Add xref to sbom-catalog.openssf.org. (#702)

david-a-wheeler · web-flow · commit 372602a9f02b · 2025-03-11T13:56:21.000Z
Signed-off-by: David A. Wheeler &lt;dwheeler@dwheeler.com&gt;
diff --git a/docs/Concise-Guide-for-Developing-More-Secure-Software.md b/docs/Concise-Guide-for-Developing-More-Secure-Software.md
@@ -24,7 +24,7 @@ Here is a concise guide for all software developers for secure software developm
 15. **Improve your** [**OpenSSF Scorecards**](https://github.com/ossf/scorecard) **score (if OSS and on GitHub)**. You can read the [Scorecards checks](https://github.com/ossf/scorecard#scorecard-checks). Use the [Allstar](https://github.com/ossf/allstar) monitor.
 16. **Notify the community of vulnerabilities in your project.** Publish security advisories with accurate & precise information, e.g., what usage & versions are vulnerable, mitigations, and fixed version(s). Get a CVE ID. On GitHub, [create your security advisory](https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-security-advisory#creating-a-security-advisory) & [request a CVE](https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories#cve-identification-numbers).
 17. **Improve your** [**Supply chain Levels for Software Artifacts (SLSA)**](https://slsa.dev/) **level**. This hardens the integrity of your build and distribution process against attacks.
-18. **Publish and consume a software bill of materials (SBOM)**. This lets users verify inventory, id known vulnerabilities, & id potential legal issues. Consider [**SPDX**](https://spdx.dev/) or [**CycloneDX**](https://cyclonedx.org/).
+18. **Publish and consume a software bill of materials (SBOM)**. This lets users verify inventory, id known vulnerabilities, & id potential legal issues. Consider [**SPDX**](https://spdx.dev/) or [**CycloneDX**](https://cyclonedx.org/). See our [SBOM-Everywhere catalog](https://sbom-catalog.openssf.org/).
 19. **Onboard your project into** [**LFX Security**](https://security.lfx.linuxfoundation.org/) **if you manage a Linux Foundation project**.
 20. **Apply the** [**CNCF Security TAG Software Supply Chain Best Practices guide**](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf).
 21. **Implement** [**ASVS**](https://owasp.org/www-project-application-security-verification-standard/) **and follow relevant** [**cheatsheets**](https://cheatsheetseries.owasp.org/index.html).
