This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.
Supply Chain Security
Introduction
Software supply chain attacks target the processes and tools used to build, package, and distribute software. High-profile incidents like SolarWinds and Codecov demonstrated that compromising a single trusted vendor can cascade into thousands of downstream victims. Defending the supply chain requires verifiable integrity, provenance, and policy enforcement at every stage.
Software Bill of Materials (SBOM)
An SBOM is a machine-readable inventory of all components in a software artifact. It enables consumers to quickly identify exposure when a vulnerability is disclosed.
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "component": {
      "name": "my-application",
      "version": "1.2.3",
      "type": "application",
      "supplier": {
        "name": "ACME Corp"
      }
    }
  },
  "components": [
    {
      "type": "library",
      "name": "lodash",
      "version": "4.17.21",
      "purl": "pkg:npm/lodash@4.17.21",
      "licenses": [{"license": {"id": "MIT"}}]
    },
    {
      "type": "library",
      "name": "express",
      "version": "4.18.2",
      "purl": "pkg:npm/express@4.18.2"
    }
  ],
  "vulnerabilities": []
}
# Generate an SPDX SBOM with syft (here from a container image; use dir:./myapp for a source tree)
syft myapp:latest -o spdx-json > sbom.spdx.json

# Generate a CycloneDX SBOM
cyclonedx-bom -o bom.xml -t file

# Compare two SBOMs for change detection (bash process substitution; components keyed by purl)
diff <(jq '.components[].purl' bom-v1.json | sort) \
     <(jq '.components[].purl' bom-v2.json | sort)
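The two uses of an SBOM described above, exposure lookup when an advisory is published and change detection between builds, worked through in Python as an added example (not code from the article or from any SBOM tool). The SBOMs are constructed inline: v1 carries the article's two components, v2 is an assumed later build, and the advisory id and version range are hypothetical.

```python
# Added example: parse CycloneDX JSON SBOMs, diff them by package URL, and check
# components against an advisory feed using OSV-style half-open [introduced, fixed) ranges.
import re

# Constructed sample SBOMs. V1 = the article's components; V2 = an assumed later build.
SBOM_V1 = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
]}
SBOM_V2 = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "express", "version": "4.19.2", "purl": "pkg:npm/express@4.19.2"},
    {"type": "library", "name": "qs", "version": "6.11.0", "purl": "pkg:npm/qs@6.11.0"},
]}
# Constructed advisory: hypothetical id and range, not a real vulnerability record.
ADVISORIES = [{"id": "EXAMPLE-ADV-0001", "purl": "pkg:npm/express",
               "introduced": "4.0.0", "fixed": "4.19.0"}]

def parse_version(v):
    """Dotted version -> tuple of ints for ordering; a segment with no leading digits counts as 0."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", seg)) else 0 for seg in v.split("."))

def split_purl(purl):
    """'pkg:npm/express@4.18.2?arch=x64' -> ('pkg:npm/express', '4.18.2').
    Qualifiers (?) and subpath (#) are dropped; '@' inside a namespace is %40 per the purl spec."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    base, sep, version = core.rpartition("@")
    return (base, version) if sep else (core, "")

def components_by_purl(sbom):
    """Map versionless purl -> version for every component that carries a purl."""
    out = {}
    for comp in sbom.get("components", []):
        if "purl" in comp:
            base, version = split_purl(comp["purl"])
            out[base] = version
    return out

def diff_sboms(old, new):
    """Added, removed and version-changed packages between two SBOMs."""
    a, b = components_by_purl(old), components_by_purl(new)
    return {"added": sorted(set(b) - set(a)), "removed": sorted(set(a) - set(b)),
            "changed": {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}}

def find_exposure(sbom, advisories):
    """Return [(purl, advisory id)] for every component whose version falls in an affected range."""
    hits = []
    for base, version in components_by_purl(sbom).items():
        v = parse_version(version)
        for adv in advisories:
            if adv["purl"] == base and parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((f"{base}@{version}", adv["id"]))
    return hits
```

Run against real data, feed `find_exposure` the SBOM produced by syft or cyclonedx-bom and an advisory list converted from OSV or your vendor feed; the same diff logic replaces the `jq`/`diff` one-liner with a structured report.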