Generating a Software Bill of Materials (SBOM) with Open Source Standards and Tooling

Every month there seems to be a new software vulnerability showing up on social media, which causes open source program offices and security teams to start querying their inventories to see how the FOSS components they use may impact their organizations.

Frequently this information is not available in a consistent format within an organization for automatic querying, and the result may be a significant amount of email and manual effort. By exchanging software metadata between organizations in a standardized software bill of materials (SBOM) format, automation within an organization becomes simpler, accelerating the discovery process and uncovering risk so that mitigations can be considered quickly.

In the last year we've also seen standards like OpenChain (ISO/IEC 5230:2020) gain adoption in the supply chain. Customers have started asking for a bill of materials from their suppliers as part of negotiation and contract discussions to conform to the standard. OpenChain has a focus on ensuring that there is sufficient information for license compliance, and as a result it expects metadata for the distributed components as well. A software bill of materials can be used to support the systematic review and approval of each component's license terms, clarifying the obligations and restrictions that apply to the distribution of the supplied software and reducing risk.

...


News Link: https://www.linux.com/news/generating-a-software-bill-of-materials-sbom-with-open-source-standards-and-tooling/
