#cyclonedx — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cyclonedx, aggregated by home.social.
-
Many Java teams don't know which libraries really run in production, until the next #Log4Shell turns up. #SBOMs create transparency about dependencies & risks.
Sven Ruppert shows how it's done in practice:
https://javapro.io/de/sbom-fuer-java-entwickler-was-bringt-mir-das-im-alltag-wirklich-teil-1/
https://javapro.io/de/sbom-fuer-java-entwickler-was-bringt-mir-das-im-alltag-wirklich-teil-2/
-
Quarkus can now give you a useful SBOM from the build itself, not just a Maven dependency tree with nicer stationery.
I wrote up the practical path: add `quarkus-cyclonedx`, build a tiny service, inspect the distribution SBOM, generate the dependency SBOM, validate both with the CycloneDX CLI, and archive them in CI.
Boring evidence is still evidence. I like that part.
-
Good news for the digital resilience of the government: @forumstandaardisatie will resume the intake of #SBOM standards (#CycloneDX and #SPDX).
An SBOM is like an ingredient list for software: essential for insight into the supply chain and for security management.
Why now?
The uncertainty about European regulation has been removed:
👉 NEN draft standards align with practice.
👉 CycloneDX and SPDX are recognized.
👉 No conflicts with EU standards.
Read more: https://www.forumstandaardisatie.nl/nieuws/toetsingsprocedure-sbom-wordt-hervat
-
Back from #FOSDEM and working on the new European SBOM conference in Stockholm April 10th. Send me your ideas for talks!
-
The slides for my presentation "Please sign your artefacts. WITH WHAT?" at #FOSDEM in the Security devroom are now available for viewing. A video will be coming soon.
https://fosdem.org/2026/schedule/event/RFFD3M-sign-your-artefacts/
-
At the #AboutCode SBOM tools workshop we talked about creating a way of continuing the discussions. I've just created a #SBOM-tools slack channel in the @orcwg space. Join us to discuss #SBOM tools and interoperability!
-
Going to #FOSDEM? Please join us to celebrate our recent success stories in ECMA TC54! #CycloneDX 1.7, Package URL (#PURL) 1.0 and the Common Lifecycle Enumeration 1.0 (#CLE). We are working to improve all of these and complete the Transparency Exchange API (#TEA) soon!
Join us in the Bedford hotel, Brussels, Friday January 30 at 17-19 for drinks and light bites. Register at https://workshop.aboutcode.org with the code TC54FTW to reserve a ticket while they're available!
Looking forward to meeting you there!
-
PEP 770 was accepted in April of this year; what has happened since then?
* Published a white paper on PEP 770 and phantom dependencies
* Auditwheel, manylinux, and cibuildwheel adoption
* Over 300 projects already ship with PEP 770 SBOM data
* Fedora and Red Hat adopted PEP 770 for Python packages
Read more: https://sethmlarson.dev/pep-770-sbom-data-from-pypi-fedora-and-redhat
-
-
The SPDX community is now creating a new list — similar to the SPDX License List — but focused on cryptographic algorithms. This post shares how this effort started, its current status, the next steps, and a final call for participation.
http://toscalix.com/2025/10/14/introducing-the-spdx-cryptographic-algorithm-list-a-personal-view/
#spdx #sbom #cyclonedx #cryptography #algorithm #linuxfoundation
-
One Open-source Project Daily
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
https://github.com/anchore/syft
#1ospd #opensource #containers #cyclonedx #docker #go #golang #hacktoberfest #oci #sbom #spdx #staticanalysis #tool -
One Open-source Project Daily
A vulnerability scanner for containers
https://github.com/anchore/grype
#1ospd #opensource #docker #golang #security #tool #containers #oci #vulnerability #vex #vulnerabilities #containerimage #cyclonedx #openvex -
The OWASP Transparency Exchange API has published our first BETA release for implementors to start implementing the consumer API including the discovery. Get all the docs including the #openapi specification here: github.com/CycloneDX/tr... #OWASP #TEA #SBOM #CYCLONEDX #SPDX
Release 0.1.0-beta.1 · Cyclone... -
How we implemented SCA using SBOM
The more microservices a company has, the more fun life becomes for those responsible for security. The number of dependencies grows, and at some point it becomes impossible to keep track of where a critical vulnerability might surface in the code, whether from an old library or from a transitive dependency that nobody even remembers. The solution is SCA (Software Composition Analysis): automated dependency analysis that helps catch vulnerable libraries in time and understand what to do about them. My name is Erik Shakhov, I'm an AppSec engineer at Cian. In this article I'll describe how we rebuilt our SCA system, changed its architecture, and which tools we now use to control dependencies. I'll share real experience of introducing SBOM (Software Bill of Materials) and how it helps us keep our code in order.
https://habr.com/ru/companies/cian/articles/900040/
#trivy #cyclonedx #управление_зависимостями #sbom #appsec #sca #сканеры_безопасности #cdxgen #безопасная_разработка #сканеры_уязвимостей
-
What are SBOMs?
A new post on my blog. Basics on the topic of SBOMs.
#bom #sbom #sboms #software #softwaredevelopment #softwarebillofmaterials #SoftwareBillsofMaterialSBOMs #dev #devops #development #developer #blog #cybersecurity #security #cyclonedx #spdx #vex
-
Blogging Saturday?
"Playing with the open source fire" ("Das Spiel mit dem Open Source Feuer")?
The wording bothered me massively, so I wrote a blog post about it.
#SBOM #SBOMs #opensource #security #softwarebillofmaterials #linux #spdx #cyclonedx #owasp #linuxfoundation
-
The Cybersecurity Ontology Network: the first building block for a comprehensive Cybersecurity Knowledge Graph
Paper presented at https://www.iai.kit.edu/ok4i/
#FOIS2024 @KIT_Karlsruhe #UniMurcia #UniBasqueCountry #SiemensEnergy
#ontology #cyclonedx #cybersecurity #knowledgegraph #semanticweb
-
#OASIS has launched an open software supply chain info modeling (#OSIM) TC, which aims to standardize and promote open #informationmodels for software provenance and #supplychain #security. How do #SBOM, VEX, CSAF, #CycloneDX, and all that fit together? Come see. Checkmarx, Cisco, Cyware, Google, IBM, LegitSecurity, Microsoft, Root, SAP, CISA, and US NSA are already in.
https://www.oasis-open.org/2024/06/20/oasis-launches-osim/ -
How to set up container security based on Open Source
Hi Habr! My name is Tatiana Khurtina, and I'm a programmer in the internal security automation group at VK. I recently spoke at the PHDays cyber festival with a talk about our approach to container security monitoring. Using our experience in Dzen's in-house cloud as an example, I described how open source solutions can be used to find vulnerabilities at runtime. And let me say right away that by Runtime we mean monitoring vulnerabilities in containers running in the orchestrator in (almost) real time. If you face a similar task, our practical experience may be useful to you. Here I publish the key ideas and diagrams.
https://habr.com/ru/companies/vk/articles/821853/
#информационная_безопасность #dependency_track #trivy #SBOM #docker #разработка #golang #сканирование #уязвимости #cyclonedx
-
If you missed the OWASP #CycloneDX community virtual meeting on March 6th the recording is available on YouTube. Learn about the latest DependencyTrack updates and #CBOM or Cryptography Bill of Materials in CycloneDX:
-
I've got a question about working with the tools provided by #OWASP.
When working within the #Java and #Maven build environments to use both the dependency-check plugin as well as the DependencyTrack application? I do know that the #DependencyTrack uses the #CycloneDX plugin to generate the BOM. What I'm trying to prevent is extra build time used up to perform similar operations.
-
#SLSA: #Macaron is an extensible supply chain security analysis framework from Oracle which integrates with existing #SBOM in OWASP #CycloneDX
-
My colleague Scott Fryer gave a talk at this year's @EclipseFdn's #EclipseCon on #Adoptium's secure development practices, what we've done and what we're going to do going forward. It covers #SLSA, #SSDF, #SBoM, binary #reproducibleBuilds and keeping a heterogeneous #openSource project's infrastructure secure with #Wazuh.
If some of those buzzwords have piqued your interest (or you want to know what they are), check out his video: https://www.youtube.com/watch?v=mpEKUnX84UQ
#secureDev #CycloneDX -
At the heart of the CVE process, and of the matching done against the NVD database, is the name of the manufacturer and of the artefact: the software, system, library or mobile application. For this to work, it's vital that the name in the #SBOM is correct so that the match succeeds. The community has developed #PURL (package URL) to improve this, but so far the CVE/NVD ecosystem has not adopted PURL.
This needs to be fixed to make sure that the name in the SBOM matches the right set of vulnerabilities.
#SBOM #securesupplychain #CycloneDX #OpenVEX #VEX #OpenSource
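As an added example (not code from any of the posts above), here is the kind of check that the Quarkus post's "inspect the SBOM" step and the PURL post above both point at: parse each component's package URL from a CycloneDX JSON document and match it against an advisory table keyed by PURL type, namespace and name, while flagging components that carry only a bare name, since a name alone cannot be matched reliably. The BOM, the advisory table and the `triage` function are constructed for illustration and are not real data.

```python
import json
from urllib.parse import unquote

# Constructed CycloneDX JSON document for illustration; not the output of any real build.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "name": "core", "version": "17.0.0",
         "purl": "pkg:npm/%40angular/core@17.0.0"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1"},  # no purl at all
    ],
})

# Constructed (hypothetical) advisory table: (purl type, namespace, name) -> affected versions.
ADVISORIES = {
    ("maven", "org.apache.logging.log4j", "log4j-core"): {"2.14.1", "2.15.0"},
}


def parse_purl(purl):
    """Split a package URL into (type, namespace, name, version); qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: %r" % purl)
    body = purl[4:].split("?", 1)[0].split("#", 1)[0].strip("/")
    version = None
    if "@" in body:  # the version follows the last '@'; an npm scope '@' is percent-encoded
        body, version = body.rsplit("@", 1)
        version = unquote(version)
    parts = body.split("/")
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return parts[0].lower(), namespace, name, version


def triage(bom_json, advisories=ADVISORIES):
    """Return {'name@version': status} for every component in a CycloneDX JSON BOM."""
    results = {}
    for comp in json.loads(bom_json).get("components", []):
        label = "%s@%s" % (comp.get("name"), comp.get("version"))
        purl = comp.get("purl")
        if not purl:
            results[label] = "name-only"  # no ecosystem or namespace: cannot be matched reliably
            continue
        ptype, namespace, name, version = parse_purl(purl)
        affected = advisories.get((ptype, namespace, name), set())
        results[label] = "affected" if version in affected else "clear"
    return results
```

Running `triage(SAMPLE_BOM)` marks the first component affected, the npm component clear, and the purl-less component as name-only for manual follow-up.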