Comment by zingar

Comment by zingar 10 hours ago

10 replies

View on Hacker News

In hearing the SBOM term for the first time from that article and the linked Wikipedia page. For the ignorant like me: what is it that SBOM is used for that lockfiles aren’t? Everything in the article is something that I’m used to seeing automated scanners using lockfiles for.

Is it just that the two are used by different communities? What is the SBOM community?

zvr 4 hours ago

Think of the SBOM as a "table of contents" for the software you are receiving. Another metaphors that has been used is the "nutrition label" that you get in all packaged food.

So, it's a list of the "software components" that are inside a piece of software. And then you add metadata about each of these components: what's its name? its version? its hash? Up to now we're in lockfile territory.

But you want more information: what is the license? who supplied it? what is the security status? does it have known CVEs? are they relevant?

And then you go to special cases, like "AI" software: oh, it's a model? how was it trained? on which data? Or like software that has to be certified, to be used when safety is important.

An SBOM is capable of providing all this information. Take a look at the different parts that SPDX provides, and it's an ever expanding area.

Reply View 0 replies
edoceo 10 hours ago

In many cases the lock files are for one part of the stack. Like npm and composer and $other_lang thing. sBOM is when all are together and version-pinned. (I've over simplified).

Edit: for my domain we have Alpine, Debian, PHP, JS, Go in the stack. So our BOM has all that (and dependencies). It's a big list. Some is just necessary base (Alpine, Debian) but some are core stack and other are edge (dependency on python lib when we're mostly Rust (or something)).

Mirror/Vendor all these things for supply-chain integrity (it's what they tell me)

Reply View 0 replies
Khaine 7 hours ago

SBOMs are a solution intended to help solve a couple of problems:

1) help identify and remediate software that has been built with vulnerable packages (think log4j).

2) help protect against supply chain compromise as the SBOM contains hashes that allow packages to be verified

Reply View 3 replies
  • ozim 6 hours ago

    You forgot about the important one SBOMs are created with thought about sharing them with third parties like your customers - lock files not.

    Reply View 1 reply
    • Khaine 2 hours ago

      Thats an important point. You can't tell if the software you use is vulnerable to something like log4j without the vendor telling you, or doing lots of manual investigation.

      SBOMs are supposed to help with software composition analysis. Basically, you as an enterprise have an inventory of what software you use, and their SBOMs (i.e. dependencies). I can then use this to automatically check which software is impacted by severe vulnerabilities when they are announced.

      Reply View 0 replies
Tomte 6 hours ago

Software licensing information is the big use case where SPDX originated from.

In CycloneDX you can also express things like attestations/certifications, possibly down to the code review level (although I think nobody does that).

Reply View 0 replies
LoganDark 10 hours ago

> what is it that SBOM is used for that lockfiles aren’t?

Compliance. The article mentions "the EU’s Cyber Resilience Act will push vendors toward providing SBOMs", and having package managers generate SBOMs directly would certainly be convenient for that.

Reply View 1 reply
  • jlubawy 8 hours ago

    The FDA also requires SBOMs as of a few years ago for medical device software.

    Reply View 0 replies
[removed] 10 hours ago
[deleted]
Reply View 0 replies