docs-onboarding/sbom.md
2025-01-13 16:42:56 +01:00

# Software Bill of Materials (SBOM)

## Work order

### Description

When: evaluating and selecting Software Bill of Materials (SBOM) tools for integration into our workflows,

As: a DevSecOps Engineer Team Lead,

I want:

  • To conduct a market overview of available SBOM tools.
  • Test and evaluate SBOM solutions through demos within our Azure DevOps environment.
  • Build and document reusable pipeline templates for SBOM generation and validation.

This ensures:

  • Compliance with increasing customer demands for SBOM capabilities.
  • Streamlined implementation of SBOM generation in our DevOps pipelines.
  • Improved security and transparency of our software supply chain (insofar as we supply software ourselves).

### Acceptance Criteria

  1. Market Overview:

    • A comprehensive list of SBOM tools and their key features, including license and approx. costs (free, open source, paid, enterprise-size costs > free, reasonable, outrageously expensive)
    • git repo docs-onboarding, new sbom.md file
  2. Testing & Evaluation:

    • Successful deployment and execution of SBOM tools in our Azure DevOps environment.
    • Demos conducted for at least 3 shortlisted SBOM solutions.
  3. Pipeline Templates:

    • Creation of reusable pipeline templates for SBOM generation in Azure DevOps.
    • Inclusion of relevant metadata, such as licenses and CVEs.
    • git repo cicd-pipeline-library, new sub-folder "sbom", move ment-bold.yml into the new folder
  4. Documentation:

    • Step-by-step guide for integrating the selected SBOM tools in Azure DevOps pipelines alongside the CI/CD template
    • Example configurations if possible
  5. Training and Adoption:

    • Team participation in at least one SBOM-related training webinar (e.g., Cybellum Technologies SBOM Webinar) > see whether you can find 2 or 3 webinars that are worthwhile and that we can attend
    • Internal presentation summarizing findings and providing guidance for SBOM adoption > presentation at one of the upcoming XWare GLs, in the Know How section at the start
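As an added illustration of what the reusable pipeline template from criterion 3 could look like (this is example code written for this page, not the existing ment-bold.yml or any file from the cicd-pipeline-library repo): an Azure DevOps step template that generates an SBOM with Syft, gates the build on known CVEs with Grype (Syft's companion scanner, an assumed choice not listed above), and publishes the SBOM as a pipeline artifact. The file path, the parameter names (`sourcePath`, `sbomFormat`, `failOnSeverity`) and the artifact name `sbom` are assumptions; the Syft/Grype command-line options and the Azure predefined variables are the tools' real ones.

```yaml
# cicd-pipeline-library/sbom/sbom-generate.yml   (assumed path, example only)
# Reusable step template: generate an SBOM, check it for known CVEs, publish it.
parameters:
  - name: sourcePath          # directory to describe; assumed parameter name
    type: string
    default: '$(Build.SourcesDirectory)'
  - name: sbomFormat          # Syft output format: spdx-json or cyclonedx-json
    type: string
    default: 'cyclonedx-json'
  - name: failOnSeverity      # Grype threshold: negligible|low|medium|high|critical
    type: string
    default: 'high'

steps:
  - script: |
      set -euo pipefail
      # Official Anchore install scripts; pin a release version in production
      # instead of taking whatever "main" currently points at.
      curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
        | sh -s -- -b "$(Agent.ToolsDirectory)"
      curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \
        | sh -s -- -b "$(Agent.ToolsDirectory)"
    displayName: 'Install Syft and Grype'

  - script: |
      set -euo pipefail
      mkdir -p "$(Build.ArtifactStagingDirectory)/sbom"
      # Syft records every detected package with its declared licence, which is
      # the licence metadata criterion 3 asks for.
      "$(Agent.ToolsDirectory)/syft" scan "dir:${{ parameters.sourcePath }}" \
        -o "${{ parameters.sbomFormat }}=$(Build.ArtifactStagingDirectory)/sbom/sbom.json"
    displayName: 'Generate SBOM'

  - script: |
      set -euo pipefail
      # Grype matches the SBOM (not the source tree again) against its vulnerability
      # database; --fail-on turns the CVE list into a gate instead of a report.
      "$(Agent.ToolsDirectory)/grype" "sbom:$(Build.ArtifactStagingDirectory)/sbom/sbom.json" \
        -o table --fail-on "${{ parameters.failOnSeverity }}"
    displayName: 'Check SBOM for known CVEs'

  - task: PublishPipelineArtifact@1
    displayName: 'Publish SBOM'
    condition: succeededOrFailed()   # keep the SBOM even when the CVE gate fails
    inputs:
      targetPath: '$(Build.ArtifactStagingDirectory)/sbom'
      artifact: 'sbom'                # assumed artifact name
```

A consuming pipeline would declare cicd-pipeline-library as a `repositories` resource and include the file with `- template: sbom/sbom-generate.yml@<alias>`, overriding `failOnSeverity` per project. Publishing the artifact with `succeededOrFailed()` is deliberate: the SBOM is the evidence customers ask for, so it should exist even on the builds that the CVE gate rejects.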

## Market Overview

Most used list: https://spdx.dev/use/spdx-tools/

| Name and Link | Key Features | Licenses | Approx Costs |
|---|---|---|---|
| Microsoft's SBOM Tool | tbd | MIT | Open Source |
| Syft | tbd | Apache-2.0 | Open Source |
| ScanCode toolkit | tbd | Apache-2.0 | Open Source |
| SCANOSS | tbd | Proprietary | Free, 35K per Year, Custom |
| Vigilant Ops | tbd | Proprietary | Unknown |