Crate omnibor


OmniBOR Artifact Identifiers and Artifact Input Manifests in Rust.

§What is OmniBOR?

OmniBOR is a draft specification which defines two key concepts:

  • Artifact Identifiers: independently reproducible identifiers for software artifacts.
  • Artifact Input Manifests: records of the IDs of every input used in the build process for an artifact.

Artifact IDs enable anyone to identify and cross-reference information for software artifacts without a central authority. Unlike pURL or CPE, OmniBOR Artifact IDs don’t rely on a third party; they are inherent identifiers determined only by the contents of the artifact itself. They’re based on Git’s Object IDs (GitOIDs) in both construction and choice of cryptographic hash functions.

Artifact Input Manifests allow consumers to reconstruct Artifact Dependency Graphs that give fine-grained visibility into how artifacts in your software supply chain were made. With these graphs, consumers could in the future identify the presence of exact files associated with known vulnerabilities, side-stepping the complexities of matching version numbers across platforms and patching practices.
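The two constructions described above, as an added stand-alone example (not the `omnibor` crate’s own code or API): an Artifact ID is the GitOID of a blob, i.e. the hash of the Git object header `blob <length>\0` followed by the file bytes, rendered as `gitoid:blob:<algo>:<hex>`; an Artifact Input Manifest is a text document whose header names the hash algorithm and whose remaining lines list the GitOID of each build input, optionally followed by `bom <gitoid>` pointing at that input’s own manifest. The sorting of manifest lines, the `bom` keyword and the exact line layout are taken from my reading of the draft specification and should be checked against the version you target; the sample inputs and the “known vulnerable” ID set are constructed for the example.

```python
import hashlib
from typing import Iterable, List, Optional, Set, Tuple

# Hash algorithms the draft spec allows for Artifact IDs; sha256 is the default.
SUPPORTED = {"sha1", "sha256"}


def gitoid_digest(data: bytes, algo: str = "sha256") -> str:
    """Hex GitOID of a blob: hash over b'blob <len>\\0' + data (Git's object format)."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    h = hashlib.new(algo)
    h.update(b"blob " + str(len(data)).encode("ascii") + b"\0")
    h.update(data)
    return h.hexdigest()


def artifact_id(data: bytes, algo: str = "sha256") -> str:
    """OmniBOR Artifact ID string for a file's bytes: gitoid:blob:<algo>:<hex>.
    Only the bytes matter; the file name, path and mtime play no part."""
    return f"gitoid:blob:{algo}:{gitoid_digest(data, algo)}"


def build_manifest(inputs: Iterable[Tuple[bytes, Optional[bytes]]],
                   algo: str = "sha256") -> bytes:
    """Artifact Input Manifest: a header line naming the algorithm, then one line
    per input. Each input is (content, manifest_bytes_or_None); an input that has
    its own manifest gets '<gitoid> bom <manifest gitoid>'. Lines are sorted so the
    manifest bytes (and hence the manifest's own Artifact ID) do not depend on the
    order the build tool happened to enumerate inputs in (assumed spec rule)."""
    lines: List[str] = []
    for content, sub_manifest in inputs:
        line = gitoid_digest(content, algo)
        if sub_manifest is not None:
            line += " bom " + gitoid_digest(sub_manifest, algo)
        lines.append(line)
    lines.sort()
    return ("\n".join([f"gitoid:blob:{algo}"] + lines) + "\n").encode("ascii")


def parse_manifest(manifest: bytes) -> Tuple[str, List[Tuple[str, Optional[str]]]]:
    """Return (algo, [(input_artifact_id, input_manifest_id_or_None), ...]).
    Rejects unknown algorithms and malformed lines rather than guessing."""
    header, *rows = manifest.decode("ascii").splitlines()
    prefix = "gitoid:blob:"
    algo = header[len(prefix):]
    if not header.startswith(prefix) or algo not in SUPPORTED:
        raise ValueError(f"bad manifest header: {header!r}")
    entries: List[Tuple[str, Optional[str]]] = []
    for row in rows:
        parts = row.split(" ")
        if len(parts) == 1:
            entries.append((f"{header}:{parts[0]}", None))
        elif len(parts) == 3 and parts[1] == "bom":
            entries.append((f"{header}:{parts[0]}", f"{header}:{parts[2]}"))
        else:
            raise ValueError(f"malformed manifest line: {row!r}")
    return algo, entries


def find_known_vulnerable(manifest: bytes, known_bad: Set[str]) -> List[str]:
    """The cross-reference use case: which inputs of this artifact are exact files
    on a list of Artifact IDs known to be vulnerable? No version matching needed."""
    _, entries = parse_manifest(manifest)
    return [aid for aid, _ in entries if aid in known_bad]


if __name__ == "__main__":
    # Constructed inputs standing in for build inputs (e.g. two source files).
    src_a = b"hello world\n"
    src_b = b""
    manifest = build_manifest([(src_a, None), (src_b, None)], algo="sha1")
    print(manifest.decode())
    print("manifest id:", artifact_id(manifest, "sha1"))
    # Constructed advisory data: the ID of src_a is "known vulnerable".
    bad = {artifact_id(src_a, "sha1")}
    print("vulnerable inputs:", find_known_vulnerable(manifest, bad))
```

`gitoid_digest` uses the same framing Git uses for `git hash-object`, so for SHA-1 the IDs agree with Git object IDs (the empty blob is `e69de29bb2d1d6434b8b29ae775ad8c2e48c5391`), which is a convenient way to sanity-check an implementation against a tool you already trust. Because `find_known_vulnerable` compares whole-file identities, a single changed byte in an input yields a different ID and no match, which is exactly the precision the paragraph above describes and also the reason a vulnerability list keyed on Artifact IDs must enumerate every affected file revision.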

You can view the OmniBOR specification here.

The United States Cybersecurity & Infrastructure Security Agency (CISA) identified OmniBOR as a major candidate for software identities in its 2023 report “Software Identification Ecosystem Option Analysis.”
