I also highly recommend watching this Microsoft video on SBOM - SCITT is discussed.
https://www.youtube.com/watch?v=Yu9-_0Dmvjk

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Dick Brooks
Sent: Monday, December 5, 2022 9:40 AM
To: 'Eliot Lear' <[email protected]>; [email protected]; [email protected]
Cc: 'Friedman, Allan' <[email protected]>
Subject: Re: [spdx-tech] [SCITT] Another party claiming that SBOM is bad

Eliot,

I assure you, using SAG-PM I can download a distribution package from the Internet and produce an SBOM, based on its contents, in less than 5 minutes. Attached you will find an SPDX SBOM for the current Log4j package distribution generated by SAG-PM. It took under 1 minute to produce this.

Please stop spreading misinformation claiming that SBOM generation is difficult; this is simply not true. It's not easy in all cases and it's not difficult in all cases, but there are plenty of cases where SBOM creation is quite easy.

Thanks,

Dick Brooks

-----Original Message-----
From: Eliot Lear <[email protected]>
Sent: Monday, December 5, 2022 9:32 AM
To: [email protected]; [email protected]; [email protected]
Cc: 'Friedman, Allan' <[email protected]>
Subject: Re: [SCITT] Another party claiming that SBOM is bad

Hi Dick,

On 05.12.22 15:14, Dick Brooks wrote:
> An SBOM is easy to produce using existing tooling, in many cases. I
> don’t understand the resistance to providing consumers an SBOM so that
> they can monitor for new risk/vulnerabilities.
I suspect we will get to the point where it is easy, but we are nowhere near that today for any but the simplest of devices. For any system of any complexity it requires careful analysis, license identification and selection, third party integration, and tooling integration for not only release but also patch management. That will require time and experience to get right.

Eliot

View/Reply Online (#4872): https://lists.spdx.org/g/Spdx-tech/message/4872
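A worked illustration of the step Dick describes above, producing an SPDX SBOM from a downloaded package's contents. This is an added example for the thread: it is not SAG-PM, not code from either author, and not an SPDX project tool. It assumes the distribution package has already been downloaded and unpacked into a directory; the `Creator` tool name, the `DocumentNamespace` placeholder and the two-file sample package are constructed for the demo. What it emits is SPDX 2.3 tag-value with per-file SHA-1 and SHA-256 checksums plus the package verification code defined by the SPDX spec (SHA-1 over the sorted file SHA-1s), which is what lets a consumer re-verify the SBOM against the bytes they actually received. License fields are deliberately `NOASSERTION`, since license identification, the part Eliot points to as hard, is a separate scan this example does not attempt.

```python
"""Minimal SPDX 2.3 tag-value SBOM generator for an unpacked package.

Added example for this thread; not SAG-PM and not an SPDX project tool.
Assumes the package has already been downloaded and unpacked into a
directory. License fields stay NOASSERTION: license identification is a
separate scan that this example does not perform.
"""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Iterable, List


def file_digest(path: Path, algo: str) -> str:
    """Hex digest of one file, streamed so large archives are not loaded into memory."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def package_verification_code(file_sha1s: Iterable[str]) -> str:
    """SPDX PackageVerificationCode: SHA-1 over the concatenation of the file
    SHA-1 hex strings in sorted order, so discovery order does not change it.
    (The spec excludes the SPDX document itself; we never write it into root.)"""
    return hashlib.sha1("".join(sorted(file_sha1s)).encode("ascii")).hexdigest()


def inventory(root: Path) -> List[Dict[str, str]]:
    """Every regular file under root with its SPDX-style relative name and checksums."""
    files = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files.append({
                "name": "./" + p.relative_to(root).as_posix(),
                "sha1": file_digest(p, "sha1"),
                "sha256": file_digest(p, "sha256"),
            })
    return files


def build_spdx(pkg_name: str, version: str, root: Path) -> str:
    """Render the document: header, one package, one File section per file."""
    files = inventory(root)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        "SPDXVersion: SPDX-2.3",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {pkg_name}-{version}",
        # Placeholder namespace; a real generator uses a URI it controls.
        f"DocumentNamespace: https://sbom.example.invalid/spdx/{pkg_name}-{version}",
        "Creator: Tool: example-sbom-generator-0.1",  # constructed tool name
        f"Created: {created}",
        "",
        f"PackageName: {pkg_name}",
        "SPDXID: SPDXRef-Package",
        f"PackageVersion: {version}",
        "PackageDownloadLocation: NOASSERTION",
        "FilesAnalyzed: true",
        f"PackageVerificationCode: {package_verification_code(f['sha1'] for f in files)}",
        "PackageLicenseConcluded: NOASSERTION",
        "PackageLicenseDeclared: NOASSERTION",
        "PackageCopyrightText: NOASSERTION",
        "",
        "Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package",
    ]
    for idx, f in enumerate(files, start=1):
        lines += [
            "",
            f"FileName: {f['name']}",
            f"SPDXID: SPDXRef-File-{idx}",
            f"FileChecksum: SHA1: {f['sha1']}",
            f"FileChecksum: SHA256: {f['sha256']}",
            "LicenseConcluded: NOASSERTION",
            "FileCopyrightText: NOASSERTION",
        ]
    return "\n".join(lines) + "\n"


def make_sample_package() -> Path:
    """Constructed stand-in for an unpacked download: two files with well-known digests."""
    root = Path(tempfile.mkdtemp(prefix="sbom-demo-"))
    (root / "lib").mkdir()
    (root / "lib" / "core.bin").write_bytes(b"abc")  # SHA-1 a9993e36...
    (root / "README").write_bytes(b"")                 # SHA-1 da39a3ee... (empty file)
    return root


def demo() -> str:
    """Generate the SBOM for the constructed sample package."""
    return build_spdx("sample-pkg", "1.0.0", make_sample_package())


if __name__ == "__main__":
    print(demo())
```

Pointing `build_spdx` at a real unpacked distribution is the whole "produce an SBOM from its contents" step; a consumer who receives the document can recompute the file checksums and the verification code over their own copy of the files, and any mismatch means the SBOM does not describe the bytes they have.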
