sboms · Jamie Tanna | Software Engineer

Friends and folks working with #SBOMs - how do you conceptually think about them in terms of ingesting them into tools?

I.e. I like to think of an SBOM having a source repository or component it relates to, but sometimes you don't know that up front, and all you have is the result of a scan, which could be the source repo, a container image, or a built binary.

Considering whether:

I try to guess what repo/component it is based on the filename
Just store the filename in the database and allow querying with that (and leave repo info optional)
Retrieve metadata from the SBOM that known tools use to define this
Some 4th option?

Trying to tweak how Dependency Management Data works with SBOMs and trying to find how other folks do it and consider them

Sun, 28 Apr 2024 12:00 by Jamie Tanna . #sboms.

Note

Do I know anyone with a (paid) Snyk org who'd be willing to give me a hand with getting some example data from their Open Source projects?

Looking to grab a project's SBOM to get some examples of what the data looks like, but seems to only be available if you're a paying customer, but I'm just trying to get some examples of #SBOMs for use with importing the data into dependency-management-data

Sun, 16 Jul 2023 14:08 by Jamie Tanna . #sboms.

Note

Does anyone know if there's a good community space where folks building tooling that work with #SBOMs can be found? Got some questions I'd like to ask!

Sat, 15 Jul 2023 14:57 by Jamie Tanna . #sboms.

Tag sboms