From 9ec575de71ff37e5fa720cb1f64016270948e760 Mon Sep 17 00:00:00 2001 From: Marc Rufer Date: Wed, 29 Jan 2025 10:30:28 +0100 Subject: [PATCH] Formatting --- DIALOG.md | 11 +++-------- README.md | 49 +++++++++++++++++++------------------------------ 2 files changed, 22 insertions(+), 38 deletions(-) diff --git a/DIALOG.md b/DIALOG.md index 1f09005..f58606d 100644 --- a/DIALOG.md +++ b/DIALOG.md @@ -8,18 +8,15 @@ Are you interested in this tool? # RNU: Demo -> Show demo app Unfortunately, I am only a hobby developer and still need some support before I can bring the tool to market. -Fortunately, Marc is helping me with this. He already prepared something and is now going to show us... - +Fortunately, Marc is helping me with this. He already prepared something and is now going to show us... Raffi: Hey Marc, thanks for having a look at my tool. You already mentioned that we should create an SBOM for it. What exactly is an SBOM? Marc: Great question, Raffi! An SBOM stands for Software Bill of Materials. It’s essentially a detailed inventory of all the components that make up a piece of software. Raffi: Oh, like a list of ingredients for a recipe? - Marc: Exactly! Just like you’d want to know what goes into your food, an SBOM tells you what’s inside your software, including proprietary and open-source components, their versions, licenses, and dependencies. Raffi: Can you show me such an ingredients list and how to create it? - Marc: Sure! -> Show SBOM file, tell about standardized formats # Marc: Demo -> show how to create an SBOM for a .NET application on you device 
@@ -27,25 +24,24 @@ Marc: Sure! -> Show SBOM file, tell about standardized formats dotnet CycloneDX ./demo-app/TravelDestinationRecommender.sln --out ./ ## Known standards + 1. **SPDX** (Software Package Data Exchange): A standard supported by the Linux Foundation. 2. **CycloneDX**: A lightweight format specifically designed for security use cases. 3. **SWID Tags** (Software Identification Tags): An ISO standard for software identification. Raffi: Why is it so important to have this "ingredient list" for software? - Marc: There are a few reasons. First, transparency. With an SBOM, you can clearly see what components are being used, which is especially helpful when you’re working with third-party or open-source software. Raffi: That makes sense. But transparency is not so important to me, do I have other advantages? - Marc: An SBOM helps identify vulnerabilities. If a specific version of a library or tool is found to have a security flaw, you can quickly check your SBOM to see if your software uses it. It’s a crucial part of vulnerability management. Raffi: Got it. So, it’s like spotting an expired ingredient in your fridge before it causes problems. - Marc: Exactly! Plus, it’s useful for compliance. An SBOM includes licensing details, so you can ensure your software complies with all relevant licenses and avoid legal trouble. Raffi: I have seen that OWASP has published a tool that also maintains an inventory of my software. May I show you this solution? # Raffi: Demo -> Generate and upload SBOM + # Raffi: Demo -> Dependency Track UI Marc: Fine, I show you my approach @@ -53,4 +49,3 @@ Marc: Fine, I show you my approach # Marc: Demo -> License Compliance Check # Comparison - diff --git a/README.md b/README.md index e129e8a..9f9ec0a 100644 --- a/README.md +++ b/README.md @@ -26,9 +26,9 @@ https://github.com/rufer7/sbom-and-license-scanning-tryout
What is an SBOM? -A Software Bill of Materials (SBOM) is a formal record containing the details and +A Software Bill of Materials (SBOM) is a formal record containing the details and **supply chain relationships** of various components used in building software. -These components, including libraries and modules, can be open source or proprietary, +These components, including libraries and modules, can be open source or proprietary, free or paid, and the data can be widely available or access-restricted.
@@ -39,6 +39,7 @@ free or paid, and the data can be widely available or access-restricted. Standards and Formats To ensure SBOMs are interoperable and easily exchangeable, standardized formats are used: + 1. **SPDX** (Software Package Data Exchange): A standard supported by the Linux Foundation. 2. **CycloneDX**: A lightweight format specifically designed for security use cases. 3. **SWID Tags** (Software Identification Tags): An ISO standard for software identification. @@ -50,13 +51,15 @@ To ensure SBOMs are interoperable and easily exchangeable, standardized formats
Why Are SBOMs Important? -1. **Transparency**: +1. **Transparency**: + - They provide a clear view of all software components, especially useful when using third-party or open-source dependencies. -2. **Security Management**: +2. **Security Management**: + - SBOMs help identify vulnerabilities in components, allowing organizations to assess and mitigate risks such as zero-day vulnerabilities more effectively. -3. **Compliance**: +3. **Compliance**: - Documenting software licenses ensures companies meet licensing requirements and avoid legal complications.
@@ -67,19 +70,18 @@ To ensure SBOMs are interoperable and easily exchangeable, standardized formats SBOM and .NET - [CycloneDX module for .NET](https://github.com/CycloneDX/cyclonedx-dotnet) - ```powershell - dotnet tool install --global CycloneDX - dotnet CycloneDX YourSolution.sln -o /output/path - ``` + ```powershell + dotnet tool install --global CycloneDX + dotnet CycloneDX YourSolution.sln -o /output/path + ``` - [GitHub action to generate a CycloneDX SBOM for .NET](https://github.com/CycloneDX/gh-dotnet-generate-sbom) - ``` - - name: Generate XML SBOM - uses: CycloneDX/gh-dotnet-generate-sbom@v1 - with: - path: ./CycloneDX.sln - github-bearer-token: ${{ secrets.GITHUB_TOKEN }} - ``` - + ``` + - name: Generate XML SBOM + uses: CycloneDX/gh-dotnet-generate-sbom@v1 + with: + path: ./CycloneDX.sln + github-bearer-token: ${{ secrets.GITHUB_TOKEN }} + ``` @@ -105,7 +107,6 @@ architecture-beta backend:R --> L:db ``` - --- @@ -113,39 +114,27 @@ architecture-beta
OWASP dep-scan - -
- ---
OSV-Scanner - -
- ---
GitHub Advanced Security - -
--- -
Sources - https://www.cisa.gov/
- - -
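Review bot: In the DIALOG.md hunk @@ -8,18 +8,15 @@, dropping the blank line between a Raffi turn and the following Marc turn (for example the one after `Raffi: Oh, like a list of ingredients for a recipe?`) makes a Markdown renderer join the two turns into a single paragraph, so `Marc: Exactly!` no longer starts on its own line. If DIALOG.md is meant to be read rendered, keep one blank line between turns; if it is only a raw speaking script, say so at the top of the file so the next formatting pass does not re-add them. While in this region, the context heading `# Marc: Demo -> show how to create an SBOM for a .NET application on you device` should read `your device`.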
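Review bot: In DIALOG.md hunk @@ -27,25 +24,24 @@, the command `dotnet CycloneDX ./demo-app/TravelDestinationRecommender.sln --out ./` is left as a bare text line while README.md puts the same tool invocation in a fenced powershell block; since this commit is a formatting pass, fence it the same way so the flags stay readable and copy-pasteable. The added blank line before the numbered list under `## Known standards` is the right fix (a list that directly follows a paragraph may not render as a list), but the blank lines removed between `Raffi:` and `Marc:` turns in the same hunk have the same paragraph-merging effect as in the first hunk.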
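Review bot: README.md hunk @@ -26,9 +26,9 @@ only strips trailing whitespace from two lines, and DIALOG.md @@ -53,4 +49,3 @@ together with the tail of README.md @@ -113,39 +114,27 @@ only remove blank lines at end of file; these are fine, but they will keep reappearing unless the repository carries an .editorconfig with `trim_trailing_whitespace = true` and `insert_final_newline = true`, so consider adding that in this commit. One caveat: in Markdown two trailing spaces are a hard line break, so check the rendered README once to confirm no intentional line break was removed along with the whitespace.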
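Review bot: README.md hunk @@ -50,13 +51,15 @@ inserts a blank line between the item text and the nested bullet for `1. **Transparency**:` and `2. **Security Management**:` but not for `3. **Compliance**:`, which leaves the list half loose and half tight; apply the same spacing to item 3 or drop the added blank lines, because in CommonMark a blank line inside any one item makes the whole list render loose (every item wrapped in its own paragraph) anyway. Separately, the context line under item 2 says SBOMs help mitigate `zero-day vulnerabilities`; an SBOM only lets you match your components against vulnerabilities that have already been disclosed, so `newly disclosed vulnerabilities` is the accurate wording.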
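Review bot: README.md hunk @@ -67,19 +70,18 @@ re-indents the two fenced blocks under their list items but leaves the second fence without an info string while the first carries `powershell`; the second block is a GitHub Actions step, so give it a `yaml` info string for highlighting. Two content points in the same lines are worth fixing while they are being touched: the two examples use different placeholders (`YourSolution.sln` in the CLI example, `path: ./CycloneDX.sln` in the action example), so pick one; and `uses: CycloneDX/gh-dotnet-generate-sbom@v1` is a floating tag, which in a README about software supply-chain security should be pinned to a full commit SHA (with the tag kept in a trailing comment) so that a moved `v1` cannot silently change the code that generates the SBOM.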
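Review bot: README.md hunk @@ -113,39 +114,27 @@ tidies the spacing under `OWASP dep-scan`, `OSV-Scanner` and `GitHub Advanced Security`, but those three headings still have no body at all, unlike the `SBOM and .NET` section, which at least gives an install and run command; either add the equivalent one-liner for each tool or mark the sections as TODO so readers do not take them for a finished comparison. `Sources` likewise lists only the site root `https://www.cisa.gov/`; point to the specific CISA page the README's SBOM definition draws on so the citation can be checked.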