
When an SBOM becomes operationally useful: lessons from Eclipse Kura

Thursday, February 19, 2026 - 04:33 by Daniela Nastase

Supply chain security has become a critical topic in the security world in recent years, and while SBOMs are a foundational piece, they are still infrequently generated and even less frequently used in a way that meaningfully improves software supply chain security.

To address this gap, the OCX session “Generating SBOM: Understanding the Why, Mastering the How and Learning from Eclipse Kura’s Experience” focuses on simplifying SBOM adoption through a combination of practical resources and real-world project experience. Drawing on the Eclipse Foundation’s security tooling and guidance, Ioana Iliescu, Security Team Tech Lead at the Eclipse Foundation, and Mattia Dal Ben, Principal Software Engineer and Eclipse Kura committer, walk through how SBOM generation, supporting infrastructure, and automation come together in practice, based on Eclipse Kura’s adoption journey.

SBOMs are often introduced through compliance or customer-driven requirements. When their value is perceived as external rather than operational, teams struggle to prioritise the initial effort required for meaningful adoption. As Ioana Iliescu explains:

When the benefit feels like it’s external, and delayed, but the cost is internal, and immediate, SBOMs tend to lose out to feature work.

The consequences of this deprioritisation become visible when a vulnerability is disclosed. At that point, teams must rely on the information they already have about their software composition. As Iliescu notes, traditional dependency management reflects intent rather than reality:

It’s what the project itself declares that it depends on, and the SBOM shows what’s actually shipped, including not only direct but also transitive dependencies, and the relationships between them.

This visibility into transitive dependencies directly affects how quickly teams can assess exposure and respond to software supply chain incidents.

Eclipse Kura’s experience also shows that SBOM generation on its own is not sufficient to create security value. As Mattia Dal Ben points out:

SBOM generation is a small piece of the overall picture. You have to generate them automatically, keep them updated, store them, ingest them, and perform continuous analysis on them.

Integrating SBOM generation into existing build systems and CI/CD pipelines required addressing compatibility issues and project-specific edge cases, even with a mature SBOM tooling ecosystem.
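To make the declared-versus-shipped distinction above, and the continuous analysis Dal Ben describes, concrete, here is an added Python example that is not from the session or the Eclipse Kura project. It walks the dependency graph of a small constructed CycloneDX-style SBOM (the format and all component names are assumptions; the page names neither) and, for a component named in a vulnerability disclosure, reports whether it is shipped at all, whether it is a direct or only a transitive dependency, and every chain through which it arrives.

```python
import json

# Constructed CycloneDX-style SBOM (assumed format, invented components).
# The root declares only "web" and "json"; "log" arrives transitively twice.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "metadata": {"component": {"bom-ref": "pkg:maven/ex/app@1.0"}},
  "components": [
    {"bom-ref": "pkg:maven/ex/web@2.1",  "name": "web",  "version": "2.1"},
    {"bom-ref": "pkg:maven/ex/json@3.0", "name": "json", "version": "3.0"},
    {"bom-ref": "pkg:maven/ex/log@1.4",  "name": "log",  "version": "1.4"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/ex/app@1.0",
     "dependsOn": ["pkg:maven/ex/web@2.1", "pkg:maven/ex/json@3.0"]},
    {"ref": "pkg:maven/ex/web@2.1",  "dependsOn": ["pkg:maven/ex/log@1.4"]},
    {"ref": "pkg:maven/ex/json@3.0", "dependsOn": ["pkg:maven/ex/log@1.4"]}
  ]
}"""


def load_graph(sbom_text):
    """Return (root bom-ref, adjacency dict) from the SBOM's dependencies section."""
    sbom = json.loads(sbom_text)
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    return root, graph


def paths_to(root, graph, target):
    """All dependency chains from root to target (depth-first, cycle-safe)."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:          # skip cycles in malformed graphs
                walk(child, path + [child])

    walk(root, [root])
    return found


def exposure(sbom_text, target):
    """Answer the incident-response question: do we ship this, and how?"""
    root, graph = load_graph(sbom_text)
    paths = paths_to(root, graph, target)
    return {"shipped": bool(paths),
            "direct": target in graph.get(root, []),
            "paths": [" -> ".join(p) for p in paths]}
```

Run `exposure(SBOM_JSON, "pkg:maven/ex/log@1.4")` to see that a component the project never declared is shipped via two separate chains, which is exactly what a declared-dependency list hides.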

Attendees of this session will gain a concrete understanding of what it takes to generate and move SBOMs from static artefacts into operational security inputs. The talk will walk through tooling choices, integration decisions, and edge cases encountered in Eclipse Kura, alongside the Eclipse Foundation infrastructure that supports SBOM generation, storage, and analysis at scale.

Learn more at OCX in Brussels

Register and attend this session in Brussels to see how SBOMs are operationalised in practice, based on real Eclipse Foundation infrastructure and the Eclipse Kura team’s experience.
