Ponderings on a generic bill of materials for software applications.
Package management manifests have some of this information but:
This gist is intended as a thought experiment, looking at what a generic bill of materials might look like.
This could be used as part of a signed secure software supply chain.
The hypothetical CLI tool could be used to manually build up information about the bill of material.
$ bom add title "sample"
$ bom add description "A sample application"
$ bom add tag key=value
$ bom show
{
"title": "sample",
"description": "A sample application",
"tags": {
"key": "value"
}
}
Building up the information by hand would take too long, especially as things change rapidly. A plugin model for automatic discovery would support detecting the relevant information from a local or remote file system.
$ bom discover
-> Discovered license from LICENSE file
-> Discovered contributors, name, Git SHA from .git
-> Discovered files from local file system
-> Discovered version, dependencies, development dependencies from pyproject.toml
$ bom show
{
"title": "snyker",
"license": "Apache-2",
"version": "0.1.0",
"git": "8ede2edd581b212bd347aca29ee3053947289c40",
"contributors": [
{
"name": "Gareth Rushgrove",
"email": "gareth@example.com"
}
],
"files": [
"README.md": "1792fdf2cc4d8b9c63ab2934b3ac4d70cd488e60d76bf0045192e9c80f042953",
"app.py": "a03ad2cd08c16a1cc61a3d4825cdbc6c19c5059ba464b380da7d9a74c5d9e76d",
...
],
"dependencies": {
"attrs": "19.3.0",
"aws-lambda-context": "1.1.0",
"structlog": "19.2.0",
...
},
"dev-dependencies": {
"pytest-black": "0.3.7",
...
}
}
Finally you would be able to validate a bill of materials against the current specification.
$ bom validate
| - Title | |
| - Description | |
| - Version | |
| - Tags | |
| - Dependencies | |
| - Development dependencies | |
| - License | |
| - File hashes | |
| - Git SHA | |
| - Contributors |