I concur, Gary. “From what I’ve observed, build SBOMs are becoming increasingly popular and are being incorporated into some of the build tools themselves (e.g. NPM).”

Build SBOMs are the primary input to software product risk assessment activities. See CISA’s Software Acquisition Guide, CONTROL.GOV.09: “Does the supplier provide a machine-readable SBOM meeting minimum requirements defined by National Telecommunications Information Administration (NTIA) or successor guidance as published by CISA that covers all software components of the product being delivered to the customer organization?”
https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf

Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
<https://reliableenergyanalytics.com/products>
Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Gary O'Neall
Sent: Friday, August 9, 2024 4:14 PM
To: [email protected]; 'Nisha Kumar' <[email protected]>; [email protected]
Subject: Re: [spdx-tech] Validating Build SBOM in SPDX Format #spdx

From what I’ve observed, build SBOMs are becoming increasingly popular and are being incorporated into some of the build tools themselves (e.g. NPM). For some time, source code scans were the only option, since they were being built by 3rd parties after the code was originally built, as the tools were not as available for generating SBOMs at build time.

Regards,
Gary

From: [email protected] <[email protected]> On Behalf Of Vishal Goyal via lists.spdx.org
Sent: Friday, August 9, 2024 9:19 AM
To: Nisha Kumar <[email protected]>; [email protected]
Subject: Re: [spdx-tech] Validating Build SBOM in SPDX Format #spdx

Thanks Nisha for the response.

I have been digging deeper and have realized the same. A follow-up question: do we see many customers generate and maintain a build SBOM, or is the source code scan SBOM the most commonly used one? CISA talks about 6 SBOM types, and to me build SBOMs and run-time SBOMs look very relevant. But I have not seen these 2 being used too often.

Regards,
Vishal.

From: Nisha Kumar <[email protected]>
Sent: Friday, August 9, 2024 7:40 PM
To: Vishal Goyal <[email protected]>; [email protected]
Subject: Re: [spdx-tech] Validating Build SBOM in SPDX Format #spdx

Hi Vishal,

Most probably the difference comes from transitive dependencies pulled in during the build. Your pom.xml doesn't include those.

nisha

On 8/5/24 09:08, Vishal Goyal via lists.spdx.org wrote:

All,

I am looking for some help and guidance from experts on how to validate build SBOMs and check for any false positives. I have used this maven plugin to generate an SPDX format build SBOM for an open source Java project (https://github.com/wmichalska/CreditManager): https://github.com/spdx/spdx-maven-plugin

The build SBOM has around 120 lines. For the same codebase, I generated an SBOM by doing a source code scan; this has 10 lines. Can someone please advise how to validate the build SBOM?

Thanks,
Vishal.

View/Reply Online (#5697): https://lists.spdx.org/g/Spdx-tech/message/5697
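A concrete way to check the kind of discrepancy discussed in this thread (a build SBOM of ~120 lines versus a pom.xml scan of ~10, which Nisha attributes to transitive dependencies): key the packages of both SPDX documents by purl (or name@version), then ask, for every package that only the build SBOM lists, whether a DEPENDS_ON/CONTAINS chain leads to it from the described root. Packages with such a chain are explained as transitive dependencies; packages with no chain are the ones worth reviewing as possible false positives. The script below is an added example, not code from the thread, from spdx-maven-plugin, or from the CreditManager project. The two SPDX 2.3 documents in it are constructed samples; the package names, versions and SPDX IDs are illustrative, and `FORWARD`/`REVERSE` are this script's own grouping of SPDX 2.3 relationship types.

```python
# Added example (not from the thread or spdx-maven-plugin): diff a build SBOM
# against a source-scan SBOM and explain the extra packages via relationships.
from collections import deque

MVN = "pkg:maven/"


def _pkg(spdxid, name, version, purl=None):  # minimal SPDX 2.3 package entry (constructed)
    pkg = {"SPDXID": spdxid, "name": name, "versionInfo": version}
    if purl:
        pkg["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                "referenceType": "purl", "referenceLocator": purl}]
    return pkg


def _rel(src, kind, dst):
    return {"spdxElementId": src, "relationshipType": kind, "relatedSpdxElement": dst}


# Constructed build SBOM: root app, one direct dependency, two transitive ones,
# and one package the tool listed with no relationship back to the root.
BUILD_SBOM = {
    "SPDXID": "SPDXRef-DOCUMENT", "documentDescribes": ["SPDXRef-app"],
    "packages": [
        _pkg("SPDXRef-app", "creditmanager", "0.0.1-SNAPSHOT"),
        _pkg("SPDXRef-starter", "spring-boot-starter-web", "3.2.0",
             MVN + "org.springframework.boot/spring-boot-starter-web@3.2.0"),
        _pkg("SPDXRef-web", "spring-web", "6.1.1", MVN + "org.springframework/spring-web@6.1.1"),
        _pkg("SPDXRef-jackson", "jackson-databind", "2.15.3",
             MVN + "com.fasterxml.jackson.core/jackson-databind@2.15.3"),
        _pkg("SPDXRef-plugin", "maven-compiler-plugin", "3.11.0",
             MVN + "org.apache.maven.plugins/maven-compiler-plugin@3.11.0"),
    ],
    "relationships": [
        _rel("SPDXRef-app", "DEPENDS_ON", "SPDXRef-starter"),
        _rel("SPDXRef-starter", "DEPENDS_ON", "SPDXRef-web"),
        _rel("SPDXRef-web", "DEPENDS_ON", "SPDXRef-jackson"),
    ],
}

# Constructed source-scan SBOM: only what pom.xml declares, including a
# provided-scope dependency that the build SBOM happens not to list.
SOURCE_SBOM = {
    "SPDXID": "SPDXRef-DOCUMENT", "documentDescribes": ["SPDXRef-app"],
    "packages": [
        _pkg("SPDXRef-app", "creditmanager", "0.0.1-SNAPSHOT"),
        _pkg("SPDXRef-starter", "spring-boot-starter-web", "3.2.0",
             MVN + "org.springframework.boot/spring-boot-starter-web@3.2.0"),
        _pkg("SPDXRef-lombok", "lombok", "1.18.30", MVN + "org.projectlombok/lombok@1.18.30"),
    ],
    "relationships": [
        _rel("SPDXRef-app", "DEPENDS_ON", "SPDXRef-starter"),
        _rel("SPDXRef-app", "DEPENDS_ON", "SPDXRef-lombok"),
    ],
}

# SPDX 2.3 relationship types read here as "A pulls in B", plus their inverse spellings.
FORWARD = {"DESCRIBES", "DEPENDS_ON", "CONTAINS"}
REVERSE = {"DESCRIBED_BY", "DEPENDENCY_OF", "CONTAINED_BY"}


def identity(pkg):
    """Cross-document key for a package: its purl if present, else name@version."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return f"{pkg['name']}@{pkg.get('versionInfo', '')}".lower()


def reachable(doc):
    """SPDXIDs reachable from the document's roots by following dependency edges."""
    edges = {}
    for rel in doc.get("relationships", []):
        src, kind, dst = rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"]
        if kind in FORWARD:
            edges.setdefault(src, set()).add(dst)
        elif kind in REVERSE:
            edges.setdefault(dst, set()).add(src)
    roots = set(doc.get("documentDescribes", [])) | {doc.get("SPDXID", "SPDXRef-DOCUMENT")}
    seen, queue = set(roots), deque(roots)
    while queue:
        new = edges.get(queue.popleft(), set()) - seen
        seen |= new
        queue.extend(new)
    return seen


def compare(build_doc, source_doc):
    """Bucket every package by what explains its presence in the build SBOM."""
    build = {identity(p): p["SPDXID"] for p in build_doc["packages"]}
    source = {identity(p) for p in source_doc["packages"]}
    reach = reachable(build_doc)
    report = {"common": set(), "transitive": set(), "unexplained": set()}
    for key, spdxid in build.items():
        if key in source:
            report["common"].add(key)
        elif spdxid in reach:
            report["transitive"].add(key)
        else:
            report["unexplained"].add(key)  # nothing depends on it: review by hand
    report["source_only"] = source - set(build)
    return report


if __name__ == "__main__":
    for bucket, keys in compare(BUILD_SBOM, SOURCE_SBOM).items():
        print(f"{bucket} ({len(keys)}): " + ", ".join(sorted(keys)))
```

To run it on real output, replace the two constructed dicts with `json.load()` of the plugin's SPDX JSON and of the source-scan document; the script only reads `packages`, `relationships` and `documentDescribes`. The "source_only" bucket is as interesting as "unexplained": a declared dependency that never reaches the build SBOM (for example a provided-scope artifact) means one of the two tools is silently dropping something, and that needs the same manual look.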
