Thursday, June 29, 2023

CycloneDX 1.5 arrives!

June 26 was a watershed day for the “SBOM industry” (if I may be so bold as to declare this an industry). On that day, two important things happened, both of which I discuss in this new post on FOSSA’s blog:

1. CycloneDX 1.5 was released.

2. The CycloneDX Authoritative Guide to SBOM was published.

Which of these do I think is more significant? While CDX 1.5 represents a solid advance for what was already an excellent SBOM standard, the Guide (which I never even heard was in development, since – sniff! – Steve Springett never mentioned it to me) is simply the single best document on SBOMs that I’ve ever read.

I’ll point out that this isn’t a technical guide to CDX 1.5 (here’s the technical guide) and doesn’t even mention anything about v1.5, v1.4, etc. Instead, it introduces SBOMs, their use cases, and important features. Of course, all the examples in the Guide are from CycloneDX and the topics were clearly developed with CDX in mind; this just shows that the people that wrote the Guide, the CDX development team, ain’t no fools. But SPDX users will find the Guide very useful as well, so I recommend it to everyone.

What I especially liked in the Guide were the three items I discussed at the end of the post, under the heading “Three Important SBOM Problems and Their Solutions”. These are three of the hardest questions regarding SBOMs (the SBOM Forum just spent two meetings discussing only the first of these, and we never reached a conclusion). I’ve been wondering about all of them since the NTIA days, and none of the NTIA or CISA workgroups has ever seriously discussed them, let alone looked for a solution.

The Guide shows how each of these problems can be solved – yes, I’m saying “solved”, not “mitigated” – in CycloneDX (I assume they can be solved in SPDX as well, since the problems are certainly not specific to CDX). I planned to start discussing all three of them in blog posts, although I wasn’t sure I’d find an answer. Now the Guide’s published the answers. It seems they’re trying to put me out of business…

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
