AJR/TechradarDev
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs: add SBOM to assess

Browse Source
This commit is contained in:
Simon Becker
2023-07-28 14:57:06 +02:00
committed by Stefan Rotsch
parent be41a7d98c
commit ac5f63076e
1 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
radar/2023-09-01/sbom.md Normal file
View File

@@ -0,0 +1,25 @@
---
title: "Software Bill of Materials (SBOM)"
ring: assess
quadrant: platforms-and-aoe-services
tags: [devops, security]
---
A Software Bill of Materials (SBOM) is an artifact that consolidates information about the dependencies of a software.
Multiple standards that define the contents and format of SBOMs exist.
The most prominent open-source formats include:
- [CycloneDX](https://cyclonedx.org/) (OWASP): designed in 2017 with the goal to identify vulnerabilities in the software supply chain.
- [SPDX](https://spdx.dev/) (Linux Foundation): mainly focused on license compliance in the context of open source software. Support for tracking security vulnerabilities has been added in 2016 with SPDX 2.1.
While the goals of these SBOM formats vary, they both support
- automated generation of SBOMs from source code and
- machine-readable output to enable automated processing of SBOMs.
We see potential for SBOMs to improve software supply chain security by facilitating
- transparency regarding direct and transitive software dependencies,
- automated detection of software dependencies with known vulnerabilities and
- interoperability of security tools that support the same SBOM standards.