Something that is becoming increasingly clear is the SaaS vendors selling SBOM insight views on their "platforms." I won't begin naming names just yet.
Given the maturity of this repo and effort, I say that a fee-based solution is a route to a misleading industry sector simply doing the same type of research. While it is true they took the time to play with the CSS and HTML to map data fields in the CycloneDX and SPDX specifications, the end users have no clue what comprehensive is when it comes to the various SBOM 'perspectives', and the vendors do not truly relay the caveats to the data that is provided.
I think there will be an inevitable need to open source the capabilities of the most robust paid option we discover; we need to ensure that there is never a financial barrier to gaining equal insight if one is willing to do the additional work of setting up an open source solution and self-hosting.
One way to combat this is with data. The BOM Maturity Model coming out of the OWASP SCVS project will likely help. Once the model is published, the community will be able to build tools which can evaluate BOM output from SBOM suppliers (or anyone else) to determine what the BOM can be used for and create automatic policy around it. It can also aid in purchasing decisions when evaluating vendors that claim to support SBOM for various use cases.
Also, for clarification... When you're referring to "SaaS", are you referring to SaaSBOMs (which only CycloneDX supports) or are you referring to traditional SBOMs being supported by a SaaS provider?