-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
28 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,51 +1,62 @@ | ||
| # Notes for the dialog | ||
|
|
||
| Raffi: Hey there, | ||
| What do many people do in January? | ||
| They plan their year and they plan their vacations. | ||
| They plan their year and they plan their vacation. | ||
| To help everyone find the perfect vacation destination, I have developed a tool that makes great recommendations based on certain parameters. | ||
|
|
||
| Are you interested in this tool? | ||
|
|
||
| # RNU: Demo -> Show demo app | ||
| ## Raffi - DEMO -> Show demo app | ||
|
|
||
| Unfortunately, I am only a hobby developer and still need some support before I can bring the tool to market. | ||
| Fortunately, Marc is helping me with this. He already prepared something and is now going to show us... | ||
|
|
||
| Raffi: Hey Marc, thanks for having a look at my tool. You already mentioned that we should create an SBOM for it. What exactly is an SBOM? | ||
| Marc: Great question, Raffi! An SBOM stands for Software Bill of Materials. It’s essentially a detailed inventory of all the components that make up a piece of software. | ||
| Marc: Great question, Raffi! An SBOM stands for **S**oftware **B**ill **o**f **M**aterials. It's essentially a detailed inventory of all the components that make up a piece of software. | ||
|
|
||
| Raffi: Oh, like a list of ingredients for a recipe? | ||
| Marc: Exactly! Just like you’d want to know what goes into your food, an SBOM tells you what’s inside your software, including proprietary and open-source components, their versions, licenses, and dependencies. | ||
| Marc: Exactly! Just like you'd want to know what goes into your food, an SBOM tells you what's inside your software, including proprietary and open-source components, their versions, licenses, and dependencies. | ||
|
|
||
| Raffi: Can you show me such an ingredients list and how to create it? | ||
| Marc: Sure! -> Show SBOM file, tell about standardized formats | ||
| Marc: Sure! | ||
|
|
||
| > [!NOTE] | ||
| > Show SBOM file, tell about standardized formats | ||
| ## Marc - DEMO -> show how to create an SBOM for a .NET application on your device | ||
|
|
||
| # Marc: Demo -> show how to create an SBOM for a .NET application on you device | ||
| > [!TIP] | ||
| > Installation via NuGet | ||
| > `dotnet tool install --global CycloneDX` | ||
| ```bash | ||
| dotnet CycloneDX ./demo-app/TravelDestinationRecommender.sln --out ./ | ||
| ``` | ||
|
|
||
| ## Known standards | ||
| ### Known standards | ||
|
|
||
| 1. **SPDX** (Software Package Data Exchange): A standard supported by the Linux Foundation. | ||
| 2. **CycloneDX**: A lightweight format specifically designed for security use cases. | ||
| 3. **SWID Tags** (Software Identification Tags): An ISO standard for software identification. | ||
| 1. **SPDX** (Software Package Data Exchange): A standard supported by the Linux Foundation | ||
| 2. **CycloneDX**: A lightweight format specifically designed for security use cases | ||
| 3. **SWID Tags** (Software Identification Tags): A ISO standard for software identification | ||
|
|
||
| Raffi: Why is it so important to have this "ingredient list" for software? | ||
| Marc: There are a few reasons. First, transparency. With an SBOM, you can clearly see what components are being used, which is especially helpful when you’re working with third-party or open-source software. | ||
| Marc: There are a few reasons. First, transparency. With an SBOM, you can clearly see what components are being used, which is especially helpful when you're working with third-party or open-source software. | ||
|
|
||
| Raffi: That makes sense. But transparency is not so important to me, do I have other advantages? | ||
| Marc: An SBOM helps identify vulnerabilities. If a specific version of a library or tool is found to have a security flaw, you can quickly check your SBOM to see if your software uses it. It’s a crucial part of vulnerability management. | ||
| Marc: An SBOM helps to identify vulnerabilities. If a specific version of a library or tool is found to have a security flaw, you can quickly check your SBOM to see if your software uses it. It's a crucial part of vulnerability management. | ||
|
|
||
| Raffi: Got it. So, it’s like spotting an expired ingredient in your fridge before it causes problems. | ||
| Marc: Exactly! Plus, it’s useful for compliance. An SBOM includes licensing details, so you can ensure your software complies with all relevant licenses and avoid legal trouble. | ||
| Raffi: Got it. So, it's like spotting an expired ingredient in your fridge before it causes problems. | ||
| Marc: Exactly! Plus, it's useful for compliance. An SBOM includes licensing details, so you can ensure your software complies with all relevant licenses and avoid legal trouble. | ||
|
|
||
| Raffi: I have seen that OWASP has published a tool that also maintains an inventory of my software. May I show you this solution? | ||
|
|
||
| # Raffi: Demo -> Generate and upload SBOM | ||
| # Raffi - DEMO -> Generate and upload SBOM | ||
|
|
||
| # Raffi: Demo -> Dependency Track UI | ||
| # Raffi - DEMO -> Dependency Track UI | ||
|
|
||
| Marc: Fine, I show you my approach | ||
|
|
||
| # Marc: Demo -> License Compliance Check | ||
| # Marc - DEMO -> License Compliance Check | ||
|
|
||
| # Comparison |