- I’ve looked into SWID and SPDX and neither in their current state is robust enough to be used for software security. So ended up writing #CycloneDX because nothing else existed. Support for #PackageURL is crucial in identifying a component's ecosystem though. #SBoM #NTIA
- An @OWASP wiki article on #ComponentAnalysis was just published. https://www.owasp.org/index.php/Component_Analysis Identify and reduce software supply chain risk - this goes well beyond vulnerable components. #owasp #appsec #sca #sbom #packageurl #cyclonedx #spdx #swid #nvd #cscrm #supplychain #devsecops
- The security team from @Ozon_ru has created a CLI client called “dtrack-audit”. It works similarly to “npm audit” but, like Dependency-Track itself, is ecosystem agnostic. Use with #CycloneDX to identify vulns at build. https://github.com/ozonru/dtrack-audit #opensource #sbom #appsec #owasp pic.twitter.com/T3xOfkd4rY
- We’re expanding our integration with #VulnDB in v3.6 to include support for analyzing #CycloneDX #SBOM using VulnDB as the source of vulnerability intelligence. Congrats to @RiskBased for consistently identifying thousands of vulnerabilities not included in the NVD. https://twitter.com/RiskBased/status/1166049984921387009
- I just published an artifact to #Maven Central containing a #CycloneDX Software Bill-of-Material. This is likely the first artifact on Central to have an #SBOM released simultaneously with the artifact it describes. Calling others to join. https://repo.maven.apache.org/maven2/us/springett/alpine/1.7.1/ #java #owasp https://twitter.com/CycloneDX_Spec/status/1214999597153693703
- It took a bit of trial and error, but I ended up creating a project that produces a large number of dependencies and I’m successfully creating a #CycloneDX #SBOM from them. https://gist.github.com/stevespringett/4d3c39aceb48d9487f644c85845dfe6c cc: @HttpSecHeaders
- I’m working on a #CycloneDX schema extension that would provide the ability to document external services in an #SBOM. This is a capability I’ve needed for a long time. Anyone interested in this concept is invited to provide feedback and guidance. https://github.com/CycloneDX/specification/issues/22
- Listen to @allanfriedman talk about the importance of Software Bill-of-Materials (and Twinkies). Then discover how CycloneDX, an open-source SBOM format, can help. https://cyclonedx.org/ #SoftwareSupplyChain #SBOM #opensource #CycloneDX https://twitter.com/securityweekly/status/1204119647890673664
- Video: #FLOSSWeekly on #CycloneDX, First Impressions and Overview of #Manjaro MATE http://www.tuxmachines.org/node/123435 #gnu #linux
- A user's experience generating and consuming Software Bill of Materials for continuous component analysis. #sbom #CycloneDX #appsec https://poshtools.com/2019/02/01/producing-and-auditing-a-bill-of-materials-for-software-products/
- I’m looking for individuals to interview on their respective organizations' use of #SBOM (#SPDX, #CycloneDX, others). What do you use them for, how do you wish they were better, etc. Interview may be done by me or someone else in the #NTIA working group. DM or reply if interested.
- Jenkins plugin v2.0 released! This is a major milestone and has the ability to upload #CycloneDX or #SPDX BoMs and get actionable vulnerability intelligence directly in Jenkins. Requires Dependency-Track v3.3.1 (also released today). #OWASP #SBOM #AppSec https://docs.dependencytrack.org/integrations/jenkins/ pic.twitter.com/XYNVXPK9PE
- Indeed. Dependency-Track supports the ingestion of #CycloneDX as well as #SPDX. This is emerging as the new best practice. Create a BOM from your build (or request from your vendors) and import into Dependency-Track for ongoing analysis of known vulns and out-of-date components. https://twitter.com/CycloneDX_Spec/status/1060987230725070848
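The workflow that the dtrack-audit post and the post above describe (generate a BOM whose components carry Package URLs, then check each component against vulnerability intelligence and fail the build on a hit) can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not code from the CycloneDX project, Dependency-Track or dtrack-audit. It assumes the CycloneDX JSON 1.4 field names (bomFormat, specVersion, components, purl, group) and the Package URL grammar pkg:type/namespace/name@version, and it substitutes a small constructed feed for the NVD or VulnDB; the feed entries, vulnerability ids and the @example/widget and examplelib packages are placeholders.

```python
"""Build a CycloneDX JSON BOM keyed by Package URLs and audit it.

Added example, not code from the CycloneDX project, Dependency-Track or
dtrack-audit. Assumes CycloneDX JSON 1.4 field names and the purl grammar
pkg:type/namespace/name@version. The vulnerability feed is constructed.
"""
import json
from urllib.parse import quote, unquote

BOM_FORMAT = "CycloneDX"
SPEC_VERSION = "1.4"  # assumption: CycloneDX JSON 1.4


def make_purl(ptype, name, version, namespace=None):
    """Build a Package URL. The type is lowercased; namespace segments, name and
    version are percent-encoded so an '@' inside an npm scope cannot be
    mistaken for the version separator."""
    parts = ["pkg:" + ptype.lower()]
    if namespace:
        parts.append("/".join(quote(s, safe="") for s in namespace.strip("/").split("/") if s))
    parts.append(quote(name, safe=""))
    purl = "/".join(parts)
    if version:
        purl += "@" + quote(version, safe="")
    return purl


def parse_purl(purl):
    """Split a purl into type, namespace, name and version. Qualifiers ('?') and
    subpath ('#') are dropped because the audit matches on coordinates only."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL: %r" % purl)
    body = purl[len("pkg:"):].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    head, slash, last = body.rpartition("/")
    if not slash:
        raise ValueError("purl needs at least a type and a name: %r" % purl)
    ptype, _, namespace = head.partition("/")
    name, _, version = last.partition("@")  # version lives in the last segment
    return {
        "type": ptype.lower(),
        "namespace": "/".join(unquote(s) for s in namespace.split("/")) if namespace else None,
        "name": unquote(name),
        "version": unquote(version) or None,
    }


def coordinates(purl):
    """Version-less key (type, namespace, name) used to look a component up."""
    p = parse_purl(purl)
    return (p["type"], p["namespace"], p["name"])


def build_bom(components, serial_number="urn:uuid:00000000-0000-0000-0000-000000000001"):
    """Assemble a CycloneDX document; every component gets a purl so that any
    consumer can identify its ecosystem without guessing from the name."""
    entries = []
    for c in components:
        entry = {"type": "library", "name": c["name"], "version": c["version"],
                 "purl": make_purl(c["type"], c["name"], c["version"], c.get("namespace"))}
        if c.get("namespace"):
            entry["group"] = c["namespace"]
        entries.append(entry)
    return {"bomFormat": BOM_FORMAT, "specVersion": SPEC_VERSION,
            "serialNumber": serial_number,  # constructed placeholder; real tools use a fresh UUID
            "version": 1, "components": entries}


def audit_bom(bom, feed):
    """Match each component purl against the feed, one finding per
    (component, vulnerability) pair. Components without a purl are skipped:
    with no ecosystem identity they cannot be matched reliably."""
    index = {}
    for entry in feed:
        index.setdefault(coordinates(entry["affects"]), []).append(entry)
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        version = parse_purl(purl)["version"]
        for entry in index.get(coordinates(purl), []):
            if version in entry["versions"]:
                findings.append({"purl": purl, "id": entry["id"], "severity": entry["severity"]})
    return findings


def exit_code(findings, fail_on=("critical", "high")):
    """npm-audit style verdict: non-zero when any finding meets the threshold."""
    return 1 if any(f["severity"] in fail_on for f in findings) else 0


SAMPLE_COMPONENTS = [  # constructed build output; alpine 1.7.1 is the Central artifact named above
    {"type": "maven", "namespace": "us.springett", "name": "alpine", "version": "1.7.1"},
    {"type": "npm", "namespace": "@example", "name": "widget", "version": "1.2.3"},
    {"type": "pypi", "name": "examplelib", "version": "2.22.0"},
]

SAMPLE_FEED = [  # constructed; ids and packages are placeholders, not real advisories
    {"id": "EXAMPLE-2020-0001", "affects": "pkg:npm/%40example/widget", "versions": ["1.2.3"], "severity": "high"},
    {"id": "EXAMPLE-2020-0002", "affects": "pkg:pypi/examplelib", "versions": ["2.19.0"], "severity": "critical"},
]

if __name__ == "__main__":
    bom = build_bom(SAMPLE_COMPONENTS)
    print(json.dumps(bom, indent=2))
    found = audit_bom(bom, SAMPLE_FEED)
    for f in found:
        print("%s: %s (%s)" % (f["id"], f["purl"], f["severity"]))
    raise SystemExit(exit_code(found))
```

Run as a script it prints the BOM, lists the one matching finding and exits 1, which is the behaviour a build step wants. The matching is deliberately on exact versions from the feed; a real service such as Dependency-Track also evaluates version ranges and CPE-based matches, which this example does not attempt.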
- The #CycloneDX project is looking for volunteers to assist with the creation of native build plugins, specifically #RubyGems, #NuGET, and #PyPI. https://cyclonedx.org/ Spec is easy to understand so impl should not be difficult. #opensource #bom #SBoM #appsec #sca pic.twitter.com/TqyZKv5T2N
- #CycloneDX adopters rejoice. You’re already positioned to take advantage of this integration on launch day. Simply use the Node.js or Maven plugin to automatically generate a #bom and import into Dependency-Track. #PackageURL #sbom https://twitter.com/DependencyTrack/status/1022588265713623041
- tx worth checking into #CycloneDX. Roadmap for SPDX suggests room for hope. https://events.static.linuxfound.org/sites/events/files/Introduction%20to%20SPDX-without%20graphics.pdf #SBoM pic.twitter.com/hReSJ4hLP1
- The #CycloneDX #Maven plugin creates an aggregate of all dependencies and transitive dependencies of a project and creates a valid CycloneDX bill-of-material document from the results. http://bit.ly/2JwnXxF
- We now support the ingestion of #CycloneDX and #SPDX bill-of-material formats. Track all dependencies in first-party and COTS applications for vulnerabilities across an enterprise portfolio.