SCA (Software Composition Analysis) is an engineering practice used to analyze the software components that make up a system, application or module. It is commonly applied in software security and supply chain security.
The RPM/DNF/UpdateInfo stack is de facto SBOM-based SCA with CVE integration. I would like to explore the last part of this stack, updateinfo, a little further.
Moreover, in this presentation, I would like to touch on additional subjects such as:
- how good the RPMDB-based SBOM is and how it could be improved
- security updates being only as good as the underlying vulnerability database
- Fedora && CPE && CVE
- SLSA and other supply chain standards
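As an added illustration (not part of the original abstract) of why RPMDB plus updateinfo amounts to SBOM-based SCA with CVE integration: the updateinfo.xml fragment and the installed-package table below are constructed sample data, the CVE id is a placeholder, and the version comparison is a simplified rpmvercmp without tilde or caret handling.

```python
import re
import xml.etree.ElementTree as ET
from itertools import zip_longest

# Constructed updateinfo.xml fragment (sample data; the CVE id is a placeholder).
UPDATEINFO_XML = """<updates><update type="security"><id>EXAMPLE-2024-0001</id>
 <references><reference id="CVE-PLACEHOLDER-1" type="cve"/></references>
 <pkglist><collection short="example">
  <package name="example-lib" epoch="0" version="1.2.10" release="3.el9" arch="x86_64"/>
  <package name="other-tool" epoch="0" version="1.9" release="5.el9" arch="x86_64"/>
 </collection></pkglist></update></updates>"""

# Constructed stand-in for the RPMDB: (name, arch) -> (epoch, version, release).
INSTALLED = {("example-lib", "x86_64"): ("0", "1.2.9", "1.el9"),
             ("other-tool", "x86_64"): ("0", "2.0", "1.el9")}

def vercmp(a, b):
    """Simplified rpmvercmp: alnum segments, digits as ints, numeric beats alpha; no ~ or ^ handling."""
    for x, y in zip_longest(re.findall(r"\d+|[a-zA-Z]+", a), re.findall(r"\d+|[a-zA-Z]+", b)):
        if x == y:
            continue
        if x is None or y is None:          # the string with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():      # a numeric segment outranks an alphabetic one
            return 1 if x.isdigit() else -1
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        return (x > y) - (x < y)
    return 0

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples in rpm order."""
    for x, y in zip(a, b):
        c = vercmp(x, y)
        if c:
            return c
    return 0

def unpatched_cves(updateinfo_xml, installed):
    """Map each CVE to the installed NEVRAs that are older than the fixing package."""
    result = {}
    for upd in ET.fromstring(updateinfo_xml).iter("update"):
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        for pkg in upd.iter("package"):
            key = (pkg.get("name"), pkg.get("arch"))
            fixed = (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))
            if key in installed and evr_cmp(installed[key], fixed) < 0:
                e, v, r = installed[key]
                for cve in cves:
                    result.setdefault(cve, []).append(f"{key[0]}-{e}:{v}-{r}.{key[1]}")
    return result
```

The installed `other-tool` is newer than the package listed in the advisory, so only `example-lib` is reported; this is exactly the join DNF performs, and it is only as good as the NEVRA data in the RPMDB and the CVE references in updateinfo.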
Lastly, I would like to present some new tools that should make building updateinfo information a little bit easier for independent vendors.