
Adding a software bill of materials (SBOM) #3520

Open
Rot127 opened this issue May 21, 2023 · 1 comment
Labels: buildsystem, enhancement (New feature or request), help wanted (Extra attention is needed), infrastructure

Comments

@Rot127 (Member) commented May 21, 2023

Is your feature request related to a problem? Please describe.

Adding a software bill of materials (SBOM) has several advantages:

  • Possibly increases the attractiveness for corporate use cases of Rizin.
  • Gives us a better understanding of our dependencies.
  • Possibly allows for automated CVE detection of dependencies we use.
  • Since software will be more regulated by legislation in the future, it might be better to start now with basic due diligence and supply chain security than later.

Describe the solution you'd like

Discuss which SBOM format should be used and write one.

Describe alternatives you've considered

  • It could be wise to wait until the Cyber Resilience Act (summary and intro by Bert Hubert) has defined some standards for how to do supply chain security and orient ourselves by it.
  • Not adding one, if it is too much effort.

Additional context

Also related to the issue of copied code:
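One concrete shape the proposal could take, as an added example that is not code from this issue or from the Rizin project: the script below reads Meson `[wrap-file]` definitions (the form Meson uses for `subprojects/*.wrap`; assuming those wraps are the dependency source to inventory), emits a minimal CycloneDX 1.4 JSON document with a `pkg:generic` purl and the SHA-256 of the pinned tarball per component, and then matches the components against a vulnerability list, which is the "automated CVE detection" step above. The wrap contents, library names, URLs, hashes and advisory entries are all constructed placeholders, not real packages or real advisories.

```python
"""Minimal CycloneDX 1.4 SBOM from Meson wrap files, plus a version-range
advisory match. Added example: every input below is constructed."""
import configparser
import json
import re
import uuid
from urllib.parse import quote

# Constructed sample: two Meson [wrap-file] sections as they would appear in
# subprojects/*.wrap. Names, URLs and hashes are placeholders.
SAMPLE_WRAPS = {
    "examplelib.wrap": """\
[wrap-file]
directory = examplelib-1.2.3
source_url = https://example.invalid/examplelib-1.2.3.tar.gz
source_filename = examplelib-1.2.3.tar.gz
source_hash = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
""",
    "otherlib.wrap": """\
[wrap-file]
directory = otherlib-0.9.0
source_url = https://example.invalid/otherlib-0.9.0.tar.gz
source_filename = otherlib-0.9.0.tar.gz
source_hash = fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
""",
}

# Constructed advisories: a component is affected if introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-1", "name": "examplelib", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "ADV-CONSTRUCTED-2", "name": "otherlib", "introduced": "0.1.0", "fixed": "0.9.0"},
]


def parse_wrap(text):
    """Return (name, version, url, sha256) from a [wrap-file] section.
    'directory' is mandatory in Meson and is conventionally '<name>-<version>'."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["wrap-file"]
    m = re.fullmatch(r"(.+?)-(\d[\w.+-]*)", sec["directory"])
    if not m:
        raise ValueError(f"cannot split name/version from {sec['directory']!r}")
    return m.group(1), m.group(2), sec.get("source_url", ""), sec.get("source_hash", "")


def component_from_wrap(text):
    """Build one CycloneDX component. pkg:generic is the purl type for tarballs
    outside any package-manager ecosystem; download_url and checksum pin exactly
    what was fetched, which is what a scanner needs to match reliably."""
    name, version, url, sha256 = parse_wrap(text)
    purl = f"pkg:generic/{name}@{version}?download_url={quote(url, safe='')}&checksum=sha256:{sha256}"
    comp = {"type": "library", "bom-ref": purl, "name": name, "version": version, "purl": purl}
    if sha256:
        comp["hashes"] = [{"alg": "SHA-256", "content": sha256}]
    return comp


def build_sbom(root_name, root_version, wraps):
    """Assemble the top-level CycloneDX 1.4 document; serialNumber is a fresh URN."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": root_name, "version": root_version}},
        "components": [component_from_wrap(t) for _, t in sorted(wraps.items())],
    }


def version_key(v):
    """Numeric-tuple ordering; good enough for dotted release versions."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def match_advisories(sbom, advisories):
    """Return (name, version, advisory id) for every component in an affected range."""
    hits = []
    for comp in sbom["components"]:
        v = version_key(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    bom = build_sbom("sample-app", "0.1.0", SAMPLE_WRAPS)
    print(json.dumps(bom, indent=2))
    print("affected:", match_advisories(bom, SAMPLE_ADVISORIES))
```

The `fixed` bound is exclusive, so `otherlib 0.9.0` against an advisory fixed in 0.9.0 is correctly reported clean; getting that boundary wrong is the usual source of false positives and negatives in home-grown matchers, which is one argument for the existing tooling mentioned in the next comment.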

@XVilka (Member) commented May 22, 2023

There is a bunch of existing tools for that: https://github.com/awesomeSBOM/awesome-sbom
