Today on the Open at Microsoft Blog series we are talking all about Project OmniBOR. On this episode, we are joined by Ed Warnicke, one of the founders of OmniBOR, as he walks us through how to navigate supply chain problems and security issues. OmniBOR (formerly GitBOM) stands for Universal Bill of Receipts. It is a minimalistic scheme for build tools to embed a unique, content-addressable reference in each step of a build process and thereby enable the generation of a compact Artifact Dependency Graph, tracking every source code file incorporated into each built artifact.
OmniBOR is designed to construct a verifiable Artifact Dependency Graph (ADG) across languages, environments, and packaging formats with zero developer effort, involvement, or awareness. However, OmniBOR is not designed to be a replacement for SBOMs -- rather, it complements SBOM formats such as SPDX and CycloneDX.
Have you ever asked yourself, "Does this product contain log4j?" but been unable to answer because the library was shaded or obfuscated, so its Java package names no longer appear in the artifact? OmniBOR can help by providing a precise, content-derived artifact identifier which can be used in situations where naming schemes are ambiguous or when critical dependencies are nested deep in a supply chain.
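To make the "content-addressable reference" and "Artifact Dependency Graph" concrete, here is a small added example (written for this post, not code from the OmniBOR project) that simulates a two-step build: two constructed C sources are "compiled" into objects and "linked" into a program, each step records a manifest of its inputs, and the resulting graph is queried by content hash rather than by name. The identifier is the git blob object id (the hash `git hash-object` prints for a file's bytes), and the manifest layout (a `gitoid:blob:sha1` header followed by sorted `blob <id>` / `blob <id> bom <id>` lines, with the manifest's own gitoid serving as the artifact's identifier) follows the published OmniBOR specification as I read it; the `AdgStore` class, the `record_step` and `contains` helpers, and the stand-in "compiler" and "linker" are hypothetical and exist only for the demonstration.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Inputs = List[Tuple[str, Optional[str]]]  # (input gitoid, gitoid of its manifest or None)


def gitoid(content: bytes, algo: str = "sha1") -> str:
    """Content-addressable id of a blob: hash("blob <len>\\0" + content), as git does."""
    h = hashlib.new(algo)
    h.update(b"blob %d\x00" % len(content))
    h.update(content)
    return h.hexdigest()


def omnibor_document(inputs: Inputs, algo: str = "sha1") -> bytes:
    """Manifest for one build step. Each input is listed by gitoid; an input that was
    itself built (and so has its own manifest) also carries that manifest's gitoid after
    'bom'. Lines are sorted so the same inputs always give the same bytes."""
    lines = []
    for blob_id, bom_id in inputs:
        line = f"blob {blob_id}"
        if bom_id is not None:
            line += f" bom {bom_id}"
        lines.append(line + "\n")
    return (f"gitoid:blob:{algo}\n" + "".join(sorted(lines))).encode()


class AdgStore:
    """Hypothetical in-memory store of manifests keyed by their own gitoid."""

    def __init__(self) -> None:
        self.docs: Dict[str, bytes] = {}

    def record_step(self, inputs: Inputs) -> str:
        """Write the manifest for a build step; return its gitoid (the artifact's ADG id)."""
        doc = omnibor_document(inputs)
        doc_id = gitoid(doc)
        self.docs[doc_id] = doc
        return doc_id

    def parse(self, doc_id: str) -> Inputs:
        header, *lines = self.docs[doc_id].decode().splitlines()
        if not header.startswith("gitoid:blob:"):
            raise ValueError("not an OmniBOR document")
        out: Inputs = []
        for line in lines:
            parts = line.split()  # "blob <id>" or "blob <id> bom <id>"
            out.append((parts[1], parts[3] if len(parts) == 4 else None))
        return out

    def contains(self, doc_id: str, wanted: str) -> bool:
        """Walk the graph below manifest doc_id: does any input, at any depth, have gitoid wanted?"""
        for blob_id, bom_id in self.parse(doc_id):
            if blob_id == wanted:
                return True
            if bom_id is not None and self.contains(bom_id, wanted):
                return True
        return False


# Constructed sample sources for the toy build (not real project files).
SOURCES = {
    "log.c": b"int log_init(void) { return 0; }\n",
    "main.c": b"int main(void) { return 0; }\n",
}


def build_example() -> Tuple[AdgStore, str, Dict[str, str]]:
    """Compile each source to an object, link the objects, recording a manifest per step.
    Returns the store, the program's ADG id, and the gitoid of every source."""
    store = AdgStore()
    objects: List[Tuple[bytes, str]] = []
    for name, src in SOURCES.items():
        obj = b"OBJ:" + src  # stand-in for compiler output; only its bytes matter here
        bom_id = store.record_step([(gitoid(src), None)])
        objects.append((obj, bom_id))
    # Link step: inputs are the objects, each pointing back at its own manifest.
    prog_bom = store.record_step([(gitoid(obj), bom_id) for obj, bom_id in objects])
    return store, prog_bom, {name: gitoid(src) for name, src in SOURCES.items()}


if __name__ == "__main__":
    store, prog_bom, ids = build_example()
    # Answer "does the program contain log.c?" with no file name involved at all.
    print("contains log.c:", store.contains(prog_bom, ids["log.c"]))
    print("contains a stranger:", store.contains(prog_bom, gitoid(b"not in the build\n")))
```

The query at the end is the point: the linked program never mentions the string `log.c`, and a renamed or shaded copy of a library would not either, but the source bytes hash to the same gitoid wherever they end up, so the graph can still be asked whether that exact content is present.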
Watch this episode to learn more about the architecture of OmniBOR and how it can help you with your project. Check out the OmniBOR project on GitHub or jump into one of the community's weekly meetings if you're interested in contributing to the project or adding support to your favorite open source build tools.
Be on the lookout for our next featured post for the Open at Microsoft show, but in the meantime check out all our current open source projects here.