惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

K
Kaspersky official blog
罗磊的独立博客
F
Fortinet All Blogs
人人都是产品经理
人人都是产品经理
量子位
V
Visual Studio Blog
Blog — PlanetScale
Blog — PlanetScale
M
MIT News - Artificial intelligence
B
Blog RSS Feed
腾讯CDC
博客园_首页
aimingoo的专栏
aimingoo的专栏
博客园 - 三生石上(FineUI控件)
博客园 - Franky
S
SegmentFault 最新的问题
N
Netflix TechBlog - Medium
小众软件
小众软件
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
L
LINUX DO - 热门话题
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Martin Fowler
Martin Fowler
D
Docker
P
Privacy & Cybersecurity Law Blog
S
Securelist
V
V2EX
Jina AI
Jina AI
阮一峰的网络日志
阮一峰的网络日志
T
Tor Project blog
The Hacker News
The Hacker News
Microsoft Azure Blog
Microsoft Azure Blog
AWS News Blog
AWS News Blog
The GitHub Blog
The GitHub Blog
有赞技术团队
有赞技术团队
T
The Exploit Database - CXSecurity.com
Help Net Security
Help Net Security
酷 壳 – CoolShell
酷 壳 – CoolShell
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - 叶小钗
Recent Announcements
Recent Announcements
Cloudbric
Cloudbric
Y
Y Combinator Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Latest news
Latest news
MongoDB | Blog
MongoDB | Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recorded Future
Recorded Future
V2EX - 技术
V2EX - 技术

OWASP

Aikido and OWASP bring agentic Code Audit to the global AppSec community | OWASP Foundation Community update regarding Richard Greenberg | OWASP Foundation OWASP Dependency-Track 5.0 Is Now Generally Available | OWASP Foundation Juice Shop v20.0.0 — a fresh squeeze of features, now with AI | OWASP Foundation Welcome to the Google Summer of Code 2026! | OWASP Foundation OWASP Foundation Unveils Its Strategic Plan for a World Without Insecure Software | OWASP Foundation The OWASP Foundation appoints Missie Lindsey as Director of Corporate Relations | OWASP Foundation Bridging the Gap in Product Lifecycle Management: How OpenEoX and CLE Work Together | OWASP Foundation Announcing the Retirement of OWASP Meetup Platform | OWASP Foundation The OWASP Foundation appoints Stacey Ebbs as Communications & Marketing Manager | OWASP Foundation OWASP Certified Secure Software Developer | OWASP Foundation GSoC 2025 Recap | OWASP Foundation OWASP Top 10 Community Survey | OWASP Foundation OWASP Elections 2025 - Become a member today! | OWASP Foundation Help Support Sherif Mansour by donating blood today! | OWASP Foundation InfoSecMap x OWASP Collaboration | OWASP Foundation OWASP x Google Summer of Code 2025 - Enabling 15 opportunities for impact | OWASP Foundation OWASP Enables AI Regulation That Works with OWASP AI Exchange | OWASP Foundation OWASP Calls to Build a Unified Framework for Global Vulnerability Intelligence | OWASP Foundation ASVS 5.0 RC1 is ready for your review! | OWASP Foundation OWASP Education and Training Committee update | OWASP Foundation Committees Advisory on Software Bill of Materials and Real-time Vulnerability Monitoring for Open-Source Software and Third-Party Dependencies | OWASP Foundation OWASP Juice Shop leadership changes & contributor recognition | OWASP Foundation Lifecycle events are part of the secure supply chain | OWASP Foundation More than a Password Day 2024 | OWASP Foundation A workaround for OWASP Foundation emails being blocked by Microsoft Office 365 | OWASP Foundation Securing React Native Mobile Apps with OWASP MAS | OWASP Foundation
cdxgen and CycloneDX .NET Join GitHub Secure Open Source Fund | OWASP Foundation
Prabhu S. and Michael Tsfoni · 2025-08-11 · via OWASP
image

Monday, August 11, 2025

cdxgen and CycloneDX .NET participated in the GitHub Secure Open Source Fund


Strengthening supply-chain security from the inside out.

In the domain of supply-chain security, two distinct aspects exist: security within the supply chain and the security of the supply chain itself. The CycloneDX specification, an OWASP flagship project, is supported by a community that maintains an extensive ecosystem of open-source specifications, libraries, and tools, focusing primarily on enhancing security and transparency within the supply chain. Nevertheless, there remains a critical need to strengthen the broader security of the overall supply chain by providing open-source projects and maintainers with substantial funding, essential tools, relevant knowledge, and ongoing support.

Introducing the GitHub Secure Open Source Fund (SOSF), purposefully designed to secure fast-growing dependencies critical to large projects and ecosystems. The CycloneDX community maintains many open-source tools that implement and support the specification, and we are pleased to announce that two key projects, cdxgen and CycloneDX .NET, have been selected as proud recipients and participants of GitHub’s SOSF.

Inspired by GitHub’s AI accelerator program, SOSF provides structured training and dedicated hands-on support from experts at Microsoft, GitHub, and external consultants. With substantial personal and infrastructure sponsorships, the program enables project teams to strategically plan their long-term roadmaps.

CycloneDX .NET

As the SBOM generator for .NET and .NET Framework projects, it enables developers to integrate SBOM creation directly into CI/CD pipelines.

Through the GitHub Secure Open Source Fund, we established key security processes and prepared the groundwork for long-term improvements:

  • Drafted an Incident Response Plan to formalize response procedures
  • Strengthened CI/CD pipeline security practices
  • Enhanced approaches for application security and sensitive data handling in SBOM generation
  • Initiated a threat model to guide ongoing risk analysis

The program provided structured expertise and strategic direction, positioning the project to better integrate SBOM generation into the .NET build process. Our next steps focus on implementing the threat model, expanding dependency transparency, and improving SBOM data quality.

cdxgen

As a rapidly growing project with increasing adoption, it has been an honor for cdxgen to participate in GitHub’s SOSF program. Throughout the four-week duration, our team fully utilized the resources, models, and collective knowledge provided by the cohort to comprehensively review our project’s security and infrastructure.

In collaboration with a dedicated GitHub security success buddy, we identified five significant vulnerabilities within cdxgen. With the release of versions 11.4.x and 11.5.x, we not only addressed these vulnerabilities but also mitigated entire categories of weaknesses through the implementation of comprehensive allow-listing for external commands and remote hosts. This enhanced seat-belt approach to security further establishes cdxgen as the preferred tool for generating Bill of Materials (BOM) documents at scale, suitable for both trusted and untrusted projects and container images.

Maintaining cdxgen’s infrastructure is both complex and resource-intensive, with availability in over 110 executable formats and container images. It ranks as one of the top consumers of computing and storage resources within the CycloneDX community and OWASP. Thanks to significant infrastructure sponsorship from Microsoft, we aim to resolve our computing resource bottlenecks by deploying a hybrid infrastructure that includes the Azure cloud stack, self-hosted compute resources, and GitHub Actions.

Combined with existing funding from the EU, NLNet, and private organizations, cdxgen remains sustainably positioned with a clear, long-term roadmap. As an OWASP project committed to inclusivity and diversity, we actively encourage contributors from all backgrounds and skill levels to join our efforts. Additionally, our team enthusiastically supports and practices AI-driven coding methodologies (Vibe coding).


Open source thrives when security is a shared responsibility. With the support of the GitHub Secure Open Source Fund, both CycloneDX .NET and cdxgen are poised to continue strengthening supply-chain security — and setting new standards for transparency and trust.