
Re: SPDX Generator with RefIDs and package hierarchy

Gary O'Neall
 

Hi Daniel,

 

I take it by refID you’re referring to the SPDX ID for the packages.

 

There are a few tools out there that can build SBOMs with the dependency maps.  You can find information on some of the tools here: https://spdx.dev/resources/tools/ - but I’ll admit this page may not be completely up to date and doesn’t answer your question specifically.

 

I will point to one of the tools I maintain – the SPDX Maven Plugin.  This provides a “documentDescribes” SPDX Package for the package being built by Maven and dependency information for all Packages referenced.  By default, transitive dependencies are included in the SBOM – but there is an option to turn that off and only include the top level dependencies.

 

I believe the opensbom-generator also produces SBOMs with the dependency information – but those on this email list maintaining this repo can correct me if I’m wrong.

 

Others – feel free to chime in with other tools.

 

Regards,
Gary

 

From: spdx@... <spdx@...> On Behalf Of daniel@...
Sent: Thursday, March 9, 2023 10:39 AM
To: spdx@...
Subject: [spdx] SPDX Generator with RefIDs and package hierarchy

 

All,
I feel like I'm missing something obvious here, but which SBOM generators actually generate SPDX SBOMs that (1) have refIDs for the overall asset (documentDescribes), and (2) have package dependency hierarchy information, i.e. something that I could use to build a tree visualization of how the software dependencies are introduced into the main piece of software?

Thanks,
Daniel


SPDX Generator with RefIDs and package hierarchy

daniel@...
 

All,
I feel like I'm missing something obvious here, but which SBOM generators actually generate SPDX SBOMs that (1) have refIDs for the overall asset (documentDescribes), and (2) have package dependency hierarchy information, i.e. something that I could use to build a tree visualization of how the software dependencies are introduced into the main piece of software?

Thanks,
Daniel
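The two pieces Daniel asks for (the documentDescribes root and the package dependency relationships) are exactly what a tree visualization needs, and Gary's reply describes the Maven plugin emitting them. The script below is an added example, not code from the thread or from any SPDX project tool: it reads the SPDX 2.x JSON layout (documentDescribes, packages[].SPDXID, relationships[] of type DESCRIBES, DEPENDS_ON and DEPENDENCY_OF), builds the tree from the described root packages downward, and marks cycles so a malformed or circular SBOM cannot send the walk into infinite recursion. The sample document and all function names are constructed for the example.

```python
"""Build a dependency tree from an SPDX 2.x JSON document (added example)."""
import json
from collections import defaultdict

# Constructed sample SBOM; not the output of any real generator.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "documentDescribes": ["SPDXRef-Package-app"],
  "packages": [
    {"SPDXID": "SPDXRef-Package-app",  "name": "example-app",  "versionInfo": "1.0.0"},
    {"SPDXID": "SPDXRef-Package-web",  "name": "webframework", "versionInfo": "4.2.1"},
    {"SPDXID": "SPDXRef-Package-json", "name": "jsonlib",      "versionInfo": "2.9.0"},
    {"SPDXID": "SPDXRef-Package-log",  "name": "loglib",       "versionInfo": "1.4.0"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT",     "relationshipType": "DESCRIBES",     "relatedSpdxElement": "SPDXRef-Package-app"},
    {"spdxElementId": "SPDXRef-Package-app",  "relationshipType": "DEPENDS_ON",    "relatedSpdxElement": "SPDXRef-Package-web"},
    {"spdxElementId": "SPDXRef-Package-app",  "relationshipType": "DEPENDS_ON",    "relatedSpdxElement": "SPDXRef-Package-log"},
    {"spdxElementId": "SPDXRef-Package-json", "relationshipType": "DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-Package-web"},
    {"spdxElementId": "SPDXRef-Package-log",  "relationshipType": "DEPENDS_ON",    "relatedSpdxElement": "SPDXRef-Package-json"}
  ]
}
"""


def load_sample():
    """Parse the constructed sample document into a dict."""
    return json.loads(SAMPLE_SPDX_JSON)


def root_ids(doc):
    """Root packages: documentDescribes plus any DESCRIBES relationship from the document itself."""
    roots = list(doc.get("documentDescribes", []))
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == doc["SPDXID"]:
            if rel["relatedSpdxElement"] not in roots:
                roots.append(rel["relatedSpdxElement"])
    return roots


def dependency_edges(doc):
    """Adjacency list parent -> [children]; DEPENDENCY_OF is the reverse of DEPENDS_ON."""
    edges = defaultdict(list)
    for rel in doc.get("relationships", []):
        kind = rel["relationshipType"]
        if kind == "DEPENDS_ON":
            src, dst = rel["spdxElementId"], rel["relatedSpdxElement"]
        elif kind == "DEPENDENCY_OF":
            src, dst = rel["relatedSpdxElement"], rel["spdxElementId"]
        else:
            continue
        if dst not in edges[src]:
            edges[src].append(dst)
    return edges


def build_tree(doc):
    """Expand each root into nested nodes; a node already on the current path is flagged as a cycle."""
    names = {p["SPDXID"]: f'{p["name"]}@{p.get("versionInfo", "?")}' for p in doc.get("packages", [])}
    edges = dependency_edges(doc)

    def expand(spdx_id, path):
        label = names.get(spdx_id, spdx_id)  # unknown SPDXIDs are shown raw rather than dropped
        if spdx_id in path:
            return {"id": spdx_id, "label": label, "cycle": True, "children": []}
        return {"id": spdx_id, "label": label, "cycle": False,
                "children": [expand(c, path | {spdx_id}) for c in edges.get(spdx_id, [])]}

    return [expand(r, frozenset()) for r in root_ids(doc)]


def render(nodes, depth=0):
    """Indented text lines, one per node, for a quick terminal view of the tree."""
    lines = []
    for node in nodes:
        suffix = " (cycle)" if node["cycle"] else ""
        lines.append("  " * depth + node["label"] + suffix)
        lines.extend(render(node["children"], depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(load_sample()))))
```

Transitive dependencies appear under every parent that pulls them in (jsonlib shows twice above), which is what a tree view wants; a flat de-duplicated list is the wrong shape for answering "how did this package get here".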


Re: Link to US National Cybersecurity Strategy posted today

Alfred Strauch
 

On Thu, Mar 2, 2023 at 10:58 AM Dick Brooks <dick@...> wrote:

https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

 

Note references to SBOM and NIST/CISA role in driving regulations.

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 



--
Alfred Strauch
President
SmartTalk Security Inc.

Email: alfred@...

          




Re: SPDX in GSoC 2023!

Rahul
 

Hello!

Congratulations to spdx for being accepted into GSoC 2023 as an organisation!

I'm Rahul and I would love to contribute to fixing manifest parsers for the SPDX generator. I've gone through the resources available on https://github.com/spdx/GSoC and have also been lurking around the project, and it seems interesting.

Although I couldn't find any good-first-issues to start with, I'll try to take a stab at triaging the other issues!

PS: Do suggest if I'm missing anything else to start with.

 

Rahul. 


Link to US National Cybersecurity Strategy posted today

Dick Brooks
 

https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

 

Note references to SBOM and NIST/CISA role in driving regulations.

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 


Thursday SPDX General Meeting Reminder

Phil Odence
 

Hello all,

 

Max Huber of TNG Technology Consulting will be presenting on Thursday:

  • In this presentation, Max will give a brief update of the recent development in the Python Tools. It went through a huge refactoring and is now ready for 3.0. Max will also present how it can be a helpful tool to test assumptions and serializations of SPDX3
  • Max started developing with SPDX more than 7 years ago, when he added SPDX2.0 import and export support to FOSSology. Since then, he is an active member in the SPDX community. He also participates in a lot of compliance tooling projects.

Please note that last meeting’s minutes are not yet “pulled” into GitHub, so I have included them at the bottom.

 

Also, a reminder that March 15 is the deadline for nominating Leads for the three vacancies, one on each team. And, shortly, a notification will be going out to main points of contact at SPDX member companies to solicit Member Rep nominations in the same timeframe. (See my Feb 15 email for details.)

 

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 


 

 

 

 

Meeting Time: Thurs, March 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval: At the bottom of this email

  

Steering Committee Update - Phil

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian/Alexios

 

 

****

 

#SPDX General Meeting Minutes - February 2, 2023

Administrative

  • Lead by Phil Odence
  • Minutes from last meeting approved.

Attendance: 25

Steering Committee Update - Phil

  • Anyone have special presentation ideas?
  • Steering Committee membership heads up
  • GSOC
  • Cyclone DX meeting

Tech Team Report - William, Kate

  • https://github.com/spdx/meetings/blob/goneall-patch-7/tech/2022-12-20.md
  • SPDX 3.0
    • Core Profile - William/Gary/Kate
      • good progress making it through the remaining model punch list
      • started documenting the spec itself in the SPDX 3 model repo: github.com/spdx/spdx-3-model
      • model up and profile groups are filling in
    • Licensing Profile - Steve/Alexios
    • Security Profile - Thomas/Jeff
    • Build Profile - Brandon/Nisha
    • Usage Profile - Ito/Ninjouji/Asaba/Kobota
    • AI & Dataset Profile - Gopi/Karen/Kate
      • One group, two different profiles
    • Functional Safety - Nicole/Kate
      • Good progress
      • Presentation from Nicole at Fosdem
        • will be streamed
        • May need to add some new types and relationships
    • Canonicalization
    • Serialization
    • Hardware Profile
    • Implementers
      • Working on what makes a quality SBOM
  • Tools
    • Python version officially released on PyPI
    • Performance improvements on the Java tooling
    • Good activity and improvements on the Golang tools
    • Rust tools in process
    • Help welcome on all of the above

Legal Team Update - Jilayne/Steve/Paul

  • 3.20 release
    • pushed back to mid Feb (instead of end of Jan)
    • about 40 open issues related to new license requests (lots from Fedora)
    • could use help sorting through
    • how to help is well-documented
  • Change proposal in play

Outreach Team Update - Sebastian/Alexios/Jack

  • Website is in play
    • Proceeding nicely
    • Using a programming environment called Nix
      • Will allow staging to review changes easily
      • All community members will be able to access this
  • Reviewing charter for team
    • Will run by Steering Committee
    • Next few weeks

Attendees

  • Alex Rybak (Revenera)
  • Alfred L Strauch
  • Artem Mygaiev
  • Bob Martin
  • Brad Goldring - GTC Law Group
  • Bruce Robertson
  • David Edelsohn, IBM
  • Jari Koivisto, KPMGI
  • Jeff Hart, M2 Technology
  • Jack Manbeck, TI
  • Jilayne Lovejoy, Red Hat
  • Jim Vitrano
  • Joseph Silvia, OrielStat
  • Juliya Rubin
  • Karen Bennet
  • Kate Stewart
  • Mark Atwood, Amazon
  • Mike McDonel, Manifest
  • Phil Odence, Black Duck Audits, Synopsys
  • Sanat Basavaraj Bennur
  • Saul Wold, Wind River
  • Sebastian Crane
  • Steven Carbno , Smart Talk Beacon
  • Trevor Stalnaker, W&M Researcher
  • William Cox, Synopsys

 


Re: JSON schema v2.2 PACKAGE_MANAGER discrepancy

Gary O'Neall
 

Hi Keith,

 

Please feel free to create an issue and/or a pull requests for the 2.2 JSON schema update.

 

If there are no objections, we can merge it into the 2.2 spec branch.


Thanks,
Gary

 

From: spdx@... <spdx@...> On Behalf Of Keith Zantow via lists.spdx.org
Sent: Wednesday, February 22, 2023 9:47 AM
To: spdx@...
Subject: [spdx] JSON schema v2.2 PACKAGE_MANAGER discrepancy

 

Hi All,

 

There has been a small discrepancy in the SPDX 2.2 JSON schema and the SPDX spec for a while: the 2.2 spec indicates External Reference Category should have a value of: SECURITY | PACKAGE-MANAGER | PERSISTENT-ID | OTHER, however the latest JSON schema has values of: "OTHER", "PERSISTENT_ID", "SECURITY", "PACKAGE_MANAGER". Note the differences between dash and underscore.

 

As I understand it, the guidance has been that tools should accept both values (e.g. PACKAGE_MANAGER and PACKAGE-MANAGER).

 

Would it be possible to get a new version of the 2.2 schema published that includes the correct values?

 

The 2.3 schema already has this, but some users are still tied to 2.2 and it would be nice to have this corrected so documents adhering to the SPDX spec are also valid against the JSON schema.

 

Would a GitHub issue be a better place for this request?

 

Thanks,

-Keith Zantow


JSON schema v2.2 PACKAGE_MANAGER discrepancy

Keith Zantow
 

Hi All,

There has been a small discrepancy in the SPDX 2.2 JSON schema and the SPDX spec for a while: the 2.2 spec indicates External Reference Category should have a value of: SECURITY | PACKAGE-MANAGER | PERSISTENT-ID | OTHER, however the latest JSON schema has values of: "OTHER", "PERSISTENT_ID", "SECURITY", "PACKAGE_MANAGER". Note the differences between dash and underscore.

As I understand it, the guidance has been that tools should accept both values (e.g. PACKAGE_MANAGER and PACKAGE-MANAGER).

Would it be possible to get a new version of the 2.2 schema published that includes the correct values?

The 2.3 schema already has this, but some users are still tied to 2.2 and it would be nice to have this corrected so documents adhering to the SPDX spec are also valid against the JSON schema.

Would a GitHub issue be a better place for this request?

Thanks,
-Keith Zantow
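Keith's point is that the 2.2 spec spells the category PACKAGE-MANAGER / PERSISTENT-ID while the 2.2 JSON schema spells it PACKAGE_MANAGER / PERSISTENT_ID, and that tools have been advised to accept both. The code below is an added example, not from the thread or from any SPDX tool, of what "accept both" looks like in a consumer: it maps either spelling to one canonical form, rejects anything else (so a typo is not silently passed through), and reports every value it rewrote in a document. The sample document, its package locators and the function names are all constructed for the example.

```python
"""Normalize SPDX 2.x ExternalRef referenceCategory spellings (added example)."""
import copy

# Canonical form chosen here: the underscore spelling used by the 2.2 JSON schema.
CANONICAL_CATEGORIES = {"SECURITY", "PACKAGE_MANAGER", "PERSISTENT_ID", "OTHER"}


def normalize_reference_category(value):
    """Accept the spec (dash) or schema (underscore) spelling; raise ValueError on anything else."""
    if not isinstance(value, str):
        raise ValueError(f"referenceCategory must be a string, got {type(value).__name__}")
    canonical = value.strip().replace("-", "_")  # only the dash/underscore difference is tolerated
    if canonical not in CANONICAL_CATEGORIES:
        raise ValueError(f"unknown referenceCategory {value!r}")
    return canonical


def normalize_external_refs(doc):
    """Rewrite each package's externalRefs in place.

    Returns (changes, errors): changes are (SPDXID, original, canonical) tuples for
    values that were rewritten; errors are (SPDXID, message) tuples for values that
    match neither spelling and were left untouched.
    """
    changes, errors = [], []
    for pkg in doc.get("packages", []):
        spdx_id = pkg.get("SPDXID")
        for ref in pkg.get("externalRefs", []):
            original = ref.get("referenceCategory")
            try:
                canonical = normalize_reference_category(original)
            except ValueError as exc:
                errors.append((spdx_id, str(exc)))
                continue
            if canonical != original:
                changes.append((spdx_id, original, canonical))
                ref["referenceCategory"] = canonical
    return changes, errors


# Constructed sample: one package written the spec way, one mixing spellings plus a typo.
_SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-A",
            "name": "example-lib",
            "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:pypi/example-lib@1.0.0"},
                {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                 "referenceLocator": "cpe:2.3:a:example:example-lib:1.0.0:*:*:*:*:*:*:*"},
            ],
        },
        {
            "SPDXID": "SPDXRef-Package-B",
            "name": "other-lib",
            "externalRefs": [
                {"referenceCategory": "PERSISTENT-ID", "referenceType": "swh",
                 "referenceLocator": "swh:1:rel:0000000000000000000000000000000000000000"},
                {"referenceCategory": "PACKAGE MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:npm/other-lib@2.0.0"},
            ],
        },
    ],
}


def make_sample_doc():
    """Fresh copy of the constructed sample so callers can mutate it freely."""
    return copy.deepcopy(_SAMPLE_DOC)


if __name__ == "__main__":
    changed, bad = normalize_external_refs(make_sample_doc())
    for spdx_id, before, after in changed:
        print(f"{spdx_id}: {before} -> {after}")
    for spdx_id, msg in bad:
        print(f"{spdx_id}: ERROR {msg}")
```

Running the normalizer before schema validation lets a 2.2 document written against the spec text pass the 2.2 JSON schema without editing it by hand, while the error list keeps genuinely invalid values visible instead of laundering them.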


SPDX Steering Committee Nominations

Phil Odence
 

Dear SPDX community,

 

We are approaching the end of the current term for several members of the SPDX Steering Committee. We are reaching out to let the community know about the upcoming nomination and selection process for new Steering Committee members.

 

The governance page on the SPDX website lists the current Steering Committee and terms. As you can see, the following Steering Committee positions will need to be filled through this process:

  • 1 Team Lead position (a two year term) for each of the Tech, Legal and Outreach Teams;
  • 1-2 Member Representatives from the SPDX members (a one-year term).

Additionally, the Steering Committee will select a new Chair for a one-year term.

 

The Steering Committee will fill the roles effective May 1, 2023.

 

The Steering Committee would also like to take a moment to thank those whose terms are ending. Many thanks to Bob Martin and May Wang who have served as SPDX’s first-ever Member Representatives this year. And a special thanks to Gary O’Neal (Tech Team), Paul Madick (Legal Team) and Jack Manbeck (Outreach Team), each of whom have been part of SPDX’s leadership for years and have put in countless hours to help the project get to where it is today. My own term is ending as well.

 

Below you will find more information regarding the selection process, nomination dates and next steps / action items. If you are interested in nominating someone for a position, please review the main SPDX Project Governance Policy.

 

Best,

Phil, for the SPDX Steering Committee

 

= = = = =

 

Team Leads:

 

Each Team may have 1-3 leads, selected by the Steering Committee:

  • Technical Team: maintains and publishes the SPDX Specifications and tools
  • Legal Team: maintains and publishes the SPDX License List and associated collateral
  • Outreach Team: promotes the use of SPDX by the broader community and ecosystem

 

Currently, each of the Teams has 3 Team Leads, and each has a Lead whose term is ending on May 1, 2023.

 

Any Participant in the SPDX project may submit a nomination (for themselves or for another person) for a Team Lead position by replying directly to me (Phil).

 

Each Team Lead nominee will be asked to complete a nominee form (as similarly described above for Member Representative nominees). The Steering Committee will then review the nomination forms, discuss with the nominees, and select 1 nominee for each Team to serve as a Team Lead and to participate on the Steering Committee for a two-year term beginning May 1, 2023.

 

Process and Key Dates:

  • By March 15, 2023:
    • Any Participant may submit a nomination (for themselves or for another person) to become a Team Lead of one of the Teams by replying to this email.
    • Nominations must be received no later than March 15.
  • By March 22, 2023:
    • After being nominated, each nominee will be invited to and must complete a nominee form as described above, which must be received no later than March 22.
  • March 23 to April 30, 2023:
    • The existing Team Leads will review the nominations, discuss and select a new additional Team Lead for each Team, and will notify the selected nominees to confirm.
  • May 1, 2023:
    • The Steering Committee will notify the SPDX community of the new Team Leads.
    • The new Team Leads’ terms will begin.

 

Member Representatives:

 

The Member Representatives consist of 1-2 individuals, nominated by Members of the SPDX project (companies) and selected by the Steering Committee to represent the interests of the Members of the SPDX community.

 

Project membership in SPDX is available at no charge to organizations and companies that are Linux Foundation members. However, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member. If your organization is not yet a member of SPDX, you can go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.

 

Each SPDX Member organization may nominate one person from their organization as a candidate for consideration to participate on the SPDX Steering Committee. Each Member Representative nominee will be asked to complete a nominee form to describe their skills, experience, interest and participation in SPDX. The Steering Committee will then review the nomination forms and select 1-2 nominees to serve as Member Representatives and to participate on the Steering Committee for a one-year term beginning May 1, 2023.

 

Process and Key Dates:

  • By March 15, 2023:
    • Existing Members and any organizations that become new Members may submit a nominee prior to March 15. Shortly, an email will be sent to the designated “Primary Contact” for each SPDX Member with information about how to nominate a candidate.
    • Nominations must be received no later than March 15.
  • By March 22, 2023:
    • After being nominated, each nominee must complete a nominee form, which must be received no later than March 22.
  • March 23 to April 30, 2023:
    • The existing Team Leads will review the nomination forms, discuss and select 1-2 Member Representatives, and will notify the selected nominees to confirm.
  • May 1, 2023:
    • The Steering Committee will notify the SPDX community about the new Member Representatives.
    • The new Member Representatives’ terms will begin.

 

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 


 

 


Minutes from last SPDX General Meeting

Phil Odence
 

Pull request not yet approved in GH, so here are the minutes. Sorry they are ugly and indentation isn’t working right. All good in GH.

 

#SPDX General Meeting Minutes - January 5, 2023

 



Administrative

  • Lead by Phil Odence
  • Minutes from last meeting approved

Attendance: 18

Steering Committee Update - Phil

  • Little work going on leading up to holiday.

Tech Team Report - Gary, William, Kate

  • https://github.com/spdx/meetings/blob/goneall-patch-7/tech/2022-12-20.md
  • SPDX 3.0
    • Working on how to pull inputs from profiles into spec
    • Core Profile - William/Gary/Kate
    • Licensing Profile - Steve/Alexios
      • Much of the work had already been discussed in the legal meetings previously, matter of getting the licensing profile into the 3.0 format
      • had been waiting on Core Profile
    • Security Profile - Thomas/Jeff
      • Scheduling is a challenge for international team
    • Build Profile - Brandon/Nisha
      • Build model needs to be generalized
    • Usage Profile - Ito/Ninjouji/Asaba/Kobota
      • Working on issue regarding whether some fields are part of file or package
    • AI & Dataset Profile - Gopi/Karen/Kate
      • Will split to separate Dataset Profile
    • Functional Safety - Nicole/Kate
      • Targeted for 3.1
      • Group safety elements together
      • Tracing safety issues and impacts
    • Canonicalization
      • Waiting for Core Profile
    • Serialization
      • How to represent
    • Hardware Profile
      • Interest and potential for 3.1
      • Interest from Chips Alliance Group to bring domain expertise
    • Implementers
      • Tools
        • Light attendance
        • Every other week on Wednesdays
        • Upcoming discussion on what constitutes a quality SBOM
  • Tooling
    • More maintainer coming in on NTIA conformance checker
    • New release of online tools pending; aiming for this week
    • Java tools
      • lots of activity
      • Maven plug in
      • Cyclone DX conversion
    • Python libraries
      • Much refactoring activity
      • Up on PyPI

Legal Team Update - Jilayne/Steve/Paul

  • Next license release, 3.20, aiming for end of month
    • Lots of new Fedora licenses added
      • in wake of Fedora adopting SPDX identifiers in July and documentation release last quarter
    • Could always use more input and help
  • Updating license adding process doc
    • recorded videos of different ways to create files - will be uploaded soon
  • Upcoming topics, potentially for joint Tech Team discussion
    • Change proposal for extending the concept of license ref for exceptions on Jan 12th during legal team meeting time. See https://github.com/spdx/change-proposal/blob/main/proposals/ExceptionRef.md and https://github.com/spdx/change-proposal/issues/4
    • Reminder email will go out to Legal and Tech Teams as to time and topic
  • Side note: Jilayne working on history of license list to capture legacy knowledge
    • Should be posted shortly
    • also working on history of OSI/SPDX collaboration as people ask about that every so often
    • other ideas on recording of legacy knowledge welcome!

Outreach Team Update - Sebastian/Alexios/Jack

  • Website update in process
    • Goal is to maintain content in GitHub
    • Working with LF on how to
  • SPDX for Security white paper to be published in the LF blog

Attendees

  • Phil Odence (Black Duck Audits, Synopsys)
  • Bob Martin
  • Jari Koivisto
  • Armin Tänzer
  • Paul Madick
  • Mary Hardy (Microsoft)
  • Gary O'Neall
  • Peter Caven
  • Steve Winslow
  • Mike McDonel
  • Adolfo Garcia Veytia (Chainguard)
  • Dick Brooks (REA)
  • Steven Carbno (Smart Talk Beacon)
  • Jilayne Lovejoy
  • David Edelsohn
  • Kate Stewart
  • Alfred Strauch (Smart Talk Security Inc.)
  • Brad Goldring (GTC Law Group)

 


SPDX General Meeting

Phil Odence
 

Extending the meeting for  2023…and beyond! Please accept this recurring invitation.

 

 “Dial In” info:

 

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Standard Agenda:

 

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-05-06

 

SPDX Governance Evolution – Phil/Steve

 

Technical Team Report – Kate/Gary/Others

  • Tooling Update - Gary
  • Specification and Profiles
    • Core - William/Gary/Kate
    • Licensing - Steve/Alexios
    • Security - Thomas/Jeff
    • Build - Brandon/Nisha
    • Usage - Ito/Ninjouji/Asaba/Kobota
    • AI - Gopi/Karen/Kate
    • Dataset - Gopi/Karen/Kate
    • Functional Safety - Nicole/Kate

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Sebastian/Alexios/Jack

 


SPDX in GSoC 2023!

Alexios Zavras
 

Hi everyone!

 

As every year, Google runs their Summer of Code program, where contributors get the opportunity to become part of Open Source communities. The SPDX Project has participated in the program in a number of years in the past. The way it works is that we publish project ideas and, if selected, newcomers to open source express their interest in them. The ones finally selected will spend their summer writing code under the guidance of mentors from our project. In order for contributors to join our community and help us, we have to publish a set of ideas where help is needed!

 

Therefore, this is a plea for ideas – and more importantly, mentors who can guide the new contributors and help them accomplish their projects!

 

Firstly, we are looking for project ideas! Either small or large, either incremental improvements to existing open source code or new pieces of software; everything is welcome!

Please read the basics on https://google.github.io/gsocguides/mentor/defining-a-project-ideas-list.html and then write a couple of lines on your great idea.

 

I’ve (hastily) created a special repo for all this: https://github.com/spdx/GSoC

Feel free to create PRs with your ideas!

 

Perhaps even more important than ideas, we are also looking for mentors! Please get in contact via the repo if you are willing to help new members become active participants to SPDX this summer. Each project should have at least two mentors (a primary and a secondary one) who will guide the contributors in their journey.

 

Feel free to open an issue in the repo if you want to discuss in more detail any of the above.

Looking forward to lots of participation!

 

-- zvr

 

PS. I’ve already added a project idea: help on the spec generation from our model files.

Off the top of my head I can think of other ideas like:

  • Outreach: help with the website
  • Legal: help with license submission tools, help with bulk import from other license lists
  • Tech: help with SPDXv3 implementation in Java, Go, etc.

But all these need mentors, otherwise they cannot be realistically proposed.

 

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Seeking Opinions/Participants about AI SBOM Features

Caven, Peter
 

Researchers at Indiana University’s Luddy School of Informatics, Computing, and Engineering are looking for participants in the study of SBOM feature preferences. This is an online and asynchronous study about which features impinge on trustworthiness.  We ask you for fewer than fifteen minutes of your time to perform the virtual card sorting exercise and answer a few questions.

The features we ask you to evaluate are drawn from the best practices in SPDX. In this study, you will be asked about your preferences of factors. Upon agreeing to participate in the study you will be asked to perform a card sorting activity and answer a series of survey questions. 
http://factors.usablesecurity.site/

Please feel more than welcome to share with others that may be interested in labeling and SBOM.

Thank you for your time and consideration.

Peter Caven
L. Jean Camp

 


Please participate: "State of Open Standards Survey"

Kate Stewart
 

The Linux Foundation (LF) has launched The State of Open Standards Survey to capture how different organizations are involved in open standards adoption and contribution, with the aim of measuring the development, use, growth, and value of standards across industries and technologies.

As SPDX is one of the standards that has been supported by the LF, and we have experience with the development and use of standards, your feedback on this topic is important! It should only take 15-20 minutes to complete.

https://www.research.net/r/Q7KG9JH

The insights gained from this report will help the LF standards community interpret and communicate the current state of standards adoption and development, while taking strategic directions that best represent the needs and trends of the open standards ecosystem.

Privacy:  Your name and company name will not be displayed. Reviews are attributed to your role, company size, and industry. Responses will be subject to the Linux Foundation’s Privacy Policy, available at https://linuxfoundation.org/privacy.

Visibility:  The data collected from this survey will be analyzed to produce an in-depth survey report that will be shared with all survey participants and will be published on the Linux Foundation website.

If you have questions regarding this survey, please email reseach@...

Thanks for your help with this!

Kate


Re: SPDX Thursday General Meeting Reminder

Phil Odence
 

Thanks, Max. I think that “bug” has been there for a while. I will endeavor to eliminate it going forward.

Thanks for pointing it out.

Phil

 

From: spdx@... <spdx@...> on behalf of Maximilian Huber via lists.spdx.org <maximilian.huber=tngtech.com@...>
Date: Thursday, January 5, 2023 at 8:56 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Thursday General Meeting Reminder


Hey Phil,
 
just checked the meeting time and there seems to be an inconsistency:
  8am PT / 10 am CT / 11am ET 
maps to 
  16:00 UTC
 
I assume that 16:00 UTC, as it is the usual time, is right?
 
Best
Max
 
On Wed, 2023-01-04 at 20:56 +0000, Phil Odence via lists.spdx.org
wrote:
> Meeting Time: Thurs, Jan5, 8am PT / 10 am CT / 11am ET /
> 15:00 UTC. https://urldefense.com/v3/__http://www.timeanddate.com/worldclock/converter.html__;!!A4F2R9G_pg!bWd3rF8EjW7s9brSyWmr2O-RuoX8paEeB6ECvZk4Nipc9JxTlJC091gerznSmnodvEuOwe3jl3m5h1pXyyNuLNNbIgg4HM16$
 
-- 
TNG Technology Consulting GmbH, Beta-Str. 13a, 85774 Unterföhring
Managing Directors: Henrik Klagges, Dr. Robert Dahlke, Thomas Endres
Chairman of the Supervisory Board: Christoph Stock
Registered Office: Unterföhring * Amtsgericht München * HRB 135082
 
 
 
 


Re: SPDX Thursday General Meeting Reminder

Maximilian Huber
 

Hey Phil,

just checked the meeting time and there seems to be an inconsistency:
8am PT / 10 am CT / 11am ET 
maps to 
16:00 UTC

I assume that 16:00 UTC, as it is the usual time, is right?

Best
Max

On Wed, 2023-01-04 at 20:56 +0000, Phil Odence via lists.spdx.org
wrote:
> Meeting Time: Thurs, Jan5, 8am PT / 10 am CT / 11am ET /
> 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
--
TNG Technology Consulting GmbH, Beta-Str. 13a, 85774 Unterföhring
Managing Directors: Henrik Klagges, Dr. Robert Dahlke, Thomas Endres
Chairman of the Supervisory Board: Christoph Stock
Registered Office: Unterföhring * Amtsgericht München * HRB 135082


SPDX Thursday General Meeting Reminder

Phil Odence
 

Happy New Year, all. I hope you have a meeting on your calendar for Thursday. In case there is an issue, the conference info is included below.

 

No special presentation this month.

 

Also please note that last meeting’s minutes are not yet “pulled” into GitHub, so I have included them at the bottom.

 

 

Meeting Time: Thurs, Jan5, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval: At the bottom of this email

  

Steering Committee Update - Phil

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian/Alexios

 

#SPDX General Meeting Minutes - Dec 1, 2022

Administrative

  • Lead by Phil Odence
  • Minutes from last meeting approved

Attendance: 16

Steering Committee Update - Phil

  • Lots of discussion of participation
  • Certainly could use help on
    • Tech - drafting 3.0
    • Legal - license review
    • Outreach - website
  • Stay tuned for SPDX for Security article

Special Presentations

  • Contribution to SPDX 3.0 Specification - Alexios
  • Preliminary feedback from DocFest - Gary

Tech Team Report - Gary, William, Kate

  • SPDX 2.3
  • SPDX 3.0
    • Core Profile - William/Gary/Kate
      • Worked through bulk of outstanding punchlist, now just focusing on identity/agent clarifications.
      • Established workflow to collect profile contributions (see talk from Alexios above)
    • Licensing Profile - Steve/Alexios
      • Profile contributions to SPDX 3.0 unblocked.
    • Security Profile - Thomas/Jeff
      • In addition to linking to VEX documents, team is evaluating minimal VEX elements to embed in SPDX to convey security info in a simplified manner
      • Documenting Security Use Cases in 3.0
      • Planning 3 hour workshops on 12/15 & 12/21 to move preliminary security profile information into the model.
    • Build Profile - Brandon/Nisha
      • Draft relationship and build element completed (https://github.com/spdx/spdx-3-build-profile)
      • Created examples to validate two use cases, one GitHub Actions and one Yocto (including nested build)
      • Dependency on identity/agent 3.0 model discussion.
      • Working on presentation about Build and Safety for OCS Japan event.
    • Usage Profile - Ito/Ninjouji/Asaba/Kobota
      • Basic set of fields established but some possible overlap with Build Profile, to be discussed next week.
      • Planning for presentation at SPDX Minifest at OCS Japan
    • AI & Dataset Profile - Gopi/Karen/Kate
      • Working on examples using Dataset profile, to look for coverage.
      • Have worked through 3 Datasets, so far no adjustments needed, looking to get more examples from OpenDataology group.
      • Will start to work through AI application examples in December, and upstream dataset profile
      • Stanford Cybersecurity talk mention of our work at: https://youtu.be/ZGnQGfzhwjI
      • Prep for SPDX Minifest at OCS Japan
    • Functional Safety - Nicole/Kate
      • Diagramming of all safety artifacts in progress
      • Some possible new relationships under consideration to be added.

Legal Team Update - Jilayne/Steve/Paul

  • 3.19 released yesterday
    • focused on documentation, made good improvements (more to do)
    • some process discussions still in the works
    • reworked FAQs, now in the repo so easier to update, welcome suggestions / additions via PRs
  • 3.20 - lots of submissions ready for review
    • most coming from Fedora adopting SPDX IDs
    • previously, SPDX had based several additions off of Fedora's "good" licenses
    • many are things that aren't just in Fedora -- e.g. Warner from FreeBSD has been weighing in; many are old licenses
  • Process of how to review licenses -- aiming to make more accessible to people
    • may have a training session for the community
    • watch the spdx-legal mailing list for updates

Outreach Team Update - Sebastian/Alexios/Jack

  • Working on messaging around SPDX and security -- making clearer and simpler for others to reuse as well
  • Started to collect presentations about SPDX, or about SBOMs generally that mention SPDX -- will look to publish somewhere collectively - https://github.com/spdx/outreach

Attendees

  • Alex Rybak (Revenera)
  • Alexios Zavras
  • Bob Martin
  • Bryan Cowan (Fortress)
  • Gale McCommons (Comcast)
  • Gary O'Neall
  • Jilayne Lovejoy
  • Karen Bennet
  • Marc-Etienne Vargenau
  • Mary Hardy (Microsoft)
  • Maximilian Huber
  • Michael Herzog
  • Paul Madick
  • Phil Odence (Black Duck Audits, Synopsys)
  • Ritesh Sonawane
  • Steve Winslow

 


LF Research: Participate in the State of Open Standards Survey

Anna Hermansen
 

Hello SPDX community!

I am the ecosystem manager for Linux Foundation Research and we have recently launched The State of Open Standards Survey to capture how different organizations are involved in open standards adoption and contribution, with the aim of measuring the development, use, growth, and value of standards across industries and technologies.

The insights gained from this report will help our LF standards community interpret and communicate the current state of standards adoption and development, while taking strategic directions that best represent the needs and trends of the open standards ecosystem. 

Your feedback on this topic is important to us! If you have 15 minutes, please take the survey, and share the link with your peers and collaborators.

As a token of our appreciation, you will receive a discount code for 25% off purchases from the LF Training & Certification course catalog (some restrictions may apply).

Privacy & Visibility
Your name and company name will not be displayed. Reviews are attributed to your role, company size, and industry. Responses will be subject to the Linux Foundation’s Privacy Policy, available at https://linuxfoundation.org/privacy. The data we collect from this survey will be analyzed to produce an in-depth survey report that will be shared with all survey participants and will be published on the Linux Foundation website.

If you have questions regarding this survey, please email us at reseach@...

Thanks,
Anna

--
Anna Hermansen (she/her)
Ecosystem Manager, Research, The Linux Foundation


SBOM is included in the latest Omnibus bill

Dick Brooks
 

‘‘SEC. 524B. ENSURING CYBERSECURITY OF DEVICES.

‘‘(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components;

 

This text is referring to medical devices.

https://www.appropriations.senate.gov/imo/media/doc/JRQ121922.PDF

 

Thanks,

 

Dick Brooks

 

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 


SBOM stripped from NDAA may reappear in the Omnibus bill

Dick Brooks
 

Hello Everyone,

 

I’ve heard the SBOM provision that was in the NDAA is under consideration for the Omnibus Bill.

I sent written testimony to the Senate Appropriations Committee deliberating the Omnibus Bill and posted a nearly identical version of my written testimony online:

https://energycentral.com/c/pip/letter-congress-please-don%E2%80%99t-hamstring-your-cybersecurity-staff

 

Please show your support for SBOM by sending written testimony to Congress.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788