Requiring a sandwich bill of materials for sandwiches will likely end up with not getting many sandwiches, but this was a fun (to me) link. Thanks for sharing.
I laughed. I thought you might, too!
> Post-incident analysis revealed that 94% of affected sandwiches had no lockfile and were resolving eggs to latest at assembly time.
I want to ~~eat~~ inspect these 6% of sandwiches with a lockfile
This was my favourite bit:
> CVE-2019-SPROUT: Alfalfa sprouts were found to be executing arbitrary bacteria in an unsandboxed environment. Severity: High. The vendor disputes this classification.
Ugh, sandwich licenses. Why do I need to open up the sandwich and check third party sources so I can put Sriracha sauce on myself when I can just pay for a sandwich that has brand name Sriracha at the proprietary shop down the road? And I know about OpenHot and Yet Another Spicy Sauce, they just don't fit my use case. /j
YASS would probably do well on brand recognition alone
Stupid things broke - I tried to compile a hotdog and it crashed despite meeting spec requirements.
Works on my end, try a previously unused kitchen?
This is great, thanks for sharing!
I love this!
SBOMs are such a great idea, but always felt hopeless to me because of dependency chains.
Add that to vulnerability scanners that complain about everything right down to the language you're using and defenestration seems like the best option.
My experience with SBOMs at work has thankfully been limited to adding in a pipeline helper that runs whatever the approved scans are and it hasn't given me any trouble so far.
The vulnerability scanners on the other hand have caused me a few headaches, especially a while ago when my work was relying on a several year old version of something that simply didn't have support for the version of Golang my project was on (not to mention apparently thinking that a typescript Promise<void> function called via await funcName(); instead of let x = await funcName(); was some kind of risk).
Thankfully they changed providers, so now I just have to occasionally bump package versions when a new CVE gets picked up.