SBOM reliability structural failure

SBOMs from six ecosystems all miss indirect dependencies—and npm averages hundreds per package All Things Open
TL;DW
  • Indirect dependencies often outnumber direct dependencies by orders of magnitude—npm projects average huge counts; Docker containers can exceed 10,000 packages from just a base image plus 20 selected packages
  • Different package ecosystems (pip, npm, maven, go, cargo, gradle) generate SBOMs with fundamentally different metadata quality and dependency capture—tool selection matters significantly
  • Dependencies are not static: version pinning behavior, build environment (Windows/Mac/Linux), CI/CD tool injection, and build timing all alter which dependencies actually get included in your software
  • For Python, use pip-licenses and cyclone-dx-pip; for npm, use npm-license-checker and cyclone-dx; for Go, must run go-licenses inside containers; for Gradle/Maven, convert SBOM XML to legal notices via OSS attribution tools
  • Running package managers inside containers is essential for accurate metadata—container analysis tools (Syft) may miss native language dependencies unless tools run in the container environment
  • Developers significantly underestimate their dependency count and typically know only first-order dependencies, missing second and deeper order dependencies that may carry restrictive licenses or security vulnerabilities
  • SBOM generation timestamps matter: SBOMs created months ago may be obsolete if dependency versions have changed, making historical SBOMs unreliable for compliance or security
  • When distributing software externally, compliance obligations increase substantially compared to internal use—SBOMs alone are insufficient; convert to human-readable legal notices for distribution
  • Use package manager lock files to prevent dependency tree changes; audit dependencies with tools like npm-check or maven-dependency-tree; test after version changes to catch breaking dependency updates
  • Multiple package managers on the same system create blind spots—npm might not capture pip-installed CSVKit, so use matching package managers for complete inventory visibility

Walks through SBOM generation for Python, npm, Maven, Go, Cargo, and Gradle plus Docker using pip-licenses, CycloneDX, and Syft. Each tool only sees its own ecosystem, lock file discipline is inconsistent, and CI/CD tooling injects unlisted deps—so an SBOM from three months ago is likely already wrong.

agentic coding workflow reframe

iOS veteran finds 15 years of coding experience transfers to AI agents only through planning and review discipline XRealityZone
TL;DW
  • Agent-driven development requires embracing Git commits as checkpoints, not just quality gates—revert and retry becomes powerful when agents can learn from commits.
  • Running multiple agents on one project beats context-switching between projects; focused agent teams produce more tangible progress than scattered parallel work.
  • Plan mode before execution prevents costly 20-minute agent detours; upfront clarity via detailed plans saves far more time than post-hoc fixes.
  • Use a three-layer quality gate: sub-agents do work, external model reviews PRs (bias-free), automated tests verify functionality—each model has blind spots.
  • Give AI visibility via Model Context Protocol (MCP) tools and detailed JSON annotations; Xcode Instruments data, analytics APIs, and image metadata amplify agent effectiveness.
  • Commit frequently and keep PRs small after agent tasks; massive PRs become unmergeable—break them into reviewable chunks even after completion.
  • Prevention beats correction; precise upfront prompts prevent agents from hacking tests or optimizing the wrong thing; invest prompt quality early.
  • Experienced developers remain essential gatekeepers; 15 years of iOS knowledge catches what AI misses, especially in architecture, security, and codebase context.
  • Automation multiplies over time—every "don't forget" task is a candidate for CI automation; tools like Cursor support weekly autonomous improvements via agents.
  • Use Agent Skills (specialized context prompts) for your weak areas, not coding; marketing psychology, ASO, and performance analysis yield more ROI than code skills.

Antoine van der Lee details the workflow shift: detailed upfront specs, Git checkpointing between agent runs, MCP tooling for analytics visibility, and strict PR review gates. Engineering judgment on security and architecture remains essential—just applied earlier in the planning phase rather than at the keyboard.