‎06-13-2022 06:59 AM
I have a requirement to keep SBOM data related to the Business applications and application services in CMDB with proper relationship in a way that meets the legal requirements.
Does ServiceNow have any OOTB table or tables to store and maintain this data?

‎06-13-2022 11:16 PM - edited ‎10-25-2023 01:38 AM
Update 25.10.2023:
Attention: Since the Tokyo release, ServiceNow has published a new data model for SBOM. There is a plugin "SBOM Core" available. Unfortunately I have not yet had the time to check how this data model will interact with CSDM. Because I just received a helpful mark, I just want to mention it. (@Starr thanks for mentioning it here too)
Hi Flavio,
In my understanding you could try to build a solution with the SDLC components. The definition from ServiceNow is:
"The SDLC component is a configuration item that represents a unique code development effort. The purpose of the SDLC component is to represent the parts of a larger business application or digital product broken down into its individually developed components. An SDLC component is a software part or element of a larger whole for an application or technology." (By SDLC Component view)
And the definition from @Mark Bodman is:
"It's best to think of the SDLC components as versioned ingredients used by build teams to construct App Service in CSDM V4. They are the assembly of instances of other products such as hardware, commercial and internally built software, config files, API's and other piece-parts used in the construction of Application Services that are managed and consumed." (Community Post)
For me both definitions could be connected to an SBOM item. The naming is just different. So that you can use the SDLC component as an SBOM, you should create a related list on the business application based on the relationships. And you need to define a clear configuration process for these components based on the legal requirements.
Please keep me up to date if you use this approach for your solution.
Thanks & Regards Sebastian
‎06-13-2022 07:12 AM
Hi Flavio,
There is no OOTB table which is actually tracking SBOM data.
But you can check the architecture for App service and Business application: https://community.servicenow.com/community?id=community_question&sys_id=f4f8421cdbeb04d014d6fb243996...
Mark my answer correct & Helpful, if Applicable.
Thanks,
Sandeep

‎10-08-2023 04:23 AM
Hello Flavio,
There is now a dedicated feature integrated with the Vancouver release (VR 19.0). Docs: VancouverSecurity
OOTB tables with prefix 'sn_sbom_' are added when SBOM Core, SBOM Response and Data Model for SBOM plugins are installed. See also SBOM workspace with functionalities beyond legal requirements.
Regards, Tomas
‎10-24-2023 11:50 AM
There is also an API that can be used to pull in a CycloneDX formatted SBOM file... Still in the early stages and I don't think it is totally working yet, but it is a start.
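
An added illustration for this thread (not code from any poster or from ServiceNow): a CycloneDX JSON SBOM flattened into component rows and parent/child relationship rows, which is the shape needed before components can be recorded with relationships to a business application. The sample document is constructed, and the output field names are hypothetical, not ServiceNow column names.

```javascript
// Constructed CycloneDX 1.4 JSON document (sample data, not from the thread).
const sbom = {
  bomFormat: "CycloneDX",
  specVersion: "1.4",
  metadata: { component: { "bom-ref": "app", type: "application", name: "billing-portal", version: "2.3.0" } },
  components: [
    { "bom-ref": "c1", type: "library", name: "express", version: "4.18.2", purl: "pkg:npm/express@4.18.2" },
    { "bom-ref": "c2", type: "library", name: "body-parser", version: "1.20.1", purl: "pkg:npm/body-parser@1.20.1" },
    { "bom-ref": "c3", type: "library", name: "legacy-util" } // no version or purl
  ],
  dependencies: [
    { ref: "app", dependsOn: ["c1", "c3"] },
    { ref: "c1", dependsOn: ["c2"] }
  ]
};

// Flatten the BOM into component rows plus parent -> child relationship rows.
// The row field names are hypothetical, not ServiceNow column names.
function flattenSbom(bom) {
  if (bom.bomFormat !== "CycloneDX") throw new Error("not a CycloneDX document");
  const root = bom.metadata && bom.metadata.component;
  if (!root) throw new Error("metadata.component (the application) is missing");

  const edges = new Map((bom.dependencies || []).map(d => [d.ref, d.dependsOn || []]));
  // Breadth-first walk from the application so each component gets a depth:
  // 1 = direct dependency, >1 = transitive. The depth map also guards against cycles.
  const depth = new Map([[root["bom-ref"], 0]]);
  const relationships = [];
  const queue = [root["bom-ref"]];
  while (queue.length) {
    const parent = queue.shift();
    for (const child of edges.get(parent) || []) {
      relationships.push({ parent, child });
      if (!depth.has(child)) { depth.set(child, depth.get(parent) + 1); queue.push(child); }
    }
  }

  const components = (bom.components || []).map(c => ({
    ref: c["bom-ref"], name: c.name, version: c.version || null, purl: c.purl || null,
    depth: depth.has(c["bom-ref"]) ? depth.get(c["bom-ref"]) : null, // null = not reachable from the app
    incomplete: !c.version || !c.purl // lacks identifiers needed to match advisories or licence records
  }));
  return { application: root.name + "@" + root.version, components, relationships };
}

console.log(JSON.stringify(flattenSbom(sbom), null, 2));
```

Rows flagged `incomplete` are the ones to resolve before the record can serve as evidence for a legal or audit requirement.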