Thank you, especially for the links. I've taken a short look at the glossary and the supply-chain documents:

• the CPANSec Glossary of Terms
• the Roles and metadata in open source supply-chains document
• the CPANSec Reading List

The reading list will take much more time to peruse, however. The link to the mailing list for the CPANSec group does not seem available and active.

Whatever the origins of the Cyber Security Act (CRA) in the EU etc, and other maneuvers elsewhere, the SBOM requirement does seem to have become a potential barrier against free and open source software which the various communities will have to learn to navigate, probably as communities rather than as individuals since the specification seems complicated for now.

I've taken a quick look at Ovid's parser for version 1.5 of the CycloneDX SBOM specification which you linked to above, and at the CPAN Security Group page also linked above. (Both of those are, strangely, still using GitHub in 2024.)

What means are there to generate an SBOM for a Perl module currently? To that end, what example SBOM files are available to test against Ovid's CycloneDX SBOM reader? Based on reading valid.t there and on CycloneDX/bom-examples (very strangely still on GitHub in 2024), I can kind of guess about writing an SBOM by hand.

Please join the CPANSec group with your knowledge and motivation :)

There will be a BOF in the London Perl and Raku Workshop where this will be one of the points on the agenda. All that are interested are welcome to join!


Enjoy, Have FUN! H.Merijn

Good luck in the BOF at the London Perl and Raku Workshop. I haven't forgotten this topic, but 1) my activity is rather bursty and 2) this SBOM planning involves skills which put it on the outer edge of a stretch goal for me.

The reading list will take much more time to peruse, however. The link to the mailing list for the CPANSec group does not seem available and active.

The address works fine, but we didn't link to it (you know, email harvesters are still a thing).

Whatever the origins of the Cyber Security Act (CRA) in the EU etc, and other maneuvers elsewhere, the SBOM requirement does seem to have become a potential barrier against free and open source software which the various communities will have to learn to navigate, probably as communities rather than as individuals since the specification seems complicated for now.

The SBOM requirements are certainly a speed-bump and an annoyance – given the fact that most FOSS work is done on a volunteer basis. I wouldn't call it a blocker though. My hope is that the Roles and metadata in open source supply-chains document eventually can help these communities navigate this new landscape.

What means are there to generate an SBOM for a Perl module currently?

AFAIK, there are no options currently for doing this automatically. Furthermore, if this is going to work without too much hassle for the majority of maintainers, any proposed solutions will probably have to be able to be integrated into the current toolchain without much more effort than upgrading a bunch of it. This is still a bit in the future, given that so few are volunteering their time to make this happen (or not sharing any work with the community, fwiw).

To that end, what example SBOM files are available to test against Ovid's CycloneDX SBOM reader?

The CycloneDX spec repo has a test suite that could be integrated into Ovid's work, if someone wants to give it a try (I'll probably do it eventually, though)