feat: add sbom and inventory

Author: Timo Pagel

data/dimensions-subdimensions-activities/BuildAndDeployment/Build.yaml

@@ -148,3 +148,20 @@ Build and Deployment:
         - I-SB-1-A
         iso27001-2017:
         - 14.2.6
+    SBOM of components:
+      risk:
+        - In case a vulnerability of severity high or critical exists, it needs to be
+          known where an artifacts with that vulnerability is deployed with which dependencies.
+      measure: Creation of an SBOM of components (e.g. application and container image content) during build.
+      dependsOn:
+        - Defined build process
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 3
+      usefulness: 3
+      level: 2
+      iso27001-2017:
+        - '8.1'
+        - '8.2'
+      implementation: []

data/dimensions-subdimensions-activities/BuildAndDeployment/Deployment.yaml

@@ -185,10 +185,8 @@ Build and Deployment:
     Inventory of running artifacts:
       risk:
         - In case a vulnerability of severity high or critical exists, it needs to be
-          known where an artifacts with that vulnerability is deployed with which dependencies.
-      measure: A documented inventory or a possibility to gather the needed information
-        (e.g. the documentation of which script needs to be run by whom) must be in
-        place.
+          known where an artifacts (e.g. container image) with that vulnerability is deployed.
+      measure: A documented inventory or a possibility to gather the needed information.
       dependsOn:
         - Defined deployment process
       difficultyOfImplementation:
@@ -202,3 +200,24 @@ Build and Deployment:
         - '8.1'
         - '8.2'
       implementation: []
+    Inventory of dependencies:
+      risk:
+        - In case a vulnerability of severity high or critical is known by the organization, it needs to be
+          known where an artifacts with that vulnerability is deployed with which dependencies.
+      measure: A documented inventory of dependencies used in images and containers exists.
+      dependsOn:
+        - Defined deployment process
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 3
+      usefulness: 3
+      dependesOn:
+        - SBOM of components
+      level: 3
+      samm2: o-incident-management|TODO
+      iso27001-2017:
+        - '8.1'
+        - '8.2'
+      implementation:
+        - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/dependencyTrack

data/dimensions-subdimensions-activities/implementations.yaml

@@ -546,3 +546,7 @@ implementations:
     name: Building your DevSecOps pipeline 5 essential activities
     url: https://www.synopsys.com/blogs/software-security/devsecops-pipeline-checklist/
     tags: [pre-commit]
+  dependencyTrack:
+    name: Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM).
+    url: https://github.com/DependencyTrack/dependency-track
+    tags: [sca, inventory]