FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream


Dick Brooks
 

Just an FYI:

Both William and I work on the CISA ICT_SCRM Task Force SW Assurance Work Stream, which is developing guidance for Federal Procurement Officers with regard to OMB M-22-18 and EO 14028.

Today, I shared this information with the group, based on our discussions regarding Supplier semantics. This is a very important topic that we need to be consistent in referring to when discussing semantics of the software supply chain.

I welcome your feedback on what I sent to the Task Force earlier, shown here:

Today, the SPDX SBOM tech team had a very active discussion about the roles in a software supply chain. There are “at least” three distinctive roles:

1. Supplier

   Here is how the NTIA documents describe Supplier, which I agree with:

   https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf

   REF Page 9:

   Supplier Name
   The name of an entity that creates, defines, and identifies components.

   Supplier refers to the originator or manufacturer of the software component.

   No consensus was reached within the SPDX Tech community on the semantics of “Supplier”.

   REA agrees with the NTIA definition of Supplier and asserts that Suppliers produce SBOMs, which are provided to others, i.e. end users, vendors and distributors.

2. Vendor

   No consensus was reached within the SPDX Tech community on the semantics of “Vendor”.

   REA asserts that a vendor is the party that “transacts” in the purchase/sale of a software product to an end consumer. A vendor supplies a customer with a “Vendor Response File”. A Systems Integrator is considered a Vendor (not a supplier).

3. Distributor

   No consensus was reached within the SPDX Tech community on the semantics of “Distributor”.

   REA asserts that a Distributor is the party that makes a software product available to others. GitHub is an example of a Distributor. The Apple Store is a distributor of software products.

As with many concepts in the software supply chain there are many gray areas. REA has gone on the record recommending that SPDX adopt the NTIA semantics for Supplier in the next release, v 3.0:

“Supplier refers to the originator or manufacturer of the software component.”

It’s entirely feasible for a single legal entity to serve in all 3 roles. This occurs frequently with Microsoft products.

I welcome your thoughts and insights on these 3 roles.

I welcome your thoughts and insights. IMO, we will need to reach a consensus on the 3 roles identified above, and possibly more as we dig deeper.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788

 


Gary O'Neall
 

Hi Dick,

Thanks for welcoming our feedback. Clearly an important topic. I may have a different perspective on the topic coming more from an SPDX than an NTIA perspective. Below are a few thoughts.

Gary

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Tuesday, March 7, 2023 1:09 PM
To: Spdx-tech@...
Subject: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

Just an FYI:

Both William and I work on the CISA ICT_SCRM Task Force SW Assurance Work Stream, which is developing guidance for Federal Procurement Officers with regard to OMB M-22-18 and EO 14028.

Today, I shared this information with the group, based on our discussions regarding Supplier semantics. This is a very important topic that we need to be consistent in referring to when discussing semantics of the software supply chain.

I welcome your feedback on what I sent to the Task Force earlier, shown here:

Today, the SPDX SBOM tech team had a very active discussion about the roles in a software supply chain. There are “at least” three distinctive roles:

[G.O.] The 3 roles are NTIA-defined roles. The way you phrase it here, it sounds like SPDX defined these roles. I would rephrase ‘There are “at least” three distinctive roles’ to ‘The NTIA discusses at least 3 distinctive roles in the NTIA framing document’.

1. Supplier

   Here is how the NTIA documents describe Supplier, which I agree with:

   https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf

   REF Page 9:

   Supplier Name
   The name of an entity that creates, defines, and identifies components.

   Supplier refers to the originator or manufacturer of the software component.

   No consensus was reached within the SPDX Tech community on the semantics of “Supplier”.

[G.O.] I think there is consensus on the SPDX definition of an SPDX Supplier – I believe there is not consensus on the NTIA definition of Supplier within the specific SPDX meeting. I would remove this sentence or clarify that we are talking about NTIA supplier, not SPDX supplier.

   REA agrees with the NTIA definition of Supplier and asserts that Suppliers produce SBOMs, which are provided to others, i.e. end users, vendors and distributors.

2. Vendor

   No consensus was reached within the SPDX Tech community on the semantics of “Vendor”.

[G.O.] Again – this is an NTIA term. Vendor is not a term used in SPDX. We only use supplier and originator. Same as above, suggest either removing the sentence or clarifying that we are talking about NTIA “Vendor”.

   REA asserts that a vendor is the party that “transacts” in the purchase/sale of a software product to an end consumer. A vendor supplies a customer with a “Vendor Response File”. A Systems Integrator is considered a Vendor (not a supplier).

3. Distributor

   No consensus was reached within the SPDX Tech community on the semantics of “Distributor”.

[G.O.] Same comments.

   REA asserts that a Distributor is the party that makes a software product available to others. GitHub is an example of a Distributor. The Apple Store is a distributor of software products.

As with many concepts in the software supply chain there are many gray areas. REA has gone on the record recommending that SPDX adopt the NTIA semantics for Supplier in the next release, v 3.0:

“Supplier refers to the originator or manufacturer of the software component.”

It’s entirely feasible for a single legal entity to serve in all 3 roles. This occurs frequently with Microsoft products.

I welcome your thoughts and insights on these 3 roles.

I welcome your thoughts and insights. IMO, we will need to reach a consensus on the 3 roles identified above, and possibly more as we dig deeper.

[G.O.] After reading through the entire message, I would suggest reframing the discussion. SPDX currently defines 2 roles – a supplier and an originator. Both are clearly defined in the SPDX 2.X spec. The NTIA documentation discusses 3 roles. There is a mapping between the NTIA Supplier and the SPDX supplier, but there is some confusion on mapping Distributor and Vendor to the SPDX terms. We didn’t discuss mapping SPDX originator, but that may also lead to confusion. I know Kate has put quite a bit of time into discussing this with the NTIA community, so I would suggest getting her feedback before sending this on to the other work group(s).

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788

 


Dick Brooks
 

Thanks for your careful analysis and insights Gary.

First, these roles are not specific to NTIA or defined by NTIA, to my knowledge.

These roles are found across lots of different materials in which the software supply chain is discussed – it’s a software supply chain thing, not an SPDX thing I’m referring to. For example:

FERC Order 850 and NERC materials refer to vendors and suppliers.

Some CISA materials refer to “distributors”.

All of these roles “appear” in software supply chain discussions. But, to my knowledge, there is no “universal meaning” assigned to each role.

I’m suggesting that the SPDX community has an opportunity to set the stage and put forward a consensus on the semantics for each role. Putting a stake in the sand.

I’m suggesting the SPDX community consider the NTIA semantics for Supplier, and adopt the NTIA definition for Supplier as the “formal definition” for Supplier, in the V3 spec, to address the ambiguities that exist, currently.

I’m also suggesting that the Vendor and Distributor roles could benefit from a formal definition, and this is an opportunity for the SPDX community to consider.

I see two options going forward: be silent on the definitions of the supplier, vendor and distributor roles, OR assert some semantics on each role, and consistently use these role names and semantics as the SPDX spec and implementation evolve.

I also suggest you consider the NTIA framing document mapping that provides further interpretation for the supplier “concept”, across SBOM formats:

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788

From: Gary O'Neall <gary@...>
Sent: Tuesday, March 7, 2023 7:08 PM
To: dick@...; Spdx-tech@...
Subject: RE: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 


 


Alexios Zavras
 

I also agree that we would all benefit from a common understanding of all these terms, in order to be consistent.

What is the meaning of the mapping table from the NTIA framing document? Is it:

  1. The meaning of the NTIA attributes (first column) is to be understood as the corresponding right columns; or
  2. You should use the fields on the right columns to store information about the NTIA attributes.

For everyone’s understanding, let’s try to agree on what these represent. Let’s start with the simplest cases:

Component                                                            | SPDX Supplier | SPDX Originator | NTIA Supplier | NTIA Vendor | NTIA Distributor
---------------------------------------------------------------------|---------------|-----------------|---------------|-------------|-----------------
OpenSSL source, downloaded from openssl.org                          | openssl       | openssl         |               |             |
OpenSSL binary package, installed via apt (Ubuntu, default settings) | canonical     | openssl         |               |             |
Numpy package, downloaded from github.com/numpy/numpy                | numpy         | numpy           |               |             |
Numpy package, installed via pip (default settings)                  | pypi          | numpy           |               |             |
Numpy package, installed via conda (default settings)                | conda         | numpy           |               |             |

Can anyone help fill the cells of the NTIA fields?

We can then see what we understand for all these in the case of unmodified re-distribution of components. My understanding is:

Component                                                                                     | SPDX Supplier | SPDX Originator           | NTIA Supplier | NTIA Vendor | NTIA Distributor
----------------------------------------------------------------------------------------------|---------------|---------------------------|---------------|-------------|-----------------
Any of the above (is there a difference?), redistributed inside package X from organization Y | Y             | (previous table supplier) |               |             |

For reference, I include the definitions from the SPDXv2 spec:

  • Package supplier: Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a web site.
  • Package originator: If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see 7.5 above), this field identifies from where or whom the package originally came. In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package.

-- zvr
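As an added illustration (not code from this thread or from the SPDX project), the rows of the table above written as SPDX 2.x tag-value PackageSupplier/PackageOriginator entries and checked against the two SPDX v2 definitions quoted above: the supplier must be an organization or author rather than a web site, and the originator is only recorded when it differs from the supplier. Assumed: the SPDX 2.x actor syntax “Organization: name” / “Person: name (email)” / NOASSERTION; the package names and the redistributor “Organization: Y” are constructed sample values, and the redistribution rule follows Alexios’s reading of the second table.

```python
"""
Constructed example: SPDX 2.x PackageSupplier / PackageOriginator entries for
the supplier/originator cases discussed on the spdx-tech list, plus a checker
for the two SPDX v2 definitions quoted in the thread.
Assumes the SPDX 2.x actor syntax: "Organization: <name>", "Person: <name> (<email>)"
or NOASSERTION. All package and organisation strings are sample values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTOR_RE = re.compile(r"^(Person|Organization): ([^()]+?)(?: \(([^)]*)\))?$")
# Heuristic for the spec's "not a web site": URL scheme, www. prefix or a bare domain.
WEBSITE_RE = re.compile(r"(https?://|www\.|[A-Za-z0-9-]+\.(com|org|net|io|de)\b)", re.I)


@dataclass(frozen=True)
class Actor:
    kind: str            # "Person" or "Organization"
    name: str
    email: Optional[str] = None


def parse_actor(value: str) -> Optional[Actor]:
    """Parse one supplier/originator value; NOASSERTION yields None."""
    value = value.strip()
    if value == "NOASSERTION":
        return None
    m = ACTOR_RE.match(value)
    if not m:
        raise ValueError(f"malformed actor value: {value!r}")
    return Actor(m.group(1), m.group(2).strip(), m.group(3))


def check_package(supplier_value: str, originator_value: Optional[str]) -> List[str]:
    """Findings for one package, derived from the SPDX v2 wording:
    - PackageSupplier is the actual distribution source, an organization or
      recognized author, not a web site;
    - PackageOriginator is only meaningful when it differs from the supplier."""
    findings: List[str] = []
    supplier = parse_actor(supplier_value)
    originator = parse_actor(originator_value) if originator_value is not None else None
    if supplier is None:
        findings.append("PackageSupplier is NOASSERTION: distribution source not recorded")
    elif WEBSITE_RE.search(supplier.name):
        findings.append("PackageSupplier names a web site; spec requires an organization or author")
    if supplier is not None and originator == supplier:
        findings.append("PackageOriginator equals PackageSupplier; omit it unless they differ")
    return findings


def to_tag_value(name: str, supplier_value: str, originator_value: Optional[str] = None) -> str:
    """Render the package as SPDX 2.x tag-value lines."""
    lines = [f"PackageName: {name}", f"PackageSupplier: {supplier_value}"]
    if originator_value is not None:
        lines.append(f"PackageOriginator: {originator_value}")
    return "\n".join(lines)


def parse_tag_value(text: str) -> Dict[str, str]:
    """Minimal tag-value reader for the three tags used here."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if sep and tag.strip() in ("PackageName", "PackageSupplier", "PackageOriginator"):
            fields[tag.strip()] = value.strip()
    return fields


def check_tag_value(text: str) -> List[str]:
    fields = parse_tag_value(text)
    return check_package(fields["PackageSupplier"], fields.get("PackageOriginator"))


# Sample rows mirroring the first table in the thread (SPDX columns only).
# The originator is omitted where it would equal the supplier.
Row = Tuple[str, str, Optional[str]]
TABLE_ROWS: List[Row] = [
    ("openssl-source", "Organization: openssl", None),                # source from openssl.org
    ("openssl", "Organization: canonical", "Organization: openssl"),  # apt on Ubuntu
    ("numpy-source", "Organization: numpy", None),                    # source from GitHub
    ("numpy", "Organization: pypi", "Organization: numpy"),           # pip
    ("numpy", "Organization: conda", "Organization: numpy"),          # conda
]


def redistributed(row: Row, org_y: str) -> Row:
    """The thread's second table, as Alexios reads it: when organization Y
    redistributes the component unmodified, Y becomes the supplier and the
    previous supplier becomes the originator."""
    name, prev_supplier, _prev_originator = row
    return (name, org_y, prev_supplier)


if __name__ == "__main__":
    for row in TABLE_ROWS:
        text = to_tag_value(*row)
        print(text, "->", check_tag_value(text) or "ok")
    print(to_tag_value(*redistributed(TABLE_ROWS[1], "Organization: Y")))
```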

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Wednesday, 8 March, 2023 01:44
To: 'Gary O'Neall' <gary@...>; Spdx-tech@...
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 



Dick Brooks
 

FYI.

I work on the CISA ICT_SCRM Task Force as a co-author of the Software Assurance Buyers Guide. There are discussions currently underway in CISA on developing a taxonomy of roles and definitions within the software supply chain.

Will pass along whatever information I can if/when this work commences within CISA.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Alexios Zavras
Sent: Wednesday, March 8, 2023 11:52 AM
To: dick@...; 'Gary O'Neall' <gary@...>; Spdx-tech@...
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

I also agree that we would all benefit from common understanding of all these terms, in order to be consistent.

 

What is the meaning of the mapping table from the NTIA framing document? Is it:

  1. The meaning of the NTIA attributes (first column) is to be understood as the corresponding right columns; or
  2. You should use the fields on the right columns to store information about the NTIA attributes.

 

For everyone’s understanding, let’s try to agree on what these represent. Let’s start with the simplest cases:

 

SPDX

NTIA

Component

Supplier

Originator

Supplier

Vendor

Distributor

OpenSSL source
downloaded from openssl.org

openssl

openssl

OpenSSL binary package
installed via apt (Ubuntu, default settings)

canonical

openssl

Numpy package
downloaded from github.com/numpy/numpy

numpy

numpy

Numpy package
installed via pip (default settings)

pypi

numpy

Numpy package
installed via conda (default settings)

conda

numpy

 

Can anyone help fill the cells of the NTIA fields?

We can then see what we understand for all these in the case of unmodified re-distribution of components. My understanding is:

SPDX

NTIA

Component

Supplier

Originator

Supplier

Vendor

Distributor

Any of the above (is there a difference?)
redistributed inside package X from organization Y

Y

(previous table supplier)

 

 

For reference, I include the definitions from SPDXv2 spec:

 

  • Package supplier: Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a web site.
  • Package originator: If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see 7.5 above), this field identifies from where or whom the package originally came. In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package.

 

-- zvr

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Wednesday, 8 March, 2023 01:44
To: 'Gary O'Neall' <gary@...>; Spdx-tech@...
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Thanks for your careful analysis and insights Gary.

 

First, these roles are not specific to NTIA or defined by NTIA, to my knowledge.

 

These roles are found across lots of different materials in which the software supply chain is discussed – it’s a software supply chain thing, not an SPDX thing I’m referring to. For example:

FERC Order 850 and NERC materials refer to vendors and suppliers.

 

Some CISA materials refer to “distributors”.

 

All of these roles “appear” in software supply chain discussions. But, to my knowledge, there is no “universal meaning” assigned to each role.

 

I’m suggesting that the SPDX community has an opportunity to set the stage and put forward a consensus on the semantics for each role. Putting a stake in the sand.

 

I’m suggesting the SPDX community consider the NTIA semantics for Supplier, and adopt the NTIA definition for Supplier as the “formal definition” for Supplier, in the V3 spec, to address the ambiguities that exist, currently.

 

I’m also suggesting that the Vendor and Distributor roles could benefit from a formal definition, and this is an opportunity for the SPDX community to consider.

 

I see two options going forward; be silent on the definitions of the supplier, vendor and distributor roles OR assert some semantics on each role, and consistently use these role names and semantics as the SPDX spec and implementation evolve.

 

I also suggest you consider the NTIA framing document mapping that provides further interpretation for the supplier “concept”, across SBOM formats:

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: Gary O'Neall <gary@...>
Sent: Tuesday, March 7, 2023 7:08 PM
To: dick@...; Spdx-tech@...
Subject: RE: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Hi Dick,

 

Thanks for welcoming our feedback.  Clearly an important topic.  I may have a different perspective on the topic coming more from an SPDX than an NTIA perspective.  Below are a few thoughts.

 

Gary

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Tuesday, March 7, 2023 1:09 PM
To: Spdx-tech@...
Subject: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Just an FYI:

 

Both Willian and I work on the CISA ICT_SCRM Task Force SW Assurance Work Stream, which is developing guidance for Federal Procurement Offers with regard to OMB M-22-18 and EO 14028.

 

Today, I shared this information with the group, based on our discussions regarding Supplier semantics. This is a very important topic that we need to be consistent is referring to when discussing semantics of the software supply chain.

 

I welcome your feedback on what I sent to the Task Force earlier, shown here:

 

Today, the SPDX SBOM tech team had a very active discussion about the roles in a software supply chain. There are “at least” three distinctive roles:

[G.O.] The 3 roles are NTIA defined roles.  The way you phrase it here, it sounds like SPDX defined these roles.  I would rephrase ‘There are “at least” three distinctive roles’ to ‘The NTIA discusses at least 3 distinctive roles in the NTIA framing document’.

1.      Supplier

               Here is how the NTIA documents describe Supplier, which I agree with:

https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf

 

               REF Page 9:

              

Supplier Name

The name of an entity that creates, defines, and identifies components.

                             

Supplier refers to the originator or manufacturer of the software component.

 

No consensus was reached within the SPDX Tech community on the semantics of “Supplier”.

[G.O.] I think there is consensus on the SPDX definition of an SPDX Supplier – I believe there is not consensus on the NTIA definition of Supplier within the specific SPDX meeting.  I would remove this sentence or clarify that we are talking about NTIA supplier, not SPDX supplier.

 

REA agrees with the NTIA definition of Supplier and asserts that Suppliers produce SBOMs, which are provided to others, i.e., end users, vendors and distributors.

 

2.      Vendor

No consensus was reached within the SPDX Tech community on the semantics of “Vendor”.

[G.O.] Again – this is an NTIA term.  Vendor is not a term used in SPDX.  We only use supplier and originator.  Same as above, suggest either removing the sentence or clarifying that we are talking about NTIA “Vendor”

 

REA asserts that a vendor is the party that “transacts” in the purchase/sale of a software product to an end consumer. A vendor supplies a customer with a “Vendor Response File”.  A Systems Integrator is considered a Vendor (not a supplier).

 

3.      Distributor

No consensus was reached within the SPDX Tech community on the semantics of “Distributor”.

[G.O.] Same comments.

 

               REA asserts that a Distributor is the party that makes a software product available to others. GitHub is an example of a Distributor. The Apple Store is a distributor of software products.

              

As with many concepts in the software supply chain there are many gray areas. REA has gone on the record recommending that SPDX adopt the NTIA semantics for Supplier in the next release, v3.0:

“Supplier refers to the originator or manufacturer of the software component.”

 

It’s entirely feasible for a single legal entity to serve in all 3 roles. This occurs frequently with Microsoft products.

 

I welcome your thoughts and insights on these 3 roles.

 

I welcome your thoughts and insights. IMO, we will need to reach a consensus on the 3 roles identified above, and possibly more as we dig deeper.

[G.O.] After reading through the entire message, I would suggest reframing the discussion.  SPDX currently defines 2 roles – a supplier and originator.  Both are clearly defined in the SPDX 2.X spec.  The NTIA documentation discusses 3 roles.  There is a mapping between the NTIA Supplier and the SPDX supplier, but there is some confusion on mapping Distributor and Vendor to the SPDX terms.  We didn’t discuss mapping SPDX originator, but that may also lead to confusion.  I know Kate has put quite a bit of time into discussing this with the NTIA community, so I would suggest getting her feedback before sending this on to the other work group(s).

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Anthony Harrison
 

We should also make sure that there is some alignment with the CycloneDX SBOMs as well, which have 3 definitions (obtained from the CycloneDX specification):

Supplier - The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.

Author - The person(s) or organization(s) that authored the component

Publisher - The person(s) or organization(s) that published the component

Can we add a CycloneDX column to Alexios's table and see how the various approaches (SPDX, NTIA and CycloneDX) align or diverge?

Regards

Anthony Harrison



On Wed, 8 Mar 2023 at 16:59, Dick Brooks <dick@...> wrote:

FYI.

 

I work on the CISA ICT_SCRM Task Force as a co-author of the Software Assurance Buyers Guide. There are discussions currently underway in CISA on developing a taxonomy of roles and definitions within the software supply chain.

 

Will pass along whatever information I can if/when this work commences within CISA.

 

Thanks,

 

Dick Brooks

 


 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Alexios Zavras
Sent: Wednesday, March 8, 2023 11:52 AM
To: dick@...; 'Gary O'Neall' <gary@...>; Spdx-tech@...
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

I also agree that we would all benefit from a common understanding of all these terms, in order to be consistent.

 

What is the meaning of the mapping table from the NTIA framing document? Is it:

  1. The meaning of the NTIA attributes (first column) is to be understood as the corresponding right columns; or
  2. You should use the fields on the right columns to store information about the NTIA attributes.

 

For everyone’s understanding, let’s try to agree on what these represent. Let’s start with the simplest cases:

 

Component                                                           | SPDX Supplier | SPDX Originator | NTIA Supplier | NTIA Vendor | NTIA Distributor
--------------------------------------------------------------------|---------------|-----------------|---------------|-------------|-----------------
OpenSSL source downloaded from openssl.org                          | openssl       | openssl         |               |             |
OpenSSL binary package installed via apt (Ubuntu, default settings) | canonical     | openssl         |               |             |
Numpy package downloaded from github.com/numpy/numpy                | numpy         | numpy           |               |             |
Numpy package installed via pip (default settings)                  | pypi          | numpy           |               |             |
Numpy package installed via conda (default settings)                | conda         | numpy           |               |             |

 

Can anyone help fill the cells of the NTIA fields?

We can then see what we understand for all these in the case of unmodified re-distribution of components. My understanding is:

Component                                                                                    | SPDX Supplier | SPDX Originator           | NTIA Supplier | NTIA Vendor | NTIA Distributor
---------------------------------------------------------------------------------------------|---------------|---------------------------|---------------|-------------|-----------------
Any of the above (is there a difference?) redistributed inside package X from organization Y | Y             | (previous table supplier) |               |             |

 

 

For reference, I include the definitions from SPDXv2 spec:

 

  • Package supplier: Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a web site.
  • Package originator: If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see 7.5 above), this field identifies from where or whom the package originally came. In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package.

 

-- zvr

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Wednesday, 8 March, 2023 01:44
To: 'Gary O'Neall' <gary@...>; Spdx-tech@...
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Thanks for your careful analysis and insights Gary.

 

First, these roles are not specific to NTIA or defined by NTIA, to my knowledge.

 

These roles are found across lots of different materials in which the software supply chain is discussed – it’s a software supply chain thing, not an SPDX thing I’m referring to. For example:

FERC Order 850 and NERC materials refer to vendors and suppliers.

 

Some CISA materials refer to “distributors”.

 

All of these roles “appear” in software supply chain discussions. But, to my knowledge, there is no “universal meaning” assigned to each role.

 

I’m suggesting that the SPDX community has an opportunity to set the stage and put forward a consensus on the semantics for each role. Putting a stake in the sand.

 

I’m suggesting the SPDX community consider the NTIA semantics for Supplier, and adopt the NTIA definition for Supplier as the “formal definition” for Supplier in the V3 spec, to address the ambiguities that currently exist.

 

I’m also suggesting that the Vendor and Distributor roles could benefit from a formal definition, and this is an opportunity for the SPDX community to consider.

 

I see two options going forward: be silent on the definitions of the supplier, vendor and distributor roles, OR assert some semantics on each role, and consistently use these role names and semantics as the SPDX spec and implementation evolve.

 

I also suggest you consider the NTIA framing document mapping that provides further interpretation for the supplier “concept”, across SBOM formats:

 

 

Thanks,

 

Dick Brooks

 


 

From: Gary O'Neall <gary@...>
Sent: Tuesday, March 7, 2023 7:08 PM
To: dick@...; Spdx-tech@...
Subject: RE: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Hi Dick,

 

Thanks for welcoming our feedback.  Clearly an important topic.  I may have a different perspective on the topic coming more from an SPDX than an NTIA perspective.  Below are a few thoughts.

 

Gary

 

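The SPDX v2 definitions Alexios quotes and his two tables, as an added example that is not part of the thread and not code from the SPDX project: a small Python model of a package's distribution chain that derives the SPDX 2.x PackageSupplier and PackageOriginator values for the rows of the first table, applies Alexios's reading of the redistribution row (the redistributing organization becomes the supplier and the previous supplier becomes the originator), and rejects a value that names a web site, which the Package supplier definition does not allow. The Hop type, the function names, the constructed sample chains and the web-site heuristic are assumptions of this example, not anything stated in the thread.

```python
"""Added example, not code from the thread or from the SPDX project."""
from dataclasses import dataclass
import re
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Hop:
    """One party that made the artifact available, listed origin-first.
    kind is an SPDX 2.x actor type: "Organization" or "Person"
    (modelling choice of this example, not an SPDX data structure)."""
    name: str
    kind: str = "Organization"


# Heuristic for "names a web site": a URL scheme, a www. prefix, or a bare
# host name with an optional path.  Constructed for this example.
_WEBSITE_RE = re.compile(
    r"^(?:https?://|www\.)|^[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.IGNORECASE
)


def looks_like_website(name: str) -> bool:
    """True when a supplier/originator value names a site rather than a party,
    which the SPDX v2 Package supplier definition rules out."""
    return bool(_WEBSITE_RE.search(name.strip()))


def check_party(hop: Hop) -> Optional[str]:
    """Return a problem description for a hop, or None when it is acceptable."""
    if hop.kind not in ("Organization", "Person"):
        return f"unknown SPDX actor kind {hop.kind!r}"
    if not hop.name.strip():
        return "empty party name"
    if looks_like_website(hop.name):
        return f"{hop.name!r} names a web site, not an organization or author"
    return None


def spdx_roles(chain: List[Hop]) -> Tuple[str, str]:
    """Return (PackageSupplier, PackageOriginator) for a distribution chain.

    Supplier is the last hop, the source the package was actually obtained
    from.  Originator follows Alexios's reading of the second table: the
    party the supplier got the artifact from, i.e. the previous supplier;
    a one-hop chain names the same party for both roles.
    """
    if not chain:
        raise ValueError("distribution chain must contain at least one hop")
    for hop in chain:
        problem = check_party(hop)
        if problem:
            raise ValueError(problem)
    supplier = chain[-1]
    originator = chain[-2] if len(chain) > 1 else chain[-1]
    return (f"{supplier.kind}: {supplier.name}",
            f"{originator.kind}: {originator.name}")


def tag_value_lines(chain: List[Hop]) -> List[str]:
    """Render the two roles as SPDX 2.x tag-value lines."""
    supplier, originator = spdx_roles(chain)
    return [f"PackageSupplier: {supplier}", f"PackageOriginator: {originator}"]


def redistribute(chain: List[Hop], party: Hop) -> List[Hop]:
    """Unmodified redistribution by `party`: it becomes the new supplier,
    and the former supplier becomes the originator (the second table)."""
    return list(chain) + [party]


# Constructed chains for the rows of the first table.
CASES = {
    "OpenSSL source downloaded from openssl.org": [Hop("openssl")],
    "OpenSSL binary package installed via apt (Ubuntu)": [Hop("openssl"), Hop("canonical")],
    "Numpy package downloaded from github.com/numpy/numpy": [Hop("numpy")],
    "Numpy package installed via pip": [Hop("numpy"), Hop("pypi")],
    "Numpy package installed via conda": [Hop("numpy"), Hop("conda")],
}


if __name__ == "__main__":
    for label, chain in CASES.items():
        print(label)
        for line in tag_value_lines(chain):
            print("    " + line)
    # Second table: the apt package shipped unmodified inside package X by organization Y.
    chain_y = redistribute(CASES["OpenSSL binary package installed via apt (Ubuntu)"], Hop("Y"))
    print("redistributed by Y:", tag_value_lines(chain_y))
    # A value that names a site is rejected rather than written into the SBOM.
    print(check_party(Hop("openssl.org")))
```

If the originator field is instead read as the party the artifact originally came from, the only row that changes is the redistribution case once the chain has three or more hops: the originator would then be the first hop (openssl) rather than canonical. The NTIA and CycloneDX columns are left unfilled here, as they are in the thread.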


Dick Brooks
 

The NTIA SBOM Framing Document mapping table is also quite useful:

 

https://ntia.gov/sites/default/files/publications/ntia_sbom_framing_2nd_edition_20211021_0.pdf

 

 

 

Thanks,

 

Dick Brooks

 


 

From: Anthony Harrison <anthony.p.harrison@...>
Sent: Wednesday, March 8, 2023 12:59 PM
To: dick@...
Cc: Alexios Zavras <alexios.zavras@...>; Gary O'Neall <gary@...>; Spdx-tech@...; Steve Springett <steve.springett@...>
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 



Gary O'Neall
 

I have a call with CycloneDX later this afternoon – I’ll pass along the request.

 

Steve – I see you’re added to the cc – did you want to take a pass at filling in Alexios’ example?

 

Regards,

Gary

 

From: Anthony Harrison <anthony.p.harrison@...>
Sent: Wednesday, March 8, 2023 9:59 AM
To: dick@...
Cc: Alexios Zavras <alexios.zavras@...>; Gary O'Neall <gary@...>; Spdx-tech@...; Steve Springett <steve.springett@...>
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

We should also make sure that there is some alignment with the CycloneDX SBOMs as well which has 3 definitions (obtained from the CycloneDX specification)

 

Supplier -The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.

 

Author - The person(s) or organization(s) that authored the component

 

Publisher - The person(s) or organization(s) that published the component

 

Can we add a CycloneDX column to Alexios's table and see how the various approaches (SPDX, NTIA and CycloneDX) align or diverge. 

 

Regards

 

Anthony Harrison

 

 

 

On Wed, 8 Mar 2023 at 16:59, Dick Brooks <dick@...> wrote:

FYI.

 

I work on the CISA ICT_SCRM Task Force as a co-author of the Software Assurance Buyers Guide. There are discussions currently underway in CISA on developing a taxonomy of roles and definitions within the software supply chain.

 

Will pass along whatever information I can if/when this work commences within CISA.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Alexios Zavras
Sent: Wednesday, March 8, 2023 11:52 AM
To: dick@...; 'Gary O'Neall' <gary@...>; Spdx-tech@...
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

I also agree that we would all benefit from common understanding of all these terms, in order to be consistent.

 

What is the meaning of the mapping table from the NTIA framing document? Is it:

  1. The meaning of the NTIA attributes (first column) is to be understood as the corresponding right columns; or
  2. You should use the fields on the right columns to store information about the NTIA attributes.

 

For everyone’s understanding, let’s try to agree on what these represent. Let’s start with the simplest cases:

 

SPDX

NTIA

Component

Supplier

Originator

Supplier

Vendor

Distributor

OpenSSL source
downloaded from openssl.org

openssl

openssl

OpenSSL binary package
installed via apt (Ubuntu, default settings)

canonical

openssl

Numpy package
downloaded from github.com/numpy/numpy

numpy

numpy

Numpy package
installed via pip (default settings)

pypi

numpy

Numpy package
installed via conda (default settings)

conda

numpy

 

Can anyone help fill the cells of the NTIA fields?

We can then see what we understand for all these in the case of unmodified re-distribution of components. My understanding is:

SPDX

NTIA

Component

Supplier

Originator

Supplier

Vendor

Distributor

Any of the above (is there a difference?)
redistributed inside package X from organization Y

Y

(previous table supplier)

 

 

For reference, I include the definitions from SPDXv2 spec:

 

  • Package supplier: Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a web site.
  • Package originator: If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see 7.5 above), this field identifies from where or whom the package originally came. In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package.

 

-- zvr

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Wednesday, 8 March, 2023 01:44
To: 'Gary O'Neall' <gary@...>; Spdx-tech@...
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Thanks for your careful analysis and insights Gary.

 

First, these roles are not specific to NTIA or defined by NTIA, to my knowledge.

 

These roles are found across lots of different materials in which the software supply chain is discussed – it’s a software supply chain thing, not an SPDX thing I’m referring to. For example:

FERC Order 850 and NERC materials refer to vendors and suppliers.

 

Some CISA materials refer to “distributors”.

 

All of these roles “appear” in software supply chain discussions. But, to my knowledge, there is no “universal meaning” assigned to each role.

 

I’m suggesting that the SPDX community has an opportunity to set the stage and put forward a consensus on the semantics for each role. Putting a stake in the sand.

 

I’m suggesting the SPDX community consider the NTIA semantics for Supplier, and adopt the NTIA definition for Supplier as the “formal definition” for Supplier, in the V3 spec, to address the ambiguities that exist, currently.

 

I’m also suggesting that the Vendor and Distributor roles could benefit from a formal definition, and this is an opportunity for the SPDX community to consider.

 

I see two options going forward; be silent on the definitions of the supplier, vendor and distributor roles OR assert some semantics on each role, and consistently use these role names and semantics as the SPDX spec and implementation evolve.

 

I also suggest you consider the NTIA framing document mapping that provides further interpretation for the supplier “concept”, across SBOM formats:

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: Gary O'Neall <gary@...>
Sent: Tuesday, March 7, 2023 7:08 PM
To: dick@...; Spdx-tech@...
Subject: RE: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Hi Dick,

 

Thanks for welcoming our feedback.  Clearly an important topic.  I may have a different perspective on the topic coming more from an SPDX than an NTIA perspective.  Below are a few thoughts.

 

Gary

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Tuesday, March 7, 2023 1:09 PM
To: Spdx-tech@...
Subject: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Just an FYI:

 

Both Willian and I work on the CISA ICT_SCRM Task Force SW Assurance Work Stream, which is developing guidance for Federal Procurement Offers with regard to OMB M-22-18 and EO 14028.

 

Today, I shared this information with the group, based on our discussions regarding Supplier semantics. This is a very important topic that we need to be consistent in referring to when discussing the semantics of the software supply chain.

 

I welcome your feedback on what I sent to the Task Force earlier, shown here:

 

Today, the SPDX SBOM tech team had a very active discussion about the roles in a software supply chain. There are “at least” three distinctive roles:

[G.O.] The 3 roles are NTIA defined roles.  The way you phrase it here, it sounds like SPDX defined these roles.  I would rephrase ‘There are “at least” three distinctive roles’ to ‘The NTIA discusses at least 3 distinctive roles in the NTIA framing document’.

1.      Supplier

               Here is how the NTIA documents describe Supplier, which I agree with:

https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf

 

               REF Page 9:

              

Supplier Name

The name of an entity that creates, defines, and identifies components.

                             

Supplier refers to the originator or manufacturer of the software component.

 

               No consensus was reached within the SPDX Tech community on the semantics of “Supplier”

[G.O.] I think there is consensus on the SPDX definition of an SPDX Supplier – I believe there is not consensus on the NTIA definition of Supplier within the specific SPDX meeting.  I would remove this sentence or clarify that we are talking about NTIA supplier, not SPDX supplier.

 

               REA agrees with the NTIA definition of Supplier and asserts that Suppliers produce SBOM’s, which are provided to others, i.e. end users, vendors and distributors

 

2.      Vendor

No consensus was reached within the SPDX Tech community on the semantics of “Vendor”

[G.O.] Again – this is an NTIA term.  Vendor is not a term used in SPDX.  We only use supplier and originator.  Same as above, suggest either removing the sentence or clarifying that we are talking about NTIA “Vendor”

 

REA asserts that a vendor is the party that “transacts” in the purchase/sale of a software product to an end consumer. A vendor supplies a customer with a “Vendor Response File”.  A Systems Integrator is considered a Vendor (not a supplier)

 

3.      Distributor

No consensus was reached within the SPDX Tech community on the semantics of “Distributor”

[G.O.] Same comments.

 

               REA asserts that a Distributor is the party that makes a software product available to others. GitHub is an example of a Distributor. The Apple Store is a distributor of software products.

              

As with many concepts in the software supply chain there are many gray areas. REA has gone on the record recommending that SPDX adopt the NTIA semantics for Supplier in the next release, v 3.0:

“Supplier refers to the originator or manufacturer of the software component.”

 

It’s entirely feasible for a single legal entity to serve in all 3 roles. This occurs frequently with Microsoft products.

 

I welcome your thoughts and insights on these 3 roles.

 

I welcome your thoughts and insights. IMO, we will need to reach a consensus on the 3 roles identified above, and possibly more as we dig deeper.

[G.O.] After reading through the entire message, I would suggest reframing the discussion.  SPDX currently defines 2 roles – a supplier and originator.  Both are clearly defined in the SPDX 2.X spec.  The NTIA documentation discusses 3 roles.  There is a mapping between the NTIA Supplier and the SPDX supplier, but there is some confusion on mapping Distributor and Vendor to the SPDX terms.  We didn’t discuss mapping SPDX originator, but that may also lead to confusion.  I know Kate has put quite a bit of time into discussing this with the NTIA community, so I would suggest getting her feedback before sending this on to the other work group(s).

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Dick Brooks
 

Gary,

 

The NTIA framing document may be useful when talking with Steve.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: Gary O'Neall <gary@...>
Sent: Wednesday, March 8, 2023 1:26 PM
To: 'Anthony Harrison' <anthony.p.harrison@...>; dick@...
Cc: 'Alexios Zavras' <alexios.zavras@...>; Spdx-tech@...; 'Steve Springett' <steve.springett@...>
Subject: RE: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

I have a call with CycloneDX later this afternoon – I’ll pass along the request.

 

Steve – I see you’re added to the cc – did you want to take a pass at filling in Alexios’ example?

 

Regards,

Gary

 

From: Anthony Harrison <anthony.p.harrison@...>
Sent: Wednesday, March 8, 2023 9:59 AM
To: dick@...
Cc: Alexios Zavras <alexios.zavras@...>; Gary O'Neall <gary@...>; Spdx-tech@...; Steve Springett <steve.springett@...>
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

We should also make sure that there is some alignment with the CycloneDX SBOMs as well, which have 3 definitions (obtained from the CycloneDX specification):

 

Supplier - The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.

 

Author - The person(s) or organization(s) that authored the component

 

Publisher - The person(s) or organization(s) that published the component

 

Can we add a CycloneDX column to Alexios's table and see how the various approaches (SPDX, NTIA and CycloneDX) align or diverge?

 

Regards

 

Anthony Harrison

 

 

 

On Wed, 8 Mar 2023 at 16:59, Dick Brooks <dick@...> wrote:

FYI.

 

I work on the CISA ICT_SCRM Task Force as a co-author of the Software Assurance Buyers Guide. There are discussions currently underway in CISA on developing a taxonomy of roles and definitions within the software supply chain.

 

Will pass along whatever information I can if/when this work commences within CISA.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Alexios Zavras
Sent: Wednesday, March 8, 2023 11:52 AM
To: dick@...; 'Gary O'Neall' <gary@...>; Spdx-tech@...
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

I also agree that we would all benefit from common understanding of all these terms, in order to be consistent.

 

What is the meaning of the mapping table from the NTIA framing document? Is it:

  1. The meaning of the NTIA attributes (first column) is to be understood as the corresponding right columns; or
  2. You should use the fields on the right columns to store information about the NTIA attributes.

 

For everyone’s understanding, let’s try to agree on what these represent. Let’s start with the simplest cases:

 

Component                                                | SPDX Supplier | SPDX Originator | NTIA Supplier | NTIA Vendor | NTIA Distributor
---------------------------------------------------------|---------------|-----------------|---------------|-------------|-----------------
OpenSSL source, downloaded from openssl.org              | openssl       | openssl         |               |             |
OpenSSL binary package, installed via apt                | canonical     | openssl         |               |             |
  (Ubuntu, default settings)                             |               |                 |               |             |
Numpy package, downloaded from github.com/numpy/numpy    | numpy         | numpy           |               |             |
Numpy package, installed via pip (default settings)      | pypi          | numpy           |               |             |
Numpy package, installed via conda (default settings)    | conda         | numpy           |               |             |

 

Can anyone help fill the cells of the NTIA fields?

We can then see what we understand for all these in the case of unmodified re-distribution of components. My understanding is:

Component                                                        | SPDX Supplier | SPDX Originator           | NTIA Supplier | NTIA Vendor | NTIA Distributor
-----------------------------------------------------------------|---------------|---------------------------|---------------|-------------|-----------------
Any of the above (is there a difference?), redistributed inside  | Y             | (previous table supplier) |               |             |
  package X from organization Y                                  |               |                           |               |             |

 

 

For reference, I include the definitions from SPDXv2 spec:

 

  • Package supplier: Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a web site.
  • Package originator: If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see 7.5 above), this field identifies from where or whom the package originally came. In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package.

 

-- zvr

 



Gary O'Neall
 

We didn’t have time to go over this topic on the call, so no updates on the table below.

 

I can provide some input, however, from the cdx2spdx tool which interprets the CycloneDX fields.

 

CDX Supplier maps to SPDX property Supplier in class Package.

CDX Publisher maps to SPDX property Originator in class Package as an Organization.

CDX Author maps to SPDX property Originator in class Package as a Person IFF there is no CDX Publisher (this is due to the SPDX cardinality of Originator being 0..1).

 

If anyone thinks this mapping is incorrect, please submit an issue at https://github.com/spdx/cdx2spdx/issues

 

Thanks,

Gary
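An added example, not code from the cdx2spdx tool: a Python function that applies the three mapping rules above (CDX supplier to SPDX Supplier, CDX publisher to Originator as an Organization, CDX author to Originator as a Person only when there is no publisher, because Originator is 0..1) and flags the cases where provenance information is silently dropped or the SPDX rule that a supplier is an organization and not a web site is violated. The function name, the warning strings and the sample component are assumptions; the CycloneDX field names (supplier.name, supplier.contact, publisher, author) and the SPDX "Organization: ..." / "Person: ..." / NOASSERTION forms are those of the two specs.

```python
"""Map CycloneDX component provenance fields onto SPDX 2.x Package fields.

Hypothetical re-implementation of the mapping stated in the thread, not the
cdx2spdx tool's own code:
  CDX supplier  -> SPDX PackageSupplier
  CDX publisher -> SPDX PackageOriginator (as Organization)
  CDX author    -> SPDX PackageOriginator (as Person) only if no publisher,
                   because SPDX Originator has cardinality 0..1
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Any, Optional

# SPDX 2.x PackageSupplier shall name an organization or recognized author,
# not a web site; anything URL-shaped is a provenance smell worth flagging.
_URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


@dataclass(frozen=True)
class SpdxActors:
    supplier: str               # PackageSupplier value, or "NOASSERTION"
    originator: Optional[str]   # PackageOriginator value, or None (field omitted)
    warnings: tuple[str, ...]   # provenance problems an SBOM consumer should see


def _actor(kind: str, name: str, email: Optional[str] = None) -> str:
    # SPDX 2.x spells actors as "Organization: name (email)" / "Person: name (email)".
    return f"{kind}: {name} ({email})" if email else f"{kind}: {name}"


def map_cdx_actors(component: dict[str, Any]) -> SpdxActors:
    """Return the SPDX supplier/originator derived from one CycloneDX component."""
    warnings: list[str] = []

    supplier = "NOASSERTION"
    sup = component.get("supplier")
    if sup and sup.get("name"):
        name = sup["name"].strip()
        if _URL_LIKE.match(name):
            warnings.append(f"supplier name looks like a web site: {name!r}")
        contacts = sup.get("contact") or []
        email = contacts[0].get("email") if contacts else None
        supplier = _actor("Organization", name, email)
    else:
        warnings.append("no CycloneDX supplier; SPDX PackageSupplier set to NOASSERTION")

    originator: Optional[str] = None
    publisher = (component.get("publisher") or "").strip()
    author = (component.get("author") or "").strip()
    if publisher:
        originator = _actor("Organization", publisher)
        if author:
            # Only one Originator fits; the author is lost in the conversion.
            warnings.append("CycloneDX author dropped: SPDX Originator is 0..1 and publisher wins")
    elif author:
        originator = _actor("Person", author)

    return SpdxActors(supplier, originator, tuple(warnings))


# Constructed sample (not real SBOM data): a distribution-repackaged OpenSSL
# that carries supplier, publisher and author at once.
SAMPLE_COMPONENT: dict[str, Any] = {
    "type": "library",
    "name": "openssl",
    "version": "3.0.2",
    "supplier": {"name": "Canonical Ltd.", "contact": [{"email": "security@example.invalid"}]},
    "publisher": "OpenSSL Software Foundation",
    "author": "OpenSSL Project",
}

if __name__ == "__main__":
    result = map_cdx_actors(SAMPLE_COMPONENT)
    print("PackageSupplier:", result.supplier)
    print("PackageOriginator:", result.originator)
    for w in result.warnings:
        print("WARNING:", w)
```

Running it on the sample shows the author being dropped in favour of the publisher, which is exactly the information loss a consumer comparing SPDX and CycloneDX SBOMs for the same artifact would otherwise not notice.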

 



Gary O'Neall
 

I think Alexios’ example table is a good approach.

 

I created a Google Sheets copy of his table below and added the CycloneDX related properties.  Feel free to update the table.

 

Here’s the link: https://docs.google.com/spreadsheets/d/1eWWLJSM3WxCfGrhzjEPVXm33nxzgrtki6fnWrbwQrhM/edit?usp=sharing

 

Gary

 

From: Dick Brooks <dick@...>
Sent: Wednesday, March 8, 2023 10:30 AM
To: 'Gary O'Neall' <gary@...>; 'Anthony Harrison' <anthony.p.harrison@...>
Cc: 'Alexios Zavras' <alexios.zavras@...>; Spdx-tech@...; 'Steve Springett' <steve.springett@...>
Subject: RE: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Gary,

 

The NTIA framing document may be useful when talking with Steve.

 

Thanks,

 

Dick Brooks

 


 

From: Gary O'Neall <gary@...>
Sent: Wednesday, March 8, 2023 1:26 PM
To: 'Anthony Harrison' <anthony.p.harrison@...>; dick@...
Cc: 'Alexios Zavras' <alexios.zavras@...>; Spdx-tech@...; 'Steve Springett' <steve.springett@...>
Subject: RE: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

I have a call with CycloneDX later this afternoon – I’ll pass along the request.

 

Steve – I see you’re added to the cc – did you want to take a pass at filling in Alexios’ example?

 

Regards,

Gary

 

From: Anthony Harrison <anthony.p.harrison@...>
Sent: Wednesday, March 8, 2023 9:59 AM
To: dick@...
Cc: Alexios Zavras <alexios.zavras@...>; Gary O'Neall <gary@...>; Spdx-tech@...; Steve Springett <steve.springett@...>
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

We should also make sure that there is some alignment with the CycloneDX SBOMs as well which has 3 definitions (obtained from the CycloneDX specification)

 

Supplier - The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.

 

Author - The person(s) or organization(s) that authored the component

 

Publisher - The person(s) or organization(s) that published the component

 

Can we add a CycloneDX column to Alexios's table and see how the various approaches (SPDX, NTIA and CycloneDX) align or diverge. 

 

Regards

 

Anthony Harrison

 

 

 

On Wed, 8 Mar 2023 at 16:59, Dick Brooks <dick@...> wrote:

FYI.

 

I work on the CISA ICT_SCRM Task Force as a co-author of the Software Assurance Buyers Guide. There are discussions currently underway in CISA on developing a taxonomy of roles and definitions within the software supply chain.

 

Will pass along whatever information I can if/when this work commences within CISA.

 

Thanks,

 

Dick Brooks

 


 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Alexios Zavras
Sent: Wednesday, March 8, 2023 11:52 AM
To: dick@...; 'Gary O'Neall' <gary@...>; Spdx-tech@...
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

I also agree that we would all benefit from common understanding of all these terms, in order to be consistent.

 

What is the meaning of the mapping table from the NTIA framing document? Is it:

  1. The meaning of the NTIA attributes (first column) is to be understood as the corresponding right columns; or
  2. You should use the fields on the right columns to store information about the NTIA attributes.

 

For everyone’s understanding, let’s try to agree on what these represent. Let’s start with the simplest cases:

 

Component                                                             | SPDX Supplier | SPDX Originator | NTIA Supplier | NTIA Vendor | NTIA Distributor
----------------------------------------------------------------------+---------------+-----------------+---------------+-------------+-----------------
OpenSSL source, downloaded from openssl.org                           | openssl       | openssl         |               |             |
OpenSSL binary package, installed via apt (Ubuntu, default settings)  | canonical     | openssl         |               |             |
Numpy package, downloaded from github.com/numpy/numpy                 | numpy         | numpy           |               |             |
Numpy package, installed via pip (default settings)                   | pypi          | numpy           |               |             |
Numpy package, installed via conda (default settings)                 | conda         | numpy           |               |             |

 

Can anyone help fill the cells of the NTIA fields?

We can then see what we understand for all these in the case of unmodified re-distribution of components. My understanding is:

Component                                                             | SPDX Supplier | SPDX Originator           | NTIA Supplier | NTIA Vendor | NTIA Distributor
----------------------------------------------------------------------+---------------+---------------------------+---------------+-------------+-----------------
Any of the above (is there a difference?), redistributed inside       | Y             | (previous table supplier) |               |             |
package X from organization Y                                         |               |                           |               |             |

 

 

For reference, I include the definitions from SPDXv2 spec:

 

  • Package supplier: Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a web site.
  • Package originator: If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see 7.5 above), this field identifies from where or whom the package originally came. In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package.

 

-- zvr

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Wednesday, 8 March, 2023 01:44
To: 'Gary O'Neall' <gary@...>; Spdx-tech@...
Subject: Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Thanks for your careful analysis and insights Gary.

 

First, these roles are not specific to NTIA or defined by NTIA, to my knowledge.

 

These roles are found across lots of different materials in which the software supply chain is discussed – it’s a software supply chain thing, not an SPDX thing I’m referring to. For example:

FERC Order 850 and NERC materials refer to vendors and suppliers.

 

Some CISA materials refer to “distributors”.

 

All of these roles “appear” in software supply chain discussions. But, to my knowledge, there is no “universal meaning” assigned to each role.

 

I’m suggesting that the SPDX community has an opportunity to set the stage and put forward a consensus on the semantics for each role. Putting a stake in the sand.

 

I’m suggesting the SPDX community consider the NTIA semantics for Supplier, and adopt the NTIA definition for Supplier as the “formal definition” for Supplier, in the V3 spec, to address the ambiguities that exist, currently.

 

I’m also suggesting that the Vendor and Distributor roles could benefit from a formal definition, and this is an opportunity for the SPDX community to consider.

 

I see two options going forward; be silent on the definitions of the supplier, vendor and distributor roles OR assert some semantics on each role, and consistently use these role names and semantics as the SPDX spec and implementation evolve.

 

I also suggest you consider the NTIA framing document mapping that provides further interpretation for the supplier “concept”, across SBOM formats:

 

 

Thanks,

 

Dick Brooks

 


 

From: Gary O'Neall <gary@...>
Sent: Tuesday, March 7, 2023 7:08 PM
To: dick@...; Spdx-tech@...
Subject: RE: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Hi Dick,

 

Thanks for welcoming our feedback.  Clearly an important topic.  I may have a different perspective on the topic coming more from an SPDX than an NTIA perspective.  Below are a few thoughts.

 

Gary

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Tuesday, March 7, 2023 1:09 PM
To: Spdx-tech@...
Subject: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

 

Just an FYI:

 

Both Willian and I work on the CISA ICT_SCRM Task Force SW Assurance Work Stream, which is developing guidance for Federal Procurement Offers with regard to OMB M-22-18 and EO 14028.

 

Today, I shared this information with the group, based on our discussions regarding Supplier semantics. This is a very important topic that we need to be consistent in referring to when discussing semantics of the software supply chain.

 

I welcome your feedback on what I sent to the Task Force earlier, shown here:

 

Today, the SPDX SBOM tech team had a very active discussion about the roles in a software supply chain. There are “at least” three distinctive roles:

[G.O.] The 3 roles are NTIA defined roles.  The way you phrase it here, it sounds like SPDX defined these roles.  I would rephrase ‘There are “at least” three distinctive roles’ to ‘The NTIA discusses at least 3 distinctive roles in the NTIA framing document’.

1.      Supplier

               Here is how the NTIA documents describe Supplier, which I agree with:

https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf

 

               REF Page 9:

              

Supplier Name

The name of an entity that creates, defines, and identifies components.

                             

Supplier refers to the originator or manufacturer of the software component.

 

               No consensus was reached within the SPDX Tech community on the semantics of “Supplier”

[G.O.] I think there is consensus on the SPDX definition of an SPDX Supplier – I believe there is not consensus on the NTIA definition of Supplier within the specific SPDX meeting.  I would remove this sentence or clarify that we are talking about NTIA supplier, not SPDX supplier.

 

               REA agrees with the NTIA definition of Supplier and asserts that Suppliers produce SBOMs, which are provided to others, i.e. end users, vendors and distributors

 

2.      Vendor

No consensus was reached within the SPDX Tech community on the semantics of “Vendor”

[G.O.] Again – this is an NTIA term.  Vendor is not a term used in SPDX.  We only use supplier and originator.  Same as above, suggest either removing the sentence or clarifying that we are talking about NTIA “Vendor”

 

REA asserts that a vendor is the party that “transacts” in the purchase/sale of a software product to an end consumer. A vendor supplies a customer with a “Vendor Response File”.  A Systems Integrator is considered a Vendor (not a supplier)

 

3.      Distributor

No consensus was reached within the SPDX Tech community on the semantics of “Distributor”

[G.O.] Same comments.

 

               REA asserts that a Distributor is the party that makes a software product available to others. GitHub is an example of a Distributor. The Apple Store is a distributor of software products.

              

As with many concepts in the software supply chain there are many gray areas. REA has gone on the record recommending that SPDX adopt the NTIA semantics for Supplier in the next release, v 3.0.

“Supplier refers to the originator or manufacturer of the software component.”

 

It’s entirely feasible for a single legal entity to serve in all 3 roles. This occurs frequently with Microsoft products.

 

I welcome your thoughts and insights on these 3 roles.

 

I welcome your thoughts and insights. IMO, we will need to reach a consensus on the 3 roles identified above, and possibly more as we dig deeper.

[G.O.] After reading through the entire message, I would suggest reframing the discussion.  SPDX currently defines 2 roles – a supplier and originator.  Both are clearly defined in the SPDX 2.X spec.  The NTIA documentation discusses 3 roles.  There is a mapping between the NTIA Supplier and the SPDX supplier, but there is some confusion on mapping Distributor and Vendor to the SPDX terms.  We didn’t discuss mapping SPDX originator, but that may also lead to confusion.  I know Kate has put quite a bit of time into discussing this with the NTIA community, so I would suggest getting her feedback before sending this on to the other work group(s).

 

Thanks,

 

Dick Brooks

 


 

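An added example, not code from the thread or from the SPDX or CycloneDX projects, showing how the SPDX supplier/originator columns of Alexios’ example table land in actual SBOM fields. It renders each row as SPDX 2.x tag-value lines and as a CycloneDX component object, applying the two SPDX 2.x rules quoted above: the supplier shall be an organization or recognized author and not a web site, and the originator is only recorded when it differs from the supplier. The “Organization:” prefixes on the thread’s lowercase names, the package names, the web-site heuristic and the SPDX-to-CycloneDX field mapping (SPDX supplier to CycloneDX supplier, SPDX originator to CycloneDX author) are assumptions made for this example; the thread did not settle that mapping.

```python
"""Added example (not from the thread or the SPDX/CycloneDX projects).

Renders the SPDX supplier/originator columns of the thread's table as
SPDX 2.x tag-value lines and as CycloneDX component objects.  The
"Organization:" prefixes, package names and the SPDX->CycloneDX mapping
(supplier -> supplier, originator -> author) are assumptions for this example.
"""
import json
import re

# SPDX 2.x actor syntax: "Person: name (email)" or "Organization: name (email)".
ACTOR_RE = re.compile(r"^(Person|Organization): (.+?)(?: \(([^()]*)\))?$")
# Assumed heuristic for "is a web site": a URL, a www. prefix or a trailing TLD.
WEBSITE_RE = re.compile(r"(?i)https?://|www\.|\.[a-z]{2,}$")


def parse_actor(actor):
    """Return (kind, name, email) for an SPDX actor string.

    'NOASSERTION' yields (None, None, None).  Raises ValueError for strings
    that are not actors or whose name is a web site rather than an entity
    (SPDX 2.x 7.5: "an organization or recognized author and not a web site").
    """
    if actor == "NOASSERTION":
        return None, None, None
    m = ACTOR_RE.match(actor)
    if not m:
        raise ValueError(f"not an SPDX actor: {actor!r}")
    kind, name, email = m.groups()
    if WEBSITE_RE.search(name):
        raise ValueError(f"actor name looks like a web site: {name!r}")
    return kind, name, email


def actor_is_valid(actor):
    """True if parse_actor() accepts the string."""
    try:
        parse_actor(actor)
        return True
    except ValueError:
        return False


def spdx_package_tags(pkg_name, supplier, originator):
    """SPDX 2.x tag-value lines for one package.

    PackageOriginator is emitted only when it differs from PackageSupplier,
    following the 7.6 wording quoted in the thread.
    """
    parse_actor(supplier)
    lines = [f"PackageName: {pkg_name}", f"PackageSupplier: {supplier}"]
    if originator != supplier:
        parse_actor(originator)
        lines.append(f"PackageOriginator: {originator}")
    return lines


def cyclonedx_component(pkg_name, supplier, originator):
    """CycloneDX component dict under the assumed mapping described above.

    CycloneDX 'supplier' is an organizational entity (name plus contacts);
    'author' is a free-text string.
    """
    comp = {"type": "library", "name": pkg_name}
    _, sup_name, sup_email = parse_actor(supplier)
    if sup_name:
        comp["supplier"] = {"name": sup_name}
        if sup_email:
            comp["supplier"]["contact"] = [{"email": sup_email}]
    _, orig_name, _ = parse_actor(originator)
    if orig_name:
        comp["author"] = orig_name
    return comp


# Rows from the thread's table; the actor strings are constructed for the example.
ROWS = [
    ("openssl", "OpenSSL source downloaded from openssl.org",
     "Organization: openssl", "Organization: openssl"),
    ("openssl", "OpenSSL binary package installed via apt (Ubuntu)",
     "Organization: canonical", "Organization: openssl"),
    ("numpy", "Numpy package downloaded from github.com/numpy/numpy",
     "Organization: numpy", "Organization: numpy"),
    ("numpy", "Numpy package installed via pip",
     "Organization: pypi", "Organization: numpy"),
    ("numpy", "Numpy package installed via conda",
     "Organization: conda", "Organization: numpy"),
]


def render_rows(rows=ROWS):
    """Map every row to (description, SPDX tag-value lines, CycloneDX component)."""
    return [(desc, spdx_package_tags(pkg, sup, orig), cyclonedx_component(pkg, sup, orig))
            for pkg, desc, sup, orig in rows]


if __name__ == "__main__":
    for desc, tags, comp in render_rows():
        print(f"# {desc}")
        print("\n".join(tags))
        print(json.dumps(comp, indent=2))
        print()
```

Running it shows the practical consequence of the 7.6 rule: only the apt, pip and conda rows carry a PackageOriginator, because in the other two rows the supplier is the originator. A value such as “Organization: openssl.org” is rejected by parse_actor(), which is the check a generator should make before emitting a PackageSupplier line.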