OmniBOR is a draft specification which defines two key concepts:
- Artifact Identifiers: independently-reproducible identifiers for software artifacts.
- Artifact Input Manifests: record the IDs of every input used in the build process for an artifact.
Artifact IDs enable anyone to identify and cross-reference information for software artifacts without a central authority. Unlike pURL or CPE, OmniBOR Artifact IDs don't rely on a third party; they are inherent identifiers determined only by the artifact itself. They're based on Git's Object IDs (GitOIDs) in both construction and choice of cryptographic hash functions.
Artifact Input Manifests allow consumers to reconstruct Artifact Dependency Graphs that give fine-grained visibility into how artifacts in your software supply chain were made. With these graphs, consumers could in the future identify the presence of exact files associated with known vulnerabilities, side-stepping the complexities of matching version numbers across platforms and patching practices.
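As an added illustration (not code from this repository or the `omnibor` crate), the following computes an Artifact ID the way a GitOID is built, by hashing Git's blob object encoding (`blob <length>\0<content>`) with SHA-256, and assembles a minimal Artifact Input Manifest; the manifest line layout is my reading of the draft spec, and the sample file contents are constructed.

```python
import hashlib
from typing import Dict, Optional

# An Artifact ID is the GitOID of the file treated as a Git *blob* object,
# hashed with SHA-256. Git's blob object encoding is b"blob <byte length>\0<content>".

def gitoid_hex(content: bytes, algo: str = "sha256") -> str:
    """Hex digest of the Git blob object for `content` under `algo`."""
    header = b"blob %d\0" % len(content)
    return hashlib.new(algo, header + content).hexdigest()

def artifact_id(content: bytes) -> str:
    """OmniBOR Artifact ID in URI form: gitoid:blob:sha256:<hex>."""
    return "gitoid:blob:sha256:" + gitoid_hex(content, "sha256")

def input_manifest(inputs: Dict[str, Optional[str]]) -> bytes:
    """Build an Artifact Input Manifest (line layout assumed from the draft spec).

    `inputs` maps each input's Artifact ID hex to the hex of that input's own
    manifest, or None if it has none. Records are sorted so the manifest bytes
    (and hence the manifest's own Artifact ID) do not depend on build order.
    """
    lines = ["gitoid:blob:sha256"]
    for id_hex in sorted(inputs):
        bom = inputs[id_hex]
        lines.append(id_hex if bom is None else f"{id_hex} bom {bom}")
    return ("\n".join(lines) + "\n").encode()

# Constructed sample inputs standing in for a source file and a header it includes.
MAIN_C = b'#include "util.h"\nint main(void) { return util(); }\n'
UTIL_H = b"int util(void);\n"

def demo():
    """Return the manifest for a build that consumed MAIN_C and UTIL_H, plus its ID."""
    ids = {gitoid_hex(MAIN_C): None, gitoid_hex(UTIL_H): None}
    manifest = input_manifest(ids)
    # The manifest is itself an artifact and so has its own Artifact ID; a consumer
    # follows such IDs to reconstruct the Artifact Dependency Graph.
    return artifact_id(manifest), manifest
```

With `algo="sha1"`, `gitoid_hex` reproduces what `git hash-object` prints, which is a handy cross-check that the blob encoding is right.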
You can view the OmniBOR specification here.
The United States Cybersecurity & Infrastructure Security Agency (CISA) identified OmniBOR as a major candidate for software identities in its 2023 report "Software Identification Ecosystem Option Analysis."
Crate Name | Type | Purpose | Links
---|---|---|---
omnibor | | OmniBOR Identifiers and Manifests | README · Changelog · API Docs · Crate
omnibor-cli | | CLI for OmniBOR Identifiers and Manifests | README · Changelog · Crate
gitoid | | Git Object Identifiers (GitOIDs) | README · Changelog · API Docs · Crate
xtask | | OmniBOR Rust Workspace Automation | README
We happily accept contributions to any of the packages in this repository!
All contributed commits must include a Developer Certificate of Origin sign-off (use the `--signoff` flag when running `git commit`). This is checked by Continuous Integration tests to make sure you don't miss it! You can learn more on the DCO website.
Contributors do not sign any Contributor License Agreement. Your contributions remain owned by you, licensed for use in OmniBOR under the terms of the Apache 2.0 license.
Check out the full Contributing Guide to learn more!
If you've encountered specific bugs or have specific feature requests, we recommend opening issues in the issue tracker!
However, if you have more open-ended ideas, want to ask questions about OmniBOR or the OmniBOR Rust implementation, or want to get support debugging an issue you've encountered, we recommend opening a new discussion.
If you believe you've found a security vulnerability, please report it to us.
The project maintains an official Security Policy and accepts security disclosures through GitHub.
All discussions, issues, pull requests, and other communication spaces associated with this project require participants abide by the project's Code of Conduct (Contributor Covenant 2.0).
All crates in this repository are Apache 2.0 licensed. You can read the full license text in the LICENSE file.