Expand description
OmniBOR Artifact Identifiers and Artifact Input Manifests in Rust.
§What is OmniBOR?
OmniBOR is a draft specification which defines two key concepts:
- Artifact Identifiers: independently-reproducible identifiers for
software artifacts. Use
ArtifactIdfor these. - Artifact Input Manifests: record the IDs of every input used in the
build process for an artifact. Use
InputManifestfor these.
Artifact IDs enable anyone to identify and cross-reference information for software artifacts without a central authority. Unlike pURL or CPE, OmniBOR Artifact IDs don’t rely on a third-party, they are inherent identifiers determined only by an artifact itself. They’re based on Git Object Identifiers (GitOIDs) in both construction and choice of cryptographic hash functions.
Artifact Input Manifests allow consumers to reconstruct Artifact Dependency Graphs that give fine-grained visibility into how artifacts in their software supply chain were made. With these graphs, consumers could in the future identify the presence of exact files associated with known vulnerabilities, side-stepping the complexities of matching version numbers across platforms and patching practices.
You can view the OmniBOR specification here.
The United States Cybersecurity & Infrastructure Security Agency (CISA) identified OmniBOR as a major candidate for software identities in its 2023 report “Software Identification Ecosystem Option Analysis.”
Modules§
- embedding
- Defines whether data for an
InputManifestis embedded in the artifact itself. - hashes
- Defines the hash algorithms supported for
ArtifactIds. - storage
- Defines how manifests are stored and accessed.
Structs§
- Artifact
Id - An OmniBOR Artifact Identifier.
- Input
Manifest - A manifest describing the inputs used to build an artifact.
- Input
Manifest Builder - An
InputManifestbuilder. - Relation
- A single input artifact represented in a
InputManifest.
Enums§
- Error
- Errors arising from
ArtifactIduse orInputManifestinteraction. - Should
Store - Should a manifest be stored after creation?
Traits§
- Into
Artifact Id - Types that can produce an
ArtifactId.