Survey: Understand needs and goals of users for the Dependency List
What’s this issue all about?
I want to be able to ask security and developer people on LinkedIn and Twitter why they use a bill of materials or dependency list (why, when, what fields).
What questions are you trying to answer?
- Who are you (security? developer? other?)
- Title
- What do you call a list of the dependencies your software uses, together with information about them? (example)
- Under what circumstances / why do you interact with a BOM / DL? (example: as part of a request from an external audit, or as part of an internal audit)
- What information do you need on your BOM/DL for it to satisfy your needs? (component name, version, package manager, location, type of license, known vulnerabilities)
What assumptions do you have?
People who are developers, security, compliance or legal mostly need them to check whether we are in legal compliance (license type), for audit reasons, and for security reasons (vulnerabilities, out-of-date components).
What decisions will you make based on the research findings?
Change how we refer to dependency lists and reports, the fields we include in them, or the roles/personas we aim for when producing them.
What's the latest milestone that the research will still be useful to you?
ASAP ideally, as we are already actively renaming.
Edited by Nicole Schwartz