September 13-16, 2022
Dublin, Ireland + Virtual
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit Europe 2022 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Irish Standard Time (UTC +1). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Back To Schedule
Tuesday, September 13 • 16:15 - 16:55
Composing the Ultimate SBOM - Ivana Atanasova & Velichka Atanasova, VMware

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
The potential of SBOMs to track vulnerabilities is widely recognized. Open source tools capable of creating SBOMs exist in abundance. However, many of these tools are inventorying software post-build, which relies on heuristics and can result in missing build and dependency metadata which limits the compliance and security benefits of an SBOM. Software is modular in nature - each component has its lifecycle and our SBOM creation and management should represent the modular nature of the whole. What if instead of relying on post-build tools we utilized a sum-of-parts approach to create component level Micro-SBOMs that could be stitched together to create one high-level SBOM? We refer to the process of taking one or more Micro-SBOMs describing some component of the same top level software and transforming them into a single SBOM as "composing". Instead of asking SBOM consumers to open hundreds of fragmented Micro-SBOMs, we’re working on a tool that can do the composing for us. In this talk we will share details on why post-build scanning isn’t sufficient for producing accurate SBOM, discuss operationalisation of SBOMs and motivate the need for more modular SBOM composition. We will demo our proof-of-concept SPDX SBOM composition tool and invite your feedback and collaboration.

avatar for Ivana Atanasova

Ivana Atanasova

Open Source Software Engineer, VMware
Ivana Atanasova is an Open Source Software Engineer in VMware's Open Source Program Office, where she has contributed to a variety of projects, including Python-TUF, go-tuf, Sigstore, Tern, CHAOSS' Augur, Network Service Mesh, OpenFaaS and others. Previously, Ivana worked at the Bulgarian... Read More →
avatar for Velichka Atanasova

Velichka Atanasova

Senior Open Source Engineering Manager, VMware
Velichka is a Senior Open Source Engineering Manager in VMware’s Open Source Program Office where she thrives exploring the innovation capabilities and collaborative power of open source. Before joining VMware in 2019, she spent more than a decade working for a large international... Read More →

Tuesday September 13, 2022 16:15 - 16:55 IST
Liffey B Part 2 (Level 1)