Software Bill of Materials (SBOM) becoming mandatory for Tiki
- Status
- Closed
- Subject
- Software Bill of Materials (SBOM) becoming mandatory for Tiki
- Version
- 18.x Regression
- 21.x Regression
- 24.x
- 25.x
- Category
- Legislative Compliance
- Feature
- All / Undefined
- Resolution status
- Fixed or Solved
- Submitted by
- hman
- Lastmod by
- Marc Laporte
- Rating
- Description
On May 12, the US President issued an Executive Order requiring that software purchased by US agencies come with a Software Bill of Materials (SBOM).
Executive Order on Improving the Nation’s Cybersecurity
An SBOM is a comprehensive (!) list of ALL dependencies. You have to list every (!) module, tool, library, whatever that Tiki relies on in a predefined, machine-readable format. If you do not provide an SBOM, no US agency or office will be allowed to use Tiki.
The reasoning behind that is simple and clear: unknown dependencies cause unknown cyber risks. As they are unknown, their impact can range from negligible to catastrophic. All dependencies must be tracked. If software that Tiki depends on does not get updated, features might break, or even worse, pose direct security threats through zero-day exploits. Oh well, looking at some popular tool's outdated version history, you might not even need "0days" to break into other vendors' software, where the user (or admin) might not even be aware of the dependency. Or the dependency of some other dependency.
Log4j was the last warning to the industry (and in this regard, Tiki must be considered to be part of the industry).
The machine-readable format of an SBOM makes it possible to discover the dependencies of the dependencies. Nestings of a dozen or more levels are not uncommon...
Now the President has taken action. Tiki should react, IMHO. Tiki must react, or Tiki won't be usable by officials anymore.
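As an added example (not part of this ticket and not Tiki's own code), a small Python script that walks a constructed CycloneDX JSON SBOM to show the nesting the description refers to: it computes the depth of every transitive dependency from the top-level component and flags any dependency that the graph references but the component inventory does not declare. The component names, versions and the "app" root reference are made up for the illustration.

```python
import json
from collections import deque

# Constructed sample CycloneDX 1.4 JSON SBOM (not Tiki's real inventory).
# "app" is a hypothetical top-level application; lib-e is deliberately
# referenced in the graph but absent from "components".
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0"}},
    "components": [
        {"bom-ref": "pkg:composer/a/lib-a@1.0", "name": "lib-a", "version": "1.0"},
        {"bom-ref": "pkg:composer/b/lib-b@2.3", "name": "lib-b", "version": "2.3"},
        {"bom-ref": "pkg:composer/c/lib-c@0.9", "name": "lib-c", "version": "0.9"},
        {"bom-ref": "pkg:composer/d/lib-d@4.1", "name": "lib-d", "version": "4.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:composer/a/lib-a@1.0", "pkg:composer/b/lib-b@2.3"]},
        {"ref": "pkg:composer/a/lib-a@1.0", "dependsOn": ["pkg:composer/c/lib-c@0.9"]},
        {"ref": "pkg:composer/b/lib-b@2.3", "dependsOn": ["pkg:composer/c/lib-c@0.9"]},
        {"ref": "pkg:composer/c/lib-c@0.9", "dependsOn": ["pkg:composer/d/lib-d@4.1"]},
        {"ref": "pkg:composer/d/lib-d@4.1", "dependsOn": ["pkg:composer/e/lib-e@0.1"]},
    ],
})

def transitive_depths(sbom_json, root=None):
    """Breadth-first walk of the SBOM dependency graph from the root component.
    Returns {bom-ref: shallowest depth}; depth 1 is a direct dependency."""
    bom = json.loads(sbom_json)
    root = root or bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    depths = {root: 0}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for dep in graph.get(cur, []):
            if dep not in depths:  # diamonds and cycles are visited once
                depths[dep] = depths[cur] + 1
                queue.append(dep)
    return depths

def max_nesting(sbom_json):
    """Deepest level of transitive dependency reachable from the root."""
    return max(transitive_depths(sbom_json).values())

def undeclared_components(sbom_json):
    """bom-refs reachable in the graph but missing from 'components': a gap
    in the inventory, which is exactly what an SBOM is supposed to close."""
    bom = json.loads(sbom_json)
    declared = {c["bom-ref"] for c in bom.get("components", [])}
    declared.add(bom["metadata"]["component"]["bom-ref"])
    return sorted(set(transitive_depths(sbom_json)) - declared)
```

Run `undeclared_components` against a real SBOM before shipping it; a non-empty result means the "comprehensive list" is not comprehensive yet.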
- Solution
- Workaround
- Importance
- 10 high
- Easy to solve?
- 3
- Priority
- 30
- Demonstrate Bug on Tiki 19+
-
- Demonstrate Bug (older Tiki versions)
-
- Ticket ID
- 8157
- Created
- Saturday 23 July, 2022 15:07:13 UTC by hman
- LastModif
- Saturday 16 August, 2025 10:57:53 UTC