diff --git a/DIALOG.md b/DIALOG.md
index 1f09005..f58606d 100644
--- a/DIALOG.md
+++ b/DIALOG.md
@@ -8,18 +8,15 @@ Are you interested in this tool?
# RNU: Demo -> Show demo app
Unfortunately, I am only a hobby developer and still need some support before I can bring the tool to market.
-Fortunately, Marc is helping me with this. He already prepared something and is now going to show us...
-
+Fortunately, Marc is helping me with this. He already prepared something and is now going to show us...
Raffi: Hey Marc, thanks for having a look at my tool. You already mentioned that we should create an SBOM for it. What exactly is an SBOM?
Marc: Great question, Raffi! An SBOM stands for Software Bill of Materials. It’s essentially a detailed inventory of all the components that make up a piece of software.
Raffi: Oh, like a list of ingredients for a recipe?
-
Marc: Exactly! Just like you’d want to know what goes into your food, an SBOM tells you what’s inside your software, including proprietary and open-source components, their versions, licenses, and dependencies.
Raffi: Can you show me such an ingredients list and how to create it?
-
Marc: Sure! -> Show SBOM file, tell about standardized formats
# Marc: Demo -> show how to create an SBOM for a .NET application on you device
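Review bot: Dropping the blank lines before the two "Marc:" turns (the removed lines after "Raffi: Oh, like a list of ingredients for a recipe?" and after "Raffi: Can you show me such an ingredients list and how to create it?") makes consecutive speaker lines render as a single paragraph in Markdown, so the dialogue turns run together on GitHub. If the turns should stay visually separate, keep a blank line between them or end each turn with two trailing spaces; note that the "Raffi:"/"Marc:" lines just above already lack separators, so the block is inconsistent either way and deserves one rule applied throughout. Unrelated to this change but visible in the context line: "on you device" in the last heading should read "on your device".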
@@ -27,25 +24,24 @@ Marc: Sure! -> Show SBOM file, tell about standardized formats
dotnet CycloneDX ./demo-app/TravelDestinationRecommender.sln --out ./
## Known standards
+
1. **SPDX** (Software Package Data Exchange): A standard supported by the Linux Foundation.
2. **CycloneDX**: A lightweight format specifically designed for security use cases.
3. **SWID Tags** (Software Identification Tags): An ISO standard for software identification.
Raffi: Why is it so important to have this "ingredient list" for software?
-
Marc: There are a few reasons. First, transparency. With an SBOM, you can clearly see what components are being used, which is especially helpful when you’re working with third-party or open-source software.
Raffi: That makes sense. But transparency is not so important to me, do I have other advantages?
-
Marc: An SBOM helps identify vulnerabilities. If a specific version of a library or tool is found to have a security flaw, you can quickly check your SBOM to see if your software uses it. It’s a crucial part of vulnerability management.
Raffi: Got it. So, it’s like spotting an expired ingredient in your fridge before it causes problems.
-
Marc: Exactly! Plus, it’s useful for compliance. An SBOM includes licensing details, so you can ensure your software complies with all relevant licenses and avoid legal trouble.
Raffi: I have seen that OWASP has published a tool that also maintains an inventory of my software. May I show you this solution?
# Raffi: Demo -> Generate and upload SBOM
+
# Raffi: Demo -> Dependency Track UI
Marc: Fine, I show you my approach
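Review bot: After removing the blank line that followed the numbered list under "## Known standards", the line "Raffi: Why is it so important to have this "ingredient list" for software?" sits directly beneath "3. **SWID Tags** ..." and will be parsed as a lazy continuation of that list item rather than as a new paragraph. Keep a blank line between the end of the list and the next speaker line; the blank line added after the "## Known standards" heading is the right idea and should be mirrored after the list. A wording nit in the trailing context: "Marc: Fine, I show you my approach" reads better as "Fine, I'll show you my approach".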
@@ -53,4 +49,3 @@ Marc: Fine, I show you my approach
# Marc: Demo -> License Compliance Check
# Comparison
-
diff --git a/README.md b/README.md
index e129e8a..9f9ec0a 100644
--- a/README.md
+++ b/README.md
@@ -26,9 +26,9 @@ https://github.com/rufer7/sbom-and-license-scanning-tryout
What is an SBOM?
-A Software Bill of Materials (SBOM) is a formal record containing the details and
+A Software Bill of Materials (SBOM) is a formal record containing the details and
**supply chain relationships** of various components used in building software.
-These components, including libraries and modules, can be open source or proprietary,
+These components, including libraries and modules, can be open source or proprietary,
free or paid, and the data can be widely available or access-restricted.
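Review bot: The two replaced lines ("...containing the details and" and "...can be open source or proprietary,") are identical to their replacements apart from trailing whitespace, which the diff does not show. If that trailing whitespace was a two-space Markdown hard line break, removing it changes the rendering from forced line breaks to one flowed paragraph; that is probably the intent, but it should be stated in the commit message so the whitespace-only hunk is not mistaken for noise. Enabling trim-trailing-whitespace on save in the repo's editor config would stop this kind of churn from recurring.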
@@ -39,6 +39,7 @@ free or paid, and the data can be widely available or access-restricted.
Standards and Formats
To ensure SBOMs are interoperable and easily exchangeable, standardized formats are used:
+
1. **SPDX** (Software Package Data Exchange): A standard supported by the Linux Foundation.
2. **CycloneDX**: A lightweight format specifically designed for security use cases.
3. **SWID Tags** (Software Identification Tags): An ISO standard for software identification.
@@ -50,13 +51,15 @@ To ensure SBOMs are interoperable and easily exchangeable, standardized formats
Why Are SBOMs Important?
-1. **Transparency**:
+1. **Transparency**:
+
- They provide a clear view of all software components, especially useful when using third-party or open-source dependencies.
-2. **Security Management**:
+2. **Security Management**:
+
- SBOMs help identify vulnerabilities in components, allowing organizations to assess and mitigate risks such as zero-day vulnerabilities more effectively.
-3. **Compliance**:
+3. **Compliance**:
- Documenting software licenses ensures companies meet licensing requirements and avoid legal complications.
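Review bot: The blank line inserted between the list item and its nested bullet for "1. **Transparency**:" and "2. **Security Management**:" is not applied to "3. **Compliance**:", which leaves the list inconsistent: a blank line inside a list makes Markdown treat it as a loose list (each item wrapped in its own paragraph with extra vertical spacing), and here only items 1 and 2 receive that treatment while item 3 stays tight. Either add the same blank line before "   - Documenting software licenses ..." or drop all three so the list renders uniformly.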
@@ -67,19 +70,18 @@ To ensure SBOMs are interoperable and easily exchangeable, standardized formats
SBOM and .NET
- [CycloneDX module for .NET](https://github.com/CycloneDX/cyclonedx-dotnet)
- ```powershell
- dotnet tool install --global CycloneDX
- dotnet CycloneDX YourSolution.sln -o /output/path
- ```
+ ```powershell
+ dotnet tool install --global CycloneDX
+ dotnet CycloneDX YourSolution.sln -o /output/path
+ ```
- [GitHub action to generate a CycloneDX SBOM for .NET](https://github.com/CycloneDX/gh-dotnet-generate-sbom)
- ```
- - name: Generate XML SBOM
- uses: CycloneDX/gh-dotnet-generate-sbom@v1
- with:
- path: ./CycloneDX.sln
- github-bearer-token: ${{ secrets.GITHUB_TOKEN }}
- ```
-
+ ```
+ - name: Generate XML SBOM
+ uses: CycloneDX/gh-dotnet-generate-sbom@v1
+ with:
+ path: ./CycloneDX.sln
+ github-bearer-token: ${{ secrets.GITHUB_TOKEN }}
+ ```
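Review bot: The second fenced block (the "Generate XML SBOM" step) still has no language tag after the re-indent; tag it as yaml so the GitHub Actions snippet gets syntax highlighting, and since the first block contains plain `dotnet` CLI invocations rather than PowerShell-specific syntax, a shell or bash tag would be a more accurate label than powershell. The move from two-space to three-space indentation is fine for content nested under a "- " bullet. Separately, DIALOG.md invokes the tool with "--out ./" while this block uses "-o /output/path" for the same command; confirm which spelling the installed CycloneDX tool version accepts and use it consistently in both files.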
@@ -105,7 +107,6 @@ architecture-beta
backend:R --> L:db
```
-
---
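Review bot: Removing the blank line between the closing ``` fence and the "---" rule is safe in CommonMark, because a setext heading underline only attaches to a paragraph line and a fence close is not one, but some Markdown renderers are less strict; keeping one blank line before a "---" thematic break costs nothing and removes any ambiguity. Minor, fine to merge either way.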
@@ -113,39 +114,27 @@ architecture-beta
OWASP dep-scan
-
-
-
---
OSV-Scanner
-
-
-
---
GitHub Advanced Security
-
-
---
-
Sources
- https://www.cisa.gov/
-
-
-
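Review bot: If "OWASP dep-scan", "OSV-Scanner" and "GitHub Advanced Security" are plain text lines rather than "#" headings, deleting every blank line between each of them and the following "---" turns each one into a setext level-2 heading (a text line immediately followed by "---" is a heading underline, not a thematic break), so this changes the rendered structure rather than just tidying whitespace. Keep at least one blank line before each "---" that is meant as a separator, or switch those lines to explicit "##" headings and drop the "---" rules. The three sections also still have no content beneath them; if they are placeholders, a one-line TODO under each would make that explicit to readers of the rendered page.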