Add BOMHort sandbox submission#627
Conversation
Signed-off-by: Mario Fahlandt <[email protected]>
|
This name change makes sense- CBOM and SeeBom is confusing. |
|
|
||
| * **SBOMit** (OpenSSF Sandbox): Focuses on verifiable SBOMs using in-toto attestation. BOMHort focuses on consumption and governance. Complementary, not competing. | ||
| * **protobom** (OpenSSF Sandbox): Format translation layer. BOMHort uses protobom as an optional backend for format coverage. Complementary. | ||
| * **GUAC** (OpenSSF Incubating): Graph-based supply chain aggregation. BOMHort focuses on Kubernetes-native deployment, ClickHouse analytics, and license governance with policy enforcement — different architecture and primary use case. |
There was a problem hiding this comment.
I very much appreciate this section which describes how BOMHort differs from existing OpenSSF projects.
In this context, however, I'd prefer more details regarding how GUAC and BOMHort differ and/or complement each other. On a high-level, both ingest and aggregate SBOMs (and other data sources/documents).
There was a problem hiding this comment.
@gkunz thank you for the question! Both ingest/aggregate SBOMs but with different approaches:
So this is our view for GUAC and BOMHort:
GUAC: graph-based, strong at relationship queries (dependency trees, blast radius). Research-oriented, single-project depth
BOMHort: tabular analytics, focused on fleet-scale compliance: license policy enforcement, VEX management, operational dashboards for compliance/legal teams.
BOMHort has a dedicated license governance implementation with configurable policies and active VEX management. GUAC has deeper graph traversal that BOMHort doesn't aim to replicate. Different strengths, different primary users.
This came up in the June 3 SCI WG meeting, including GUAC maintainer @mlieberman85 noting GUAC's complexity for operational use cases.
We see them as complementary, potential integration where BOMHort feeds data to GUAC's graph, and GUAC feeds certifier results back to BOMHort for governance dashboarding.
There was a problem hiding this comment.
Thank you for the detailed explanation, @mfahlandt.
There was a problem hiding this comment.
BOMHort has a dedicated license governance implementation with configurable policies and active VEX management. GUAC has deeper graph traversal that BOMHort doesn't aim to replicate. Different strengths, different primary users.
I highly encourage both projects to make clear in their description who their primary users are expected to be and for what.
While it is great to see more projects coming to OpenSSF we need to make sure that people can quickly understand what is relevant to them. Otherwise, the diversity of OpenSSF tools becomes detrimental by leaving potential users confused and unsure what to use and for what purpose.
There was a problem hiding this comment.
Totally agree; we will add it to our description and documentation to really give end users a good understanding of where to use what! Thank you!
This adds the BOMHort (formerly known as SeeBOM) project into OpenSSF.
The Project is under a neutral ORG with no company affiliation.
The reasons for the rename after the discussion with the WG Supply Chain Integrety https://docs.bomhort.dev/docs/getting-started/rename/
New Scorecard Url: https://scorecard.dev/viewer/?uri=github.com/seebom-labs/BOMHort
In addition, for disclosure, I utilized AI for the aid in creating this submission, but it has been reviewed by both myself and @koksay for correctness and style.