Relations (1)
cross_type 0.40 — supporting 4 facts
GitHub serves as a platform for hosting SBOM-related tools and research, such as the 'endorlabs/sbom-lab' repository [1], the Technolinator GitHub App [2], and academic mining studies on SBOM adoption [3]. Additionally, GitHub provides infrastructure for security attestations integrated into SBOM platforms like Sbomify [4].
Facts (4)
Sources
bureado/awesome-software-supply-chain-security - GitHub github.com 3 facts
reference: Endor Labs provides a reproducible script at the GitHub repository 'endorlabs/sbom-lab' that allows users to quickly measure the accuracy of Software Bill of Materials (SBOMs) for free.
reference: Technolinator is a GitHub App developed by MediaMarktSaturn that performs pull-request vulnerability analysis and creates and uploads Software Bill of Materials (SBOM) to Dependency-Track by wrapping CDXGen, SBOMQS, and dep-scan/Grype.
claim: Sbomify is an SBOM platform that supports attestation verification using Sigstore and GitHub attestations, SPDX 2.3 export, product lifecycle management, and compliance tracking.
A Mixed-Methods Study of Open-Source Software Maintainers On ... arxiv.org 1 fact
reference: Sabato Nocera, Simone Romano, Massimiliano Di Penta, Rita Francese, and Giuseppe Scanniello performed a mining study on GitHub to analyze the adoption of Software Bill of Materials (SBOM), published in the 2023 IEEE International Conference on Software Maintenance and Evolution (ICSME).