AJR/TechradarDev
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs: set v7 release date

Browse Source
This commit is contained in:
Stefan Rotsch
2023-11-01 09:14:16 +01:00
committed by Stefan Rotsch
parent 6bcd574eaf
commit d2ee09f387
58 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
radar/2023-11-01/sbom.md Normal file
View File

@@ -0,0 +1,24 @@
---
title: "Software Bill of Materials (SBOM)"
ring: assess
quadrant: platforms-and-aoe-services
tags: [devops, security]
---
A Software Bill of Materials (SBOM) is an artifact that consolidates information about the dependencies of a software.
Several standards exist that define the contents and format of SBOMs. The most prominent open-source formats include:
- [CycloneDX](https://cyclonedx.org/) (OWASP): designed in 2017 with the goal of identifying vulnerabilities in the software supply chain.
- [SPDX](https://spdx.dev/) (Linux Foundation): primarily focused on license compliance in the context of open source software. Support for tracking security vulnerabilities was added in 2016 with SPDX 2.1.
While the goals of these SBOM formats vary, they both support:
- Automated generation of SBOMs from source code.
- Machine-readable output to enable automated processing of SBOMs.
We see the potential for SBOMs to enhance software supply chain security by:
- Providing transparency regarding direct and transitive software dependencies.
- Automating the detection of software dependencies with known vulnerabilities.
- Promoting interoperability of security tools that support the same SBOM standards.