
Cloud-Based Software Bill of Materials Generation and Vulnerability Analysis Solution

Overview


Cybersecurity & Data Privacy
Texas, United States
Posted 3 months ago
Deadline: February 19th, 2026


SUMMARY


Seeking a cloud-based solution for automated Software Bill of Materials generation, vulnerability analysis, and integration with DevSecOps pipelines for Air Force operations.

DESCRIPTION


The Air Force is seeking a cloud-based solution to automate the generation of Software Bill of Materials (SBOM), perform vulnerability analysis, and seamlessly integrate with existing DevSecOps pipelines to support Platform One operations. The required enterprise-level software must be capable of creating automated SBOMs, analyzing container images, detecting vulnerabilities, and integrating into CI/CD workflows via API or CLI during the build process. Integration with standard vulnerability databases and the ability for users to mark or override false positives, as well as provide context for false negatives, are essential.

The solution should track software changes over time to detect new vulnerabilities affecting previous versions, examine file content, and evaluate policy rules based on that content. Configuration of alert channels such as email, Slack, or webhook is required to notify stakeholders when new vulnerabilities are discovered in existing SBOMs. A dashboard must provide a clear overview of vulnerability statuses, license compliance, and overall risk across multiple projects.

Security and usability are key: the software must include role-based access control (RBAC), support single sign-on (SSO) with secure authentication protocols such as OAuth and SAML, and present an intuitive web interface that non-technical stakeholders can use to view SBOMs and vulnerabilities and to generate reports. Robust automated testing should ensure the accuracy of SBOM generation, vulnerability detection, and reporting.

Source attribution

This Settle analysis is based on the issuing organization’s public RFP listing.
