As a preface for what I mean by old generation tooling, here is a screenshot from Semgrep documentation: Essentially, this asks developers to centre their SBOM generation efforts around the main branch of a repository. To expand on this, legacy generation of tooling simply slaps an SBOM to a security scan, resulting in a single… Continue reading Why New Generation of SBOM Tools Matters
Month: May 2025
SBOM – Not So Static After All
For a long time I was preaching the idea that an SBOM can and should essentially be split into 2 parts. The first part is static – that is the actual list of all software components with their fixed metadata (version, purl, hashes, etc). The second part is dynamic – that is things related to… Continue reading SBOM – Not So Static After All