home.social

#software-transparency — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #software-transparency, aggregated by home.social.

  1. When someone registers a CVE, a vulnerability, for a product, the CNA that opens the issue adds a name for the product called a CPE. The owner of the product is not always involved and the name is not very specific. This leads to problems when we try to match names in our SBOM with the names in the CVE and NVD databases to see if there are any issues. A "not found" answer means both "product not found" and "product found, but no CVEs reported" - which is confusing.

    The community is heading towards PURL, package URL, as a name specification. The PURL specification will be standardised by ECMA, spearheaded by OWASP, which is a good step forward. It's an extensible naming scheme that can be used for a large variety of packages - NPM, Maven, Linux packaging, crates and more. It can also be used for projects and products outside of these systems.

    Naming is important and we do hope that coming versions of the CVE/NVD will adopt PURLs. Check it out at github.com/package-url/purl-sp

    As other systems already use PURL, make sure you have PURLs in your SBOM!

    #PURL #SBOM #CVE #NVD #CNA #CyberSecurity #SoftwareTransparency
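    The matching problem the post describes, as an added example that is not part of the post or of the package-url project: a small builder that applies the PURL spec's per-type canonicalisation (lowercasing for npm/pypi/golang, underscore-to-dash for pypi, percent-encoding of segments), and a lookup against a constructed advisory catalogue that reports "product unknown" separately from "product known, no advisories". The catalogue, package names and advisory ids are constructed placeholders.

```python
from enum import Enum
from urllib.parse import quote

# Subset of the package-url type rules: these types have case-insensitive
# names, so the canonical form is lowercased; pypi also maps "_" to "-".
_LOWERCASE_TYPES = {"npm", "pypi", "golang"}


def build_purl(ptype, name, version=None, namespace=None):
    """Return the canonical pkg:type/namespace/name@version string."""
    ptype = ptype.lower()
    if ptype in _LOWERCASE_TYPES:
        name = name.lower()
        namespace = namespace.lower() if namespace else namespace
    if ptype == "pypi":
        name = name.replace("_", "-")
    parts = ["pkg:" + ptype]
    if namespace:  # each namespace segment is percent-encoded ("@" -> "%40")
        segs = namespace.strip("/").split("/")
        parts.append("/".join(quote(s, safe="") for s in segs))
    parts.append(quote(name, safe=""))
    purl = "/".join(parts)
    if version:
        purl += "@" + quote(version, safe="")
    return purl


class Status(Enum):
    PRODUCT_UNKNOWN = "product not found in catalogue"
    NO_ADVISORIES = "product known, no advisories for this version"
    AFFECTED = "product known, advisories apply to this version"


# Constructed catalogue keyed by version-less canonical PURL (placeholder ids).
CATALOGUE = {
    "pkg:npm/%40scope/widget": {"1.2.0": ["ADVISORY-PLACEHOLDER-1"]},
    "pkg:maven/org.example/parser": {"2.0.1": ["ADVISORY-PLACEHOLDER-2"]},
    "pkg:cargo/example-crate": {},  # known product, nothing reported
}


def check(purl, catalogue=CATALOGUE):
    """Tri-state lookup: the only '@' left after encoding separates the version."""
    base, _, version = purl.partition("@")
    if base not in catalogue:
        return Status.PRODUCT_UNKNOWN, []
    ids = catalogue[base].get(version, [])
    return (Status.AFFECTED if ids else Status.NO_ADVISORIES), ids


if __name__ == "__main__":
    for p in (build_purl("NPM", "Widget", "1.2.0", "@Scope"),
              build_purl("cargo", "example-crate", "0.3.0"),
              build_purl("pypi", "Some_Pkg", "1.0")):
        print(p, "->", check(p)[0].value)
```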

  2. In order to keep the costs under control for vulnerability handling in software and other related processes we need to automate the exchange of artefacts between the manufacturer and the customer. My experience of working with Internet-related applications for many years is that we have one global database and other attempts to create global databases will not work, especially if "global" really means "US based". We have to bootstrap any automation and discovery process using the DNS distributed database system. Allowing everyone to create an identifier for software based on their domain, we can create a discovery system that scales.

    The vision is to have an identifier I can add to my software platform and it will discover and download the right documents more or less automatically. I think it's doable. What do you think?

    #cybersecurity #CRA #EUCRA #softwaresupplychainsecurity #softwaretransparency