Reliza just announced ReARM support for Transparency Exchange API (TEA) Beta 1. Read details here. I believe this is world first implementation. This is a big milestone for me as I was involved in TEA creation for the past year almost since its inception. The TEA is an effort to create common approach of how… Continue reading ReARM Now Supports Transparency Exchange API
Why New Generation of SBOM Tools Matters
As a preface for what I mean by old generation tooling, here is a screenshot from Semgrep documentation: Essentially, this asks developers to centre their SBOM generation efforts around the main branch of a repository. To expand on this, legacy generation of tooling simply slaps an SBOM to a security scan, resulting in a single… Continue reading Why New Generation of SBOM Tools Matters
SBOM – Not So Static After All
For a long time I was preaching the idea that an SBOM can and should essentially be split into 2 parts. The first part is static – that is the actual list of all software components with their fixed metadata (version, purl, hashes, etc). The second part is dynamic – that is things related to… Continue reading SBOM – Not So Static After All
Practical Guide to NTIA Compliant SBOM
In this post I will describe a specific example of how we can generate an SBOM compliant to NTIA minimum specification. I will go over existing tooling, real-world issues and how to work around them. I Problem Statement The document by NTIA outlining minimum SBOM elements was published in 2021. Still, it is a challenge… Continue reading Practical Guide to NTIA Compliant SBOM
ReARM xBOM Manager is now Available
We have launched Project ReARM – SBOM / xBOM and Release Manager. Community Edition is available on GitHub – https://github.com/relizaio/rearm Project Website – https://rearmhq.com
SBOMs to xBOMs to Transparency
Here is a recording of my talk at OWASP Ottawa: Slides available here: https://www.slideshare.net/slideshow/from-sboms-to-xboms-to-transparency-pavel-shukhman-at-owasp-ottawa-on-2025-03-19/277683431
3 Dimensions of Versioning Problem
The versioning problem was significant part of my work for the last 6 years. During that time we wrote a versioning library used for automatic bump of versioning of various schemas. On several occasions I was doing talks and materials on versioning, including my blog post on combinatorial explosion and another one on minor component… Continue reading 3 Dimensions of Versioning Problem
The Value of Thinking
Over the years we saw a lot of different attempts to properly manage the work of software developers and related technical specialists. One of the most grotesque example is using Lines of Code as a key metric for developer productivity, as discussed in The Mythical Man-Month. Still, even today hourly-based contracts remain standard in the… Continue reading The Value of Thinking
Why We Chose CycloneDX Over SPDX
This is my second post in SBOM series where I would explain why we chose CycloneDX over SPDX for our projects. The first post was focusing on the need to have more than one bill of materials to describe any particular product. I Introduction If you search the web or ask ChatGPT about CycloneDX vs… Continue reading Why We Chose CycloneDX Over SPDX
Why a Single SBOM is Never Enough
As I become increasingly involved in SBOM generation and management, I plan to publish a series of posts exploring the current state of SBOMs, the key challenges, and how we at Reliza are addressing them. This is the first post in these series where I would like to discuss just how many SBOMs we actually… Continue reading Why a Single SBOM is Never Enough