From b17745bdf08e41f2a6378db16cbc58e629f323aa Mon Sep 17 00:00:00 2001 From: Christian Fravi Date: Mon, 13 Jan 2025 16:42:56 +0100 Subject: [PATCH] new: Software Bill of Material (SBOM). --- sbom.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 sbom.md diff --git a/sbom.md b/sbom.md new file mode 100644 index 0000000..67401dc --- /dev/null +++ b/sbom.md 
@@ -0,0 +1,60 @@ +# Software Bill of Material (SBOM) + +## Work order + +### Description + +**When:** evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows, + +**As:** a DevSecOps Engineer Team Lead, + +**I want:** + +- To conduct a market overview of available SBOM tools. +- Test and evaluate SBOM solutions through demos within our Azure DevOps environment. +- Build and document reusable pipeline templates for SBOM generation and validation. + +**This ensures:** + +- Compliance with increasing customer demands for SBOM capabilities. +- Streamlined implementation of SBOM generation in our DevOps pipelines. +- Improved security and transparency of our software supply chain. (insofern wir selber Software bereitstellen) + +### Acceptance Criteria + +1. Market Overview: + + - A comprehensive list of SBOM tools and their key features, including license and approx costs (free, open source, payed, enterprise size costs > kostenlos, vertretbar, arschteuer) + - git repo docs-onboarding, neue sbom.md datei + +2. Testing & Evaluation: + + - Successful deployment and execution of SBOM tools in our Azure DevOps environment. + - Demos conducted for at least 3 shortlisted SBOM solutions. +3. Pipeline Templates: + + - Creation of reusable pipeline templates for SBOM generation in Azure DevOps. + - Inclusion of relevant metadata, such as Licenses, CVEs etc. + - git repo cicd-pipeline-library, new sub-folder "sbom", ment-bold.yml verschieben in den neuen Ordner + +4. Documentation: + + - Step-by-step guide for integrating selected SBOM tools in Azure DevOps pipelines alongside cicd template + - Example configurations if possible + +5. 
Training and Adoption: + + - Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > schau mal, ob du 2 oder 3 Webinars findest, die sinnvoll sind und an denen wir teilnehmen können + - Internal presentation summarizing findings and providing guidance for SBOM adoption > Präsentation bei einer der kommenden XWare GLs im Bereich Know How zu Beginn + +## Market Overview + +Most used list: https://spdx.dev/use/spdx-tools/ + +| Name and Link | Key Features | Licenses | Approx Costs | +| ------------- | ------------ | -------- | ------------ | +| [Microsofts SBOM Tool](https://github.com/microsoft/sbom-tool) | `tbd` | MIT | Open Source | +| [Syft](https://github.com/anchore/syft) | `tbd` | Apache-2.0 | Open Source | +| [ScanCode toolkit](https://github.com/aboutcode-org/scancode-toolkit) | `tbd` | Apache-2.0 | Open Source | +| [SCANOSS](https://www.scanoss.com) | `tbd` | Proprietary | Free, 35K per Year, Custom | +| [Vigilant Ops](https://www.vigilant-ops.com)| `tbd` | Proprietary | Unknown |
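Review bot: the new sbom.md still contains German working notes addressed to a colleague that should not be committed into an onboarding document, e.g. `> schau mal, ob du 2 oder 3 Webinars findest, die sinnvoll sind und an denen wir teilnehmen können` and `ment-bold.yml verschieben in den neuen Ordner`; move them to the work item or fold them into the English acceptance criteria so the page reads in one language (the same applies to the cost scale `kostenlos, vertretbar, arschteuer`). Smaller points in the same hunk: the title reads "Software Bill of Material" while the body uses "Software Bill of Materials"; "payed" should be "paid" and "Microsofts SBOM Tool" needs an apostrophe; every "Key Features" cell in the market table is `tbd`, so the commit does not yet satisfy acceptance criterion 1, and the "Approx Costs" column mixes a licence model ("Open Source") with prices, so either add a separate column or state the cost ("Free") there; and "3. Pipeline Templates:" is missing the blank line that precedes the other numbered items.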