In this blog, we explore generating a Software Bill of Materials (SBOM) for the Erlang/Elixir (Hex) ecosystem and discuss the importance of Software Composition Analysis (SCA) in maintaining the security and integrity of Erlang and Elixir projects.


An Overview of SBOMs and SCA Tools

A Software Bill of Materials (SBOM) is a detailed inventory of all software components and dependencies within a project.

In the Erlang/Elixir ecosystem, maintaining an accurate SBOM is essential due to the dynamic nature of Hex packages and dependencies.

Software Composition Analysis (SCA) tools help identify and manage vulnerabilities in these components, ensuring your projects remain secure.


What is Hex, Erlang, and Elixir?

Hex is the package manager for the Erlang ecosystem, including languages like Erlang and Elixir. Erlang is a general-purpose programming language and runtime environment, and Elixir is a dynamic, functional language designed for building scalable and maintainable applications.


Generating an SBOM for Erlang/Elixir with Syft

Syft is our chosen tool for generating SBOMs. In our testing, Syft generated the most well formed SBOM.


Steps to Generate an SBOM with Syft:

  1. Download and Install Syft:
`curl -sSfL | sh -s -- -b /usr/local/bin v1.3.0`
  1. Change Directory to Your Project/Application Directory
  2. Fetch Dependencies:
`mix deps.get`
  1. Generate SBOM:
`syft scan dir:./ --select-catalogers elixir,erlang -o cyclonedx-json=hackage.json`


Generating a Vulnerability Report with Vigiles

Vigiles is a comprehensive SBOM management, vulnerability monitoring, and remediation tool offered by Timesys.

To view the SBOM generated by Syft and generate a vulnerability report: Upload to Vigiles using the WebUI or using the vigiles-cli tool as shown below. Once uploaded, the tool will return a URL to the webUI.

`vigiles -k </path/to/key> manifest upload </path/to/sbom>`

Note: You need an active Vigiles Enterprise subscription.


Sample SBOM WebUI View

In the Vigiles WebUI, you can view the SBOM component details such as name, version, and license information.


Sample Vulnerability View

In this view, you can see all the vulnerabilities associated with each package and available fixes.


Vigiles pulls from multiple security advisories, including but not limited to NVD, OSV (GitHub Security Advisory, PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, RConsortium Advisory).



At the time of writing, Syft does not contain all the elements prescribed in the NTIA minimum elements for an SBOM. Below are the missing fields in the CycloneDX JSON format:

  • Supplier
  • License information


Get Started with Vigiles Today

Experience the full benefits of SBOM and vulnerability management with Vigiles. Try Vigiles Prime free for 30 days and discover how it can streamline your vulnerability management process, safeguard your software, and accelerate compliance workflows. Contact us for a free evaluation of Vigiles Enterprise and take the first step towards a more secure development journey.



Tools Evaluated