-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Software Bill of Materials (SBOM) #15604
Comments
Please help, this is required by law actually to generate a BOM with every shipping product.
I don't think this would be practical, but maybe it has to. We should check on MS packages if each package contains a different SBOM, I wouldn't imagine that. Check with aspnet or dotnet extensions packages maybe. |
Why is the tool that you use for NPM packages not working with the packages.json file of |
I completely missed the fact that |
Perhaps what we need here is some documentation on how to create an SBOM for your app, then? It won't be the same for every app, since it depends on your flavor of OC (and your app's own dependencies, of course), so maintaining one for OC doesn't seem too useful. |
Yeah, part of why I raised this issue is because I wasn't sure what the "right" solution was, and that perhaps there is not a one-size-fits-all solution in the first place. I'm not sure what other products are doing in terms of producing and delivering an SBOM. It seems to me like this is still a relatively new topic for the software industry so I don't know if there is a standard practice. For example, is it something that should be produced in the OC build and hosted at https://orchardcore.net/ or https://docs.orchardcore.net/ for consumers to download? Or like you said, maybe just some advice on how to produce the SBOM myself is enough. |
I don't think having a central one for OC would be useful, since it'd both overreport for your app (it'd contain dependencies that your app doesn't use) and underreport (it won't contain custom dependencies that your app includes). This can be useful for enterprises to check a box when selecting a system (which can actually be quite useful for adoption and marketing) but not in practic |
I'll take another look at self-producing the SBOM I need. As you said, it probably means downloading the OC source and running the tool against that. If nothing else I can report back with my findings and the steps I took. |
BTW here is this list too: https://docs.orchardcore.net/en/latest/docs/resources/libraries/ |
You can generate the SBOM for your repo from GitHub too: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository |
I'll preface this by saying I'm by no means an expert on this topic. But SBOM is becoming a hot topic these days in the software world and I'm curious what, if anything, that means for Orchard Core.
Is your feature request related to a problem? Please describe.
My company has been on the receiving end of increased pressure to provide a complete SBOM to our customers. There are various tools to produce an SBOM but one such tool is sbom-tool provided by Microsoft. Using sbom-tool on my code is fairly straightforward and gets me most of the way there, at least as far as .NET packages go. The blind spot I'm struggling with is on the client-side technologies. Many client-side technologies are used by Orchard Core, most prominently in the OrchardCore.Resources module. So take the basic client-side stuff like jQuery and Bootstrap for example. Those probably should be in my SBOM but since the tool is looking for npm files (package.json and package-lock.json) it doesn't have a way to know about those dependencies.
The ultimate goal is this: my customers want to know if a particular security vulnerability affects them. I know that my application uses jQuery, so my customers should be watchful for new jQuery vulnerabilities. But right now, it's hard for me to include jQuery in my SBOM using sbom-tool. jQuery is just one example.
Describe the solution you'd like
I'm specifically trying to produce an SBOM in the SPDX format, which has a way to link other SBOMs. I think that, ideally, I could pull an Orchard Core SBOM from somewhere (also in SPDX) and link it from my SBOM.
One complicating factor for Orchard Core is there might be a need for separate SBOMs per module, since applications may not be pulling in all of Orchard Core.
Describe alternatives you've considered
Reverse engineering a package.json file based on
ResourceManagementOptions
and feeding that into sbom-tool.The text was updated successfully, but these errors were encountered: