Check how to use SBOM #95

ebail · 2022-12-05T08:33:56Z

SBoM information is essential for vulnerability and license
compliance assessment
The US government is pushing for having such information
in all software it procures and will probably make it mandatory soon.

Debian FAI does not support SBOM.

ebail · 2022-12-05T08:34:41Z

A good reference to explain how it is done with Yocto: https://summit.yoctoproject.org/yocto-project-summit-2022-11/talk/NAENTD/

watare · 2022-12-05T09:59:07Z

I'm not sure I understand "Debian FAI does not support SBOM"
because a simple script seems to do the job
https://github.com/daald/dpkg-licenses
Am I missing something ?

ebail · 2022-12-05T10:15:13Z

I think that this could be more complicated.

The first question is to list what should be required.
According to the presentation:

● Sources
● Licenses
● Dependencies
● Applied changes
● Fixes for known vulnerabilities

Again we would need to discuss that.

ebail · 2022-12-05T10:29:40Z

Some LFEnergy discussions in 2021 regarding this topic: https://docs.google.com/presentation/d/1iSLCinJoZ_TsUjogeyTr-ypmyASho5R6YOCNzZSmEIk/edit#slide=id.gb62873e1e9_1_53

dupremathieu transferred this issue from seapath/build_debian_iso Dec 5, 2022

dupremathieu added enhancement New feature or request Debian labels Dec 5, 2022

dupremathieu added this to SEAPATH Board Dec 5, 2022

dupremathieu moved this to Todo in SEAPATH Board Dec 5, 2022

dupremathieu added the Security Potential security issue label Apr 12, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Check how to use SBOM #95

Check how to use SBOM #95

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check how to use SBOM #95

Check how to use SBOM #95

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!