June 26 was a watershed day for the “SBOM industry” (if I may be so bold as to declare this an industry). On that day, two important things happened, both of which I discuss in this new post on FOSSA’s blog:
1. CycloneDX 1.5 was released.
2. The CycloneDX Authoritative Guide to SBOM was published.
Which of these do I think is more
significant? While CDX 1.5 represents a solid advance for what was already an
excellent SBOM standard, the Guide (which I never even heard was in development,
since – sniff! – Steve Springett never mentioned it to me) is simply the single
best document on SBOMs that I’ve ever read.
I’ll point out that this isn’t a
technical guide to CDX 1.5 (here’s the technical guide)
and doesn’t even mention anything about v1.5, v1.4, etc. Instead, it introduces
SBOMs, their use cases, and important features. Of course, all the examples in
the Guide are from CycloneDX and the topics were clearly developed with CDX in
mind; this just shows that the people that wrote the Guide, the CDX development
team, ain’t no fools. But SPDX users will find the Guide very useful as well,
so I recommend it to everyone.
What I especially liked in the
Guide were the three items I discussed at the end of the post, under the
heading “Three Important SBOM Problems and Their Solutions”. These are three of
the hardest questions regarding SBOMs (the SBOM Forum just spent two meetings
discussing only the first of these, and we never reached a conclusion). I’ve
been wondering about all of them since the NTIA days, and none of the NTIA or
CISA workgroups has ever seriously discussed them, let alone looked for a solution.
The Guide shows how each of these
problems can be solved – yes, I’m saying “solved”, not “mitigated” – in
CycloneDX (I assume they can be solved in SPDX as well, since the problems are
certainly not specific to CDX). I had planned to start discussing all three of them
in blog posts, although I wasn’t sure I’d find an answer. Now the Guide has
published the answers. It seems they’re trying to put me out of business…
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would
like to comment on what you have read here, I would love to hear from you. Please
email me at tom@tomalrich.com.