
Using SBOM Everywhere to amplify guidance through other public workstreams #46

Open
joshbressers opened this issue Mar 12, 2024 · 4 comments

Comments

@joshbressers
Contributor

During the meeting on 2024-03-12 a topic came up about how we could work together with other groups, especially government groups, to amplify what we are all doing. The notes from the meeting are below.


Amplifying SBOM Everywhere Guidance through CISA SBOM Workstreams


This SIG has some unique opportunities other SBOM focused groups do not as we are a truly neutral venue. We should take advantage of this status to further some SBOM related efforts that will help the entire industry.

A few examples that came up during the discussion

  1. There are currently some SBOM guidance documents from the Netherlands, Germany, and Japan that Allan was kind enough to link to. There are going to be differences and overlap in this guidance. We could parse such documents to identify what they have in common and where they differ. This would be a very valuable reference document.
  2. We could maintain a map of the NTIA minimum elements to the actual SPDX and CycloneDX fields. If such a mapping that covers both exists elsewhere we should link to it. If separate mappings exist we can combine those into one reference document.

There are certainly other things we could work on. Please add ideas or comments to this issue to track such efforts. We can split out specific work into issues as needed.

@Mariuxdeangelo
Collaborator

This is an awesome idea. It seems like I missed the most interesting meeting in a year. I would love to take a closer look at these documents from Allan.

I can already add some information to the second point. SPDX and CycloneDX have already published guidance on mapping the NTIA requirements to their schemas.

The thing is, the mapping to the schemas is done differently in CycloneDX and SPDX. CycloneDX is more strict with its mapping than SPDX. I gave this issue a closer look in my master's thesis, chapter 7.3.1 (see here). Maybe we could fix this, also with help from Allan, who recently mentioned updating the NTIA minimum elements to make them more straightforward.

@stevespringett

If mapping is on the radar, I would suggest using https://scvs.owasp.org/bom-maturity-model/ as the taxonomy and map each spec to it. There’s an example profile that conveys NTIA minimum elements to the taxonomy. But in doing so, it is highly important to read each spec before mapping. Every conversion tool I’ve seen gets it wrong.

@anthonyharrison

There are already differences between the various national guidelines. If I am creating an SBOM, I would not want to create a different SBOM to meet the different national guidelines; I would want to create a single SBOM which met ALL of the guidelines (a superset).

However, as we have already seen, even meeting the NTIA guidelines is difficult, mainly due to interpretation of what the fields need to contain (in particular supplier). It would be really useful to ensure that the guidelines are harmonised to make it easier for software producers to conform with, and also to provide guidance for the consumers of SBOMs to interpret the data within an SBOM.

And for SBOM consumers, I would want to easily assert the quality of the SBOM, as the SBOM is likely to form part of a key decision-making process within an organisation. "Does the SBOM conform with national guideline X?" might be a useful starting point before harmonisation of guidance is established.

Bear in mind that we need to be focusing on CONTENT and not FORMAT and the work which @stevespringett references would be a good vehicle to adopt.
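As an added example of the two threads above (the NTIA-minimum-elements-to-field mapping from point 2 of the opening post, and the "does this SBOM conform with guideline X?" check), here is a small Python checker for a CycloneDX 1.x JSON document. It is not code from this issue, the SIG, or the CycloneDX/SPDX projects; the field mapping is this example's own reading of the CycloneDX JSON schema, not published guidance, and the sample SBOM is constructed.

```python
import json

# Constructed sample CycloneDX 1.5 JSON SBOM for this example (not a real product's BOM).
SAMPLE_BOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
 "metadata": {"timestamp": "2024-03-12T10:00:00Z",
              "authors": [{"name": "Example SBOM Team"}],
              "component": {"bom-ref": "app", "name": "example-app", "version": "2.1.0",
                            "supplier": {"name": "Example Corp"},
                            "purl": "pkg:generic/example-app@2.1.0"}},
 "components": [
  {"bom-ref": "lib-a", "name": "lib-a", "version": "1.4.2",
   "supplier": {"name": "Lib A Maintainers"}, "purl": "pkg:generic/lib-a@1.4.2"},
  {"bom-ref": "lib-b", "name": "lib-b", "version": "0.9.0"}],
 "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
                  {"ref": "lib-a", "dependsOn": []}]
}""")

# NTIA minimum elements (Supplier, Component Name, Version, Unique IDs, Dependency
# Relationship, Author of SBOM Data, Timestamp) mapped to CycloneDX JSON fields.
# The mapping is this example's own reading of the schema, not official guidance.
def check_ntia_minimum(bom):
    """Return {NTIA element: [findings]}; an empty list means the element is satisfied."""
    f = {k: [] for k in ("Author of SBOM Data", "Timestamp", "Supplier Name",
                         "Component Name", "Version", "Unique Identifiers",
                         "Dependency Relationship")}
    meta = bom.get("metadata", {})
    if not (meta.get("authors") or meta.get("tools")):
        f["Author of SBOM Data"].append("metadata.authors/tools missing")
    if not meta.get("timestamp"):
        f["Timestamp"].append("metadata.timestamp missing")
    # Every bom-ref named anywhere in the dependency graph counts as characterised.
    graph = set()
    for d in bom.get("dependencies", []):
        graph.add(d.get("ref"))
        graph.update(d.get("dependsOn", []))
    comps = ([meta["component"]] if meta.get("component") else []) + bom.get("components", [])
    for c in comps:
        ref = c.get("bom-ref") or c.get("name") or "<unnamed>"
        if not c.get("name"):
            f["Component Name"].append(f"{ref}: name missing")
        if not c.get("version"):
            f["Version"].append(f"{ref}: version missing")
        if not (c.get("supplier") or {}).get("name"):
            f["Supplier Name"].append(f"{ref}: supplier.name missing")
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            f["Unique Identifiers"].append(f"{ref}: no purl/cpe/swid")
        if ref not in graph:
            f["Dependency Relationship"].append(f"{ref}: absent from dependencies")
    return f
```

Running it on the sample flags only `lib-b`, which has no supplier and no identifier; an SPDX document would need its own mapping (e.g. `PackageSupplier`, `ExternalRef`, `Relationship`), which is exactly the divergence the thread discusses.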

@brianf

brianf commented Mar 13, 2024

+1
