UEFI Software Bill of Materials Proposal

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • slsa

    Supply-chain Levels for Software Artifacts

  • The things you mentioned are not solved by a typical "SBOM" but e.g. CycloneDX has extra fields to record provenance and pedigree and things like in-toto (https://in-toto.io/) or SLSA (https://slsa.dev/) also aim to work in this field.

    I've spent the last six months in this field and people will tell you that this or that is an industry best practice or "a standard" but in my experience none of that is true. Everyone is still trying to figure out how best to protect the software supply chain security and things are still very much in flux.

  • in-toto

    in-toto is a framework to protect supply chain integrity.

  • trillian-examples

    A place to store some examples which use Trillian APIs to build things.

  • >This feels like this might actually be a use-case for a blockchain or a Merkle Tree.

    A few years ago, this idea[0] had been explored by Google as a possible application of their Trillian[1] distributed ledger, which is based on Merkle Trees.

    I don't know if they've advanced adoption of Trillian for firmware; however, the website lists Go packaging[2], Certificate Transparency[3], and SigStore[4] as current applications.

    have used Trillian as the basis for their Certificate Transparency implementation.[2]

    [0] https://github.com/google/trillian-examples/tree/master/bina...

    [1] https://transparency.dev/

    [2] https://go.googlesource.com/proposal/+/master/design/25530-s...

    [3] https://certificate.transparency.dev/

    [4] https://www.sigstore.dev/

  • certificate-transparency-go

    Auditing for TLS certificates (Go code)

  • GptHidra

    GptHidra is a Ghidra plugin that uses OpenAI's ChatGPT to explain functions. With GptHidra, you can easily understand the purpose and behavior of functions in your codebase. Now with GPT-4 support!

  • GhidraChatGPT

    Brings the power of ChatGPT to Ghidra!

  • ghidra_tools

    A collection of Ghidra scripts, including the GPT-3 powered code analyser and annotator, G-3PO.

  • https://github.com/tenable/ghidra_tools/tree/main/g3po

    I suspect there are better ones being worked on though.

  • slsa-github-generator

    Language-agnostic SLSA provenance generation for GitHub Actions

  • https://github.com/slsa-framework/slsa-github-generator#gene... :

    > Supply chain Levels for Software Artifacts, or SLSA (salsa), is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.

    > SLSA defines an incrementally-adoptable set of levels which are defined in terms of increasing compliance and assurance. SLSA levels are like a common language to talk about how secure software, supply chains and their component parts really are.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Related posts

  • Pacman-bintrans – Experimental binary transparency for pacman via sigstore/rekor

    1 project | news.ycombinator.com | 23 May 2022
  • Pacman-bintrans – Experimental binary transparency for pacman via sigstore/rekor

    1 project | news.ycombinator.com | 3 Jan 2022
  • I Love Arch, but GNU Guix Is My New Distro

    7 projects | news.ycombinator.com | 20 Nov 2021
  • CII' FOSS best practices criteria

    2 projects | news.ycombinator.com | 28 Oct 2021
  • Binary transparency logs for pacman, the Arch Linux package manager

    1 project | news.ycombinator.com | 24 Aug 2021