Re: Topic for discussion: how do we link different Bill of Materials?

Jacob Wilson

This is a great point, and one which I believe has been evolving over time. SAST, DAST, IAST, and RASP outputs similarly all show code analysis at different stages of the software build and distribution process. I would say for storage a Software Artifact Repository is the industry standard for code scanning and will most likely continue for SBOM results, but the combination of results will vary based on organizational policies, procedures, regulators, and other market factors. 

If I put my computer forensics hat on, traceability and non-tampered evidence collection are paramount. Having the same piece of information at multiple stages of the software build and distribution process is informative in itself. Combination of the results may harm the overall goal. From a pragmatic perspective this is a significant data storage and analysis challenge.

Tying things together, I believe the SBOM consideration material you have made is great and brings light to an important issue. I also believe it fits together remarkably well with the 'SCA tooling evaluation metrics' project mentioned in yesterday's monthly call. Perhaps these stakeholders can work together?

On Tue, Nov 15, 2022 at 6:47 AM Shane Coughlan <scoughlan@...> wrote:
Kobota San has raised an interesting topic for discussion. Attached see slides with an overview.

Summary: there are various different types of SBOM involved in preparing various types of product. For example, Build SBOM, Binary SBOM, Source SBOM.

What is the best way to combine these for final records?

Thoughts and suggestions?

Join to automatically receive all group messages.