers/npm.ts
```

- `GET /api/health` - System health check
- `GET /api/projects` - List all projects
- `POST /api/projects` - Create project
- `GET /api/projects/:id` - Get project details
- `GET /api/sboms/project/:projectId` - Get SBOMs for project
- `GET /api/components/sbom/:sbomId` - Get components for SBOM

- `POST /api/scanner/scan/upload` - Upload and scan files
- `POST /api/scanner/scan/directory` - Scan directory path
- `POST /api/scanner/detect` - Detect ecosystem from files

Vulnerabilities:
- `POST /api/analysis/vulnerabilities/scan/:sbomId` - Trigger vuln scan
- `GET /api/analysis/vulnerabilities/summary/:sbomId` - Get summary
- `GET /api/analysis/vulnerabilities/component/:componentId` - Component vulns

Licenses:
- `GET /api/analysis/licenses/summary/:sbomId?policy=commercial` - License summary
- `GET /api/analysis/licenses/component/:componentId?policy=commercial` - Component license
- `GET /api/analysis/licenses/policies` - Available policies
See PHASE3_COMPLETE.md for detailed API documentation.
- NVD API:
  - Without key: 6 seconds between requests
  - With key: 0.6 seconds between requests
- OSV API: No rate limit (open source)
- Vulnerability data cached for 24 hours
- Cache stored in memory (lost on restart)
- Cache hit rate: ~80% after initial scan
- NVD API key stored in environment variable (never exposed to frontend)
- Only package names and versions sent to external APIs
- No proprietary source code transmitted
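The rate limiting and caching behaviour described above, as an added example that is not the project's own `vulnerability-service.ts`: a pacer that enforces the 6 s / 0.6 s minimum spacing between NVD requests depending on whether an API key is configured, and an in-memory cache with a 24-hour TTL keyed by PURL. The clock and sleep function are injectable so the timing logic can be exercised on a simulated clock; the `lookupVulns` glue, the fetcher signature and the advisory ids returned by the demo are constructed.

```typescript
// Added example, not the project's vulnerability-service.ts: minimum-interval
// pacing for NVD requests and a 24-hour in-memory TTL cache. Intervals and TTL
// are the values stated in the README; everything else is an assumption.

type Clock = () => number;                           // milliseconds
const NVD_INTERVAL_MS = { withKey: 600, withoutKey: 6000 };
const CACHE_TTL_MS = 24 * 60 * 60 * 1000;

class NvdPacer {
  private lastRequestAt = Number.NEGATIVE_INFINITY;  // no request sent yet
  constructor(private readonly hasApiKey: boolean, private readonly now: Clock = Date.now) {}

  intervalMs(): number {
    return this.hasApiKey ? NVD_INTERVAL_MS.withKey : NVD_INTERVAL_MS.withoutKey;
  }
  // Milliseconds the caller must still wait before the next request (0 = allowed now)
  waitMs(): number {
    return Math.max(0, this.lastRequestAt + this.intervalMs() - this.now());
  }
  markSent(): void { this.lastRequestAt = this.now(); }

  // Wait out the remaining interval, then record the request
  async acquire(sleep: (ms: number) => Promise<void>): Promise<void> {
    const wait = this.waitMs();
    if (wait > 0) await sleep(wait);
    this.markSent();
  }
}

class TtlCache<T> {
  private entries = new Map<string, { value: T; expiresAt: number }>();
  hits = 0;
  misses = 0;
  constructor(private readonly ttlMs: number = CACHE_TTL_MS, private readonly now: Clock = Date.now) {}

  get(key: string): T | undefined {
    const e = this.entries.get(key);
    if (e && e.expiresAt > this.now()) { this.hits++; return e.value; }
    if (e) this.entries.delete(key);                 // expired: evict and count as a miss
    this.misses++;
    return undefined;
  }
  set(key: string, value: T): void {
    this.entries.set(key, { value, expiresAt: this.now() + this.ttlMs });
  }
  hitRate(): number { const n = this.hits + this.misses; return n === 0 ? 0 : this.hits / n; }
}

// Only the purl (package name + version) reaches the fetcher; nothing else leaves the host
async function lookupVulns(
  purl: string, cache: TtlCache<string[]>, pacer: NvdPacer,
  fetcher: (purl: string) => Promise<string[]>, sleep: (ms: number) => Promise<void>,
): Promise<string[]> {
  const cached = cache.get(purl);
  if (cached) return cached;
  await pacer.acquire(sleep);
  const ids = await fetcher(purl);
  cache.set(purl, ids);
  return ids;
}

// Demo on a simulated clock: "sleeping" advances simulated time instead of blocking
async function demo(): Promise<{ fetches: number; hitRate: number; simulatedMs: number }> {
  let t = 0;
  const sleep = async (ms: number) => { t += ms; };
  const cache = new TtlCache<string[]>(CACHE_TTL_MS, () => t);
  const pacer = new NvdPacer(false, () => t);        // no API key: 6 s spacing
  let fetches = 0;
  const fetcher = async (_purl: string) => { fetches++; return [`ADVISORY-SAMPLE-${fetches}`]; };  // constructed ids
  const purls = ["pkg:npm/lodash@4.17.21", "pkg:npm/lodash@4.17.21", "pkg:pypi/requests@2.31.0"];
  for (const p of purls) await lookupVulns(p, cache, pacer, fetcher, sleep);
  return { fetches, hitRate: cache.hitRate(), simulatedMs: t };
}

demo().then(r => console.log(JSON.stringify(r)));
```

In the demo the second lookup of the same PURL is served from cache, and the third (a different package) has to wait the full 6 s of simulated time because no key is configured; swapping `false` for `true` in the pacer reduces that to 0.6 s. Because the cache lives in process memory, a restart discards it and the first scan afterwards pays the full rate-limited cost again.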
```bash
# Check if PostgreSQL is running
docker compose ps

# View logs
docker compose logs postgres

# Reset database (WARNING: deletes all data)
docker compose down -v
docker compose up -d
cd backend && npm run db:migrate
```

- Check NVD API Key: Make sure `NVD_API_KEY` is set in `backend/.env`
- Check Rate Limiting: Without an API key, scans are slower (6s per component)
- Check Logs: Run the backend with `npm run dev` and watch the console output
- Verify Network: Ensure the server can reach `services.nvd.nist.gov` and `api.osv.dev`
```bash
# Change backend port
# Edit backend/.env: PORT=3001

# Change frontend port
# Edit frontend/vite.config.ts: server: { port: 5174 }

# Update frontend API URL
# Edit frontend/.env: VITE_API_URL=http://localhost:3001/api
```

```bash
# Clear cache and reinstall
rm -rf node_modules backend/node_modules frontend/node_modules package-lock.json
npm install

# Rebuild backend
cd backend && npm run build

# Rebuild frontend
cd frontend && npm run build
```

- PRD.md - Product Requirements Document
- PHASE1_COMPLETE.md - Foundation implementation
- PHASE2_COMPLETE.md - Scanner implementation
- PHASE3_COMPLETE.md - Vulnerability & license tracking
- MULTI_FILE_UPLOAD.md - Multi-file upload feature guide
- SPDX Specification 2.3
- CERT-In SBOM Guidelines
- NVD API Documentation
- OSV API Documentation
- PURL Specification
- Phase 1: Foundation (Database, API, UI framework)
- Phase 2: Core Scanner (5 ecosystem parsers, SPDX generation)
- Phase 3: Vulnerability & License Tracking (NVD/OSV integration, policy engine)
- CSV export for components and vulnerabilities
- Excel export with formatted sheets and conditional formatting
- SPDX JSON/XML export
- CycloneDX JSON/XML export
- Report customization UI
- Dark mode toggle
- Responsive mobile design
- User authentication (optional)
- Email notifications for critical vulnerabilities
- Production deployment guide
- CI/CD integration (GitHub Actions, GitLab CI)
- Container image scanning
- Dependency graph visualization
- Historical vulnerability tracking
- Team collaboration features
- RBAC (Role-Based Access Control)
- SBOM signing and verification
- Scheduled background scans
- Redis cache for distributed systems
| Phase | Backend LOC | Frontend LOC | Total |
|---|---|---|---|
| Phase 1 | ~800 | ~400 | ~1,200 |
| Phase 2 | ~1,200 | ~350 | ~1,550 |
| Phase 3 | ~1,157 | ~865 | ~2,022 |
| Total | ~3,157 | ~1,615 | ~4,772 |
- ✅ 5 ecosystem parsers
- ✅ 12 dependency file formats
- ✅ SPDX 2.3 generation and validation
- ✅ 21 CERT-In minimum data fields
- ✅ NVD + OSV vulnerability scanning
- ✅ 14+ SPDX license mappings
- ✅ 4 license policy templates
- ✅ 20+ API endpoints
- ✅ 6 UI pages with responsive design
Contributions are welcome! Please read the PRD and existing phase documentation before submitting PRs.
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
This project is licensed under the MIT License. See LICENSE file for details.
- ScrewMolt - Initial development and architecture
- CERT-In for SBOM guidelines
- SPDX community for specifications
- NVD and OSV for vulnerability data
- Open source community for ecosystem parsers
Status: Phase 3 Complete ✅ | Ready for Phase 4
For detailed implementation notes, see phase documentation: