Building a successful #OSPO with the Good Governance Initiative Handbook (aka #GGI).
At the upcoming #EclipseCon2023 @EclipseFdn @yakaceme will introduce the latest release of the Good Governance Handbook, v1.2
📅 17 Oct
⏰ 16:50
🌒 https://www.eclipsecon.org/node/4282
This #GGI talk is part of the #EclipseCon2023 track session called "#OpenSource Best Practices" covering a lot of topics of interest if you're dealing with an #OSPO (#IP #DueDiligence #InnerSource #SupplyChain #Security #Licensing #SBOM etc)
There is now a lot of info on how to generate an #SBOM, but not much on how to use the SBOMs you've generated, and barely anything on visualising your massive SBOM JSON and making sense of it, it seems.
Any clues, fedifriends?
Writing a parser for the #CyberDX #sbom #json format.
Because it might be eventually useful in the #perl core (unsure due to vagueness with upcoming EU CRA regulations), I can't use a standard #OpenAPI validator and I'm crafting it by hand with core Perl.
It's fun, but much harder!
After #blockchain solved #security problems, now #SBOM is solving all security issues.
We have published Part 2 of the Technical Guideline TR-03183 "Cyber Resilience Requirements". The document defines formal and technical requirements for software bills of materials (#SBOM). With it, we as the BSI offer software manufacturers a recommendation for designing SBOMs that serve to increase security in the software supply chain (Software Supply Chain Security).
Have we reached a point of no return on managing #software #dependencies? #SoftwareSupplyChain #sbom
Video from CISA’s 2023 SBOM-a-Rama event is now online! https://www.youtube.com/playlist?list=PL-BF3N9rHBLIGmx6Gtl6nxrlmC6fiFYS9 #sbom
📰 New article: #Security Developer-in-Residence Weekly Report #4
Discussed @projectsigstore signatures of #Python releases and PEP 710 for provenance of distributions and applicability to #SBOM.
https://sethmlarson.dev/security-developer-in-residence-weekly-report-4
Great post from the @osi arguing that Meta's new #LLM, #LLAMA2, is not #OpenSource.
I agree, *and*, we don't know where the data comes from .. data and models need to be considered separately from an #SBOM perspective.
#llm #llama2 #opensource #SBOM
PEP 710: Provenance of installed packages authored by @fridex 🎉
https://discuss.python.org/t/pep-710-recording-the-provenance-of-installed-packages
Can inspect an already existing #Python environment to find out where packages were installed from. Part 1/2 for being able to create an #SBOM from an existing Python environment 👀
update for all the upstream tools used by our #SBOM handling GitHub app at once. perfect end of week.
CycloneDX is one of the most popular standards for describing the components of an application. With the latest release of the specification, the project is expanding it even further to encompass hardware, operations, manufacturing, and artificial intelligence.
https://jpmellojr.blogspot.com/2023/07/cyclonedx-15-next-big-step-for-sboms.html #sbom
Easily scan container images with @Docker Scout https://www.fosslife.org/using-docker-scout-scan-container-images #Docker #OpenSource #DockerScout #containers #security #FOSS #SBOM
Second weekly report for the #Security Developer-in-Residence role. I wrote about bundled libraries in #Python wheels, #SBOM, Trusted Publisher metrics, and @GitHub Push Protection for @pypi API tokens:
https://sethmlarson.dev/security-developer-in-residence-weekly-report-2
"The succession of a number of large supply chain incidents such as SolarWinds and Log4J has made painfully clear in recent years that many organisations have insufficient insight into the dependencies within their software supply chain. The Software Bill Of Materials (SBOM) is an important building block for tackling this problem." Read more in the good #SBOM starter guide from the #NCSC https://www.ncsc.nl/documenten/publicaties/2023/juli/5/sbom-startersgids
Everyone is talking about Software Bill of Materials #sbom! Last week was CISA's SBOM-a-Rama event in LA that was all about SBOMs; I've compiled a list of articles covering the event and shared the links on my blog. https://blog.davelester.org/post/720683977482043392/sbom-a-rama-2023-round-up
Discover a few new Docker commands you might not know about https://www.fosslife.org/10-docker-commands-know #Docker #containers #OpenSource #SoftwareDevelopment #SBOM #FOSS
I was so excited (still am) about the v0.11 release of the @Docker #BuildKit ✨ With that release, creating an #SBOM and #SLSA provenance for your builds has never been easier!
I'm so glad to see that @openpolicyagent #Gatekeeper project uses these🥳✨
https://github.com/open-policy-agent/gatekeeper/blob/2835519d21bc1011483b015886e6a8d12c32f51f/Makefile#L105
#buildkit #SBOM #SLSA #gatekeeper