Description
As SBoMs become more and more important for regulatory compliance and supply chain security, there is a noticeable shift to include more build time information in them [1, 2]. In addition to the supply chain security goals, there is also an increasing desire to use build time information to help thin out the flood of vulnerability information by discarding vulnerabilities that do not match the compiled source code, or even the features configured at build time [3].
As these goals become more prevalent, solutions that provide accurate and holistic information about the build time software supply chain will become increasingly relevant. While there are a few current methods of doing this [4], and a number of more recent attempts at supplying this information [5, 6], they currently tend to be highly specific to a given build system or toolchain, or to lack appropriate context. As such, there is an opportunity to collaborate on solutions at the build system level.
The goal of this discussion is to briefly review the current solutions for providing build time SBoM information, and then discuss possible options for improving the information that can be made available, in ways that can benefit multiple ecosystems.
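To make the filtering idea from the abstract concrete, here is an added example (not code from the talk or from any project it references) of triaging a vulnerability feed against build time metadata recorded alongside an SBoM component. It assumes a simplified, constructed component record that lists the source files actually compiled and the configure-time features enabled, and a constructed advisory list in which each entry names the source files and feature flags it depends on; real SBoM formats and advisory feeds carry this information differently, and all field names and identifiers here are hypothetical. Advisories that carry no build time constraints are conservatively kept as applicable.

```python
"""Build-time-aware vulnerability triage (added example, not from the talk).

Field names, component names and advisory IDs are constructed for
illustration; real SBoM and advisory schemas differ.
"""
from dataclasses import dataclass, field


@dataclass
class Component:
    """One SBoM component enriched with build time metadata (hypothetical fields)."""
    name: str
    version: str
    compiled_sources: set = field(default_factory=set)   # files that went into the binary
    enabled_features: set = field(default_factory=set)   # configure-time options turned on


@dataclass
class Vulnerability:
    """One advisory with the build time conditions under which it applies (hypothetical fields)."""
    id: str
    component: str
    affected_sources: set = field(default_factory=set)   # vulnerable code lives in these files
    required_features: set = field(default_factory=set)  # only reachable when these are enabled


def assess(vuln: Vulnerability, component: Component) -> tuple[bool, str]:
    """Decide whether an advisory applies to this specific build.

    Returns (applicable, reason). Missing constraints never exclude an
    advisory: only positive build time evidence can rule one out.
    """
    if vuln.component != component.name:
        return False, "advisory is for a different component"
    if vuln.affected_sources and not (vuln.affected_sources & component.compiled_sources):
        return False, "affected source files were not compiled into this build"
    if vuln.required_features and not (vuln.required_features <= component.enabled_features):
        missing = sorted(vuln.required_features - component.enabled_features)
        return False, "required build feature(s) not enabled: " + ", ".join(missing)
    return True, "build time metadata does not exclude this advisory"


def triage(vulns: list, component: Component) -> tuple[list, list]:
    """Split advisories into (applicable, excluded) lists of (id, reason)."""
    applicable, excluded = [], []
    for v in vulns:
        ok, reason = assess(v, component)
        (applicable if ok else excluded).append((v.id, reason))
    return applicable, excluded


# Constructed sample data: a library built without its legacy compat code
# and without HTTP/2 support.
SAMPLE_COMPONENT = Component(
    name="libfoo",
    version="1.2.3",
    compiled_sources={"src/core.c", "src/parser.c", "src/tls.c"},
    enabled_features={"tls"},
)

SAMPLE_VULNS = [
    Vulnerability("EXAMPLE-0001", "libfoo", affected_sources={"src/parser.c"}),
    Vulnerability("EXAMPLE-0002", "libfoo", affected_sources={"src/compat/legacy.c"}),
    Vulnerability("EXAMPLE-0003", "libfoo", required_features={"http2"}),
    Vulnerability("EXAMPLE-0004", "libfoo"),  # no build constraints: keep it
]

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_VULNS, SAMPLE_COMPONENT)
    for vid, reason in kept:
        print(f"APPLICABLE {vid}: {reason}")
    for vid, reason in dropped:
        print(f"EXCLUDED   {vid}: {reason}")
```

The design point is the conservative default in `assess`: an advisory is only dropped when the build record positively shows the vulnerable file was never compiled or the required feature was never enabled, which is exactly the information a build system is best placed to emit.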