Open Source Summit Europe 2022

Modern software is built with hundreds if not thousands of dependencies and transitive dependencies. Knowing not only what these dependencies are but exactly what parts of the dependencies are used in your software is a daunting task. Should a security vulnerability be found in particular file of a particular version of a dependency, how do you know whether your software uses that part? Enter GitBOM. GitBOM is an Open Source, minimialist scheme for build tools to 1) Build a compact artifact tree, tracking every source code file (including from dependencies) incorporated into each built artifact and 2) Embed a unique, content-addressable reference for that artifact tree into the artifact at build time. GitBOM is designed to construct verifiable artifact trees across languages, environments, and packaging formats with zero developer effort. While GitBOM is not itself an SBOM, it is compatible with and augments SBOMs. Come to this talk not only to learn about GitBOM (and how you can become involved!) but also to see how this build scheme can be implemented across languages and ecosystems. You will leave understanding how GitBOM can improve the security of your whole software supply chain.