We want a consistent approach to creating a project or packages software bill of materials (SBOM).
From GitLab's Ultimate Guide to SBOMs
An SBOM is a nested inventory or list of ingredients that make up software components. In addition to the components themselves, SBOMs include critical information about the libraries, tools, and processes used to develop, build, and deploy a software artifact.
Which SBOM generating tool should we choose? And what should be our policy on publishing them (automatically)?
Context and Problem Statement
My initial suggestion is Syft. It could then be used in conjunction with Grype. SBOMs could also be signed (using perhaps cosign) and openly published like GitHub does for its workflow runners.
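As an added example (not part of the original decision record), the pipeline sketched above can be expressed as a single GitHub Actions workflow: Syft generates an SPDX SBOM of the source tree, Grype scans that SBOM and fails the job on high-severity findings, cosign signs the SBOM keylessly with the workflow's OIDC identity, and the SBOM plus its signature bundle are attached to the release. The trigger (release published), the file names (sbom.spdx.json and its .bundle), the severity cutoff, and the org/repo placeholder in the verification command are assumptions chosen for illustration.

```yaml
# Assumed file: .github/workflows/sbom.yml (example, not the project's own workflow)
name: sbom

on:
  release:
    types: [published]

permissions:
  contents: write   # needed to upload release assets
  id-token: write   # needed for keyless cosign signing via GitHub OIDC

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # 1. Generate an SPDX JSON SBOM of the checked-out source with Syft.
      #    upload-artifact is disabled because the release asset is the published copy.
      - name: Generate SBOM with Syft
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: sbom.spdx.json
          upload-artifact: false

      # 2. Scan the SBOM (not the tree again) with Grype so that the published
      #    inventory and the scanned inventory are the same document.
      #    severity-cutoff "high" is an assumed policy value.
      - name: Scan SBOM with Grype
        uses: anchore/scan-action@v3
        with:
          sbom: sbom.spdx.json
          fail-build: true
          severity-cutoff: high

      # 3. Sign the SBOM. Keyless signing binds the signature to this
      #    workflow's OIDC identity, so no long-lived private key is stored in CI.
      - uses: sigstore/cosign-installer@v3
      - name: Sign SBOM with cosign
        run: cosign sign-blob --yes --bundle sbom.spdx.json.bundle sbom.spdx.json

      # 4. Publish the SBOM and its signature bundle as release assets.
      - name: Attach SBOM and signature to the release
        env:
          GH_TOKEN: ${{ github.token }}
        run: >
          gh release upload "${{ github.event.release.tag_name }}"
          sbom.spdx.json sbom.spdx.json.bundle
```

A consumer verifies the downloaded SBOM before trusting its contents with `cosign verify-blob --bundle sbom.spdx.json.bundle --certificate-identity-regexp 'https://github.com/ORG/REPO/' --certificate-oidc-issuer https://token.actions.githubusercontent.com sbom.spdx.json` (ORG/REPO is a placeholder). Pinning the expected certificate identity and issuer is what makes the signature meaningful: it rejects SBOMs signed by any other repository's workflow, not just unsigned or tampered files.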