new: Software Bill of Material (SBOM).
This commit is contained in:
Christian Fravi
parent
6b18b3439c
commit
b17745bdf0
1 changed files with 60 additions and 0 deletions
60
sbom.md
Normal file
60
sbom.md
Normal file
|
|
@ -0,0 +1,60 @@
|
|||
# Software Bill of Material (SBOM)
|
||||
|
||||
## Work order
|
||||
|
||||
### Description
|
||||
|
||||
**When:** evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,
|
||||
|
||||
**As:** a DevSecOps Engineer Team Lead,
|
||||
|
||||
**I want:**
|
||||
|
||||
- To conduct a market overview of available SBOM tools.
|
||||
- Test and evaluate SBOM solutions through demos within our Azure DevOps environment.
|
||||
- Build and document reusable pipeline templates for SBOM generation and validation.
|
||||
|
||||
**This ensures:**
|
||||
|
||||
- Compliance with increasing customer demands for SBOM capabilities.
|
||||
- Streamlined implementation of SBOM generation in our DevOps pipelines.
|
||||
- Improved security and transparency of our software supply chain. (insofern wir selber Software bereitstellen)
|
||||
|
||||
### Acceptance Criteria
|
||||
|
||||
1. Market Overview:
|
||||
|
||||
- A comprehensive list of SBOM tools and their key features, including license and approx costs (free, open source, payed, enterprise size costs > kostenlos, vertretbar, arschteuer)
|
||||
- git repo docs-onboarding, neue sbom.md datei
|
||||
|
||||
2. Testing & Evaluation:
|
||||
|
||||
- Successful deployment and execution of SBOM tools in our Azure DevOps environment.
|
||||
- Demos conducted for at least 3 shortlisted SBOM solutions.
|
||||
3. Pipeline Templates:
|
||||
|
||||
- Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
|
||||
- Inclusion of relevant metadata, such as Licenses, CVEs etc.
|
||||
- git repo cicd-pipeline-library, new sub-folder "sbom", ment-bold.yml verschieben in den neuen Ordner
|
||||
|
||||
4. Documentation:
|
||||
|
||||
- Step-by-step guide for integrating selected SBOM tools in Azure DevOps pipelines alongside cicd template
|
||||
- Example configurations if possible
|
||||
|
||||
5. Training and Adoption:
|
||||
|
||||
- Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > schau mal, ob du 2 oder 3 Webinars findest, die sinnvoll sind und an denen wir teilnehmen können
|
||||
- Internal presentation summarizing findings and providing guidance for SBOM adoption > Präsentation bei einer der kommenden XWare GLs im Bereich Know How zu Beginn
|
||||
|
||||
## Market Overview
|
||||
|
||||
Most used list: https://spdx.dev/use/spdx-tools/
|
||||
|
||||
| Name and Link | Key Features | Licenses | Approx Costs |
|
||||
| ------------- | ------------ | -------- | ------------ |
|
||||
| [Microsofts SBOM Tool](https://github.com/microsoft/sbom-tool) | `tbd` | MIT | Open Source |
|
||||
| [Syft](https://github.com/anchore/syft) | `tbd` | Apache-2.0 | Open Source |
|
||||
| [ScanCode toolkit](https://github.com/aboutcode-org/scancode-toolkit) | `tbd` | Apache-2.0 | Open Source |
|
||||
| [SCANOSS](https://www.scanoss.com) | `tbd` | Proprietary | Free, 35K per Year, Custom |
|
||||
| [Vigilant Ops](https://www.vigilant-ops.com)| `tbd` | Proprietary | Unknown |
|
||||
Loading…
Add table
Add a link
Reference in a new issue