Re: SBOM Survey

karen.bennet
 

This survey was a great start to gather feedback about SBOM, but it would be good to get some questions about AI SBOM; they need additional information collected.

On Thu, Nov 10, 2022 at 1:34 AM Wintersgill, Nathan <njwintersgill@...> wrote:

Dear SPDX Community,

The SEMERU research lab from William and Mary is conducting an online survey to understand issues, needs, and opportunities related to software supply chain management through Software Bill of Materials (SBOMs).

If you have knowledge of or experience with SPDX or other SBOM formats, we would value your participation in this study.

We would greatly appreciate 20-30 minutes of your time to complete the survey: https://wmsas.qualtrics.com/jfe/form/SV_cO4qm1gk3AFunJk.

If you decide to participate, we kindly ask you to complete the survey as soon as possible, ideally within a week. Participating will enter you into a lottery to win one of 10 $50 Amazon gift cards.

Your participation will help us in our mission to better understand the current state of SBOMs in practice and help us provide better resources and tools to developers for managing and securing their own software supply chains.

If you have any questions about our research, our methods, or our survey please do not hesitate to ask. If you have any colleagues who you believe may have valuable domain knowledge and experience, please forward this email and survey to them.

This research is conducted under protocol PHSC-2022-07-14-15722 approved by the IRB at William and Mary.

Thank you for your time,

Oscar Chaparro - Assistant Professor (oscarch@...)

Denys Poshyvanyk - Professor (dposhyvanyk@...)

Trevor Stalnaker - Ph.D. student (twstalnaker@...)

Nathan Wintersgill - Ph.D. student (njwintersgill@...)


SBOM Survey

Wintersgill, Nathan
 

Dear SPDX Community,

The SEMERU research lab from William and Mary is conducting an online survey to understand issues, needs, and opportunities related to software supply chain management through Software Bill of Materials (SBOMs).

If you have knowledge of or experience with SPDX or other SBOM formats, we would value your participation in this study.

We would greatly appreciate 20-30 minutes of your time to complete the survey: https://wmsas.qualtrics.com/jfe/form/SV_cO4qm1gk3AFunJk.

If you decide to participate, we kindly ask you to complete the survey as soon as possible, ideally within a week. Participating will enter you into a lottery to win one of 10 $50 Amazon gift cards.

Your participation will help us in our mission to better understand the current state of SBOMs in practice and help us provide better resources and tools to developers for managing and securing their own software supply chains.

If you have any questions about our research, our methods, or our survey please do not hesitate to ask. If you have any colleagues who you believe may have valuable domain knowledge and experience, please forward this email and survey to them.

This research is conducted under protocol PHSC-2022-07-14-15722 approved by the IRB at William and Mary.

Thank you for your time,

Oscar Chaparro - Assistant Professor (oscarch@...)

Denys Poshyvanyk - Professor (dposhyvanyk@...)

Trevor Stalnaker - Ph.D. student (twstalnaker@...)

Nathan Wintersgill - Ph.D. student (njwintersgill@...)


FOSDEM 2023 - SBOM devroom info and CfP

Alexios Zavras
 

[this is also available as https://gist.github.com/zvr/c852b4a560ac2c67885c473034cd4a93]

 

# FOSDEM 2023 - SBOM devroom info and CfP

 

## Overview

 

[FOSDEM] is one of the world's premier meetings of free software developers, with thousands of people attending each year.

FOSDEM 2023 will take place on the weekend of 4-5 February 2023 and it will be an in-person event in Brussels once again!

 

For the first time, a track ("devroom") about Software Bill of Materials (SBOM) has been accepted in the conference.

 

## Details

 

The devroom will take place for half a day (09:00-12:50), on Sunday morning, as an in-person event in a room to be announced at a later time.

 

The SBOM Devroom at FOSDEM 2023 is an informal, technical, in-person event oriented to authors, users, and enthusiasts of FLOSS programs that produce, consume, or transform SBOMs.

 

While other domains like construction, mechanical engineering, or even computer hardware have long used the concept of Bill of Materials (BOMs), software traditionally has not followed this best practice. There have been efforts running for over a decade to address this, and recent developments have pushed forward the use and wide adoption of Software BOMs. Since most of today’s software is made up of Open Source, it is important that this information can be accurately conveyed. It includes, but is not limited to, metadata such as name and version but also licensing or security information.

 

The goal of the devroom is for interested people to get in touch with each other, exchange ideas and opinions, have interesting and hopefully productive discussions, and finally what is most important: to have fun.

 

**We are looking for presenters!**

 

## Call for participation

 

We are interested in presentations on any topic related to Software Bill of Materials: content, definitions, standardization efforts, tools, etc.

 

An indicative, non-exclusive, list of topics:

 

- Tools that produce SBOMs or related information

- Tools that consume SBOMs to generate other information

- Case studies and lessons learned from real-life use or introduction of SBOMs

- Use of different types of SBOMs (e.g., Source, Build, Runtime, etc.)

- Linking and verification of SBOMs to other relevant artifacts

- Special areas of interest not covered by current SBOM formats, that need discussion to be included

 

Any effort that would lead to increasing collaboration between different approaches and tools is particularly encouraged.

 

### Key dates

 

- 28 November: Submission deadline

- 16 December: Announcement of selected talks

- 5 February: SBOM devroom in FOSDEM - You must be available in person to present your talk

 

### Submission process

 

Please use the [Pentabarf] system to submit a talk proposal for the devroom. On the "General" tab, please look for the "Track" option and choose "Software Bill of Materials devroom".

Note: if you have used FOSDEM Pentabarf before, please do _not_ create a new account/username but rather use your existing one.

 

### First-time speakers

 

FOSDEM devrooms are a welcoming environment for people who have never given a talk before. Please feel free to contact the devroom administrators personally if you would like to ask any questions about it.

 

### Submission guidelines

 

The Pentabarf system will ask for many of the essential details. Remember to re-use your account from previous years if you have one.

 

We will be looking for relevance to the conference and devroom themes, but essentially any presentation about SBOMs would qualify. Please note that the audience is expected to be _developers_ of Free and Open Source Software and will most probably be _knowledgeable_ in at least some aspects of SBOMs. Therefore aim your presentation accordingly.

 

Feel free to indicate your preferred duration for your presentation between 5 and 30 minutes, but please note that the final decision on duration will be made by the devroom administrators based on the number of accepted proposals. As the overall duration of the devroom is fixed and rather short, no presentation will exceed 30 minutes (including Q&A), so that more speakers can participate. Keep in mind that, as the event will be in-person, we also need to account for switching between speakers. Shorter presentations are **strongly** encouraged!

 

Please note FOSDEM aims to record and live-stream all talks. The CC-BY license is used for the recordings.

 

## Volunteers needed

 

To make the devroom run successfully, we are always looking for volunteers. If you will be attending the devroom and would like to help, please reach out to the organizers!

 

## Spread the word and discuss

 

If you know of any mailing lists or other online venues where this info and CfP would be relevant, please feel free to forward this document.

 

## Contact

 

The organizers of the devroom can be reached by sending email to sbom-devroom-manager@.... Please do not hesitate to contact us if you have any inquiry or suggestion for the devroom.

 

For any private queries, you may also contact the organizers directly:

- Alexios Zavras fosdem@...

- Kate Stewart stewart@...

 

[FOSDEM]: https://fosdem.org

[Pentabarf]: https://penta.fosdem.org/submission/FOSDEM23/

 

 

-- zvr

 

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


SPDX Thurs General Meeting Reminder

Phil Odence
 

EMEA folks- US had not changed clocks yet, so the meeting time at 11EDT is an hour off from normal for you.

 

We will have a special presentation from Thomas Steenbergen about how we have been evolving SPDX to support use cases for security vulnerabilities. This is an especially timely topic as much of the SBOM buzz is around this use case. We’ve made good progress with SPDX 2.3 and more progress is planned for 3.0.

 

GENERAL MEETING

 

Meeting Time: Thurs, Nov 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval: At the bottom of this email

 

Presentation - Thomas

 

Steering Committee Update - Phil

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian/Alexios

 

 

 

SPDX General Meeting Minutes - Oct 6, 2022       

 

## Administrative

* Led by Phil Odence
* Minutes from last meeting approved

### Attendance: 23

## Special Presentation - NTIA Conformance Checker – Josh Lin

* Introducing Josh and GSoC
* NTIA Minimum Elements
* Checker "checks" whether SBOM meets minimum requirements
    * plus one other field, doc version
* Demo
    * Web app
    * Command line available too
* Q&A

## Steering Committee Update

* Wiki freeze
* 2.3 pdf
* Legal Team License List cadence

## Tech Team Report - Gary

### Spec

* 2.3
    * Essentially released
    * Still some remaining "cleanup" items
    * But good to go; ready for use
* 3.0 Core
    * Continuing to work through core model with punchlist
    * Schedule
        * Have been targeting end of 2022
    * looking unlikely
    * Core work is an important dependency
    * Working with CycloneDX on interop including tooling
    * good working relationship
    * aiming for lossless translation between the two
    * trying to include as much joint functionality as possible
* Profiles with active progress towards 3.0
    * Defects -
    * Usage -
    * AI profile -
    * Build profile -
    * New FuSa profile
* Tooling
    * Lots of activity
    * Significant interest in the Maven plugin
    * Fairly significant release of the tools in the next week or so (including Josh's utility)
    * Lots of progress on Go tools

## Legal Team Report - Jilayne, Steve

* Current focus is on processes and documentation
    * ergo less on processing submissions
* However, submissions have ramped up
    * Fedora/Richard Fontana in particular has proposed many new licenses
    * So 32 pending, much higher than normal
    * https://github.com/spdx/license-list-XML/issues - please come and weigh in on submitted issues, re: whether requests fit with the license inclusion principles at https://github.com/spdx/license-list-XML/blob/main/DOCS/license-inclusion-principles.md
* Cadence discussion
    * Has been calendar quarter + 1
    * Looking at major/minor version numbers
    * Open to input from tool vendors on Legal Team mailing list - https://lists.spdx.org/g/Spdx-legal
* Help needed
    * People to do the work
    * Automation of license mark up
* Old licenses
    * Fedora, Debian, FreeBSD collaboration on license archaeology

## Outreach Team Report - Sebastian

* Website
    * Rebuild entering next stage
    * Must meet LF standards
    * Collecting member logos in vector formats (to scale up and down from phone to mega monitor)
* 2.3 pdf
    * SPDX has grown and so has the task
    * Jack has done previous and conversion for the ISO spec
    * Stepping back and building markdown to LaTeX pdf convertor
    * Pandoc has not been effective
    * Tables are a particular problem
    * Perhaps there's an existing, non-Pandoc, tool that would serve
    * Should be addressed in 3.0, built in by design
    * spec generator that Alexios is driving
* Help needed
    * website in particular
    * bringing content over
    * so need
        * writing
        * graphic design
        * web development

## Attendees

* Phil Odence, Synopsys/Black Duck Audits

* Jari Koivisto

* David Edelsohn

* VM Brasseur

* Armin Tanzer

* Gary O'Neall

* William Cox (Synopsys)

* Josh Lin

* Steve Winslow

* Karsten Klein (metaeffekt)

* Alex Rybak (Revenera)

* Bruce

* Brad Goldring (GTC Law Group)

* Jack Manbeck

* Rich Steenwyk (GE Healthcare)

* Bryan Cowan (Fortress)

* Nicolaus Weidner

* Jilayne Lovejoy

* Michael Herzog

* Sebastian Crane

* Molly Menoni

* Marc-Etienne Vargenau

* Ria Schalnat 

 


Re: Unicode

Nathan Willis
 

With the colossal caveat that I am only a **consumer of** Unicode's deliverables, I could speak briefly to the concern at point #3:

On Mon, Oct 31, 2022 at 11:20 AM Till Jaeger via lists.spdx.org <jaeger=jbb.de@...> wrote:

3.
To me it seems that the "Unicode® Copyright and Terms of Use" are more
or less ToU for a website and all redistributables are under "Unicode-DFS".

This is certainly inconvenient, but the Unicode site does host quite a few items with practical application, but which aren't under the "DATA FILES" and "SOFTWARE" hierarchies spelled out in "B" of the TOU.

Namely, there is the whole "Unicode® Technical Site" at the entry point https://unicode.org/main.html ... which is different from the "Unicode site" at the entry point https://home.unicode.org/

Some of that "Technical Site" material covers projects and committees; there are also older documents, proposals, some data tables, things called "annexes" that I'm never 100% sure I understand the status of, and so on. My guess would be that there is a lot of legacy material from the organization's history that simply doesn't have a clear-cut, select-a-license-from-the-dropdown option.

Fortunately, a lot of that material is mostly needed as references, but I can certainly see how occasions would arise where quoting from it is necessary to squash a bug. I've had people attach screenshots from really old Unicode docs in discussion threads. So I wouldn't attempt to weigh in on the other issues (certainly keeping the text up-to-date sounds vital), but merely dropping the license from SPDX would likely affect (a few) projects downstream.

Nate

--
nathan.p.willis
nwillis@...


Unicode

Till Jaeger
 

Dear all,

I'm wondering why https://spdx.org/licenses/Unicode-TOU.html is (still)
part of the license list. Could it be deprecated?

1.
First of all, the current text of the "Unicode® Copyright and Terms of
Use" is quite different from the text which is referenced at
https://spdx.org/licenses/Unicode-TOU.html (SPDX License Diff is very
helpful to show the differences - thanks again to Alan Tse).

2.
Sec. C.3 of the current version refers to the "Unicode Data Files and
Software License":

"Further specifications of rights and restrictions pertaining to the use
of the Unicode DATA FILES and SOFTWARE can be found in the Unicode Data
Files and Software License."

The "Unicode Data Files and Software License"
(https://www.unicode.org/license.txt) is similar but not identical to
"https://spdx.org/licenses/Unicode-DFS-2016.html".

3.
To me it seems that the "Unicode® Copyright and Terms of Use" are more
or less ToU for a website and all redistributables are under "Unicode-DFS".

4.
Unicode modifies the "year" within the copyright notice from year to
year. The "Unicode Data Files and Software License" provides as follows:

"this copyright and permission notice appear with all copies
of the Data Files or Software"

Would this require identifying in which year the data and/or software
was copied from the Unicode website to use the license text with the
correct year? Would it be sufficient to use the most recent version of
the license text? Should this be reflected in the SPDX identifier?


Is there anybody with more background information who can give some
assistance?

Best regards,

Till


IMPORTANT REMINDER: Telco Work Group meeting today - Telco SBOM Spec in Drafting

 

Dear all

The OpenChain Telco Work Group has a meeting today at 17:00 CEST (15:00 UTC).

This meeting will be of special interest to anyone working on matters related to SBOMs, as the work group is currently drafting a telco spec related to this topic:
https://github.com/OpenChain-Project/telco/blob/main/OpenChain%20Telco%20SBOM%20Specification.md

Absent other pressing agenda items, the call today will focus on collecting feedback for this specification via issues submitted live on the call (by the chair) or offline (by you directly).

Join us:
https://zoom.us/j/4377592799

Regards

Shane


Shane Coughlan
General Manager, OpenChain
e: scoughlan@...
p: +81 (0) 80 4035 8083
w: www.linuxfoundation.org

Schedule a call:
https://meetings.hubspot.com/scoughlan


SPDX Thurs General Meeting Reminder

Phil Odence
 

This month’s presentation will be one of the ever popular reports on a Google Summer of Code project:

 

Project Title: NTIA Conformance Checker – Josh Lin

 

Project Abstract: This project implemented an NTIA Conformance Checker that checks whether a software bill of materials (SBOM) in SPDX format conforms to the NTIA’s Minimum elements guidance.

 

Project Overview: The minimum constituent parts of an overall Software Bill of Material (SBOM) – referred to as NTIA’s minimum elements – are three broad, interrelated areas (Data Fields, Automation Support, and Practices and Processes). These elements will enable an evolving approach to software transparency, capturing both the technology and the functional operation. The purpose of this project is to check if an SBOM document contains the minimum required data fields such as the supplier name, component name, component version, unique identifiers, dependency relationships, author of the SBOM, and timestamps.

 

About Josh:

I am a 2nd year computer science student at the University of British Columbia and I am currently on a co-op term. I participated in Google Summer of Code 2022 as an open source contributor and it was through this program that I built the NTIA Conformance Checker under the guidance of my mentors Jeff, Nisha, Gary, and Kate.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Oct 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval: https://github.com/spdx/meetings/blob/main/general/2022-09-01.md

 

Steering Committee Update – Phil

 

GSOC Presentation  – Josh Lin

 

Technical Team Report – Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Sebastian/Alexios
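The following is an added example for this digest, not the GSoC NTIA Conformance Checker itself: it checks an SPDX 2.3 JSON document for the minimum data fields named in the project abstract above (supplier name, component name, component version, unique identifiers, dependency relationships, SBOM author and timestamp). The sample document, its identifiers and the `check_sbom_text` helper are constructed for this illustration.

```python
"""Check an SPDX 2.x JSON document for the NTIA minimum data fields.

Added example; not the GSoC NTIA Conformance Checker. Fields checked are
the ones the project abstract lists: supplier name, component name,
component version, unique identifiers, dependency relationships, SBOM
author and timestamp.
"""
import json

# Constructed sample SPDX 2.3 document (not any real project's SBOM).
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "creationInfo": {
        "created": "2022-10-03T15:00:00Z",
        "creators": ["Tool: example-generator-0.1", "Organization: Example Org"],
    },
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app",
         "versionInfo": "1.2.0", "supplier": "Organization: Example Org",
         "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-lib", "name": "example-lib",
         "versionInfo": "0.9.1", "supplier": "Organization: Example Lib Authors",
         "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/example-lib@0.9.1"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-lib"},
    ],
}
SAMPLE_JSON = json.dumps(SAMPLE_DOC)


def check_minimum_elements(doc: dict) -> list:
    """Return human-readable findings; an empty list means every field is present."""
    findings = []

    # Author of the SBOM and timestamp live in creationInfo.
    info = doc.get("creationInfo", {})
    if not info.get("creators"):
        findings.append("document: missing SBOM author (creationInfo.creators)")
    if not info.get("created"):
        findings.append("document: missing timestamp (creationInfo.created)")

    # Per-component fields: name, version, supplier, unique identifier.
    packages = doc.get("packages", [])
    if not packages:
        findings.append("document: no packages listed")
    seen_ids = set()
    for pkg in packages:
        label = pkg.get("name") or pkg.get("SPDXID") or "<unnamed>"
        if not pkg.get("name"):
            findings.append(f"{label}: missing component name")
        if not pkg.get("versionInfo"):
            findings.append(f"{label}: missing component version")
        supplier = pkg.get("supplier")
        if not supplier or supplier == "NOASSERTION":
            findings.append(f"{label}: missing supplier name")
        spdxid = pkg.get("SPDXID")
        if not spdxid:
            findings.append(f"{label}: missing unique identifier (SPDXID)")
        elif spdxid in seen_ids:
            findings.append(f"{label}: duplicate SPDXID {spdxid}")
        else:
            seen_ids.add(spdxid)

    # Dependency relationships: every package must take part in at least one
    # relationship (DESCRIBES from the document, DEPENDS_ON, CONTAINS, ...).
    referenced = set()
    for rel in doc.get("relationships", []):
        referenced.add(rel.get("spdxElementId"))
        referenced.add(rel.get("relatedSpdxElement"))
    for spdxid in sorted(seen_ids):
        if spdxid not in referenced:
            findings.append(f"{spdxid}: not referenced by any relationship")
    return findings


def check_sbom_text(text: str) -> list:
    """Convenience wrapper for a JSON document held as a string."""
    return check_minimum_elements(json.loads(text))


if __name__ == "__main__":
    for line in check_sbom_text(SAMPLE_JSON) or ["conformant: all minimum data fields present"]:
        print(line)
```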

 

 

 

 


General release of SAG-PM Version 1.2 with support for SPDX Version 2.3

Dick Brooks
 

REA is pleased to announce the general availability of SAG-PM Version 1.2 with support for SPDX V 2.3 and CycloneDX V 1.4.

This release satisfies the requirements outlined in OMB memo M-22-18 published on September 14.

 

https://www.linkedin.com/posts/richard-dick-brooks-8078241_reliable-energy-analytics-llc-activity-6980932569018081280-pjaC/?utm_source=share&utm_medium=member_desktop

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Wednesday, September 14, 2022 5:13 PM
To: 'SPDX Technical Mailing List' <spdx-tech@...>
Subject: [spdx-tech] FYI: New White House Memo issued today outlining SBOM implementation guidance for Executive Order 14028

 

Parties interested in actual SBOM implementation guidance should refer to this White House Memo, issued September 14, 2022:

https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 


New Change Proposal process

J Lovejoy
 

Dear SPDX community,

As mentioned on a couple of the general calls some time ago, the Steering Committee has been working on a Change Proposal template and process to facilitate communication, prioritization, and decision-making as to what major changes the project will work on. 

As the community has grown, we want to ensure we have a way to discuss new ideas in a timely manner, decide on what will get implemented, and then follow-through on that plan. Many projects use a template for describing new ideas and proposals, which ensures everyone is clear on what is being proposed, why, and how it fits into the bigger picture. 

To this end a new GitHub repo has been created (https://github.com/spdx/change-proposal) with a description of the process and a Change Proposal template.  Having a separate repo will provide a place for new ideas to start and make it easier to manage notifications. The intention is that this process will be used for more significant changes - not day-to-day activities or things already in flight. As to what changes use this process or not, we will refine guidance on that as needed. 

We also thought it’d be good for a Steering Committee member to lead by example and submit the first Change Proposal. To that end, Alexios has volunteered to do so!

Thanks to Vicky Brasseur and Ria Schalnat for their excellent help in drafting this and the Steering Committee for bringing it to fruition. 

Jilayne
(on behalf of SPDX Steering Committee)




SPDX Thurs (today) General Meeting Reminder

Phil Odence
 

It’s September! Apologies for the late reminder. I just never hit send yesterday.

 

Note that the minutes from the August meeting are at the bottom of this email.

 

This month, there will be no special presentation per se, however the Steering Committee update will be extended and will include Jilayne presenting a new process to facilitate expedient decision making around new ideas that have cross team impact or would represent a big change for the overall project.

 

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 


 

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Sept 1, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval: At the bottom of this email

 

Steering Committee Update - Phil

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian/Alexios

 

 

 

SPDX General Meeting Minutes - Aug 4, 2022

Administrative

Attendance: 29

  • Led by Phil Odence, Steve Winslow
  • Minutes from last meeting approved

Special Presentation, Matthew Crawford

  • A New Era for SPDX at Arm: Are we ready for change? (recording available, insert link later)
  • Thanks to Jilayne, Sami Atabani and SPDX team
  • Old system (ultimately non-std BoM format)
  • Towards generating SPDX
  • New tooling "hot off the press"

Tech Team Report - Gary/Kate/WilliamB

Spec

  • SPDX 2.3 release window - 6 days left. If you see any issues, raise in GitHub, or on tech team email list
    • RC1 window - no roadblocks raised yet.
    • Schema available and tool creators requested to experiment and raise issues.
    • Joshua - CVE reporting added, not clear how to use it. Gary: using external references to refer to CVEs, as well as other security types. Any way to indicate a specific CVE has been fixed? VEX document may be an option. Recommend going to defects working group.
    • Java tools have been implemented, will be published after 2.3 release is out.
  • GSoC checkpoint - Alexios
    • just passed half-time mark, steady progress on both projects.
  • SPDX 3.0 Model
    • Good progress on identities, updated in repo. See: SPDX v3 model diagram https://github.com/spdx/spdx-3-model/blob/main/model.png
    • AI BOM profile - discussed in 2 parts - AI App/Model & Data sets
    • Build Profile - making steady progress
    • Defects - looking at what should be in 3.0 now, use-cases welcome
    • Usage -

Legal Team Report - Jilayne/Paul/Steve

Outreach Team Report - Sebastian / Jack / Alexios

  • GSoC - mentioned above
  • general activity, making improvements to outreach team Landscape with Wipro volunteer assistance (thanks Vicky and others!)
  • logos for SPDX's own tools - seeking folks with graphic design talents
    • can explore with LF marketing (Steve will help with LF interaction)
    • noted at OpenSSF - using AI image generators
    • Meeting time is changing to shorter weekly 30 minute meetings.

Attendees

  • Phil Odence, Synopsys/Black Duck Audits
  • Matthew Crawford (Arm)
  • Kate Stewart
  • Gary O'Neall
  • Jilayne Lovejoy (Red Hat)
  • Jari Koivisto
  • Sebastian Crane
  • Alexios Zavras
  • Steve Winslow
  • Ray Lutz (Citizensoversight.org)
  • Akbar (Arm)
  • Alex Rybak (Revenera)
  • Alfredo Espinosa
  • Andrew Jorgenson
  • Brad Goldring (GTC Law Group)
  • Bryan Cowan
  • Christopher Lusk
  • David Edelsohn
  • Jeff H.
  • Karsten Klein
  • Molly Menoni
  • Rich Steenwyk
  • Shailja Kumari
  • Joshua Watt
  • Ria Schalnat
  • Stephen Reeves
  • Janet
  • VM Brasseur
  • Jeff Schutt

 

 

 

 


Re: SPDX Merging #spdx

Ivana Atanasova
 

Hi,

 

Just made the sbom-composer tool public. It’s been only run with sboms that I generated, so would be very happy to hear your feedback and do any following updates if necessary.

 

Joe, it does the merge based on these guidelines. As an example these two sboms result in this composed.spdx. Shortly, it just appends the data without the document creation information, allows the latter to be configurable and updates the references. Would be happy to hear your feedback if any.

 

Best,

Ivana

 

---

Ivana Atanasova

Open Source Engineer

VMware Open Source Program Office

 

From: spdx@... <spdx@...> on behalf of Joe Bussell via lists.spdx.org <joe.bussell=microsoft.com@...>
Date: Tuesday, 9 August 2022, 20:09
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Merging #spdx

Shouldn’t this be done by creating a third SBOM that refers back to the subordinate SBOMs, including all three in the result chain?

 

From: spdx@... <spdx@...> On Behalf Of Gary O'Neall via lists.spdx.org
Sent: Monday, August 8, 2022 10:07 AM
To: spdx@...
Subject: [EXTERNAL] Re: [spdx] SPDX Merging #spdx

 

I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any Java programmers out there who would like to volunteer a solution are welcome to create a pull request.

 

Regards,

Gary

 

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 4:07 AM
To:
spdx@...
Subject: [spdx] SPDX Merging #spdx

 

Hi All, 
Is there any tool to merge two SPDX files?

Regards
Sandeep 
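An added example, not the sbom-composer tool, that follows the approach Ivana describes above: the packages, files and relationships of the inputs are appended, creation information comes from a configurable argument instead of being copied, and every SPDXRef identifier is rewritten with a per-input prefix so the same ID in two inputs cannot collide. The two input documents, the `doc<n>` prefix scheme and the placeholder documentNamespace are assumptions of this example.

```python
# Added example: compose several SPDX 2.x JSON documents into one. Not the
# sbom-composer tool; the input documents and prefix scheme are constructed.
import json
from copy import deepcopy

# Two constructed SPDX 2.3 documents. Both use "SPDXRef-Package" for their
# main package, which is the collision the reference rewrite must resolve.
DOC_A = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "service-a",
    "creationInfo": {"created": "2022-08-01T10:00:00Z", "creators": ["Tool: gen-a"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package", "name": "service-a", "versionInfo": "1.0.0",
         "downloadLocation": "NOASSERTION", "hasFiles": ["SPDXRef-File-main"]},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.12",
         "downloadLocation": "NOASSERTION"},
    ],
    "files": [{"SPDXID": "SPDXRef-File-main", "fileName": "./main.go"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package"},
        {"spdxElementId": "SPDXRef-Package", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-zlib"},
    ],
}
DOC_B = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "service-b",
    "creationInfo": {"created": "2022-08-02T10:00:00Z", "creators": ["Tool: gen-b"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package", "name": "service-b", "versionInfo": "2.1.0",
         "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package"},
    ],
}

# References left untouched: the composed document's own ID and the SPDX
# "no value" markers.
_KEEP = {"SPDXRef-DOCUMENT", "NOASSERTION", "NONE"}


def rewrite_ref(ref: str, prefix: str) -> str:
    """Namespace an element reference with the input's prefix."""
    if ref in _KEEP or not ref.startswith("SPDXRef-"):
        return ref
    return "SPDXRef-" + prefix + "-" + ref[len("SPDXRef-"):]


def compose(docs: list, creation_info: dict, name: str = "composed") -> dict:
    """Append the elements of every input under a fresh document header."""
    out = {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT", "name": name,
        # Placeholder namespace; a real composer would generate a unique URI.
        "documentNamespace": "https://example.invalid/spdx/" + name,
        "creationInfo": creation_info,  # configurable, never copied from inputs
        "packages": [], "files": [], "relationships": [],
    }
    for index, doc in enumerate(docs):
        prefix = "doc%d" % index  # assumed prefix scheme
        for key in ("packages", "files"):
            for element in doc.get(key, []):
                copied = deepcopy(element)
                copied["SPDXID"] = rewrite_ref(copied["SPDXID"], prefix)
                if "hasFiles" in copied:
                    copied["hasFiles"] = [rewrite_ref(f, prefix) for f in copied["hasFiles"]]
                out[key].append(copied)
        for rel in doc.get("relationships", []):
            out["relationships"].append({
                "spdxElementId": rewrite_ref(rel["spdxElementId"], prefix),
                "relationshipType": rel["relationshipType"],
                "relatedSpdxElement": rewrite_ref(rel["relatedSpdxElement"], prefix),
            })
    return out


def dangling_references(doc: dict) -> list:
    """Return relationship endpoints that resolve to no element in doc."""
    ids = {doc["SPDXID"]}
    for key in ("packages", "files"):
        ids.update(e["SPDXID"] for e in doc.get(key, []))
    missing = []
    for rel in doc.get("relationships", []):
        for ref in (rel["spdxElementId"], rel["relatedSpdxElement"]):
            if ref not in ids and ref not in _KEEP:
                missing.append(ref)
    return missing


if __name__ == "__main__":
    merged = compose([DOC_A, DOC_B], {"created": "2022-08-10T00:00:00Z",
                                      "creators": ["Tool: composer-example"]})
    print(json.dumps(merged, indent=2))
    print("dangling references:", dangling_references(merged))
```

Running `dangling_references` on the result is the check worth keeping after any merge: a rewrite that misses one reference field shows up there as a relationship pointing at an element that no longer exists.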

 



Re: SPDX Merging #spdx

Joe Bussell
 

Shouldn’t this be done by creating a third SBOM that refers back to the subordinate SBOMs, including all three in the result chain?

 

From: spdx@... <spdx@...> On Behalf Of Gary O'Neall via lists.spdx.org
Sent: Monday, August 8, 2022 10:07 AM
To: spdx@...
Subject: [EXTERNAL] Re: [spdx] SPDX Merging #spdx

 

I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any Java programmers out there who would like to volunteer a solution are welcome to create a pull request.

 

Regards,

Gary

 

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 4:07 AM
To: spdx@...
Subject: [spdx] SPDX Merging #spdx

 

Hi All, 
Is there any tool to merge two SPDX files?

Regards
Sandeep 


Re: SPDX Merging #spdx

Ivana Atanasova
 

Hi,

 

I’m currently working on a composer tool that supports merging. Shortly to be open-sourced.

 

Best,

Ivana

 

---

Ivana Atanasova

Open Source Engineer

VMware Open Source Program Office

 

From: spdx@... <spdx@...> on behalf of Gary O'Neall via lists.spdx.org <gary=sourceauditor.com@...>
Date: Monday, 8 August 2022, 20:07
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Merging #spdx

I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any Java programmers out there who would like to volunteer a solution are welcome to create a pull request.

 

Regards,

Gary

 

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 4:07 AM
To: spdx@...
Subject: [spdx] SPDX Merging #spdx

 

Hi All, 
Is there any tool to merge two spdx file ? 

Regards
Sandeep 

 



Re: SPDX Merging #spdx

Gary O'Neall
 

I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any Java programmers out there who would like to volunteer a solution are welcome to create a pull request.

 

Regards,

Gary

 

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 4:07 AM
To: spdx@...
Subject: [spdx] SPDX Merging #spdx

 

Hi All, 
Is there any tool to merge two spdx file ? 

Regards
Sandeep 


Re: SPDX Signing #spdx

Brandon Lum
 

Cosign also has a format for doing this: https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md

(Different from the attestation I just sent)


Re: SPDX Signing #spdx

Brandon Lum
 

I've been signing and uploading them with sigstore as an intoto predicate, but not using the intoto specified spdx schema but instead pointing to a URI. Since sigstore has a limit on attestation size and this (point to a URI) also allows one to defer authorization of the blob to a storage server and point to a collection of documents.

Still in draft, but this is an approximation of what we're using

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "http://google.com/sbom",
  "subject": [
    {
      "name": "binary-linux-amd64",
      "digest": {
        "sha256": "f2e59e0e82c6a1b2c18ceea1dcb739f680f50ad588759217fc564b6aa5234791"
      }
    }
  ],
  "predicate": {
    "sboms": [
      {
        "format": "SPDX",
        "digest": {
          "sha256": "02948ad50464ee57fe237b09054c45b1bff6c7d18729eea1eb740d89d9563209"
        },
        "uri": "https://github.com/lumjjb/sample-golang-prov/releases/download/v1.3/binary.spdx"
      }
    ],
    // BuildMetadata is optional, but is used for provenance verification in the event SLSA 
    // provenance is not available. Specific to github actions workflow.
    "build-metadata": {
      "artifact-source-repo": "https://github.com/lumjjb/sample-golang-prov",
      "artifact-source-repo-commit": "c8cb5f292c77064aeabb488ea4f5e483a5073076",
      "attestation-generator-repo": "https://github.com/lumjjb/slsa-github-generator-go",
      "attestation-generator-repo-commit": "6948f4c67f6bca55657fe1fb3630b55b1714ef2d"
    }
  }
}
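How a consumer would act on a statement of the shape above, as an added example that is not code from the message or from sigstore/cosign: the SBOM is fetched from the recorded URI but accepted only if its SHA256 matches the attested digest, after checking that the artifact in hand is the statement's subject. The artifact bytes, SBOM bytes and URI are constructed, and the signature on the enclosing envelope is assumed to have been verified already.

```python
import hashlib
import json

# Constructed stand-ins (not the real binary or SBOM from the message): the built
# artifact and the SPDX document that the attestation's "uri" would resolve to.
ARTIFACT = b"\x7fELF constructed-binary-linux-amd64"
SBOM_BYTES = b"SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\n"
SBOM_URI = "https://example.invalid/releases/v1.3/binary.spdx"  # hypothetical location

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def make_statement(subject_name, artifact, sbom_bytes, uri):
    """Statement payload (JSON text) in the shape of the draft above, with real digests."""
    return json.dumps({
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "http://google.com/sbom",
        "subject": [{"name": subject_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicate": {"sboms": [{"format": "SPDX", "digest": {"sha256": sha256_hex(sbom_bytes)},
                                 "uri": uri}]},
    })

def check_sbom_reference(statement_json, artifact, fetch):
    """Return the problems found when binding an artifact to its SBOM through the statement;
    an empty list means every digest matched. fetch(uri) returns whatever the storage server
    served, which is why the attested digest, not the URI, is what is trusted. Assumes the
    signature on the enclosing envelope has already been verified."""
    stmt = json.loads(statement_json)
    problems = []
    if stmt.get("_type") != "https://in-toto.io/Statement/v0.1":
        problems.append("unexpected statement type")
    if stmt.get("predicateType") != "http://google.com/sbom":
        problems.append("unexpected predicate type")
    if not any(s["digest"].get("sha256") == sha256_hex(artifact) for s in stmt.get("subject", [])):
        problems.append("artifact is not a subject of this statement")
    for entry in stmt.get("predicate", {}).get("sboms", []):
        if entry.get("format") != "SPDX":
            continue
        if sha256_hex(fetch(entry["uri"])) != entry["digest"]["sha256"]:
            problems.append(f"SBOM at {entry['uri']} does not match the attested digest")
    return problems
```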






Re: SPDX Signing #spdx

Steve Kilbane
 

May as well throw out a plug for https://openssf.org/, and for https://www.sigstore.dev/ in particular, here.

 

A recent* Open Source Summit session gave an example of signing SBOMs using sigstore, if I recall correctly, though I don’t recall the details.

 

steve

 

* I say “recent” – could have been SupplyChainSecurityCon back in October. My sense of time is out of whack since the pandemic.

 



Re: SPDX Signing #spdx

hectorf@...
 

Sandeep,

I know it is not a guideline. But we generally use sigstore/cosign to sign SBOMs. In the near future, we might start injecting the SBOM as part of an in-toto attestation, so it is signed and potentially contains more metadata.

Hector


Re: SPDX Signing #spdx

Dick Brooks
 

Sandeep,

 

I’m not aware of any specific guidelines for signing SBOMs (SPDX and CycloneDX).

REA signs SBOMs using PGP as this seems to be the easiest method to sign stand-alone text files, including SBOMs.

We simply have to make our public key available for verification of signed SBOMs.

The IETF is working on a new supply chain integrity, transparency and trust initiative (SCITT) that aims to produce a method for signing and verifying attestations, including SBOMs.

https://github.com/ietf-scitt

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 7:08 AM
To: spdx@...
Subject: [spdx] SPDX Signing #spdx

 

Hi All,
Is there any guidelines to sign SPDX file ? 

Regards
Sandeep 
