xee VS cyclonedx-maven-plugin

I took a look at the git blame, and the commit title is perfect.

https://github.com/gco/xee/commit/750196023da5457d9535b30299...

PDF is not my favorite file format

It's also the one with the famous rant, "PSD is not my favourite file format": https://github.com/gco/xee/blob/7aec0d65f776fa59c58eb6cf163b...

// At this point, I'd like to take a moment to speak to you about the Adobe PSD format. // PSD is not a good format. PSD is not even a bad format. Calling it such would be an // insult to other bad formats, such as PCX or JPEG. No, PSD is an abysmal format. Having // worked on this code for several weeks now, my hate for PSD has grown to a raging fire // that burns with the fierce passion of a million suns. // If there are two different ways of doing something, PSD will do both, in different // places. It will then make up three more ways no sane human would think of, and do those // too. PSD makes inconsistency an art form. Why, for instance, did it suddenly decide // that these particular chunks should be aligned to four bytes, and that this alignement // should not be included in the size? Other chunks in other places are either unaligned, // or aligned with the alignment included in the size. Here, though, it is not included. // Either one of these three behaviours would be fine. A sane format would pick one. PSD, // of course, uses all three, and more. // Trying to get data out of a PSD file is like trying to find something in the attic of // your eccentric old uncle who died in a freak freshwater shark attack on his 58th // birthday. That last detail may not be important for the purposes of the simile, but // at this point I am spending a lot of time imagining amusing fates for the people // responsible for this Rube Goldberg of a file format. // Earlier, I tried to get a hold of the latest specs for the PSD file format. To do this, // I had to apply to them for permission to apply to them to have them consider sending // me this sacred tome. This would have involved faxing them a copy of some document or // other, probably signed in blood. I can only imagine that they make this process so // difficult because they are intensely ashamed of having created this abomination. I // was naturally not gullible enough to go through with this procedure, but if I had done // so, I would have printed out every single page of the spec, and set them all on fire. // Were it within my power, I would gather every single copy of those specs, and launch // them on a spaceship directly into the sun. // // PSD is not my favourite file format. ``` Source

Source

I don't understand what the blog adds, I would rather the link pointed directly to

https://github.com/gco/xee/blob/master/XeePhotoshopLoader.m#...

which has been shared quite a lot in the past

It's the same with html and css: people shit on it all the time, but this just shows they don't have the imagination to see how much worse it could be.

Just compare to e.g. Photoshop file format: https://github.com/gco/xee/blob/master/XeePhotoshopLoader.m#...

As others have already commented:

The US government has added SBOMs to a proposed rule to update the Federal Acquisition Regulation. So if you want to sell to the US Government you'll have to provide SBOMs: https://www.federalregister.gov/documents/2023/10/03/2023-21...

Lots of large companies require SBOMs from their supplier.

In the EU we will get the Cyber Resilience Act which will make them mandatory as well in certain cases: https://data.consilium.europa.eu/doc/document/ST-12536-2023-...

And yes, there's bascially two technical standards to provide them: SPDX and CycloneDX: https://cyclonedx.org/

Usually there is a requirement through a risk in the risk register, new project etc. appsec engineers perform an analysis of what is available in the market paid and/or open source and match it against the list of requirements and come up with an proposal to be signed off by relevant stakeholders. Usually (there may be exceptions) security engineers take care of the implementation. Which snyk product are talking about? SCA? If so have a look in https://cyclonedx.org/ open source or jfrog (paid) but it will depend much on your current processes mainly around CI/CD tools

We use https://cyclonedx.org/ to auto generate them.

The recent govulncheck effort made me think of the possibility of having the go tool create an SBOM (Software Bill of Materials) in a standard format like CycloneDX that could be consumed by existing tools like DependencyTrack. Somewhat similar to the recent docker sbom feature.

Alternative it would be nice, if there is way to get an SBOM (Software Bill of Materials). Microsoft created an Open Source Tool to get an SBOM for many programming languages, but pascal is not one of this. With a SBOM file, it should be possible to run it against a tool like CycloneDX.

A Software-Bill-of-Materials (SBOM) lists all the software components included in an image. Buildpacks support SBOMs in CycloneDX, Syft and SPDX formats.

CycloneDX is OWASP's lightweight SBOM standard for application security and software composite analysis. It comes with multiple tools for all environments. Its maven plugin generates SBOM featuring all types of dependencies in your projects.

There is a CylconeDX plugin available on Maven central and Github that appears to be well-maintained and commonly used.

This sample project is using Maven build system for generating artifacts. cyclonedx-maven-plugin is used for generating CycloneDX SBom file.