You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@royale.apache.org by Andrew Wetmore <co...@gmail.com> on 2022/08/02 13:26:23 UTC

Software Bill of Materials

Hi, all.

I was reading today about SBOM [1] ('a kind of nutrition label to reduce
software supply chain risk') and wondered whether it would be very
difficult to add such a document to the Royale release assets. It seems to
be an impending requirement (or 'desirement') for released software, and I
can't imagine it would be too hard to put one together for our product.

If this seems like a good idea, I would be happy to create a draft and get
others to improve it.

[1]
https://develop.secure.software/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks

-- 
Andrew Wetmore

Editor, Moose House Publications
Editor-Writer, The Apache Software Foundation

Re: Software Bill of Materials

Posted by Edward Stangler <es...@bradmark.com>.
The dependencies of the output of Royale are a concern, for licensing
and security reasons.  Angular automatically produces
3rdpartylicenses.txt to list dependencies, which is helpful.



On 8/2/2022 11:50 AM, Tom DuBuisson wrote:
> Andrew,
>
> You're right, SBOMs have gotten a lot of attention [1]. While it appears
> vendors are going to be most on the hook to provide SBOMs, having the
> insights available at project and library level will be impacting library
> selection more and more.
...
> On Tue, Aug 2, 2022 at 6:26 AM Andrew Wetmore wrote:


Re: Software Bill of Materials

Posted by Tom DuBuisson <to...@muse.dev>.
Andrew,

You're right, SBOMs have gotten a lot of attention [1]. While it appears
vendors are going to be most on the hook to provide SBOMs, having the
insights available at project and library level will be impacting library
selection more and more.

You can easily get bill of materials information for Royale using Lift if
you'd like. Here are some example runs for (forks of) asjs [2] and compiler
[3]. Notice the export button to get CycloneDX files out which could be
used as the first draft.

Cheers,
Thomas

Disclaimer: while I've interacted with Apache projects for a while, I am
working for a vendor of SBOM, vulnerability, and dependency tracking
tooling. The linked Lift tool is used by some Apache projects for nightly
SBOM scans (+ emails on security issues) and by a few more via the
sonatype-lift github application. The team is happy to help with any
questions or issues but whatever tool you pick I encourage you to move
forward.

[1]
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[2]
https://lift.sonatype.com/results/github.com/TomMD/royale-asjs/01G9FJ47NMQJF9TEVME6S2GJSV?tab=dependencies
[3]
https://lift.sonatype.com/results/github.com/tommd/royale-compiler/01G9FH4M6DVZZMEPF5DJGXEE6S?tab=dependencies


On Tue, Aug 2, 2022 at 6:26 AM Andrew Wetmore <co...@gmail.com> wrote:

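As an added example (not part of this thread, and not Lift's or Royale's own tooling): a small Python script that reads a CycloneDX JSON SBOM, such as the export mentioned above, and runs the checks a release reviewer would want before attaching the file to a release. It verifies that every component carries a version, a purl, a license and a hash, that every reference in the dependency graph resolves to a declared component, and that declared licenses fall within an allowlist. The SBOM embedded in the script is constructed for illustration; its component names, versions and licenses are hypothetical and are not Royale's real dependencies.

```python
"""Sanity checks for a CycloneDX (JSON) SBOM before it ships with a release.

Added example, not code from the thread, Lift or Royale. The document below
is constructed: package names, versions, hashes and licenses are made up.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed CycloneDX 1.4 document; assumes the exporter emits this shape.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {
        "type": "application", "name": "example-app", "version": "0.1.0",
        "bom-ref": "pkg:maven/org.example/example-app@0.1.0"}},
    "components": [
        {"type": "library", "name": "lib-a", "version": "1.2.3",
         "bom-ref": "pkg:maven/org.example/lib-a@1.2.3",
         "purl": "pkg:maven/org.example/lib-a@1.2.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        # Version, license and hash deliberately missing: a consumer cannot
        # match this entry against advisories or verify what shipped.
        {"type": "library", "name": "lib-b",
         "bom-ref": "pkg:maven/org.example/lib-b",
         "purl": "pkg:maven/org.example/lib-b"},
        {"type": "library", "name": "lib-c", "version": "0.9",
         "bom-ref": "pkg:npm/lib-c@0.9", "purl": "pkg:npm/lib-c@0.9",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.example/example-app@0.1.0",
         "dependsOn": ["pkg:maven/org.example/lib-a@1.2.3",
                       "pkg:maven/org.example/lib-b"]},
        # lib-d is referenced but never declared as a component.
        {"ref": "pkg:maven/org.example/lib-a@1.2.3",
         "dependsOn": ["pkg:maven/org.example/lib-d@2.0"]},
    ],
})


def load_bom(text: str) -> dict:
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX document")
    return bom


def component_findings(bom: dict) -> List[Tuple[str, str]]:
    """Flag components lacking the fields a consumer needs to act on the SBOM:
    version (advisory matching), purl (unambiguous identity), license
    (the licensing concern raised in the thread) and hash (verifying what shipped)."""
    findings = []
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        for field, label in (("version", "missing version"), ("purl", "missing purl"),
                             ("licenses", "missing license"), ("hashes", "missing hashes")):
            if not comp.get(field):
                findings.append((name, label))
    return findings


def dangling_dependency_refs(bom: dict) -> Set[str]:
    """Refs used in the dependency graph that no component declares as bom-ref."""
    known = {c.get("bom-ref") for c in bom.get("components", [])}
    root_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root_ref:
        known.add(root_ref)
    dangling = set()
    for dep in bom.get("dependencies", []):
        for ref in [dep.get("ref")] + list(dep.get("dependsOn", [])):
            if ref is not None and ref not in known:
                dangling.add(ref)
    return dangling


def license_ids(comp: dict) -> List[str]:
    """Collect SPDX ids, names or expressions declared on one component."""
    ids = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            ids.append(lic.get("id") or lic.get("name") or "<unknown>")
    return ids


def flagged_licenses(bom: dict, allowed: Set[str]) -> Dict[str, List[str]]:
    """Components whose declared licenses fall outside the given allowlist."""
    flagged = {}
    for comp in bom.get("components", []):
        bad = [lic for lic in license_ids(comp) if lic not in allowed]
        if bad:
            flagged[comp.get("name", "<unnamed>")] = bad
    return flagged


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    for name, issue in component_findings(bom):
        print(f"component {name}: {issue}")
    for ref in sorted(dangling_dependency_refs(bom)):
        print(f"dangling dependency ref: {ref}")
    # Allowlist is illustrative; substitute the project's actual license policy.
    for name, bad in flagged_licenses(bom, {"Apache-2.0", "MIT", "BSD-3-Clause"}).items():
        print(f"component {name}: license outside allowlist: {bad}")
```

Run it as a script to see the findings for the embedded document, or point load_bom at the exported file. The allowlist is a placeholder for whatever license policy the project applies; the checks are the ones worth running on a machine-generated first draft, since an exporter only records what it can find and silently leaves the rest blank.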

Re: Software Bill of Materials

Posted by Alex Harui <ah...@adobe.com.INVALID>.
The compiler does have a supply chain, IMO.  And some optional Flex modules for RemoteObject users also have a supply chain.

-Alex

On 8/2/22, 8:12 AM, "Harbs" <ha...@gmail.com> wrote:


    The lack of a supply chain for Royale is probably a good selling point… ;-)


    > On Aug 2, 2022, at 4:26 PM, Andrew Wetmore <co...@gmail.com> wrote:



Re: Software Bill of Materials

Posted by Harbs <ha...@gmail.com>.
The lack of a supply chain for Royale is probably a good selling point… ;-)


> On Aug 2, 2022, at 4:26 PM, Andrew Wetmore <co...@gmail.com> wrote: