Skip to content

Reproducible identifiers & fine-grained build dependency tracking for software artifacts.

License

Notifications You must be signed in to change notification settings

omnibor/omnibor-rs


OmniBOR Logo

Reproducible identifiers & fine-grained build dependency tracking for software artifacts.

Website License: Apache-2.0

What is OmniBOR?

OmniBOR is a draft specification which defines two key concepts:

  • Artifact Identifiers: independently-reproducible identifiers for software artifacts.
  • Artifact Input Manifests: record the IDs of every input used in the build process for an artifact.

Artifact IDs enable anyone to identify and cross-reference information for software artifacts without a central authority. Unlike pURL or CPE, OmniBOR Artifact IDs don't rely on a third-party, they are inherent identifiers determined only by an artifact itself. They're based on Git's Object IDs (GitOIDs) in both construction and choice of cryptographic hash functions.

Artifact Input Manifests allow consumers to reconstruct Artifact Dependency Graphs that give fine-grained visibility into how artifacts in your software supply chain were made. With these graphs, consumers could in the future identify the presence of exact files associated with known vulnerabilities, side-stepping the complexities of matching version numbers across platforms and patching practicies.

You can view the OmniBOR specification here.

The United States Cybersecurity & Infrastructure Security Agency (CISA), identified OmniBOR as a major candidate for software identities in its 2023 report "Software Identification Ecosystem Option Analysis."

What's in this Repository?

Crate Name Type Purpose Links
omnibor Library OmniBOR Identifiers and Manifests README · Changelog · API Docs · Crate
omnibor-cli Binary CLI for OmniBOR Identifiers and Manifests README · Changelog · Crate
gitoid Library Git Object Identifiers (GitOIDs) README · Changelog · API Docs · Crate
xtask Binary OmniBOR Rust Workspace Automation README

Contributing

We happily accept contributions to any of the packages in this repository!

All contributed commits must include a Developer Certificate of Origin sign-off (use the --signoff flag when running git commit). This is checked by Continuous Integration tests to make sure you don't miss it! You can learn more on the DCO website.

Contributors do not sign any Contributor License Agreement. Your contributions remain owned by you, licensed for use in OmniBOR under the terms of the Apache 2.0 license.

Check out the full Contributing Guide to learn more!

Discussions & Support

If you've encountered specific bugs or have specific feature requests, we recommend opening issues in the issue tracker!

However, if you have more open-ended ideas, want to ask questions about OmniBOR or the OmniBOR Rust implementation, or want to get support debugging an issue you've encountered, we recommend opening a new discussion.

If you believe you've found a security vulnerability, please report it to us.

Security

The project maintains an official Security Policy and accepts security disclosures through GitHub.

Code of Conduct

All discussions, issues, pull requests, and other communication spaces associated with this project require participants abide by the project's Code of Conduct (Contributor Covenant 2.0).

License

All crates in this repository are Apache 2.0 licensed. You can read the full license text in the LICENSE file.

About

Reproducible identifiers & fine-grained build dependency tracking for software artifacts.

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Languages