Are SBOMs Any Good? Preliminary Measurement of the Quality of Open Source Project SBOMs

https://www.chainguard.dev/unchained/are-sboms-any-good-preliminary-measurement-of-the-quality-of-open-source-project-sboms


@ktrychon my thoughts as an average hobby dev (at least that is one hat), is there anything actionable that I can derive from the dependencies of my projects having SBOMs? I somewhat doubt that IRL.
@simon Interesting question... the main use of SBOMs is/will be for vuln management (discovery) so SBOMs can be fed to downstream tools like Grype to give information on known CVEs. As SBOMs become more common we expect to see more and more useful downstream tools, another example is the OSV scanner Google launched last week https://github.com/google/osv-scanner#input-an-sbom

@ktrychon @simon Agreed, the value in using SBOMs for open source projects is in improving the certainty of the projects' security, since it means feeding better data to vulnerability detection tools.

To answer the question myself, as a hobbyist dev (working outside of a company), when I try to improve the security of my projects, it tends to be for moral reasons — I don't want to enable malicious people doing bad things when my code gets used by others

@luhring @ktrychon I, naturally, run everything I write through static code checkers, any library that I publish has its dependencies checked for vulnerabilities. The only use case for myself, as I don't have to tick off any compliance checkboxes, of a SBOM would be as an input to a service that continuously checks for new vulns and produces alerts.
@luhring @ktrychon But all of that could just as well run off whatever build system the dev in question is running.
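The two use cases raised in the thread above (feeding an SBOM to a vulnerability matcher such as Grype or osv-scanner, and running that match continuously to raise alerts) reduce to one operation: map each SBOM component to a package identity and compare its version against an advisory feed's affected ranges. The example below is added here to illustrate that matching step; it is not code from the blog post, from Chainguard, from Grype or from osv-scanner. The SBOM, the package names and the advisory identifiers are all constructed for the example, the advisory records follow the OSV JSON shape (`affected[].package` plus `ranges[].events` with `introduced`/`fixed`), and the version comparison is a simple dotted-numeric one rather than a full semver or ecosystem-specific implementation. It also shows why the quality question in the page title matters to these tools: a component that carries no purl or version cannot be matched at all and is reported as such instead of silently producing no finding.

```python
"""Match a CycloneDX SBOM against an OSV-style advisory feed, fully offline."""
import json
import re

# Constructed minimal CycloneDX 1.4 SBOM; none of these packages are real.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.2.3",
     "purl": "pkg:pypi/example-lib@1.2.3"},
    {"type": "library", "name": "other-lib", "version": "4.0.1",
     "purl": "pkg:pypi/other-lib@4.0.1"},
    {"type": "library", "name": "unversioned-lib"}
  ]
}
"""

# Constructed OSV-shaped advisories with hypothetical IDs (not real CVEs/GHSAs).
# "introduced": "0" is the OSV convention for "affected from the first release".
OSV_FEED = [
    {"id": "EXAMPLE-2023-0001", "summary": "hypothetical deserialization bug",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "example-lib"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "1.0.0"},
                                          {"fixed": "1.2.4"}]}]}]},
    {"id": "EXAMPLE-2023-0002", "summary": "hypothetical path traversal",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "other-lib"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"},
                                          {"fixed": "4.0.0"}]}]}]},
]

# Mapping from purl type to the ecosystem name used in the OSV feed (partial).
PURL_ECOSYSTEMS = {"pypi": "PyPI", "npm": "npm", "golang": "Go", "cargo": "crates.io"}


def parse_version(text):
    """Dotted-numeric versions only; enough for the constructed data here."""
    return tuple(int(p) for p in re.findall(r"\d+", text)) or (0,)


def parse_purl(purl):
    """Split pkg:<type>/[<namespace>/]<name>@<version>[?qualifiers][#subpath].

    Returns (ecosystem, name, version) or None when the purl is missing or
    has no version, which is exactly the case a matcher cannot act on.
    """
    m = re.fullmatch(r"pkg:([^/]+)/(?:[^/]+/)*([^/@]+)@([^?#]+)(?:[?#].*)?", purl)
    if not m:
        return None
    ptype, name, version = m.groups()
    return PURL_ECOSYSTEMS.get(ptype, ptype), name, version


def is_affected(version, ranges):
    """Walk each range's ordered introduced/fixed events and report whether
    `version` falls inside an affected interval."""
    v = parse_version(version)
    for rng in ranges:
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need commit history; out of scope here
        affected = False
        for ev in rng.get("events", []):
            if "introduced" in ev and v >= parse_version(ev["introduced"]):
                affected = True
            elif "fixed" in ev and v >= parse_version(ev["fixed"]):
                affected = False
        if affected:
            return True
    return False


def scan(sbom_text, feed):
    """Return alerts for matched advisories and the list of components that
    could not be matched because they lack a usable purl/version."""
    sbom = json.loads(sbom_text)
    alerts, unmatchable = [], []
    for comp in sbom.get("components", []):
        parsed = parse_purl(comp.get("purl", ""))
        if parsed is None:
            unmatchable.append(comp.get("name", "<unnamed>"))
            continue
        ecosystem, name, version = parsed
        for adv in feed:
            for aff in adv.get("affected", []):
                pkg = aff.get("package", {})
                if (pkg.get("ecosystem") == ecosystem and pkg.get("name") == name
                        and is_affected(version, aff.get("ranges", []))):
                    alerts.append({"purl": comp["purl"], "id": adv["id"],
                                   "summary": adv.get("summary", "")})
    return {"alerts": alerts, "unmatchable": unmatchable}


if __name__ == "__main__":
    print(json.dumps(scan(SBOM_JSON, OSV_FEED), indent=2))
```

Run as a script it reports one alert (example-lib 1.2.3 sits inside [1.0.0, 1.2.4)), no alert for other-lib (4.0.1 is past the 4.0.0 fix), and lists unversioned-lib as unmatchable. A continuous-alerting setup is the same call repeated against a freshly fetched feed; what changes between runs is the feed, not the SBOM, which is why an SBOM that records versions and purls accurately is the precondition for the whole approach.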