UEFI Software Bill of Materials Proposal

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • slsa

    Supply-chain Levels for Software Artifacts

  • The things you mentioned are not solved by a typical "SBOM" but e.g. CycloneDX has extra fields to record provenance and pedigree and things like in-toto (https://in-toto.io/) or SLSA (https://slsa.dev/) also aim to work in this field.

    I've spent the last six months in this field and people will tell you that this or that is an industry best practice or "a standard" but in my experience none of that is true. Everyone is still trying to figure out how best to protect the software supply chain security and things are still very much in flux.

  • in-toto

    in-toto is a framework to protect supply chain integrity.

  • trillian-examples

    A place to store some examples which use Trillian APIs to build things.

  • >This feels like this might actually be a use-case for a blockchain or a Merkle Tree.

    A few years ago, this idea[0] had been explored by Google as a possible application of their Trillian[1] distributed ledger, which is based on Merkle Trees.

    I don't know if they've advanced adoption of Trillian for firmware; however, the website lists Go packaging[2], Certificate Transparency[3], and SigStore[4] as current applications.

    have used Trillian as the basis for their Certificate Transparency implementation.[2]

    [0] https://github.com/google/trillian-examples/tree/master/bina...

    [1] https://transparency.dev/

    [2] https://go.googlesource.com/proposal/+/master/design/25530-s...

    [3] https://certificate.transparency.dev/

    [4] https://www.sigstore.dev/

  • certificate-transparency-go

    Auditing for TLS certificates (Go code)

  • GptHidra

    GptHidra is a Ghidra plugin that uses the OpenAI Chat GPT to explain functions. With GptHidra, you can easily understand the purpose and behavior of functions in your codebase. Now with GPT4 Support!

  • GhidraChatGPT

    Brings the power of ChatGPT to Ghidra!

  • ghidra_tools

    A collection of Ghidra scripts, including the GPT-3 powered code analyser and annotator, G-3PO.

  • https://github.com/tenable/ghidra_tools/tree/main/g3po

    I suspect there are better ones being worked on though.

  • slsa-github-generator

    Language-agnostic SLSA provenance generation for GitHub Actions

  • https://github.com/slsa-framework/slsa-github-generator#gene... :

    > Supply chain Levels for Software Artifacts, or SLSA (salsa), is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.

    > SLSA defines an incrementally-adoptable set of levels which are defined in terms of increasing compliance and assurance. SLSA levels are like a common language to talk about how secure software, supply chains and their component parts really are.
