Thank you, especially for the links. I've taken a short look at the glossary and the supply-chain documents:
The reading list will take much more time to peruse, however. The link to the mailing list for the CPANSec group does not seem available and active.
Whatever the origins of the Cyber Security Act (CRA) in the EU etc, and other maneuvers elsewhere, the SBOM requirement does seem to have become a potential barrier against free and open source software which the various communities will have to learn to navigate, probably as communities rather than as individuals since the specification seems complicated for now.
I've taken a quick look at Ovid's parser for version 1.5 of the CycloneDX SBOM specification which you linked to above, and at the CPAN Security Group page also linked above. (Both of those are, strangely, still using GitHub in 2024.)
What means are there to generate an SBOM for a Perl module currently? To that end, what example SBOM files are available to test against Ovid's CycloneDX SBOM reader? Based on reading valid.t there and on CycloneDX/bom-examples (very strangely still on GitHub in 2024), I can kind of guess about writing an SBOM by hand.
In reply to Re^2: Software Bill of Materials (SBOM) in Perl and CPAN
by mldvx4
in thread Software Bill of Materials (SBOM) in Perl and CPAN
by mldvx4
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |