OmniBOR: Bringing the Receipts for Supply Chain Security

Explore a comprehensive conference talk on OmniBOR, a revolutionary approach to supply chain security. Learn how to capture the full artifact dependency graph of software as an output of build tools, addressing challenges with SBOM scanners and false positives. Discover the concept of artifact dependency graphs, Merkle trees, and the minimum elements required for effective software identification. Gain insights into the OmniBOR community, its potential impact on SBOMs, and the future of build tool integration. Understand the importance of reproducibility and hash functions in software security. Engage with discussions on adoption tooling, practical applications, and the call to action for implementing this innovative solution in software development processes.

Intro
Backstory
Am I safe
Sbombs
What is Trust
Time dependent
Build process
Deep scanning
Build tools
What is a build tool
Compilers
Linkers
Shared Objects
Code Generators
RPM Files
Polyglot
Artifacts
Nonsolutions
Minimum elements
Minimum identifiers
How to identify things
Git
Object IDs
Generalizing
Input manifest
Input manifest identifier
Embed input manifest identifier in output artifacts
Artifact dependency graph
Merkle tree
OmniBOR
OmniBOR Community
What is an Sbomb
cbes
patch
response teams
questions
open database
artifact dependency graphs
call your supplier
other questions
adoption tooling
call for action
hash
sha
the blog post
the build tool
broken reproducibility