Stage 2 criteria for available SBOM #173
Comments
|
What's the objective behind it? |
|
You raise a good point. However, more and more organisations are interested in having SBOMs for the software they use, and interest will increase with CRA and similar regulations. Thanks to OpenRail projects being Open Source, one can create this SBOM themselves. However, if the project already provided a well-crafted (and ideally tested) SBOM, this benefits at least the users. Also see this Sonatype article:
In short, dependency scanning as implemented in #174 rather works internally, while SBOM generation and publication works externally. |
|
It's worth noting that technically we already have a SBOM for all projects we host on GitHub via the GitHub generated dependency list, e.g. https://github.com/OpenRailAssociation/osrd/network/dependencies. If this is well-crafted is up for discussion and it's certainly not tested. |
|
Conclusion from TC meeting: Put it in the release requirements as recommendation for stage 2 and a requirement for stage 3. To be documented in #144. |
mxmehl
modified the milestones:
Define requirements for incubation stage 2,
Define requirements for incubation stage 3
When working on the security requirements for stage 2, I noticed that - to my knowledge - we didn't speak about SBOMs so far.
Would it make sense to ask stage 2 projects to provide sufficient SBOMs, at least for each release? Our own compliance-assistant is able to produce good results which also contain sufficiently OK licensing information.
We already have some related documentation on this for the licensing review: https://github.com/OpenRailAssociation/technical-committee/blob/main/project-handbook/license-review.md
/cc @cornelius @flomonster
The text was updated successfully, but these errors were encountered: