Shepherding Software Dependencies (glt24)

Chaos Computer Club - archive feed · Michael Gissing, Tobias Kulmburg

April 6, 2024 · 45m 47s


Show Notes

The number of external dependencies in today's software has grown steadily over the years. With all these dependencies come bugs and security issues. Like a flock of sheep, it can be difficult to keep track of them all, take care of their needs, and leave no one behind. In this talk, we'll present solutions for software composition analysis and dependency management using free and open source tools. Afterwards, we hope you will be convinced that this is something everyone should consider in their software projects, because it is relatively easy to get started, and it will make your life easier in the long run.

We will demonstrate how to create a *Software Bill of Materials (SBOM)* at build time using the *OWASP CycloneDX* tools. To further analyze the SBOM, we will demonstrate the use of *OWASP Dependency-Track*. We will also demonstrate the use of *Renovate* to help maintainers keep up with dependency updates. To run all these tools in a CI/CD environment, we use *GitLab*.

- CycloneDX: https://cyclonedx.org/
- Dependency-Track: https://dependencytrack.org/
- Renovate: https://www.mend.io/renovate-free/
- GitLab: https://about.gitlab.com/

About this event: https://pretalx.linuxtage.at/glt24/talk/DXJLMZ/

Topics

glt24 · 4642 · 2024 · Sicherheit (Security)