Open planetf1 opened 2 years ago
Observation: Sonatype Lift (which scans our code) can generate CycloneDX SBOMs with vulnerability information. See https://lift.sonatype.com/results/github.com/odpi/egeria/01G5PTAEMBCH6PTJ4F8GFTVQAV?tab=dependencies
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.
See also https://github.blog/2023-03-28-introducing-self-service-sboms/ & referenced actions
Is there an existing issue for this?
Please describe the new behavior that that will improve Egeria
SBOMs (Software Bill of Materials) can include information about vulnerabilities as part of the information on the software supply chain. See https://en.wikipedia.org/wiki/Software_supply_chain
SBOMs should be associated with each deliverable - for example a Maven artifact, distribution or container. They also must be signed.
The two main formats are:
Tooling is available for a variety of languages, though it is still very much work in progress.
Organizations are increasingly focussing on software supply chain, so we need to look at what some (small) steps are that we can take in Egeria to make this easier.
Creation of SBOMs has been one suggestion - this may involve either build-time creation through a Maven/Gradle plugin, or use of external tools.
Alternatives
No response
Any Further Information?
No response
Would you be prepared to be assigned this issue to work on?
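As an added illustration of what "SBOMs with vulnerability information" means in practice (this is example code written for this page, not Egeria project code and not the output of Sonatype Lift or any build plugin): a small consumer-side check over a CycloneDX JSON document. It verifies the envelope, reports components that cannot be identified or verified (no `purl`, no `hashes`), and cross-references the document's `vulnerabilities` array against component `bom-ref`s so that entries pointing at nothing are flagged. The embedded SBOM and the `EXAMPLE-000x` vulnerability IDs are constructed placeholders, and the severity ordering is an assumption of this script, not something the CycloneDX spec mandates.

```python
"""Sanity-check a CycloneDX JSON SBOM (spec >= 1.4): component completeness
and cross-references from the embedded vulnerability entries."""
import json
from collections import Counter

# Constructed sample SBOM for illustration only. It is not real tool output,
# not from the Egeria project, and the vulnerability IDs are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "example-app", "version": "0.1"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/lib-a@1.2.3",
         "group": "org.example", "name": "lib-a", "version": "1.2.3",
         "purl": "pkg:maven/org.example/lib-a@1.2.3",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        # Second component deliberately lacks purl and hashes.
        {"type": "library", "bom-ref": "lib-b",
         "group": "org.example", "name": "lib-b", "version": "0.9"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "source": {"name": "example-db"},
         "ratings": [{"severity": "high", "score": 7.5, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:maven/org.example/lib-a@1.2.3"}]},
        # This entry points at a bom-ref that does not exist in the SBOM.
        {"id": "EXAMPLE-0002", "source": {"name": "example-db"},
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:maven/org.example/missing@1.0"}]},
    ],
})

# Assumed ordering, most severe first; CycloneDX only defines the vocabulary.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]


def load_sbom(text):
    """Parse the document and reject anything that is not CycloneDX JSON."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if "specVersion" not in bom:
        raise ValueError("missing specVersion")
    return bom


def component_gaps(bom):
    """Return {ref: [missing fields]} for components a consumer cannot
    identify (no purl) or verify against a downloaded artifact (no hashes)."""
    gaps = {}
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or "{}:{}:{}".format(
            comp.get("group", ""), comp.get("name"), comp.get("version"))
        missing = []
        if not comp.get("purl"):
            missing.append("purl")
        if not comp.get("hashes"):
            missing.append("hashes")
        if missing:
            gaps[ref] = missing
    return gaps


def worst_severity(vuln):
    """Most severe rating attached to a vulnerability entry ('unknown' if none)."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    sevs = sevs or ["unknown"]

    def rank(s):
        return SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else len(SEVERITY_ORDER)

    return min(sevs, key=rank)


def vulnerability_report(bom):
    """Count vulnerabilities by worst severity and list 'affects' references
    that do not resolve to any component bom-ref in the same document."""
    refs = {c.get("bom-ref") for c in bom.get("components", []) if c.get("bom-ref")}
    by_severity = Counter()
    dangling = []
    for vuln in bom.get("vulnerabilities", []):
        by_severity[worst_severity(vuln)] += 1
        for target in vuln.get("affects", []):
            if target.get("ref") not in refs:
                dangling.append((vuln.get("id"), target.get("ref")))
    return {"by_severity": dict(by_severity), "dangling": dangling}


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    print("component gaps:", component_gaps(bom))
    print("vulnerabilities:", vulnerability_report(bom))
```

A check like this belongs after SBOM generation and before the document is signed and published: an SBOM whose components carry no hashes cannot be used to verify the artifacts it describes, and a vulnerability entry whose `affects` reference resolves to nothing is noise that downstream scanners will silently drop.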