>From what I’ve observed, build SBOM’s are becoming increasingly popular and >are being incorporated into some of the build tools themselves (e.g. NPM).
For some time, source code scans was the only option since they were being built by 3rd parties after the code was originally built as the tools were not as available for generating SBOMs at build time. Regards, Gary From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Vishal Goyal via lists.spdx.org Sent: Friday, August 9, 2024 9:19 AM To: Nisha Kumar <ni...@ctlfsh.tech>; Spdx-tech@lists.spdx.org Subject: Re: [spdx-tech] Validating Build SBOM in SPDX Format #spdx Thanks Nisha for the response. I have been digging deeper and have realized the same. A follow-up question – do we see many customers generate and maintain a build SBOM or the source code scan SBOM is the most commonly used one ? CISA talks about 6 SBOM types and to me build SBOM and run time SBOMs look very relevant. But I have not seen these 2 being used too often. Regards, Vishal. From: Nisha Kumar <ni...@ctlfsh.tech <mailto:ni...@ctlfsh.tech> > Sent: Friday, August 9, 2024 7:40 PM To: Vishal Goyal <vishal_go...@persistent.com <mailto:vishal_go...@persistent.com> >; Spdx-tech@lists.spdx.org <mailto:Spdx-tech@lists.spdx.org> Subject: Re: [spdx-tech] Validating Build SBOM in SPDX Format #spdx Caution: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Hi Vishal, Most probably the difference comes from transitive dependencies pulled in during the build. Your pom.xml doesn't include those. nisha On 8/5/24 09:08, Vishal Goyal via lists.spdx.org wrote: All, I am looking for some help and guidance from experts on how to validate build SBOMs and check for any false positives. I have used this maven plugin to generate SPDX format build SBOM for an open source Java project (https://github.com/wmichalska/CreditManager) github.com/spdx/spdx-maven-plugin <https://github.com/spdx/spdx-maven-plugin> The build SBOM has around 120 lines. For the same codebase, i generated SBOM by doing source code scan - this has 10 lines. Can someone please advise how to validate the build SBOM ? Thanks, Vishal. DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#5696): https://lists.spdx.org/g/Spdx-tech/message/5696 Mute This Topic: https://lists.spdx.org/mt/107734884/21656 Mute #spdx:https://lists.spdx.org/g/Spdx-tech/mutehashtag/spdx Group Owner: spdx-tech+ow...@lists.spdx.org Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
