No Project is an Island: Why You Need SBOMs and Dependency Management
canopic jug writes:
Author, sysadmin, and Grumpy BSD Guy, Peter N M Hansteen, has written a post about Software Bill of Materials (SBOM) and how they relate to all software, both proprietary and Free and Open Source Software (FOSS). Increasingly, maintaining a machine-readable inventory of runtime and build dependencies in the form of an SBOM is becoming the cost of doing business, even for FOSS projects.
Whether you let others see the code you wrote or not, the software does not exist in isolation.
All software has dependencies, and in the open source world this fact has been treated as a truth out in the open. Every free operating system, and in fact most modern-ish programming languages come with a package system to install software and to track and handle the web of dependencies, and you are supposed to use the corresponding package manager for the bulk of maintenance tasks.
So when the security relevant incidents hit, the open source world was fairly well stocked with code that did almost all the things that were needed for producing what became known as Software Bill of Materials, or SBOM for short.
So what would a Software Bill of Materials even look like?
Obviously nuts and bolts would not be involved, but items such as the source code files in your project, any libraries or tools needed to build the thing would be nice-to-knows, and once you have the thing built, what other things -- libraries, suites of utilities, services that are required to be running or other software frameworks of any kind -- that are required in order to have the thing run are obvious items of interest.
So basically, any item your code would need comes out as a dependency, and you will find that your code has both build time and run time dependencies.
There is increasing agreement that SBOMs are now necessary. The question is now becoming how to implement them without adding undue burdens onto developers or even onto whole development teams. Perhaps the way would be to separate out the making of these machine-readable inventories similarly to how packaging is generally separate from the main development activities.
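As an added illustration (not from the submission or from Hansteen's post), a small Python script that assembles the build-time and run-time dependencies described above into a minimal machine-readable inventory, then asks the question an SBOM exists to answer when an incident hits: which of my components does a given advisory touch? The package names, versions and the advisory are constructed sample data, and the JSON layout only loosely follows CycloneDX (an assumption, not the exact schema).

```python
import json

# Constructed runtime manifest: what must be installed for the program to run.
RUNTIME_DEPS = {"requests": "2.31.0", "urllib3": "2.0.7", "certifi": "2023.7.22"}
# Constructed build-time manifest: needed only to build or test the thing.
BUILD_DEPS = {"setuptools": "68.2.2", "pytest": "7.4.3"}


def purl(name: str, version: str) -> str:
    """Package URL identifier for a PyPI package (pkg:pypi/<name>@<version>)."""
    return f"pkg:pypi/{name.lower()}@{version}"


def build_sbom(project: str, project_version: str) -> dict:
    """Assemble the inventory, tagging each component with its dependency scope."""
    components = []
    for scope, deps in (("runtime", RUNTIME_DEPS), ("build", BUILD_DEPS)):
        for name, version in sorted(deps.items()):
            components.append({
                "type": "library",
                "name": name,
                "version": version,
                "purl": purl(name, version),
                "properties": [{"name": "dependency-scope", "value": scope}],
            })
    return {
        "bomFormat": "CycloneDX",  # layout modelled loosely on CycloneDX (assumption)
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": project,
                                   "version": project_version}},
        "components": components,
    }


def affected_components(sbom: dict, advisory: dict) -> list[str]:
    """Return purls of components matched by a {name: [affected versions]} advisory."""
    hits = []
    for comp in sbom["components"]:
        if comp["version"] in advisory.get(comp["name"], []):
            hits.append(comp["purl"])
    return hits


if __name__ == "__main__":
    bom = build_sbom("example-app", "0.1.0")
    print(json.dumps(bom, indent=2))
    # Constructed advisory: pretend this urllib3 release has been flagged.
    print(affected_components(bom, {"urllib3": ["2.0.7"]}))
```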
Previously:
(2023) Managing Open Source Software and Software Bill of Materials
(2022) Open Source Community Sets Out Path to Secure Software
Read more of this story at SoylentNews.