halJordan 7 hours ago

It shouldn't be a "get the foreigners!" situation. Sure, that is a method of solving the symptoms. But what you're really asking for is ... a software bill of materials. Why don't we have that yet? Because it's cheaper to get ripped off than it is to pay for a BOM. That's the real problem.

c0balt 7 hours ago

SBOMs exist. You can get them generated for most software via package managers in standard forms like CycloneDX.

It's just not that effective when the SBOM becomes unmanageable. For example, our JS project at $work has 2.3k dependencies just from npm. I can give you that SBOM (and even include the system deps with nix) but that won't really help you.

They are only really effective when the size is reasonable.

Ekaros 2 hours ago

SBOM really doesn't do much when the compromise happens before or while you are building it. It really is orthogonal to these types of attacks. The best you can do is to find out that you were compromised afterwards.
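As an added illustration of the two points above (c0balt's "2.3k dependencies" SBOM and Ekaros's "only after the fact"), not code from any commenter: a walk over the `dependencies` graph of a CycloneDX 1.4 JSON SBOM that separates direct from transitive components and flags components recorded without an integrity hash, which is the most an SBOM can offer for after-the-fact checking. The SBOM document, component names and package URLs below are constructed for the example.

```python
"""Walk a CycloneDX (JSON) SBOM's dependency graph: how much of the BOM is
direct vs. transitive, and which components carry no integrity hashes."""
import json
from collections import deque

# Constructed sample SBOM (not any real project's BOM); purls are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:npm/app@1.0.0", "name": "app"}},
    "components": [
        {"bom-ref": "pkg:npm/express@4.18.2", "name": "express",
         "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},
        {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash",
         "hashes": [{"alg": "SHA-256", "content": "bb" * 32}]},
        {"bom-ref": "pkg:npm/body-parser@1.20.1", "name": "body-parser",
         "hashes": [{"alg": "SHA-256", "content": "cc" * 32}]},
        {"bom-ref": "pkg:npm/debug@2.6.9", "name": "debug",
         "hashes": [{"alg": "SHA-256", "content": "dd" * 32}]},
        {"bom-ref": "pkg:npm/ms@2.0.0", "name": "ms"},  # no hash recorded at all
    ],
    "dependencies": [
        {"ref": "pkg:npm/app@1.0.0", "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/lodash@4.17.21"]},
        {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/body-parser@1.20.1", "pkg:npm/debug@2.6.9"]},
        {"ref": "pkg:npm/body-parser@1.20.1", "dependsOn": ["pkg:npm/debug@2.6.9"]},
        {"ref": "pkg:npm/debug@2.6.9", "dependsOn": ["pkg:npm/ms@2.0.0"]},
    ],
})

def dependency_depths(sbom):
    """BFS from the root (metadata.component); returns {bom-ref: shortest depth}."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depths, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:          # shortest path wins; cycles are harmless
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths

def summarize(sbom_json):
    """Direct vs. transitive split, orphan entries, and hash-less components."""
    sbom = json.loads(sbom_json)
    depths = dependency_depths(sbom)
    comps = sbom.get("components", [])
    declared = {c["bom-ref"] for c in comps}
    return {
        "direct": sorted(r for r, d in depths.items() if d == 1),
        "transitive": sorted(r for r, d in depths.items() if d > 1),
        "unreachable": sorted(declared - set(depths)),   # listed but nothing depends on it
        "missing_hashes": sorted(c["bom-ref"] for c in comps if not c.get("hashes")),
        "max_depth": max(depths.values()),
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SBOM), indent=2))
```

On a real 2.3k-component BOM the `transitive` list dwarfs `direct`, which is the unmanageability being described; and a hash only lets you compare what was recorded at build time against what you have now, never detect tampering that happened before the SBOM was generated.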