new: Software Bill of Material (SBOM).
This commit is contained in:
parent 6b18b3439c
commit b17745bdf0
1 changed files with 60 additions and 0 deletions
sbom.md (normal file, 60 additions)
@ -0,0 +1,60 @@
# Software Bill of Material (SBOM)
## Work order
### Description
**When:** evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,
**As:** a DevSecOps Engineer Team Lead,
**I want:**
- To conduct a market overview of available SBOM tools.
- Test and evaluate SBOM solutions through demos within our Azure DevOps environment.
- Build and document reusable pipeline templates for SBOM generation and validation.
**This ensures:**
- Compliance with increasing customer demands for SBOM capabilities.
- Streamlined implementation of SBOM generation in our DevOps pipelines.
- Improved security and transparency of our software supply chain. (insofern wir selber Software bereitstellen)
### Acceptance Criteria
1. Market Overview:
- A comprehensive list of SBOM tools and their key features, including license and approx costs (free, open source, payed, enterprise size costs > kostenlos, vertretbar, arschteuer)
- git repo docs-onboarding, neue sbom.md datei
2. Testing & Evaluation:
- Successful deployment and execution of SBOM tools in our Azure DevOps environment.
- Demos conducted for at least 3 shortlisted SBOM solutions.
3. Pipeline Templates:
- Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
- Inclusion of relevant metadata, such as Licenses, CVEs etc.
- git repo cicd-pipeline-library, new sub-folder "sbom", ment-bold.yml verschieben in den neuen Ordner
4. Documentation:
- Step-by-step guide for integrating selected SBOM tools in Azure DevOps pipelines alongside cicd template
- Example configurations if possible
5. Training and Adoption:
- Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > schau mal, ob du 2 oder 3 Webinars findest, die sinnvoll sind und an denen wir teilnehmen können
- Internal presentation summarizing findings and providing guidance for SBOM adoption > Präsentation bei einer der kommenden XWare GLs im Bereich Know How zu Beginn
## Market Overview
Most used list: https://spdx.dev/use/spdx-tools/
| Name and Link | Key Features | Licenses | Approx Costs |
| ------------- | ------------ | -------- | ------------ |
| [Microsofts SBOM Tool](https://github.com/microsoft/sbom-tool) | `tbd` | MIT | Open Source |
| [Syft](https://github.com/anchore/syft) | `tbd` | Apache-2.0 | Open Source |
| [ScanCode toolkit](https://github.com/aboutcode-org/scancode-toolkit) | `tbd` | Apache-2.0 | Open Source |
| [SCANOSS](https://www.scanoss.com) | `tbd` | Proprietary | Free, 35K per Year, Custom |
| [Vigilant Ops](https://www.vigilant-ops.com)| `tbd` | Proprietary | Unknown |
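Review bot: The Market Overview table leaves every Key Features cell as `tbd`, so acceptance criterion 1 ("a comprehensive list of SBOM tools and their key features, including license and approx costs") is not yet met by this file, and the Approx Costs column mixes licence models with prices ("Open Source" next to "35K per Year"). Since criterion 3 asks for templates that both generate and validate SBOMs, suggest adding a column for the output formats each tool supports (e.g. SPDX, which the linked spdx.dev tool list covers, or CycloneDX), because a validation step needs a defined target format; the "Licenses, CVEs etc." metadata in criterion 3 will also need a separate vulnerability-scanning step in the template, as SBOM generation on its own does not produce CVE data. Before this lands in the docs-onboarding repo named in criterion 1, the inline German working notes (e.g. "kostenlos, vertretbar, arschteuer", "ment-bold.yml verschieben in den neuen Ordner") should be resolved or moved to the work item, and the typos "payed" and "Microsofts" fixed.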