<h1>Tools for automatic creation of Software Bill of Materials (SBOM)</h1>

<p>By Tim Drobny, 23 July 2024. Originally published at <a href="https://blog.mi.hdm-stuttgart.de/index.php/2024/07/23/tools-for-automatic-creation-of-software-bill-of-materials-sbom/">blog.mi.hdm-stuttgart.de</a>.</p>

<p>In times where software develops at a rapid pace, there is little time to write each component of code yourself. That is why libraries and other tools exist: to make our lives easier and to speed up the development process. But how can we keep an overview of all the components we use? After all, the libraries and packages we use come with dependencies we mostly do not know of. Checking our <em>requirements.txt</em> file is not enough, as it does not keep track of transitive dependencies and sometimes not even of version numbers. Python is just an example here; the problem persists in other languages as well.</p>

<p>This is why SBOMs were created: to address this problem and to increase awareness of the packages we use, their licensing and their security.</p>

<h2 class="wp-block-heading">What is an SBOM?</h2>

<p>SBOMs have been around since about 2018, so they are quite new in terms of information technology. You can consider them a building block for supply chain risk management. The supply chain is everything: every tool, library or package that touches the software or plays any role during its lifecycle.<sup>[1]</sup></p>

<p>An SBOM serves as a list of "ingredients" that make up software components. It includes critical information about the libraries, tools and processes used in developing and building the software.<sup>[2]</sup></p>

<h2 class="wp-block-heading">Why should you use an SBOM?</h2>

<p>Nowadays software is developed at a rapid pace, and developers include code from open source repositories and proprietary packages to speed up development; you would not want to reinvent the wheel each time you need a piece of software that is already written. Using these components is quite helpful, as it saves time and thereby money for companies. But all these components can contain weaknesses and general security risks that the developers might not know about. A risk report by Synopsys released in 2024 consolidated findings from over 1000 open source codebases across 17 industries in 2023. They found that 96% of the codebases contained open source code and 84% of the codebases contained vulnerabilities. Looking back to 2021, the Log4Shell vulnerability in the Log4j logging framework affected numerous companies around the world. Only one version was vulnerable, but it took companies some time to figure out which version they were running. An SBOM could have helped here, as it keeps track of version numbers as well.<sup>[2]</sup></p>

<p>Security issues always come with a cost attached, either to fix them early or to fix them after a breach has occurred. The latter also damages the company's image, which needs to be avoided. This is why all dependencies, images and infrastructure used need continuous checking for vulnerabilities and weaknesses. An SBOM serves as a great overview of exactly these things. It gives you insight into all components, so you can look for vulnerabilities and for licenses that do not comply with internal and external policies.<sup>[2]</sup></p>

<h2 class="wp-block-heading">Tools for creating an SBOM</h2>

<p>There are two popular data exchange standards used for SBOMs. CycloneDX, by OWASP, emphasizes security vulnerabilities and can be formatted as JSON or XML. SPDX, by the Linux Foundation, focuses more on software licenses.<sup>[3]</sup></p>

<figure class="wp-block-table"><table><thead><tr><th>CDX</th><th>SPDX</th></tr></thead><tbody><tr><td>Open source</td><td>Open source</td></tr><tr><td>OWASP</td><td>Linux Foundation</td></tr><tr><td>Lightweight, focus on vulnerabilities</td><td>Ensures compliance and transparency</td></tr><tr><td>Focus on ease of adoption and automation</td><td></td></tr></tbody></table><figcaption class="wp-element-caption"><sup>[4]</sup></figcaption></figure>

<h2 class="wp-block-heading">Comparing Tools</h2>

<p>In order to compare the tools, I created a small Python application that starts a web server and accesses the GitHub API:</p>

<pre class="wp-block-code"><code>import requests
from flask import Flask, jsonify

app = Flask(__name__)

@app.route('/')
def home():
    return "Hello, SBOM"

@app.route('/api')
def api():
    # Fetch the GitHub API root and pass its JSON body through to the client
    response = requests.get('http://api.github.com')
    return jsonify(response.json())

if __name__ == '__main__':
    app.run(debug=True)
</code></pre>

<p>When this code is executed, it starts a local web server on port 5000 that serves a page saying "Hello, SBOM" at <code>/</code> and the response of the GitHub API at <code>/api</code>.<br>The <em>requirements.txt</em> contains the following:</p>

<pre class="wp-block-code"><code>Flask
requests</code></pre>

<h2 class="wp-block-heading">CycloneDX</h2>

<p>CycloneDX supports a multitude of languages (even Haskell) and can scan your code either locally or as part of a CI/CD pipeline. It even has an API server for on-demand checks of code. To use CycloneDX for Python, there is a pip package called <em>cyclonedx-bom</em> (this is similar for other languages; Maven has a CycloneDX plugin to create SBOMs during a build). With its command you can generate a multitude of different SBOMs for your Python project. See the documentation for more info.<sup>[5]</sup></p>

<p>First of all, I created an SBOM using CycloneDX, by first installing the pip package:</p>

<pre class="wp-block-code"><code>pip install cyclonedx-bom</code></pre>

<p>And then creating the SBOM using the following command:</p>

<pre class="wp-block-code"><code>cyclonedx-py environment &gt; ./CycloneDX/environment.json</code></pre>

<p>This gives us the SBOM for our entire Python environment in CDX format and saves it in the environment.json file.</p>

<p>The entry for a single component looks like this:</p>

<pre class="wp-block-code"><code>"components": [
	{
		"bom-ref": "Flask==3.0.3",
		"description": "A simple framework for building complex web applications.",
		"externalReferences": [
			{
				"comment": "from packaging metadata Project-URL: Chat",
				"type": "chat",
				"url": "https://discord.gg/pallets"
			},
			{
				"comment": "from packaging metadata Project-URL: Documentation",
				"type": "documentation",
				"url": "https://flask.palletsprojects.com/"
			},
			{
				"comment": "from packaging metadata Project-URL: Source",
				"type": "other",
				"url": "https://github.com/pallets/flask/"
			},
			{
				"comment": "from packaging metadata Project-URL: Donate",
				"type": "other",
				"url": "https://palletsprojects.com/donate"
			},
			{
				"comment": "from packaging metadata Project-URL: Changes",
				"type": "release-notes",
				"url": "https://flask.palletsprojects.com/changes/"
			}
		],
		"licenses": [
			{
				"license": {
					"name": "License :: OSI Approved :: BSD License"
				}
			}
		],
		"name": "Flask",
		"purl": "pkg:pypi/flask@3.0.3",
		"type": "library",
		"version": "3.0.3"
	},
&lt;SNIP&gt;</code></pre>

<p>As we can see, the overview for a single package is quite detailed. The first block shows general information. In the second and third, we get a ton of external references, like GitHub or Discord links, as well as licensing information. The final block then contains other metadata. It is this detailed because Flask is a very popular package for writing web backends. Packages that are not as popular will not contain such detailed information, and certainly not as much of it.</p>

<p>If we scroll all the way down in the file, we can even see the dependencies, i.e. which package depends on which:</p>

<pre class="wp-block-code"><code>&lt;SNIP&gt;
"dependencies": [
	{
		"dependsOn": ["Jinja2==3.1.4", "Werkzeug==3.0.3", "blinker==1.8.2", "click==8.1.7", "itsdangerous==2.2.0"],
		"ref": "Flask==3.0.3"
	},
	{
		"dependsOn": ["MarkupSafe==2.1.5"],
		"ref": "Jinja2==3.1.4"
	},
	{
		"ref": "MarkupSafe==2.1.5"
	},
	{
		"dependsOn": ["MarkupSafe==2.1.5"],
		"ref": "Werkzeug==3.0.3"
	},
&lt;SNIP&gt;</code></pre>

<p>We can see that Flask itself depends on 5 other packages. The entries even include the version numbers installed in our environment. Some packages have no dependencies, like <em>MarkupSafe</em>.</p>

<h2 class="wp-block-heading">Syft</h2>

<p>Syft can create SBOMs in multiple formats, including CDX and SPDX. It is also a CLI tool and can scan containers as well as file systems. You can also create an SBOM in Syft's own format.<sup>[6]</sup></p>

<p>I installed Syft inside a WSL machine locally with the provided command.<sup>[6]</sup></p>

<p>Using Syft, I created a multitude of SBOM files: one in CycloneDX format, one in SPDX format, one in Syft's own format, and one in human readable text form.</p>

<p>They all use the same command syntax:</p>

<pre class="wp-block-code"><code>syft . -o [format] &gt; [output file]</code></pre>

<p>Syft then creates SBOMs like this:</p>

<p>CycloneDX:</p>

<pre class="wp-block-code"><code>{"$schema":"http://cyclonedx.org/schema/bom-1.6.schema.json","bomFormat":"CycloneDX","specVersion":"1.6","serialNumber":"urn:uuid:870e8bd0-e86b-48ed-a703-a94c1d4e0f8d","version":1,"metadata":{"timestamp":"2024-07-21T19:28:56+02:00","tools":{"components":[{"type":"application","author":"anchore","name":"syft","version":"1.9.0"}]},"component":{"bom-ref":"af63bd4c8601b7f1","type":"file","name":"."}},"components":[{"bom-ref":"pkg:pypi/flask@3.0.3?package-id=9a5e3b2e12b775ed","type":"library","name":"Flask","version":"3.0.3","cpe":"cpe:2.3:a:palletsprojects:flask:3.0.3:*:*:*:*:*:*:*","purl":"pkg:pypi/Flask@3.0.3","properties":[{"name":"syft:package:foundBy","value":"python-installed-package-cataloger"},{"name":"syft:package:language","value":"python"},{"name":"syft:package:type","value":"python"},{"name":"syft:package:metadataType","value":"python-package"},{"name":"syft:location:0:path","value":"/testApp/Lib/site-packages/flask-3.0.3.dist-info/METADATA"}
&lt;SNIP&gt;</code></pre>

<p>This is definitely not human readable, unless you run the output through a tool to reformat it. All the outputs look very similar to this:</p>

<p>SPDX:</p>

<pre class="wp-block-code"><code>{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":".","documentNamespace":"https://anchore.com/syft/dir/b9dc3c0c-0e97-4ba7-ba77-a0849de48ec8","creationInfo":{"licenseListVersion":"3.24","creators":["Organization: Anchore, Inc","Tool: syft-1.9.0"],"created":"2024-07-21T17:29:29Z"},"packages":[{"name":"Flask","SPDXID":"SPDXRef-Package-python-Flask-9a5e3b2e12b775ed","versionInfo":"3.0.3","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"sourceInfo":"acquired package info from installed python package manifest file: /testApp/Lib/site-packages/flask-3.0.3.dist-info/METADATA, /testApp/Lib/site-packages/flask-3.0.3.dist-info/RECORD","licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION",&lt;SNIP&gt;</code></pre>

<p>Syft format:</p>

<pre class="wp-block-code"><code>{"artifacts":[{"id":"9a5e3b2e12b775ed","name":"Flask","version":"3.0.3","type":"python","foundBy":"python-installed-package-cataloger","locations":[{"path":"/testApp/Lib/site-packages/flask-3.0.3.dist-info/METADATA","accessPath":"/testApp/Lib/site-packages/flask-3.0.3.dist-info/METADATA","annotations":{"evidence":"primary"}},{"path":"/testApp/Lib/site-packages/flask-3.0.3.dist-info/RECORD","accessPath":"/testApp/Lib/site-packages/flask-3.0.3.dist-info/RECORD","annotations":{"evidence":"supporting"}}],"licenses":[]&lt;SNIP&gt;</code></pre>

<p>As you can see, all these outputs are more machine than human readable.</p>

<p>Syft does also provide a human readable format:</p>

<pre class="wp-block-code"><code>[Path: .]
[Flask]
 Version:	 3.0.3
 Type:		 python
 Found by:	 python-installed-package-cataloger

[Jinja2]
 Version:	 3.1.4
 Type:		 python
 Found by:	 python-installed-package-cataloger
&lt;SNIP&gt;</code></pre>

<p>But a lot of information is missing here, like licenses or dependencies.</p>

<h2 class="wp-block-heading">Jake</h2>

<p>Jake is a tool specific to Python. You can either generate an SBOM or a report on known vulnerabilities in the components used. It is also installed via a pip package and can scan your local directory.</p>

<pre class="wp-block-code"><code>jake sbom --output-format json -o Jake/sbom.json</code></pre>

<p>With this command we can generate an SBOM and save it to sbom.json.</p>

<p>One immediate problem is once again the readability. It seems that human readability is more the exception than the rule.</p>

<pre class="wp-block-code"><code>{"$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "serialNumber": "urn:uuid:84961009-c747-4ace-968f-167284c4e87f", "version": 1, "metadata": {"timestamp": "2024-07-23T19:51:44.666349+00:00", "tools": [{"vendor": "CycloneDX", "name": "cyclonedx-python-lib", "version": "3.1.5", "externalReferences": [{"url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions", "type": "build-system"}, {"url": "https://pypi.org/project/cyclonedx-python-lib/", "type": "distribution"}, {"url": "https://cyclonedx.github.io/cyclonedx-python-lib/", "type": "documentation"}, {"url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues", "type": "issue-tracker"}, {"url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE", "type": "license"}, {"url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md", "type": "release-notes"}, {"url": "https://github.com/CycloneDX/cyclonedx-python-lib", "type": "vcs"}, {"url": "https://cyclonedx.org", "type": "website"}]}, {"vendor": "Sonatype Nexus Community", "name": "jake", "version": "3.0.14", "externalReferences": [{"url": "https://app.circleci.com/pipelines/github/sonatype-nexus-community/jake", "type": "build-system"}, {"url": "https://pypi.org/project/jake/", "type": "distribution"},
&lt;SNIP&gt;</code></pre>

<p>But we once again get a lot of metadata at the beginning of the file, as well as licensing information. Jake's output is itself a CycloneDX document (version 1.4, as the <code>$schema</code> field shows) and looks very similar to the one produced by Syft, but we can notice a few differences. The tool relies on the Sonatype OSS Index, which is a catalogue of open source components and scanning tools.<sup>[7][8]</sup></p>

<h2 class="wp-block-heading">Conclusion</h2>

<p>Which SBOM tool you use is entirely up to you. Most are well documented and easy to integrate. If you need the output to be human readable and not just machine readable, you should have another tool at hand to reformat some of the outputs. But all three tools find the same things and provide very similar output. Notably, Syft provides more metadata than CycloneDX, like a timestamp, the format, the Syft version and more. CycloneDX focuses more on the important part: it does not give as much metadata as Syft, but presents the information on components and dependencies in a much more readable and clearer way. Jake has more similarities with Syft than with CycloneDX in terms of metadata and readability, but its ability to also generate an automated risk report can be quite helpful.</p>

<p>So, should you use SBOMs in your projects? Yes, definitely. The amount of work you have to put into creating an SBOM or including it in your build pipeline is far less than trying to figure out all dependencies and versions yourself.</p>

<p>It also increases security awareness. By looking through your SBOM you can spot vulnerable versions much more easily.</p>

<p>You can also ensure compliance, as SBOMs provide a great overview of licensing information.</p>

<p>[1] <a href="https://www.synopsys.com/glossary/what-is-software-supply-chain-security.html">https://www.synopsys.com/glossary/what-is-software-supply-chain-security.html</a></p>

<p>[2] <a href="https://about.gitlab.com/blog/2022/10/25/the-ultimate-guide-to-sboms">https://about.gitlab.com/blog/2022/10/25/the-ultimate-guide-to-sboms</a></p>

<p>[3] <a href="https://www.wiz.io/academy/top-open-source-sbom-tools">https://www.wiz.io/academy/top-open-source-sbom-tools</a></p>

<p>[4] <a href="https://scribesecurity.com/blog/spdx-vs-cyclonedx-sbom-formats-compared/">https://scribesecurity.com/blog/spdx-vs-cyclonedx-sbom-formats-compared/</a></p>

<p>[5] <a href="https://github.com/CycloneDX/cyclonedx-python">https://github.com/CycloneDX/cyclonedx-python</a></p>

<p>[6] <a href="https://anchore.com/sbom/how-to-generate-an-sbom-with-free-open-source-tools/">https://anchore.com/sbom/how-to-generate-an-sbom-with-free-open-source-tools/</a></p>

<p>[7] <a href="https://ossindex.sonatype.org/">https://ossindex.sonatype.org</a></p>

<p>[8] <a href="https://github.com/sonatype-nexus-community/jake">https://github.com/sonatype-nexus-community/jake</a></p>