I am a passionate FOSS hacker, lead maintainer of ScanCode, purlDB and VulnerableCode and on a mission to enable easier and safer to reuse FOSS code with best-in-class open source Software Composition Analysis (SCA) tools for open source discovery, license & security compliance at https://aboutcode.org
I am also a co-founder of SPDX and the creator of Package URL (purl) a de-facto standard to identify packages in SBOMs, SCA tools and vulnerability database used throughout the industry.
If you have not noticed the hype about ABOUT (Software Bill of Material) you must been living in a cave. They have been touted as the next best thing after sliced bread and the cure-it-all to all our security problems of the past many years. Join me to break through the hype and review the good, the bad and the ugly and determine if, how and when they may useful and when not.
Until now, two worlds have mostly ignored each others: the resolution of a software package dependency tree or graph to meet functional constraints and the search for package versions are not subject to known, published vulnerabilities (aka. CVEs) . What if we could combine the functional version range constraints from software developers with the known vulnerable version ranges from security specialist?