A software bill of materials is your friend
In this section, we will explore OSS supply chain issues: how to consume or depend on OSS without introducing new vulnerabilities, using a Software Bill of Materials (SBOM) to track what you actually depend on; how to identify mature and stable OSS projects; how to nurture and assist the projects you rely on; and how to respond when a project abandons its initial commitments.
Using SBOMs to track software dependencies
A software architect can be called on to recommend specific OSS solutions for an architecture or implementation. The risk in doing so is that the best fit for a given set of requirements (or one of its immediate dependencies) may come from a project that is not mature or stable (see the following subsection for more on that topic). It is therefore incumbent on you to perform due diligence: either recommend against such projects, or recommend them only with strong caveats when no other good options are available, so that the ultimate...
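As an added example (not code from the book), the following Python script reads an SBOM in CycloneDX JSON form (the format is an assumption; SPDX would need a different reader) and walks its dependency graph from the application's root component. It flags the entries an architect's due diligence should start with: components with no pinned version, no declared license, or a name on a hypothetical team watch list of projects already judged immature, and for each one names the direct dependency that pulls it in, since that is the dependency you actually chose. The SBOM document, the component names and versions, and the watch list are all constructed for illustration.

```python
"""Walk a CycloneDX SBOM and flag dependencies that need due-diligence review."""
import json
from collections import deque

# Constructed sample SBOM in CycloneDX 1.4 JSON form (assumed format). Component
# names, versions and the graph are made up for illustration.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "orders-service", "version": "2.1.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library", "name": "requests",
         "version": "2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:pypi/urllib3@2.0.7", "type": "library", "name": "urllib3",
         "version": "2.0.7", "licenses": [{"license": {"id": "MIT"}}]},
        # Hypothetical transitive dependency with no version and no license declared.
        {"bom-ref": "pkg:pypi/leftpad-py", "type": "library", "name": "leftpad-py",
         "licenses": []},
        # Hypothetical direct dependency the team has judged immature.
        {"bom-ref": "pkg:pypi/orm-toolkit@0.3.1", "type": "library", "name": "orm-toolkit",
         "version": "0.3.1", "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/orm-toolkit@0.3.1"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]},
        {"ref": "pkg:pypi/orm-toolkit@0.3.1", "dependsOn": ["pkg:pypi/leftpad-py"]},
        {"ref": "pkg:pypi/urllib3@2.0.7", "dependsOn": []},
        {"ref": "pkg:pypi/leftpad-py", "dependsOn": []},
    ],
})

# Hypothetical watch list: projects the team has already assessed as immature or unstable.
WATCH_LIST = {"orm-toolkit"}


def load_graph(sbom_json):
    """Return (root_ref, components_by_ref, edges) from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root, comps, edges


def paths_from_root(root, edges):
    """Breadth-first walk; map every reachable ref to the path that first reached it."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def audit(sbom_json, watch_list=WATCH_LIST):
    """Return findings as (component name, reason, direct dependency that pulls it in)."""
    root, comps, edges = load_graph(sbom_json)
    paths = paths_from_root(root, edges)
    findings = []
    for ref, path in paths.items():
        if ref == root:
            continue
        comp = comps.get(ref)
        if comp is None:
            # Present in the graph but absent from components: the SBOM itself is incomplete.
            findings.append((ref, "not described in components", path[1]))
            continue
        via = comps[path[1]]["name"]  # path[1] is the direct dependency under the root
        reasons = []
        if not comp.get("version"):
            reasons.append("no version pinned")
        if not comp.get("licenses"):
            reasons.append("no license declared")
        if comp["name"] in watch_list:
            reasons.append("on watch list")
        for reason in reasons:
            findings.append((comp["name"], reason, via))
    return findings


if __name__ == "__main__":
    for name, reason, via in audit(SAMPLE_SBOM):
        print(f"{name}: {reason} (pulled in via {via})")
```

Run against the constructed SBOM, the script reports orm-toolkit as being on the watch list and leftpad-py twice (no version, no license), both attributed to orm-toolkit as the direct dependency responsible. Real SBOMs are large, so the useful output is the grouping by direct dependency: that is the list of choices the architect can still change, and it is also where the "strong caveats" belong when a flagged project has no good alternative.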