Hey Liquibase Community! I am doing some research around SBOMs so we can put one in place. Does anyone have a request for a specific format? There are three main ones in widespread use: (1) Software Package Data Exchange (SPDX), an open source machine-readable format with origins in the Linux Foundation; (2) CycloneDX (CDX), an open source machine-readable format with origins in the OWASP community; and (3) Software Identification (SWID).
Wondering if anyone has a specific need for one of these?
For the more curious: https://www.ntia.doc.gov/files/ntia/publications/sbom_formats_survey-version-2021.pdf
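To make the difference between the two JSON-based formats concrete, here is an added example (not code from the post above or from the Liquibase project): it builds a constructed CycloneDX 1.4 document and a constructed SPDX 2.3 document for the same two placeholder components, normalizes both into one component list, and flags components that carry no purl or hash, since those cannot be matched by a vulnerability scanner. Component names, versions, the hash values and the document namespace are placeholders; SWID is XML-based and is not parsed here.

```python
"""Normalize SPDX (JSON) and CycloneDX (JSON) SBOMs to a common component list.

Added example for the Liquibase SBOM thread, not project code. The two
documents below are constructed by hand to show the shape of each format;
the component names, versions and hash values are placeholders.
"""
import json

# Constructed CycloneDX 1.4 JSON document (placeholder components).
CYCLONEDX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {
            "type": "library",
            "group": "org.example",
            "name": "util",
            "version": "1.2.3",
            "purl": "pkg:maven/org.example/util@1.2.3",
            "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
        },
        {
            # Deliberately missing purl and hashes: a scanner cannot match this.
            "type": "library",
            "name": "vendored-helper",
            "version": "0.9",
        },
    ],
})

# Constructed SPDX 2.3 JSON document describing the same placeholder components.
SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "documentNamespace": "https://example.invalid/spdx/example-app-1",
    "creationInfo": {"created": "2021-01-01T00:00:00Z", "creators": ["Tool: hand-written"]},
    "packages": [
        {
            "name": "util",
            "SPDXID": "SPDXRef-Package-util",
            "versionInfo": "1.2.3",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}],
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:maven/org.example/util@1.2.3",
            }],
        },
        {
            # Same gap as above: no purl external ref and no checksum.
            "name": "vendored-helper",
            "SPDXID": "SPDXRef-Package-vendored-helper",
            "versionInfo": "0.9",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
        },
    ],
})


def sbom_format(sbom_text):
    """Identify the format from its top-level marker fields."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "SPDX"
    raise ValueError("not a CycloneDX or SPDX JSON document")


def normalize(sbom_text):
    """Return [{name, version, purl, sha256}] regardless of which format was given."""
    doc = json.loads(sbom_text)
    out = []
    if sbom_format(sbom_text) == "CycloneDX":
        for c in doc.get("components", []):
            sha = next((h["content"] for h in c.get("hashes", []) if h.get("alg") == "SHA-256"), None)
            out.append({"name": c["name"], "version": c.get("version"), "purl": c.get("purl"), "sha256": sha})
    else:
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            sha = next((c["checksumValue"] for c in p.get("checksums", []) if c.get("algorithm") == "SHA256"), None)
            out.append({"name": p["name"], "version": p.get("versionInfo"), "purl": purl, "sha256": sha})
    return out


def unmatchable(components):
    """Names of components a scanner could not identify: missing purl or missing hash."""
    return [c["name"] for c in components if not c["purl"] or not c["sha256"]]


if __name__ == "__main__":
    for text in (CYCLONEDX_JSON, SPDX_JSON):
        comps = normalize(text)
        print(sbom_format(text), comps, "unmatchable:", unmatchable(comps))
```

Both documents normalize to the same list, which is the point: the choice of format matters less than whether every component carries a purl and a hash that downstream tooling can match.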
Thanks for posting this for the community, @ktaggart
Would some of our most active community members on the forum please consider sharing your thoughts?
@daryldoak @MikeOlivas @StevenMassaro @cgirard @rcampbell - your input would be appreciated.
I am actually not familiar with SBOM. I’ll have to look deeper into this. Thanks.
I too am not familiar with this concept. Does anyone know of any other open source projects that produce a SBOM?
I know Jenkins has various BOMs, but I am not personally familiar with their formats. Linux Foundation has a bunch of training/materials ("Generating a Software Bill of Materials (LFC192)" - Linux Foundation - Training), and I think this is a good resource too: "Software Bill Of Materials: Formats, Use Cases, and Tools" - FOSSA.