Episode 410 - Package identifiers are really hard
Open Source Security Podcast
English - January 08, 2024 00:00 - 31 minutes - 29.2 MB - ★★★★★ - 38 ratings
Josh and Kurt talk about package identifiers. We break this down in the context of an OpenSSF response to a CISA paper on software identifications. The identifiers that get all the air time are purl, CPE, SWID, and OmniBOR. This is a surprisingly complex problem space. It feels easy, but it's not.
Show Notes:
- OpenSSF CISA response
- purl
- CPE
- OmniBOR
- SWID