<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>SBOMit</title>
    <link>https://deploy-preview-14--sbomit.netlify.app/</link>
    <description>Recent content on SBOMit</description>
    <generator>Hugo -- gohugo.io</generator><atom:link href="https://deploy-preview-14--sbomit.netlify.app/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title></title>
      <link>https://deploy-preview-14--sbomit.netlify.app/charter/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      
      <guid>https://deploy-preview-14--sbomit.netlify.app/charter/</guid>
      <description>Technical Charter (the “Charter”) for SBOMit a Series of LF Projects, LLC
Adopted: January 9th, 2024
This Charter sets forth the responsibilities and procedures for technical contribution to, and oversight of, the SBOMit open source project, which has been established as SBOMit a Series of LF Projects, LLC (the “Project”). LF Projects, LLC (“LF Projects”) is a Delaware series limited liability company. All contributors (including committers, maintainers, and other technical positions) and other participants in the Project (collectively, “Collaborators”) must comply with the terms of this Charter.</description>
    </item>
    
    <item>
      <title>About SBOMit</title>
      <link>https://deploy-preview-14--sbomit.netlify.app/about/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      
      <guid>https://deploy-preview-14--sbomit.netlify.app/about/</guid>
      <description>What is SBOMit? SBOMit is an open source tool that generates Enriched SBOMs by combining standard SBOM tooling with build-time attestations captured by Witness, a supply chain security framework built on the in-toto specification.
Where traditional SBOM tools scan software after the fact and guess at its composition, SBOMit observes the build as it happens — recording exactly what was downloaded, compiled, and linked — then uses that data to produce a complete, verifiable software component inventory.</description>
    </item>
    
    <item>
      <title>FAQ</title>
      <link>https://deploy-preview-14--sbomit.netlify.app/faq/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      
      <guid>https://deploy-preview-14--sbomit.netlify.app/faq/</guid>
      <description>Why do we need Accurate SBOMs? When Log4Shell (CVE-2021-44228) hit in December 2021, the number of exposed systems exploded from 40,000 to 830,000 in under 72 hours. Log4j was buried as a transitive dependency, and most teams had no way to know whether they were running it and where. Incident response turned into an organization-wide mining project.
Affected systems in the 72 hours following the Log4Shell outbreak.
Log4Shell made the case for SBOMs clearly: if you had a complete, accurate inventory of every component in your software, you could answer “are we affected?</description>
    </item>
    
    <item>
      <title>Getting Started</title>
      <link>https://deploy-preview-14--sbomit.netlify.app/getting-started/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      
      <guid>https://deploy-preview-14--sbomit.netlify.app/getting-started/</guid>
      <description>This guide walks through setting up Witness to instrument your build, then using SBOMit to generate an enriched SBOM from the resulting attestation.
Prerequisites: Go 1.19 or later, openssl, jq, base64 (part of GNU coreutils)
Part 1: Witness
Witness wraps your build process and records signed attestations, a cryptographic audit trail.
1. Install Witness
bash &amp;lt;(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)
Or download a binary from the Witness releases page.
2. Create a signing keypair
Witness signs each attestation with a private key.</description>
    </item>
    
  </channel>
</rss>
