Open Source Summit North America 2023
May 10-12, 2023
Vancouver, British Columbia, Canada + Virtual
Friday, May 12 • 4:05pm - 4:45pm
What the &#% Is in That SBOM? How to Provide Users What Software Components Are Included - Philippe Ombredanne, nexB
So you got an SBOM from a supplier. Now, what do you do with it? Managing open source components – especially their licensing and provenance – is a critical part of the Software Composition Analysis (SCA) process. SCA is now a prerequisite for modern organizations to comply with Software Bill of Materials (SBOM) mandates and other regulations. If you receive an SBOM from a supplier, the first challenge is to identify the components listed in that SBOM and map them to your own component catalog and your relevant policies. A consistent system for identifying software components (packages) is even more critical for managing the risk of software vulnerabilities, because vulnerability data is a moving target spread across FOSS projects and repositories. In this talk, Philippe will discuss using the emerging open standard for Package-URLs (PURLs) to standardize ingestion of incoming SBOMs and to automate the application of internal policies. He will then share how best to leverage VulnerableCode, a public database of open vulnerability data keyed by PURLs, to track FOSS vulnerabilities and VEX statements, all using FOSS tools and open data.
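The mapping step the abstract describes, identifying each SBOM entry by its PURL and looking it up in an internal catalog, depends on spelling variants of the same package collapsing to one key. The following is an added example, not code from the talk, nexB or VulnerableCode: it parses a PURL in the order the spec prescribes, applies the case rules for the pypi, npm and github types, and maps constructed sample SBOM entries to a constructed policy table, flagging unknown packages for review.

```python
from urllib.parse import quote, unquote

# Type-specific case rules taken from the purl type definitions used here.
LOWERCASE_NAME = {"npm", "pypi", "github"}

def _split_right(s, sep):
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")

def parse_purl(purl):
    """Parse a Package-URL in the spec's order: '#' subpath and '?' qualifiers
    are split off from the right first, then type, '@' version, namespace, name."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[4:].lstrip("/")
    rest, subpath = _split_right(rest, "#")
    rest, qualstr = _split_right(rest, "?")
    ptype, _, rest = rest.partition("/")
    rest, version = _split_right(rest, "@")
    parts = [unquote(p) for p in rest.strip("/").split("/") if p]
    if not ptype or not parts:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    ptype = ptype.lower()                       # type is case-insensitive
    namespace, name = "/".join(parts[:-1]), parts[-1]
    if ptype in LOWERCASE_NAME:
        namespace, name = namespace.lower(), name.lower()
    if ptype == "pypi":                         # PyPI treats '_' and '-' alike
        name = name.replace("_", "-")
    qualifiers = {k.lower(): unquote(v) for k, _, v in   # keys case-insensitive
                  (kv.partition("=") for kv in qualstr.split("&")) if v}
    return {"type": ptype, "namespace": namespace, "name": name,
            "version": unquote(version), "qualifiers": qualifiers,
            "subpath": unquote(subpath).strip("/")}

def package_key(p):
    """Version-independent canonical form, the key for a component catalog."""
    ns = quote(p["namespace"], safe="/") + "/" if p["namespace"] else ""
    return f"pkg:{p['type']}/{ns}{quote(p['name'], safe='')}"

def apply_policy(sbom_purls, policy):
    """Map each incoming SBOM purl to the internal verdict for its package;
    a package missing from the catalog is flagged for review, never passed silently."""
    return {c: policy.get(package_key(parse_purl(c)), "review") for c in sbom_purls}

# Constructed sample: purls as they might arrive in a supplier SBOM, and a
# constructed internal policy keyed by the version-less canonical purl.
SAMPLE_SBOM = ["pkg:PyPI/Django_Admin@3.2.1",
               "pkg:npm/%40Angular/Core@12.0.0?Arch=x64&",
               "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"]
POLICY = {"pkg:pypi/django-admin": "approved", "pkg:npm/%40angular/core": "approved"}
```

Running `apply_policy(SAMPLE_SBOM, POLICY)` approves the first two entries despite their mixed case and underscore, and marks the Maven package for review because it has no catalog entry.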
Philippe Ombredanne

nexB co-founder and CTO, AboutCode and nexB Inc.
Philippe Ombredanne is a passionate FOSS hacker and contributor on a mission to make it easier and safer to reuse FOSS code. He is the maintainer of ScanCode, the industry standard license detection tool, the creator of Package-URL, and the co-maintainer of VulnerableCode, an open...

Friday May 12, 2023 4:05pm - 4:45pm PDT
121 (Level 1)