SBOM - kunisuzaki/misc GitHub Wiki
SBOM: Software Bill of Materials
Specification
- SPDX: Software Package Data Exchange, ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1, supported by Linux Foundation
- CycloneDX, supported by OWASP
- SWID: Software Identification Tags, ISO/IEC 19770-2:2015 Information technology — IT asset management — Part 2: Software identification tag
SBOM Types defined by CISA (Cybersecurity and Infrastructure Security Agency, USA)
Types of Software Bill of Materials (SBOM), published April 21, 2023
- Design
- Source
- Build
- Analyzed
- Deployed
- Runtime
Tools
- SigStore
- bom
- tools for CycloneDX
- SPIFFE (Secure Production Identity Framework For Everyone)
- Google's SLSA: Supply chain Levels for Software Artifacts
- In-toto
- syft
- Microsoft's salus, based on SPDX
- bomber: an application that scans SBOMs for security vulnerabilities
Related Research
- Software Aging
- Software Rejuvenation
- SCAP (Security Content Automation Protocol) & OVAL (Open Vulnerability and Assessment Language)