SOSS Community Day India

The Software Supply Chain encompasses all components, libraries, tools, systems, and processes involved in a software artifact. To support effective risk management and to reduce attack vector while creating a software artifact, SBOM (Software Bill Of Materials) and VEX (Vulnerability Exploitability eXchange) documents can be used. An SBOM is a comprehensive list that details all components, libraries, and dependencies within a software package. Meanwhile, VEX serves as a communication standard for vulnerabilities in a software component. Correlating SBOM and VEX data enables to choose high-quality components and ultimately reducing the attack vectors. In this session, we will discuss the significance of SBOM (Software Bill of Materials) and VEX (Vulnerability Exploitability eXchange) documents to mitigate the dependency threats. Additionally, we’ll look at how trustification.io (a foundation of the Red Hat Trusted Profile Analyzer) provides developers with easy access to curated builds and hardened open-source libraries that have been verified and attested through provenance checks. Open Source Project: Trustify (https://github.com/trustification/trustify)