Re: Topic for discussion: how do we link different Bill of Materials?
For anyone who can attend FOSDEM in Brussels on 5 February 2023, we have a track (“devroom”) on Software Bills of Materials, where a number of SBOM-related topics will be discussed.
The Call for Participation is currently open, till 28 November:
Hope to see you there!
From: main@... <main@...>
On Behalf Of Norio Kobota
Hi Jacob, Shane and all,
Thank you for sharing my thought and your interesting response.
Now some of the OpenChain Japan Sub workgroup member started
discussing about SBOM deeply from the perspective how to use SBOM
effectively in the complex supply chains and what is the problem to use it.
We are still in the early stages of discussions, but we will be sharing our
discussions and materials publicly in the future, so could you give us some advice?
And it might be difficult to participate because the language barriers and
time zones, but if you know similar discussion opportunities elsewhere,
please let me know.
I would like to participate as much as possible.
This is a great point, and one which I believe has been evolving over time. SAST, DAST, IAST, and RASP outputs similarly all show code analysis at different stages of the software build and distribution process. I would say for storage a Software Artifact Repository is the industry standard for code scanning and will most likely continue for SBOM results, but the combination of results will vary based on organizational policies, procedures, regulators, and other market factors.
If I put my computer forensics hat on, traceability and non-tampered evidence collection are paramount. Having the same piece of information at multiple stages of the software build and distribution process is informative in itself. Combination of the results may harm the overall goal. From a pragmatic perspective this is a significant data storage and analysis challenge.
Tying things together, I believe the SBOM consideration material you have made is great and brings light to an important issue. I also believe it fits together remarkably well with the 'SCA tooling evaluation metrics' project mentioned in yesterday's monthly call. Perhaps these stakeholders can work together?
On Tue, Nov 15, 2022 at 6:47 AM Shane Coughlan <scoughlan@...> wrote:
Intel Deutschland GmbH