Software Composition

Evolving vulnerabilities in CycloneDX

February 7, 2021
5:00 PM – 5:15 PM

D.composition

Gareth Rushgrove

CycloneDX is a software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis. It's developed in the open and widely implemented in open source tooling. As well as quick introduction to CycloneDX, this talk will look in particular at the vulnerability extension. Modelling vulnerabilities in software is surprisingly complex. In this talk we'll look at some of the current issues in the CycloneDX vulnerability extension, summarise some of the ongoing discussions in this area, and get people's input on proposals for improvements.

No prior knowledge of CycloneDX will be required for this session. The basics of the specification are simple enough for folks interested in Software Composition Analysis to grok quickly. The main aim of the session is to raise awareness of the open specification and the process around it, and get more eyes on future improvements. The audience should come away with some insight into why CycloneDX is useful, why open standards are important and how to get involved in the project.

Additional information

Type	devroom

More sessions

2/7/21	Software Composition Analysis Devroom Welcome Software Composition D.composition Welcome to the Software Composition Analysis Devroom
2/7/21	OSS Review Toolkit - project update Software Composition Thomas Steenbergen D.composition In this session we will provide an update on OSS Review Toolkit (ORT) - which features have been recently added and what they ORT team is currently working on.
2/7/21	ScanCode projects update Software Composition Philippe Ombredanne D.composition This is a presentation of the latest features and updates in ScanCode toolkit and its companion projects.
2/7/21	FOSSology SCA integration Software Composition D.composition FOSSology focusses on license compliance analyses. Recently, a number of new features have been published by the community to integrate better with software composition analysis. The presentation shows an introduction of the main and relevant development here.
2/7/21	SCANOSS: Democratising Open Source Risk Management Software Composition Alan Facey D.composition Software Composition Analysis (SCA) tools perform source-code analysis, comparison and identification of Open Source components. Sadly, none of the SCA vendors have embraced Open Source themselves, most of their tooling consists of proprietary code and their OSS Knowledge Bases are also closed.
2/7/21	Tern and the State of Cloud Native Compliance Software Composition Rose Judge D.composition Container and VM images contain many packages and are quite a challenge for composition analysis.
2/7/21	OSS Projects Update - Concluding Q&A Software Composition D.composition The very short time is some placeholder between presentation groups to have questions being asked and answered or just simple to have a break.

FOSDEM 2021

2/6/21 – 2/7/21

Event

Hackerkonferenzen

Created by @CCC 50 Follower

Event Calendar