Software Bill of Materials

[borg-1of1]

Can you talk briefly on generating a Software Bill of Materials or SBOM? This is a required item for selling/delivering software to the US Government.

[karasowles]

@borg-1of1 this is a really good question, and when I asked around, other folks re-iterated what an important topic this is. We're not covering it in any of the talks this year, but we'll put a note down that folks are interested in it 👍

[borg-1of1]

This is a hot topic for a program I support and a huge concern as we look to secure the software supply chain. I do appreciate it and am loving what I see GitHub doing for DevSecOps workflows.

[rajbos]

I would love to use Dependabot's SCA results to generate an SBOM and have it linked with all the vulnerability alerts throughout GitHub.
Since that is not available, I';; be trying out the generator from the SPSX community here. That has support for a lot of languages already, so that should work as well.

More info on the Software Package Data Exchange (SPDX) can be found on their site

[borg-1of1]

I am somewhat partial to CycloneDX format but it really doesn't matter as I need to know what makes up my software so that I can be more proactive in hunting for weaknesses. I think the SBOM will be a way to make the black box of software a little more transparent. Would be nice to know what software I have that is using the same libraries under the hood that may potentially share a weakness before finding out about it in a CWE or CVE notice.

[jhutchings1]

👋🏻 Hello @borg-1of1 !
I lead the product team here at GitHub that focuses on supply chain security features like Dependabot. The executive order has led a lot of folks to look into what they can do to generate software bill of materials (SBOM) documents. For companies that sell what NIST classifies as critical software that are affected by the first round of regulations, there aren't many off the shelf solutions right now, and most of these companies are assembling their own solutions. Microsoft recently posted a pretty informative blog on their process if you're curious about what they've done.

Right now, we're collaborating with the larger tech community to develop shared solutions that will make this process easier before the regulations open up to a broader set of software. There's a lot to do, so I don't have any specific timelines I can share at the moment, but most of these discussions are taking place in forums like the OpenSSF and SPDX projects if you want to join in.

[borg-1of1]

I am on the other side of this coin. I am not necessarily looking to generate a SBOM, but rather verify. I would be interested in those groups. Thanks.