The first full release of BOMnipotent is here
Become a CSAF trusted provider by letting BOMnipotent sign your documents.
After more than 800 hours of work, BOMnipotent 1.0, the first full release, is finally here. What began as an easy-to-set-up server for hosting CSAF advisory documents has become so much more:
- It treats Bill of Materials (BOM) documents with the same respect as advisories.
- It lists known vulnerabilities, and helps you keep track of new ones.
- It offers user management with fine-grained, role-based access control and passwordless logins.
- It verifies a user's access to their email account via HMAC.
- It seamlessly integrates into your environment with ready-to-use GitHub actions and Bash scripts.
This new release takes the final steps from CSAF provider to CSAF trusted provider. All you have to do is give the server access to an OpenPGP key. It will then serve the public part of your key, and cryptographically hash and sign your BOM and CSAF documents. The documentation can help you get started with OpenPGP keys.
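As an added example (not BOMnipotent's own code), here is how a consumer can check a document published by such a trusted provider on the receiving end. It assumes the provider publishes the document, a `.sha256` file in `sha256sum` format and a detached `.asc` OpenPGP signature side by side; the sample document, file names and keyring path are constructed for the example.

```python
import hashlib
import hmac
import subprocess
from pathlib import Path

# Constructed sample: a minimal CSAF-like document and its file name
# (hypothetical, not a real advisory).
DOCUMENT_NAME = "example-advisory.json"
DOCUMENT = b'{"document": {"title": "Example advisory", "csaf_version": "2.0"}}\n'


def sha256_hash_file(doc: bytes, name: str) -> str:
    """Build the content of the .sha256 file ('<hex digest>  <file name>')."""
    return f"{hashlib.sha256(doc).hexdigest()}  {name}\n"


def verify_hash_file(doc: bytes, name: str, hash_file: str) -> bool:
    """Check a downloaded document against its published .sha256 file.

    The file name is compared as well, so a hash file that belongs to a
    different document is rejected even if the digest happens to be valid.
    """
    parts = hash_file.split()
    if len(parts) != 2:
        return False
    published_hex, published_name = parts
    expected = hashlib.sha256(doc).hexdigest()
    # constant-time comparison of the digests
    return published_name == name and hmac.compare_digest(
        published_hex.encode(), expected.encode()
    )


def verify_signature(doc_path: Path, sig_path: Path, keyring: Path) -> bool:
    """Verify the detached OpenPGP signature (.asc) with gpg.

    Only the provider's public key in `keyring` is consulted (the default
    keyring is ignored), so a signature from any other key fails. Returns
    False for a bad signature and also when gpg is not installed.
    """
    cmd = [
        "gpg", "--batch", "--no-default-keyring",
        "--keyring", str(keyring.resolve()),
        "--verify", str(sig_path), str(doc_path),
    ]
    try:
        return subprocess.run(cmd, capture_output=True, check=False).returncode == 0
    except FileNotFoundError:
        return False
```

Fetch the `.sha256` and `.asc` files together with the document and only accept the advisory when both checks pass; the public key itself should be pinned by the fingerprint you obtained out of band.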
All this functionality will remain free of charge for non-commercial entities. It will remain available to companies and the like for a single-tier subscription, which, honestly, does not cost that much more than nothing.
This is far from the end of the journey for BOMnipotent. At the time of writing, the backlog has exactly 100 open items. Most are ideas for new features, some are for maintaining high code quality. Security issues will always be fixed with the highest priority, closely followed by bugs. After all, this is what supply chain security is about: software that is reliable on every level.