CycloneDX is a full-stack Bill of Materials (BOM)
Since the PeppermintOS developers began implementing their Bill of Materials (BOM) processes, I've been closely monitoring the standards and tools they've adopted. Initially, the complexity of this endeavor can be overwhelming and confusing (I'm not going to pretend it's easy peasy, LOL), but it's fascinating to see their choice of the CycloneDX standard.
What is it?
CycloneDX is a specification for creating Software Bills of Materials (SBOMs). It's a standardized format (serialized as JSON or XML) for documenting and sharing information about the components that make up a software product, in this case a Linux distribution. It focuses on providing detailed information about software components, their dependencies, and associated security vulnerabilities.
What is PeppermintOS doing?
From what I learned from them, being based on Debian/Devuan, there is a wealth of open-source tools and technologies they can use. Implementing CycloneDX involves integrating tools that can generate, manage, or consume CycloneDX SBOMs into their software development or deployment processes.
First, they identify the components the team wants to create SBOMs for. For example, if they are developing applications or managing system configurations on Peppermint OS, those will be the focus. CycloneDX can be used to document application dependencies, system configurations, and even the hardware components of a Peppermint OS system.
Next, they research and select appropriate tools that support CycloneDX. Several open-source and commercial tools can generate or consume CycloneDX SBOMs. Some popular options they ran across are:
- Dependency-Track - This is an open-source platform that consumes CycloneDX SBOMs and provides vulnerability analysis, license risk assessment, and component management capabilities. You can install Dependency-Track on your Peppermint OS server or use a hosted instance.
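As an added example (written for this page, not PeppermintOS's own tooling or Dependency-Track's code), here is how the two steps above fit together on a Debian-based system: parsing `dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\t${Status}\n'` output into a CycloneDX 1.5 JSON SBOM with package-urls, then wrapping that SBOM in the JSON body Dependency-Track's `PUT /api/v1/bom` endpoint accepts. The dpkg lines are constructed, the `pkg:deb/debian/...` namespace, the project name and the `library` component type are my assumptions, and nothing is sent over the network.

```python
import base64
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\t${Status}\n'`
# output. These lines are made up for the example, not captured from a real host.
SAMPLE_DPKG_OUTPUT = """\
bash\t5.2.15-2+b2\tamd64\tinstall ok installed
libssl3\t3.0.11-1~deb12u2\tamd64\tinstall ok installed
openssh-server\t1:9.2p1-2+deb12u1\tamd64\tinstall ok installed
xfce4-panel\t4.18.2-1\tamd64\tinstall ok installed
old-removed-pkg\t1.0-1\tall\tdeinstall ok config-files
"""


def parse_dpkg(text):
    """Yield (name, version, arch) for packages dpkg considers installed.
    Other states (deinstall, config-files, half-installed) are dropped so the
    SBOM only claims what is actually on disk."""
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version, arch, status = line.split("\t")
        if status.strip() == "install ok installed":
            yield name, version, arch


def deb_purl(name, version, arch, distro="debian"):
    """Build a package-url for a .deb. The version is percent-encoded because
    Debian epochs (1:) and binNMU suffixes (+b2) use purl-reserved characters.
    The 'debian' namespace is an assumption for a Debian-derived distro."""
    return f"pkg:deb/{distro}/{name}@{quote(version, safe='')}?arch={arch}"


def build_bom(dpkg_text, os_name="PeppermintOS", os_version="12"):
    """Assemble a minimal CycloneDX 1.5 JSON document: the OS is the top-level
    metadata component, every installed package is a component with a purl."""
    components = []
    for name, version, arch in parse_dpkg(dpkg_text):
        purl = deb_purl(name, version, arch)
        components.append({
            "type": "library",   # assumed type for OS packages; "application" is also common
            "bom-ref": purl,     # the purl is unique per package, so it doubles as the ref
            "name": name,
            "version": version,
            "purl": purl,
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {
                "type": "operating-system",
                "bom-ref": f"{os_name}-{os_version}",
                "name": os_name,
                "version": os_version,
            },
        },
        "components": components,
    }


def dependency_track_payload(bom, project_name, project_version):
    """Request body for `PUT /api/v1/bom` on Dependency-Track. The BOM travels
    base64-encoded and autoCreate lets the server create the project on first
    upload. The request itself (with an X-Api-Key header) is deliberately not
    made here; the project name is an assumption."""
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(json.dumps(bom).encode()).decode(),
    }


def decode_payload_bom(payload):
    """Round-trip check: recover the BOM dict from a payload before uploading."""
    return json.loads(base64.b64decode(payload["bom"]))


if __name__ == "__main__":
    bom = build_bom(SAMPLE_DPKG_OUTPUT)
    print(json.dumps(bom, indent=2))
    payload = dependency_track_payload(bom, "peppermint-os", "12")
    print(len(payload["bom"]), "base64 bytes ready for PUT /api/v1/bom")
```

Note that the "deinstall ok config-files" line is filtered out: a package whose binaries are gone but whose config files remain would otherwise show up in Dependency-Track with findings against software that is not actually running.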