For secure software such as JS7, users are enabled to know what is inside its code:
- the JS7 source code is publicly available from https://github.com/sos-berlin
- JS7 ships with a Software Bill of Materials (SBOM) that provides information about which 3rd-party components, versions and licenses are included.
FEATURE AVAILABILITY STARTING FROM RELEASE 2.5.2
Software Bill of Materials
The JS7 SBOM is provided in the OWASP CycloneDX format.
Tools to manage and to visualize the SBOM include OWASP Dependency-Track. In addition, a number of web sites are available that allow an SBOM to be visualized.
JS7 includes a number of 3rd-party components:
- SOS strives to use up-to-date versions of 3rd-party components.
- SOS cannot exclude the situation that 3rd-party components are hit by vulnerabilities.
- SOS monitors 3rd-party components for vulnerabilities on an ongoing basis.
- If vulnerabilities are detected, the Release Policy - Vulnerability Management applies.
- This includes making information about vulnerabilities public with our Change Management System, see https://change.sos-berlin.com
- This includes adding fixed versions of 3rd-party components to JS7 maintenance releases in a timely manner.
- The SBOM enables users to check directly from their JS7 scheduling environment whether a vulnerable version of a 3rd-party component is included.
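As an added example (not JS7's own code or SOS tooling), the following Python check is the kind of test the SBOM makes possible: it parses a constructed CycloneDX sbom.json and reports components whose version is below the fixed version listed in a constructed advisory list. Component names, purls and advisory ids are placeholders, and the version comparison assumes dotted numeric versions.

```python
import json
from typing import Iterable

# Constructed CycloneDX 1.4 SBOM illustrating the shape of a JS7 sbom.json
# (component names, versions and licenses are made up for this example).
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-parser", "version": "2.3.0",
     "purl": "pkg:maven/com.example/example-parser@2.3.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-http", "version": "4.5.14",
     "purl": "pkg:maven/com.example/example-http@4.5.14",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}
"""

# Constructed advisories: a component purl (without version) and the first
# version containing the fix. Real data would come from a vulnerability
# database or a tool such as OWASP Dependency-Track.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "purl": "pkg:maven/com.example/example-parser", "fixed_in": "2.3.1"},
    {"id": "EXAMPLE-ADVISORY-2", "purl": "pkg:maven/com.example/example-http", "fixed_in": "4.5.0"},
]


def load_sbom(text: str) -> dict:
    """Parse the SBOM JSON document (the sbom.json downloaded from JOC Cockpit)."""
    return json.loads(text)


def parse_version(version: str) -> tuple:
    """Turn '2.3.0' into a comparable tuple; non-numeric parts sort before numbers."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in version.split("."))


def components(sbom: dict) -> Iterable[dict]:
    """Yield each component with its purl split into base (no version) and version."""
    for c in sbom.get("components", []):
        base, _, ver = c.get("purl", "").partition("@")
        yield {"name": c.get("name"), "version": c.get("version") or ver, "purl_base": base}


def find_vulnerable(sbom: dict, advisories: list) -> list:
    """Return (advisory id, name, version) for components older than the fixed version."""
    hits = []
    for comp in components(sbom):
        for adv in advisories:
            if comp["purl_base"] == adv["purl"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((adv["id"], comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    for adv_id, name, version in find_vulnerable(load_sbom(SAMPLE_SBOM), ADVISORIES):
        print("vulnerable component: %s %s (%s)" % (name, version, adv_id))
```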
The SBOM is provided as the sbom.json file that is available for download from JOC Cockpit.
- URL: <
<http> or <https> is the protocol with which JOC Cockpit is operated.
<host> is the name of the host on which JOC Cockpit is running.
<port> is the port on which JOC Cockpit is operated.
Download from the Login Window
The SBOM can be downloaded from the
Download from any JOC Cockpit page
The SBOM can be downloaded from any JOC Cockpit page using the
Find the following example of an SBOM file for JOC Cockpit:
- Download: sbom.json