Eliot,

Would you be convinced that SBOM creation is easy if I showed you that I can create an SPDX SBOM from an apache distribution, downloaded from the Internet, all in less than 2 minutes?

And in less than 30 minutes have a trust score for that same downloaded apache package. Would that convince you that some SBOM creation really is that easy AND SBOM use in software risk assessment is useful at identifying software risks during a risk assessment?

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Eliot Lear
Sent: Monday, December 5, 2022 9:32 AM
To: [email protected]; [email protected]; [email protected]
Cc: 'Friedman, Allan' <[email protected]>
Subject: Re: [spdx-tech] [SCITT] Another party claiming that SBOM is bad

Hi Dick,

On 05.12.22 15:14, Dick Brooks wrote:
> An SBOM is easy to produce using existing tooling, in many cases. I
> don’t understand the resistance to providing consumers an SBOM so that
> they can monitor for new risk/vulnerabilities.

I suspect we will get to the point where it is easy, but we are nowhere near that today for any but the simplest of devices. For any system of any complexity it requires careful analysis, license identification and selection, third party integration, tooling integration to not only release but patch management. That will require time and experience to get right.

Eliot

View/Reply Online (#4880): https://lists.spdx.org/g/Spdx-tech/message/4880
