What is SBOM Workbench?

SBOM Workbench is a graphical user interface (GUI) desktop application that scans and audits source code using the SCANOSS API. It enables developers to identify open-source components in their projects, analyse licence compliance, detect vulnerabilities and cryptographic usage, and generate Software Bills of Materials (SBOMs).

Installation

  1. Download the installer.
  2. Select the appropriate installer for your platform:
    • macOS: .dmg file
    • Windows: .exe installer
    • Linux: .AppImage or .deb package
  3. Run the installer.

Initial Configuration

  1. Open SBOM Workbench.
  2. Go to File > Settings.
  3. Click the "+" button next to Knowledgebase API.
  4. Enter your API key and endpoint details. If you do not have an API key, leave the defaults in place to use the free tier with standard rate limits.
  5. Click Add, then Save.

Workspaces

Local Workspaces

By default, SBOM Workbench stores projects in a local workspace on your machine. This is where scan results, project configurations, and identification decisions are saved.

Shared Workspaces

SBOM Workbench supports shared workspaces, enabling teams to collaborate on projects from a common network location with centralised scan results and project configurations. Team members with read and write access can make identifications, add notes, and share decisions across the team.

Setting Up a Shared Workspace

To configure a shared workspace:
  1. Create a shared network folder using Samba, with read/write permissions configured for the relevant team members.
  2. Mount the network share on each team member’s machine using the operating system’s native file-sharing tools.
  3. In SBOM Workbench, go to My Workspace > Add New Workspace.
  4. Browse to the mounted share, select the workspace directory, and click Add.
The shared workspace will appear in your workspace list and can be selected at any time to access projects stored there.

Getting Started with Your First Project

Once SBOM Workbench is configured, you can scan your first project. On the right-hand side of the home screen, select New Project, or use the dropdown arrow to choose from the following options:

Project Options

  • New Project: Select the directory of the project you want to scan.
  • Import Workbench Project: Load a previously scanned project exported as a .zip file.
  • Import from WFP: Import a Winnowing fingerprint (.wfp) file.
  • Import from Raw Result File: Load the output from a previous scan saved as a .json file.

Scanning Your First Project

  1. Click New Project and select the root folder of your source code.
  2. After selecting your project folder, configure the scan settings as needed:
    • Project name: Enter a descriptive name for the project.
    • Default licence: Set a default licence for your project, if applicable.
    • SCANOSS API: Configure your API key and endpoint (see Initial Configuration).
    • SBOM Ledger: Enable integration with SBOM Ledger for advanced SBOM tracking, if required.
    • Decompress Archives: When enabled, compressed archives are decompressed and their contents scanned individually.
    • Obfuscate File Paths: When enabled, file paths are hashed before being transmitted to the SCANOSS API.
    • High Precision Snippet Matching (HPSM): When enabled, applies a more granular fingerprinting algorithm for increased match accuracy at the cost of additional scan time.
  3. Click Continue at the bottom right of the screen to start the scan.

Understanding the Scanning Process

When a project folder is selected, SBOM Workbench processes the source files through the following stages.

Filtering

The application first filters the project directory, excluding build artefacts, binary files, empty files, and common metadata files. Only source files eligible for analysis are passed to the subsequent stages.

Fingerprinting

SBOM Workbench generates fingerprints of the source files using the Winnowing algorithm. These fingerprints are transmitted to the SCANOSS API over an encrypted connection and matched against a database of open-source components. This approach allows the tool to detect reused code at both the file and snippet level.
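To make the Fingerprinting stage and the Obfuscate File Paths scan setting concrete, here is an added Python illustration of Winnowing-style fingerprinting. It is not SBOM Workbench or SCANOSS client code: the k-gram length, window size, CRC32 gram hash, SHA-256 path hashing and the WFP-style record layout are assumptions made for this example, and the real client's parameters and file format are those defined by the SCANOSS clients and documentation. What it demonstrates is why the approach works for snippet detection: normalisation makes the fingerprint insensitive to reformatting, the window selection guarantees that any sufficiently long shared run of code produces at least one shared hash, and only hashes (never source text) appear in the record that would be transmitted.

```python
# Added illustration of Winnowing fingerprinting. NOT the SCANOSS client code:
# the constants, hash choices and record layout below are assumptions.
import hashlib
import zlib
from collections import defaultdict

K_GRAM = 30   # assumed k-gram length, in normalised characters
WINDOW = 64   # assumed winnowing window, in gram hashes


def normalize(text):
    """Reduce source text to lowercase alphanumerics, remembering the source
    line of each kept character so fingerprints can be reported per line.
    Whitespace, punctuation and case differences therefore do not change the
    fingerprint, which is what makes snippet matching robust to reformatting."""
    chars = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for c in line:
            if c.isalnum():
                chars.append((c.lower(), lineno))
    return chars


def gram_hashes(chars, k=K_GRAM):
    """Hash every k-gram of the normalised stream (CRC32 is an assumed choice)."""
    return [
        (zlib.crc32("".join(c for c, _ in chars[i:i + k]).encode()) & 0xFFFFFFFF,
         chars[i][1])
        for i in range(len(chars) - k + 1)
    ]


def winnow(hashes, window=WINDOW):
    """Select the minimum hash of each sliding window (rightmost on ties),
    recording a position only once. Any run of at least window + k - 1
    normalised characters shared by two files yields at least one shared hash."""
    if 0 < len(hashes) < window:      # short file: treat the whole stream as one window
        window = len(hashes)
    selected, last_idx = [], -1
    for i in range(len(hashes) - window + 1):
        best_idx = i
        for j in range(i, i + window):
            if hashes[j][0] <= hashes[best_idx][0]:
                best_idx = j
        if best_idx != last_idx:
            selected.append(hashes[best_idx])
            last_idx = best_idx
    return selected


def fingerprint(text):
    """(hash, line) pairs selected for a source file."""
    return winnow(gram_hashes(normalize(text)))


def hash_set(text):
    return {h for h, _ in fingerprint(text)}


def to_wfp(path, content, obfuscate_paths=False):
    """Render a WFP-style record: a file line with the content hash, size and
    path, then one line per source line listing the hashes selected there.
    The layout is modelled on the description above, not the exact SCANOSS
    syntax. With obfuscate_paths the path is replaced by its SHA-256 digest
    (assumed scheme) so directory and file names never leave the machine."""
    data = content.encode()
    shown = hashlib.sha256(path.encode()).hexdigest() if obfuscate_paths else path
    lines = [f"file={hashlib.md5(data).hexdigest()},{len(data)},{shown}"]
    by_line = defaultdict(list)
    for h, lineno in fingerprint(content):
        by_line[lineno].append(f"{h:08x}")
    for lineno in sorted(by_line):
        lines.append(f"{lineno}={','.join(by_line[lineno])}")
    return "\n".join(lines)


# Constructed sample inputs: a C function, the same function reformatted, and a
# larger file that embeds it among unrelated code.
SNIPPET = """static int parse_header(const unsigned char *buf, size_t len,
                        struct header *h)
{
    if (len < HEADER_SIZE) {
        return -1;
    }
    h->version = buf[0];
    h->flags = buf[1];
    h->length = (buf[2] << 8) | buf[3];
    if (h->length > len - HEADER_SIZE) {
        return -1;
    }
    return 0;
}
"""
SNIPPET_REFORMATTED = ("static int parse_header(const unsigned char *buf,size_t len,"
                       "struct header *h){if(len<HEADER_SIZE){return -1;}"
                       "h->version=buf[0];h->flags=buf[1];h->length=(buf[2]<<8)|buf[3];"
                       "if(h->length>len-HEADER_SIZE){return -1;}return 0;}\n")
CONTAINING_FILE = ("#include <stddef.h>\n#include <stdint.h>\n\n#define HEADER_SIZE 4\n\n"
                   "struct header { uint8_t version; uint8_t flags; uint16_t length; };\n\n"
                   + SNIPPET + "\nint main(void) { return 0; }\n")

if __name__ == "__main__":
    print(to_wfp("src/parse.c", SNIPPET, obfuscate_paths=True))
```

Run as a script it prints the record for the sample file with an obfuscated path; what a reviewer should take from the output is that it contains a content digest, a size, a path (or its hash) and per-line hashes, but no source text. The two invariants the functions expose, identical fingerprints for the reformatted copy and the snippet's hashes being a subset of the containing file's, are exactly the properties that let the API match reused code at snippet level without receiving the code itself.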

Analysis

In parallel with fingerprinting, the tool parses dependency manifests and scans for cryptographic usage and known vulnerabilities.

Results

When the scan is complete, SBOM Workbench generates a report containing matched components, licences, vulnerabilities, and dependencies. Results are stored in your active workspace and can be exported in SPDX, CycloneDX, CSV, or HTML format.

Archive Support

SBOM Workbench can scan compressed and archived files by automatically decompressing them during the filtering stage. This behaviour is controlled by the Decompress Archives setting described above.

Next Steps

After scanning your project, you can:
  • Review scan results in the Reports tab.
  • Audit detected components and dependencies.
  • Export your SBOM in the required format.
  • Analyse vulnerabilities and cryptographic usage.
For detailed information on these workflows, refer to the relevant sections in this documentation.