home.social

#sbom — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #sbom, aggregated by home.social.

  1. Want to get a jump start on open source licensing, how your dependencies affect your project, user expectations, and how to get your SBOM in good shape? Join me on TODAY Wednesday May 27th at 1pm PT! Stream info below: maintainermonth.github.com/sch #opensource #oss #compliance #sbom

  3. Join the Anchore Open Source team this Thursday at 12 PM PT for our live stream! We'll cover issues, PRs, & roadmap. youtube.com/watch?v=UGUnqfA0VuA

  5. ----------------

    🛠️ Tool
    ===================

    Bumblebee is a read-only inventory collector targeting package, extension, and developer-tool metadata on macOS and Linux developer endpoints. It addresses a specific supply-chain response gap: when an advisory names a package or version, which developer machines currently have a matching entry in their on-disk metadata?

    The problem space

    SBOMs tell you what shipped. EDR tells you what ran or touched the network. But supply-chain incidents often require a third view: the messy local state spread across lockfiles, package-manager install metadata, extension manifests, and developer-tool configuration files. Bumblebee turns that scattered on-disk state into structured NDJSON component records and, when given an exposure catalog, flags exact matches for fast triage.

    Technical architecture
    • Single static binary, Go 1.25+, zero non-stdlib dependencies. Straightforward fleet deployment.
    • Three scan profiles (baseline, project, deep) for different populations and cadences.
    • Strictly read-only: no package manager execution (npm ls, pip show, go list), no source-file reads.
    • MCP host configs can carry environment values and credentials in env blocks. Bumblebee parses these for server inventory but does not emit those values in output records.

    Ecosystem coverage
    • npm, pnpm, Yarn, Bun (via lockfiles and node_modules)
    • PyPI (via dist-info/METADATA, egg-info)
    • Go modules (go.sum, go.mod)
    • RubyGems (Gemfile.lock, *.gemspec)
    • Composer (composer.lock, installed.json)
    • MCP JSON host configs (Claude Desktop, Cline, Gemini CLI/Code Assist). Non-JSON configs like Codex config.toml and Continue YAML not parsed in v0.1.
    • Editor extensions: VS Code, Cursor, Windsurf, VSCodium
    • Browser extensions: Chromium-family, Firefox

    Self-test

    bumblebee selftest runs against embedded fixtures with deliberately fake package names ([email protected]). Useful as a pre-deployment smoke test for fleet rollouts.

    go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest
    bumblebee selftest

    Known limitations
    • Read-only by design: no runtime dependency or process detection
    • bun.lockb presence detected but not parsed (diagnostic only)
    • Non-JSON MCP configs unsupported in v0.1
    • Note: haven't tested personally

    🔹 tool #supplychain #SBOM #inventory #developersecurity

    🔗 Source: github.com/perplexityai/bumble
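    The post above describes the collector's pipeline (read on-disk package metadata, emit NDJSON component records, flag exact matches against an exposure catalog) but shows none of it. The following is an added example written for this page, not Bumblebee's own code: it implements the same read-only technique in stdlib-only Go for two of the listed sources, a PyPI dist-info METADATA file and an npm package-lock.json. The record schema, the catalog shape (ecosystem -> package -> affected versions), the file paths and the package names (acme-http, acme-utils) are all assumptions constructed for the example; the post gives none of them. Two details matter in practice and are handled here: METADATA parsing must stop at the first blank line, because the long description that follows can contain its own "Version:" text, and catalog matching is exact string equality, so an advisory expressed as a version range has to be expanded to concrete versions before it is loaded.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// Component is one inventory record; toNDJSON emits it as a single JSON line.
type Component struct {
	Ecosystem string `json:"ecosystem"`
	Name      string `json:"name"`
	Version   string `json:"version"`
	Source    string `json:"source"`            // metadata file the record was read from
	Exposed   bool   `json:"exposed,omitempty"` // true only on an exact catalog hit
}

// parseMetadata reads Name/Version from the header block of a PyPI dist-info METADATA file.
// It stops at the first blank line, so a "Version:" inside the long description is ignored.
func parseMetadata(path, body string) (Component, bool) {
	c := Component{Ecosystem: "pypi", Source: path}
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() && sc.Text() != "" {
		if v, ok := strings.CutPrefix(sc.Text(), "Name:"); ok {
			c.Name = strings.TrimSpace(v)
		} else if v, ok := strings.CutPrefix(sc.Text(), "Version:"); ok {
			c.Version = strings.TrimSpace(v)
		}
	}
	return c, c.Name != "" && c.Version != ""
}

// parsePackageLock lists installed packages from a lockfileVersion 2/3 package-lock.json.
// Keys are node_modules paths; the name is what follows the last "node_modules/", which also
// covers nested and scoped installs such as node_modules/a/node_modules/@s/b.
func parsePackageLock(path string, body []byte) ([]Component, error) {
	var lock struct {
		Packages map[string]struct{ Version string } `json:"packages"`
	}
	if err := json.Unmarshal(body, &lock); err != nil {
		return nil, err
	}
	var out []Component
	for key, p := range lock.Packages {
		i := strings.LastIndex(key, "node_modules/")
		if i < 0 { // "" is the root project; workspace links have no node_modules segment
			continue
		}
		out = append(out, Component{"npm", key[i+len("node_modules/"):], p.Version, path, false})
	}
	return out, nil
}

// Catalog maps ecosystem -> package -> affected versions (assumed shape). Matching is exact
// string equality, so an advisory stated as a range must be expanded to concrete versions.
type Catalog map[string]map[string]map[string]bool

// inventory dispatches on file name, flags exact catalog hits and returns records in a stable
// order. Contents arrive already read, so nothing is executed or resolved on the host.
func inventory(files map[string]string, cat Catalog) []Component {
	var cs []Component
	for path, body := range files {
		switch filepath.Base(path) {
		case "METADATA":
			if c, ok := parseMetadata(path, body); ok {
				cs = append(cs, c)
			}
		case "package-lock.json":
			if ncs, err := parsePackageLock(path, []byte(body)); err == nil {
				cs = append(cs, ncs...)
			}
		}
	}
	for i := range cs {
		cs[i].Exposed = cat[cs[i].Ecosystem][cs[i].Name][cs[i].Version]
	}
	key := func(c Component) string { return c.Ecosystem + "/" + c.Name + "@" + c.Version }
	sort.Slice(cs, func(i, j int) bool { return key(cs[i]) < key(cs[j]) })
	return cs
}

// toNDJSON renders one JSON object per line (json.Encoder appends the newline itself).
func toNDJSON(cs []Component) string {
	var b strings.Builder
	for _, c := range cs {
		_ = json.NewEncoder(&b).Encode(c)
	}
	return b.String()
}

// Constructed fixtures with deliberately fake package names; the paths are assumptions too.
var fixtures = map[string]string{
	"/home/dev/.venv/lib/python3.12/site-packages/acme_http-2.0.1.dist-info/METADATA": "Metadata-Version: 2.1\nName: acme-http\nVersion: 2.0.1\nSummary: fake package\n\nLong description.\nVersion: 9.9.9 appears here and must not be parsed.\n",
	"/home/dev/app/package-lock.json": `{"lockfileVersion":3,"packages":{"":{"name":"app"},` +
		`"node_modules/acme-http":{"version":"1.6.0"},"node_modules/acme-http/node_modules/acme-utils":{"version":"0.3.2"}}}`,
}

// Constructed catalog: the fictional advisory names acme-http 1.6.0 on npm only, so the PyPI
// package that shares the name must stay unflagged.
var catalog = Catalog{"npm": {"acme-http": {"1.6.0": true}}}

func main() { fmt.Print(toNDJSON(inventory(fixtures, catalog))) }
```

    Running it prints three NDJSON lines, and only the npm acme-http@1.6.0 record carries "exposed":true; the PyPI package with the same name and a different version is listed but not flagged, which is the ecosystem-aware exact matching the post describes. In a real collector the fixture map would be replaced by a directory walk that reads the same file names and nothing else.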

  6. Missed our Open Source stream? Catch the recording to hear about the latest Syft, Grype, and roadmap updates! youtube.com/watch?v=HlKQmWVn2Kc

  7. Syft users! 📣 We want to hear from YOU! Take our quick 5-question survey to help shape the future of Syft. Your feedback is invaluable! 👉 forms.gle/VJZ7idKZgchminYD7

  9. Modern supply chain security can't rely on periodic scans. When the next CVE drops, you need fleet-wide visibility immediately.

    Our Managed #DependencyTrack provides continuous #SBOM monitoring with multi-source vulnerability intelligence, smart triage (#VEX + #EPSS), and complete data sovereignty, all without the operational overhead of DIY deployment.

    #OpenSource at the core. Managed where it matters.

    Read our 2026 guide to continuous supply chain security:
    amazee.io/blog/post/dependency

  10. Should the government make SBOM standards (CycloneDX & SPDX) mandatory?

    Forum Standaardisatie is investigating this and is looking for experts from the public and private sectors to think along. Your knowledge of software security helps us with the assessment for the ‘Pas toe of leg uit’ (comply or explain) list.

    📆 25 June 2026, 10:00-14:00 (central Netherlands)
    Lunch is included.

    📧 Interested? Email us: [email protected]

    More info: forumstandaardisatie.nl/nieuws

    #SBOM #CycloneDX #SPDX #OpenStandaarden #Overheid

  11. Modern apps ship fast. Dependencies change faster. Without continuous monitoring, new vulnerabilities can remain unnoticed for weeks.

    Managed #DependencyTrack automates #SBOM analysis and vulnerability monitoring. Powered by #OWASP, hosted on our infrastructure, you get the platform without the operational overhead.

    🔗 amazee.io/product/dependency-t

  12. Security Tip: Strengthen your supply chain with SBOMs. 🛡️ A Software Bill of Materials (SBOM) acts as an ingredient list for your applications. In the event of a zero-day vulnerability, an SBOM allows your security team to instantly verify if a compromised library is in your environment, reducing response time from days to minutes. Start building your inventory today. Stay ahead of threats at cvedatabase.com

  13. Join the Anchore Open Source team this Thursday at 12 PM PT for our live stream! We'll cover issues, PRs, & roadmap. youtube.com/watch?v=HlKQmWVn2Kc

  15. Technical requirements for the #trustworthiness of #AI: the #G7 states have published a #guideline that defines minimum requirements for software bills of materials (#SBOM) in the field of artificial intelligence.

    Such bills of materials are meant to capture every component of an #AI system, not only the program code but also the underlying models and #trainingdata, so that #vulnerabilities can be located and fixed faster:
    bsi.bund.de/SharedDocs/Downloa

  16. Two different attackers poisoned popular #opensource tools - and showed us the future of #supplychain compromise
    Time to start using #SBOM
    First, attackers hit #Trivy, a vulnerability scanner with more than 100,000 users and contributors embedded in thousands of CI/CD pipelines. Then on March 31, #Axios, one of npm's most widely used HTTP client libraries, became a #malware vehicle for 3hr after attackers hijacked an account and slipped in a remote-access trojan (RAT)
    theregister.com/2026/04/11/tri

  21. Missed our Open Source stream? Catch the recording to hear about the latest Syft, Grype, and roadmap updates! youtube.com/watch?v=N-6Sc5CQwI0

  23. Missed our Open Source stream? Catch the recording to hear about the latest Syft, Grype, and roadmap updates! youtube.com/watch?v=N-6Sc5CQwI0 #SBOM #VulnerabilityScanning

  27. The G7 released SBOM for AI, a new dummies book uh I mean software supply chain description for companies distributing AI software

    securityweek.com/g7-countries-

    #ai #sbom

  32. 📰 CISA and G7 Partners Release New Guidance for AI SBOMs

    CISA and G7 partners have released new guidance on creating a Software Bill of Materials for AI (AI SBOM). The goal is to bring transparency to the AI supply chain by listing the 'ingredients' of AI models. 🤖📄 #AISecurity #SBOM #CISA #G7

    🔗 cyber.netsecops.io

  33. Global Agencies Unveil AI Supply Chain Risk Guidance with SBOMs

    Global agencies have joined forces to release groundbreaking guidance on AI supply chain risk, outlining minimum elements for Software Bill of Materials (SBOMs) to enhance security and transparency. This crucial step forward aims to tackle the complex challenges of measuring and defining AI risks across organizations.

    osintsights.com/global-agencie

    #AiSupplyChain #SoftwareBillOfMaterials #Sbom #ArtificialIntelligence #G7

  34. Failing successfully with #NPM and #PyPI packages. 🤗

    "most recently over 11 million downloads per week each. And those are just two of a total of 416 software package versions that the Socket researchers list as affected in their report."

    The cause lies more with the developers: 🙈

    "Software developers who use NPM or PyPI packages should urgently check whether they may have downloaded one or more affected versions of the compromised packages. If so, the systems in question are to be considered compromised."

    Carelessness seems to be the norm. Experienced developers will suffer because the whole field is now seen in a bad light. 🙄

    Without an #SBOM and careful handling of third-party software it is very risky. 🙁

    Ask experienced developers how development on the #Internet has to be done more securely. Whether #NPM or #PyPI packages, there are procedures that allow significantly fewer mistakes. 🙂

    golem.de/news/supply-chain-ang

    #NPM #PyPI #SBOM #Internet

  35. Join the Anchore Open Source team this Thursday at 12 PM PT for our live stream! We'll cover issues, PRs, & roadmap. youtube.com/watch?v=N-6Sc5CQwI0 #SBOM #Vulnerability

  36. Join the Anchore Open Source team this Thursday at 12 PM PT for our live stream! We'll cover issues, PRs, & roadmap. youtube.com/watch?v=N-6Sc5CQwI0


  45. If software supply chain is part of your day, Cybeats is worth knowing. Gold Sponsor at AppSec Village this year — thanks for the support!

    Learn more about them here: cybeats.com/

    #AppSecVillage #SBOM #SponsorShoutout #Goldsponsor


  49. Security Tip: Transparency is key to a secure software stack. 🛡️ Implementing a Software Bill of Materials (SBOM) allows your team to maintain a comprehensive inventory of all components. When a new vulnerability breaks, an SBOM helps you identify affected systems in minutes, not days. Stay informed on the latest vulnerabilities and remediation steps at cvedatabase.com #CyberSecurity #InfoSec #SBOM #SoftwareSupplyChain #CVE

  50. Security Tip: Transparency is key to a secure software stack. 🛡️ Implementing a Software Bill of Materials (SBOM) allows your team to maintain a comprehensive inventory of all components. When a new vulnerability breaks, an SBOM helps you identify affected systems in minutes, not days. Stay informed on the latest vulnerabilities and remediation steps at cvedatabase.com #CyberSecurity #InfoSec #SBOM #SoftwareSupplyChain #CVE