From 7d82db6456b2a6d0077190b3b61dcb1f0cfecab4 Mon Sep 17 00:00:00 2001 From: Marc Rufer Date: Wed, 29 Jan 2025 16:26:05 +0100 Subject: [PATCH] Update DIALOG.md --- DIALOG.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/DIALOG.md b/DIALOG.md index 40547b6..49396be 100644 --- a/DIALOG.md +++ b/DIALOG.md @@ -13,12 +13,15 @@ Unfortunately, I am only a hobby developer and still need some support before I Fortunately, Marc is helping me with this. He already prepared something and is now going to show us... Raffi: Hey Marc, thanks for having a look at my tool. You already mentioned that we should create an SBOM for it. What exactly is an SBOM? + Marc: Great question, Raffi! An SBOM stands for **S**oftware **B**ill **o**f **M**aterials. It's essentially a detailed inventory of all the components that make up a piece of software. Raffi: Oh, like a list of ingredients for a recipe? + Marc: Exactly! Just like you'd want to know what goes into your food, an SBOM tells you what's inside your software, including proprietary and open-source components, their versions, licenses, and dependencies. Raffi: Can you show me such an ingredients list and how to create it? + Marc: Sure! > [!NOTE] 
@@ -41,12 +44,15 @@ dotnet CycloneDX ./demo-app/TravelDestinationRecommender.sln --out ./ 3. **SWID Tags** (Software Identification Tags): A ISO standard for software identification Raffi: Why is it so important to have this "ingredient list" for software? + Marc: There are a few reasons. First, transparency. With an SBOM, you can clearly see what components are being used, which is especially helpful when you're working with third-party or open-source software. Raffi: That makes sense. But transparency is not so important to me, do I have other advantages? + Marc: An SBOM helps to identify vulnerabilities. If a specific version of a library or tool is found to have a security flaw, you can quickly check your SBOM to see if your software uses it. It's a crucial part of vulnerability management. Raffi: Got it. So, it's like spotting an expired ingredient in your fridge before it causes problems. + Marc: Exactly! Plus, it's useful for compliance. An SBOM includes licensing details, so you can ensure your software complies with all relevant licenses and avoid legal trouble. Raffi: I have seen that OWASP has published a tool that also maintains an inventory of my software. May I show you this solution? @@ -59,4 +65,12 @@ Marc: Fine, I show you my approach # Marc - DEMO -> License Compliance Check -# Comparison +# Conclusion + +- CycloneDX +- OWASP Dependency-Track +- Microsoft SBOM Tool + +- OWASP dep-scan +- OSV-Scanner +- Dependency review
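Review bot: In the first hunk (`@@ -13,12 +13,15 @@`) the blank lines are added only before Marc's replies; if the existing file does not already separate Raffi's turns from the preceding Marc turn with a blank line, Markdown will still merge those into one paragraph, so the same treatment should be applied to every speaker change for consistent rendering.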
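Review bot: In the second hunk (`@@ -41,12 +44,15 @@`) the unchanged context line `3. **SWID Tags** (Software Identification Tags): A ISO standard for software identification` has a grammar slip ("A ISO" should be "An ISO"); since the file is being touched here anyway, fold that fix in. Marc's vulnerability-management answer would also benefit from one sentence noting that the SBOM only helps if it is regenerated with each build and includes transitive dependencies, otherwise the check against a newly disclosed flaw misses components.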
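Review bot: In the third hunk (`@@ -59,4 +65,12 @@`) the renamed `# Conclusion` section consists of two bare bullet lists with no text explaining what the blank line between them separates (the first group reads like SBOM generation and inventory tooling, the second like vulnerability scanners, but that is a guess the reader has to make). Add a short lead sentence or sub-heading for each group, and spell out `Dependency review` as the full product name or link it, since on its own the entry is ambiguous.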