SBOM, Packaging, and Vulnerabilities - Kate Stewart & Art Manion | PackagingCon 2021
Author: PackagingCon
Uploaded: 2021-11-23
Views: 153
Description:
More info: https://pretalx.com/packagingcon-2021...
Description:
Three years of community-oriented software bill of materials (SBOM) work under NTIA has led to (among other things):
- Framing of a model, architecture, and requirements for SBOMs, data, and processes
- Formats that satisfy the framing constraints: SPDX, CycloneDX, SWID
To scale, and really to function at all, SBOM production needs to happen during software development phases such as build, packaging, and deployment.
We informally reviewed a handful of package management systems to look for commonality, differences, and alignment with the NTIA SBOM effort. One clearly identified SBOM use case, vulnerability management, stands to benefit from more and higher quality SBOM and inventory information.
What kinds of data does vulnerability management need from SBOM? To what extent do package management systems provide this data? What are the common elements that package management systems already provide?