
Outreachy: Secure Software Supply Chain Enhancements: Project RASPberry

Shelley Lambert edited this page Nov 29, 2022 · 5 revisions

Project Description

This project entails improving the 'R'eproducibility, 'A'uditability, 'S'ecurity, and 'P'resentability (RASP) of our product builds by enhancing our approach to tracking dependencies. We would now like to move this metadata into a more standardized form: an SBOM (software bill of materials). Investigation and prototyping to create a CycloneDX SBOM that describes our binaries will be a major piece of this project. This effort directly helps us to have a more transparent and auditable build process and increases our consumers' confidence that we have a secure software supply chain.
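To make the deliverable concrete, here is an added example (not code from this page or from the Adoptium project) of what a minimal CycloneDX 1.4 JSON SBOM describing a set of built binaries looks like, and of the audit step a consumer performs against it: recomputing each artifact's SHA-256 and comparing it with the hash the SBOM records. The product name, artifact names and artifact bytes are constructed for the demo; the JSON is hand-built from the core CycloneDX fields (bomFormat, specVersion, serialNumber, metadata.component, components[].hashes, dependencies) rather than produced by the cyclonedx-python-lib package, so a real pipeline should still validate the output against the official CycloneDX JSON schema.

```python
"""Build and verify a minimal CycloneDX 1.4 JSON SBOM for a set of binaries.

Added example: not the Adoptium project's tooling. Artifact names and
contents below are constructed sample data, not real build output.
"""
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed stand-ins for files inside a built JDK archive (name -> bytes).
ARTIFACTS = {
    "bin/java": b"\x7fELF-constructed-launcher-bytes",
    "lib/libjli.so": b"\x7fELF-constructed-shared-object-bytes",
    "release": b"JAVA_VERSION=\"17.0.0\"\nOS_ARCH=\"x86_64\"\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the hash algorithm recorded in the SBOM."""
    return hashlib.sha256(data).hexdigest()


def build_sbom(product_name: str, product_version: str, artifacts: dict, serial: str = None) -> dict:
    """Return a CycloneDX 1.4 document (as a dict) describing `artifacts`.

    The product is the root component in metadata.component; every binary
    becomes a 'file' component carrying its SHA-256, and a single dependency
    entry records that the product is made up of those files.
    """
    components, refs = [], []
    for name, blob in sorted(artifacts.items()):  # sorted: stable output helps reproducibility checks
        ref = f"{product_name}:{name}"
        refs.append(ref)
        components.append({
            "type": "file",
            "bom-ref": ref,
            "name": name,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}],
        })
    root_ref = f"{product_name}@{product_version}"
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        # serialNumber must be a URN UUID; callers may pass a fixed one for deterministic tests
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "tools": [{"vendor": "example-org", "name": "sbom-demo", "version": "0.1"}],  # hypothetical tool entry
            "component": {"type": "application", "bom-ref": root_ref,
                          "name": product_name, "version": product_version},
        },
        "components": components,
        "dependencies": [{"ref": root_ref, "dependsOn": refs}],
    }


def verify_sbom(sbom: dict, artifacts: dict) -> list:
    """Audit `artifacts` against `sbom`; return a list of (name, reason) problems.

    An empty list means every component's recorded SHA-256 matches the bytes
    we actually have, nothing listed is missing, and nothing present is
    undocumented. Any of those three conditions is a supply-chain red flag.
    """
    problems, seen = [], set()
    for comp in sbom.get("components", []):
        name = comp["name"]
        seen.add(name)
        if name not in artifacts:
            problems.append((name, "listed in SBOM but artifact not present"))
            continue
        recorded = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        if recorded.get("SHA-256") != sha256_hex(artifacts[name]):
            problems.append((name, "SHA-256 mismatch"))
    for name in sorted(artifacts):
        if name not in seen:
            problems.append((name, "artifact present but not described in SBOM"))
    return problems


def to_json(sbom: dict) -> str:
    """Serialize with sorted keys so two builds of identical inputs give byte-identical SBOMs."""
    return json.dumps(sbom, indent=2, sort_keys=True)


if __name__ == "__main__":
    bom = build_sbom("example-jdk", "17.0.0", ARTIFACTS)
    print(to_json(bom))
    print("clean audit:", verify_sbom(json.loads(to_json(bom)), ARTIFACTS))
    tampered = dict(ARTIFACTS, **{"bin/java": ARTIFACTS["bin/java"] + b"\x00"})
    print("tampered audit:", verify_sbom(bom, tampered))
```

Running the script prints the SBOM and then two audit results: an empty list for the untouched artifacts and a single `SHA-256 mismatch` entry once `bin/java` is altered. Serializing with sorted keys and iterating artifacts in sorted order is deliberate: apart from the timestamp and serial number, two independent builds of the same inputs should produce identical SBOM text, which is exactly the property a reproducibility check wants to diff.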

Some learning materials that will be useful

Read about why SBOMs are important:

Review CycloneDX learning materials and documentation:

Look at some of the completed and on-going issues to support reproducible builds

Project RASPberry Q&A session

Participants

Intern: Sehrish Aslam

Mentors: Andrew Leonard, Stewart Addison and Shelley Lambert