
Repository for SBOM files?



  • Just curious if Inedo has any thoughts about SBOMs (software bill of materials) and how they can be stored outside of a service which tracks dependencies.

    I'm starting to see a need for a service that makes it easy to find an SBOM from somewhere, similar to how a package repository works.

    Case:
    You have created a new application or updated the application, and you've created a BOM file.
    The BOM file isn't necessarily pushed automatically to a service (such as Dependency-Track), but put in a repository from which it can then be pulled when the application is finally pushed to QA or Production.


  • inedo-engineer

    Hi @harald-somnes-hanssen_2204 ,

    Just some random thoughts here...

    ProGet has the Package Consumers feature, but that's not quite a traceable BOM.

    We largely see BuildMaster's artifacts and metadata serving as the BOM (several customers implemented it like that), though we don't necessarily call it "software bill of materials". We probably should from a marketing/positioning standpoint :)

    There is no format/standard for an SBOM file, but an Asset Directory (and its directory- and file-level metadata) could serve as such a repository. Universal Packages could as well, but I would imagine an SBOM would be like an XML or JSON file or something.

    Steve



  • There is a lightweight standard for BOMs called CycloneDX though (https://cyclonedx.org/).
    CycloneDX can be output as either XML or JSON, which can be consumed in an application such as Dependency-Track. The problem though, is that Dependency-Track consumes the BOM file and does not keep it.

    Of course, it's possible that an Asset Directory could be used as a BOM repository, though pushing files to a git repository might be better in that regard, since it's easier to download the whole repo and compare files.


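The workflow discussed in this thread (generate a CycloneDX BOM per build, keep it in a repository rather than only feeding it to Dependency-Track, pull it back at QA/Production time and compare it with the previous build) can be demonstrated with a small script. The following is an added example, not code from Inedo or from the CycloneDX project: it uses two constructed CycloneDX 1.4 JSON documents for a hypothetical application "inventory-api", and a plain local directory stands in for whatever repository (Asset Directory, git, Universal Package feed) you would actually use. The directory layout, the `bom.cdx.json` file name and the `.sha256` sidecar are conventions chosen for this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


# Two constructed CycloneDX 1.4 JSON documents for successive builds of a
# hypothetical application "inventory-api". Sample data written for this
# example, not the output of any real SBOM tool.
def _bom(version, components):
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": "inventory-api", "version": version}},
        "components": [
            {"type": "library", "name": n, "version": v, "purl": f"pkg:nuget/{n}@{v}"}
            for n, v in components
        ],
    }


BOM_V1 = _bom("1.0.0", [("Newtonsoft.Json", "12.0.3"), ("Serilog", "2.10.0"), ("log4net", "2.0.8")])
BOM_V2 = _bom("1.1.0", [("Newtonsoft.Json", "13.0.1"), ("Serilog", "2.10.0"), ("Dapper", "2.0.123")])


def canonical_bytes(bom):
    """Serialise deterministically so the stored file has a stable digest."""
    return json.dumps(bom, sort_keys=True, separators=(",", ":")).encode()


def component_key(component):
    """Identity of a component independent of its version: the purl minus its
    @version, qualifiers and subpath; falls back to type/name when purl is absent."""
    purl = component.get("purl")
    if purl:
        base = purl.split("?", 1)[0].split("#", 1)[0]
        return base.rsplit("@", 1)[0] if "@" in base else base
    return f"{component.get('type', 'unknown')}/{component['name']}"


def components_by_key(bom):
    return {component_key(c): c.get("version", "") for c in bom.get("components", [])}


def diff_boms(old_bom, new_bom):
    """What changed in the dependency set between two BOMs of the same application."""
    old, new = components_by_key(old_bom), components_by_key(new_bom)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": {k: (old[k], new[k]) for k in sorted(old.keys() & new.keys()) if old[k] != new[k]},
    }


def bom_path(repo_dir, name, version):
    return Path(repo_dir) / name / version / "bom.cdx.json"


def store_bom(repo_dir, bom):
    """Write the BOM under <app>/<version>/ with a sha256 sidecar. Storing the
    same document twice is a no-op; a *different* document for an existing
    app/version is rejected, so a stored BOM cannot be silently replaced."""
    meta = bom["metadata"]["component"]
    target = bom_path(repo_dir, meta["name"], meta["version"])
    data = canonical_bytes(bom)
    digest = hashlib.sha256(data).hexdigest()
    if target.exists():
        if target.read_bytes() != data:
            raise ValueError(f"{target} already holds a different BOM; refusing to overwrite")
        return digest
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    target.with_name(target.name + ".sha256").write_text(digest + "\n")
    return digest


def load_bom(repo_dir, name, version):
    """Read a stored BOM back and verify it against its recorded digest."""
    target = bom_path(repo_dir, name, version)
    data = target.read_bytes()
    expected = target.with_name(target.name + ".sha256").read_text().strip()
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        raise ValueError(f"digest mismatch for {target}: {actual} != {expected}")
    return json.loads(data)


def demo():
    """Store both builds' BOMs, attempt an overwrite, then pull and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        d1 = store_bom(tmp, BOM_V1)
        d2 = store_bom(tmp, BOM_V2)
        # A rebuilt app that reuses a version number but ships different
        # dependencies must not replace the BOM already on record.
        tampered = json.loads(json.dumps(BOM_V2))
        tampered["components"].pop()
        try:
            store_bom(tmp, tampered)
            rejected = False
        except ValueError:
            rejected = True
        old = load_bom(tmp, "inventory-api", "1.0.0")
        new = load_bom(tmp, "inventory-api", "1.1.0")
        return {"digests_differ": d1 != d2, "rejected_overwrite": rejected,
                "diff": diff_boms(old, new)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff is keyed on the version-stripped purl rather than on the component name, so the same library published under two ecosystems is not conflated, and the immutability check in `store_bom` is the property a git history or a locked Asset Directory would give you: the BOM that was reviewed before the QA or Production push is the one that is still on record afterwards.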