The Chains SBOM Orchestra is a chamber ensemble playing different SBOM tools.
It first performed at SCORED 2023 in Copenhagen on Nov 26 2023.
- Prelude: presentation of the orchestra / team and the project (@Benoit)
- Git clone of https://github.com/xwiki/xwiki-rendering (@Benoit)
- Demo of GitHub SBOM (@MartinWitt)
- Demo of cdxgen 1.5 on project X (@Frank)
- Demo of syft (@Eric)
- Demo of tool CycloneDX-maven-plugin on project X (@Aman)
- Demo of tool build-info-go on project X (@Yogya)
- Conclusion: credits (@Martin M.)
- Audio mixing (@Musard)
You only need to care about two files in each folder:
sbom.json
: actual SBOM generated for the project and commit hash.result.json
: comparison result between the SBOM and maven dependency tree.- true positive: the dependency is in the SBOM and the dependency tree.
- false positive: the dependency is in the SBOM but not in the dependency tree.
- false negative: the dependency is not in the SBOM but in the dependency tree.