SBOM - kunisuzaki/misc GitHub Wiki

SBOM: Software Bill of Materials

• Executive Order 14028 of May 12, 2021
• SBOM Case Studies in Japanese companies (Written by Japanese)

Specification

• SPDX: Software Package Data Exchange, ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1, supported by Linux Foundation
• CycloneDX, supported by OWASP
• SWID: Software Identification Tags, ISO/IEC 19770-2:2015 Information technology — IT asset management — Part 2: Software identification tag

SBOM Type defined by CISA (Cybersecurity and Infrastructure Security Agency, USA)

Types of Software Bill of Materials (SBOM) Publish DateApril 21, 2023

• Design
• Source
• Build
• Analyzed
• Deployed
• Runtime

Tools

• SigStore
• bom
• tools for CycloneDX
• SPIFFE(Secure Production Identity Framework For Everyone)
• Google's SLSA: Supply chain Levels for Software Artifacts
• In-toto
• syft
• Microsoft’s salus based on SPDX
• bomber an application that scans SBoMs for security vulnerabilities

Reltaed Research

• Software Aging
• Software Rejuvenation
• SCAP(Security Content Automation Protocol) & OVAL（Open Vulnerability and Assessment Language)