SBOM attestations
Definition
SBOM attestations are formal declarations or assertions about the contents and integrity of a Software Bill of Materials (SBOM). An SBOM is a comprehensive inventory of every component, library, and dependency in a software application, including versions and origins. An attestation provides assurance that the SBOM is accurate and complete and has not been tampered with, typically by binding it to a cryptographic signature from an identified signer so that consumers can verify both its authenticity and its integrity.
Secure Settings Example
sbom:
  version: 1.0
  components:
    - name: "example-library"
      version: "2.3.4"
      source: "https://example.com/repo"
  attestation:
    signed: true              # consumers must reject SBOMs where this is not true
    signature:
      algorithm: "SHA256"
      value: "b6f8e1d2c3a4f5e6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0"
      signer: "trusted-entity"          # must match the verifier's trust list
      timestamp: "2023-10-15T12:00:00Z" # UTC, so freshness can be checked
Insecure Settings Example
sbom:
  version: 1.0
  components:
    - name: "example-library"
      version: "2.3.4"
      source: "https://example.com/repo"
  attestation:
    signed: false             # nothing vouches for the component list below
    signature:
      algorithm: "SHA256"
      value: ""               # empty signature: integrity cannot be verified
      signer: ""              # no identity to hold accountable
      timestamp: ""           # no way to detect a stale or replayed SBOM
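The following verifier, an added example rather than code from the original page, applies the checks implied by the definition and the two settings above to SBOMs carrying this attestation layout: it accepts a constructed copy of the secure example, rejects the insecure one, and rejects a tampered component list. It assumes the page's `value` field is a SHA256 digest over a canonical JSON encoding of `components`, and the signer allowlist `TRUSTED_SIGNERS` is an assumption; a production pipeline would replace the digest comparison with asymmetric signature verification against the signer's key.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed allowlist of signers this pipeline trusts (not from the page).
TRUSTED_SIGNERS = {"trusted-entity"}


def component_digest(components):
    """SHA256 over canonical JSON (sorted keys, no whitespace) of the component list.
    The canonicalisation rule is an assumption made for this example."""
    payload = json.dumps(components, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def verify_attestation(sbom):
    """Return (ok, reason); any single failing check is grounds to reject the SBOM."""
    att = sbom.get("attestation") or {}
    sig = att.get("signature") or {}
    if att.get("signed") is not True:
        return False, "attestation is not marked as signed"
    if sig.get("algorithm") != "SHA256":
        return False, "unexpected algorithm"
    if sig.get("signer") not in TRUSTED_SIGNERS:
        return False, "signer is missing or not trusted"
    try:
        ts = datetime.fromisoformat(str(sig.get("timestamp", "")).replace("Z", "+00:00"))
    except ValueError:
        return False, "timestamp is missing or malformed"
    if ts.tzinfo is None or ts > datetime.now(timezone.utc):
        return False, "timestamp is naive or in the future"
    expected = component_digest(sbom.get("components", []))
    # Constant-time comparison so a partially matching value leaks nothing via timing.
    if not hmac.compare_digest(expected, str(sig.get("value", ""))):
        return False, "digest does not match the components"
    return True, "ok"


COMPONENTS = [{"name": "example-library", "version": "2.3.4",
               "source": "https://example.com/repo"}]

# Constructed samples mirroring the page's secure and insecure settings.
SECURE_SBOM = {"version": 1.0, "components": COMPONENTS, "attestation": {
    "signed": True, "signature": {"algorithm": "SHA256",
    "value": component_digest(COMPONENTS), "signer": "trusted-entity",
    "timestamp": "2023-10-15T12:00:00Z"}}}
INSECURE_SBOM = {"version": 1.0, "components": COMPONENTS, "attestation": {
    "signed": False, "signature": {"algorithm": "SHA256", "value": "",
    "signer": "", "timestamp": ""}}}
```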