An SBOM is a detailed inventory of all components within a software application, including open-source libraries, third-party dependencies, licenses, and known vulnerabilities. It serves as a critical tool for managing software supply chain risks, ensuring compliance, and enhancing security.
It's becoming more common on desktop apps and we should adopt this to allow for easier use in enterprises that require an SBOM.
We should standardise on https://github.com/anchore/syft and use https://github.com/anchore/grype for the code scanning.
Feedback from the team is that grype is identifying issues Sonar is missing.
The outputted SBOM should be added as a release artefact.
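As an added example (not code from this thread or from the syft/grype projects), the following POSIX shell script wires the proposed steps together: generate a CycloneDX SBOM with syft, scan that SBOM with grype so the scan result matches the inventory that ships, and attach both files to the GitHub release. It assumes `syft`, `grype` and the GitHub CLI `gh` are on `PATH`; the app name, tag, target directory and the `SBOM_RELEASE` guard variable are placeholders chosen for this example.

```shell
#!/usr/bin/env sh
# Added example (not from this thread or the anchore projects): generate a
# CycloneDX SBOM with syft, scan that SBOM with grype, and attach it to a
# GitHub release. Assumes syft, grype and the GitHub CLI (gh) are installed;
# app name, tag and paths are placeholders supplied by the caller.
set -eu

# File name for the published SBOM, e.g. myapp-v1.2.3.cdx.json
sbom_filename() {
    printf '%s-%s.cdx.json' "$1" "$2"
}

# Produce a CycloneDX JSON SBOM for a source tree or build output directory.
generate_sbom() {
    target="$1"; out="$2"
    syft "dir:$target" -o "cyclonedx-json=$out"
}

# Cheap sanity check before publishing: the file must be a CycloneDX document
# that actually carries a components list. Returns non-zero otherwise.
validate_sbom() {
    file="$1"
    grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file" || return 1
    grep -q '"components"[[:space:]]*:' "$file" || return 1
}

# Scan the SBOM itself rather than the tree again, so the findings refer to
# exactly the inventory that ships. grype exits non-zero when a vulnerability
# at or above the cutoff (default: high) is found, which fails the release.
scan_sbom() {
    sbom="$1"; report="$2"; cutoff="${3:-high}"
    grype "sbom:$sbom" -o json --file "$report" --fail-on "$cutoff"
}

# Attach the SBOM and the grype report to the release for the given tag.
publish_sbom() {
    tag="$1"; shift
    gh release upload "$tag" "$@" --clobber
}

# Orchestrate the whole flow: sbom_release <app-name> <tag> <target-dir>
sbom_release() {
    app="$1"; tag="$2"; target="$3"
    sbom=$(sbom_filename "$app" "$tag")
    report="${app}-${tag}.grype.json"
    generate_sbom "$target" "$sbom"
    validate_sbom "$sbom"
    scan_sbom "$sbom" "$report" high
    publish_sbom "$tag" "$sbom" "$report"
}

# Run only when invoked explicitly, e.g.:
#   SBOM_RELEASE=1 ./sbom-release.sh myapp v1.2.3 ./dist
if [ "${SBOM_RELEASE:-0}" = "1" ]; then
    sbom_release "$@"
fi
```

The scan step reads the SBOM (`sbom:` source) instead of rescanning the directory, so the vulnerability report published alongside the release describes the same component list an enterprise consumer will ingest; `--fail-on high` is where the team's severity policy would be tuned.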