|
Re: Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
It’s all moot now. The bill passed the House and Senate today and is on it’s way to the President’s desk. https://www.congress.gov/bill/117th-congress/house-bill/7776/text
All of the software supply chain provisions have been gutted in the final NDAA.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Brian Fox
Sent: Friday, December 16, 2022 5:43 PM To: spdx@... Subject: Re: [spdx] Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
You shared this previously https://insidecybersecurity.com/share/14118
I think that's a significant reason. And even as a proponent / agitator of SBOMs myself, I find the arguments they lay out compelling as we sit right now.
On Fri, Dec 16, 2022 at 4:33 PM Dick Brooks <dick@...> wrote:
|
|
|
|
Re: Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
Brian Fox
You shared this previously https://insidecybersecurity.com/share/14118 I think that's a significant reason. And even as a proponent / agitator of SBOMs myself, I find the arguments they lay out compelling as we sit right now. On Fri, Dec 16, 2022 at 4:33 PM Dick Brooks <dick@...> wrote:
|
|
|
|
Re: Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
Eliot,
I’m not familiar with the GSA work you mention. Can you provide a pointer to GSA documents indicating that SBOM’s are required.
I’ve seen where SBOM’s are required in the Department of State Evolve RFP.
Also, why would ITI and others be lobbying Congress to have SBOM removed from the NDAA, as the linked article indicates.
There must be a reason. I suspect it’s because Congress creates laws, and the NDAA law makes SBOM a legal requirement.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Eliot Lear
Sent: Friday, December 16, 2022 4:13 PM To: spdx@... Subject: Re: [spdx] Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
Why? GSA is already specifying SBOMs. And is the list to encourage congressional lobbying? On 16.12.22 20:38, Dick Brooks wrote:
|
|
|
|
Re: Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
Eliot Lear
Why? GSA is already specifying SBOMs. And is the list to
encourage congressional lobbying? On 16.12.22 20:38, Dick Brooks wrote:
|
|
|
|
Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
FYI:
Please get the word out to restore the SBOM provision in the NDAA.
“I don't see why any member of Congress would want to hamstring their own cybersecurity professionals from monitoring and mitigating software vulnerabilities that are detectable using an SBOM. Members of Congress please help your own cybersecurity professionals that work so hard to keep you and your districts safe from hacker attacks. Restore the SBOM provision in the NDAA.”
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
|
|
|
|
Possible Vendor Day
Sending this to the SPDX list per Gary’s suggestion at today’s SPDX tech team meeting. .
Last Week I attended a FERC-DOE supply chain technical conference and a suggestion was made to host a “SBOM Vendor Day” to show the energy industry what is available for processing (creating/consuming) SBOM’s.
At this point it’s “just an idea” and there is nothing concrete. I’ve been collecting email from parties with an interest in participating in a SBOM Vendor Day, IF this “Vendor Day” concept comes to fruition.
Please email me if interested in participating in a SBOM Vendor Day presentation for the Energy industry.
FYI: So far OWASP and Microsoft have expressed interest in participating, IF this SBOM Vendor Day comes to fruition.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
|
|
|
|
Your feedback as open source licenses expert/user about OSLiFe-DiSC tool
Sihem Ben Sassi
Dear all, A step forward to automate license processing is to characterize legal terms dealt with by licenses and describe licenses accordingly in order to reach a standardized model. To that end, we developed the OSLiFe-DiSC tool (https://sihem.pythonanywhere.com/ -- please refresh the page if an error is displayed--) based on an open source licenses feature model. It allows (1) discovering licenses features (i.e. description according to the model), (2) selecting licenses satisfying desired features, and (3) comparing two licenses. A 8 minutes video demo (https://youtu.be/VwzBq7XBTvk) shows the OSLiFe-DiSC functionalities. I would ask you, as licenses expert and/or user, to try the tool and give your feedback by filling the questionnaire accessible through the peach colored button inside the OSLiFe-DiSC tool, or directly through https://cutt.ly/G0eiq92 If needed, you may see the manuscript available at https://cutt.ly/P0wsuA for more information about extracted legal terms represented by the features of the licenses model. Your feedback is very appreciated and needed. Best Regards, Sihem Ben Sassi PhD, HDR in computer sciences |
|
|
|
Re: Interpreting SPDX Validator Error: SpdxIdInUseException ... ExtractedLicensingInfo
Keith Zantow
Thank you, Gary! I wasn't sure where the right place was to ask this question. Issue submitted with example: https://github.com/spdx/spdx-online-tools/issues/414 On Wed, Dec 7, 2022 at 5:01 PM Gary O'Neall <gary@...> wrote:
|
|
|
|
Re: Interpreting SPDX Validator Error: SpdxIdInUseException ... ExtractedLicensingInfo
Gary O'Neall
Hi Keith,
The “Unexpected Error” usually indicates an issue with the validation tool itself. Can you post an issue at https://github.com/spdx/spdx-online-tools/issues and attach a file that reproduces the problem? Alternatively, you can email me the information at gary@....
Thanks,
From: spdx@... <spdx@...> On Behalf Of Keith Zantow via lists.spdx.org
Sent: Tuesday, December 6, 2022 1:19 PM To: spdx@... Subject: [spdx] Interpreting SPDX Validator Error: SpdxIdInUseException ... ExtractedLicensingInfo
Hi,
I'm using the SPDX online validator and I'm trying to understand what this error means. Could someone shed some light on it?
Analysis exception processing SPDX file: Unexpected Error: org.spdx.library.model.SpdxIdInUseException: Can not create Apache-2.0. It is already in use with type ListedLicense which is incompatible with type ExtractedLicensingInfo
Thanks much, -Keith Zantow |
|
|
|
Interpreting SPDX Validator Error: SpdxIdInUseException ... ExtractedLicensingInfo
Keith Zantow
Hi, I'm using the SPDX online validator and I'm trying to understand what this error means. Could someone shed some light on it? Analysis exception processing SPDX file: Unexpected Error: org.spdx.library.model.SpdxIdInUseException: Can not create Apache-2.0. It is already in use with type ListedLicense which is incompatible with type ExtractedLicensingInfo Thanks much, -Keith Zantow |
|
|
|
Re: SPDX creation phase
Having also been in that call I would also like this clarification. The idea behind having this information available is for the recipient to make her or his own judgement on how accurate they expect such to be.
If this has been solved in the SPDX community that would be great. 😊 Steve’s comments on different “stages” was not something I had considered, but it does potentially complicate things.
BR J
From: spdx@... <spdx@...>
On Behalf Of Steve Kilbane via lists.spdx.org
Sent: Thursday, 1 December 2022 12:20 To: spdx@... Subject: [spdx] SPDX creation phase
Hi all,
One of the suggestions in today’s call for the OpenChain Telco SIG, where we’re discussing proposals for an SBOM standard for the Telecommunications industry, was:
> SBOMs conforming to the Telco SBOM Specification need to contain the information when the SBOM was created in the “Created” SPDX field and at what phase of the software build it was created (“pre-build”, “build-time” or “post-build”) in the CreatorComment SPDX field.
(See https://github.com/OpenChain-Project/Telco-WG/pull/15)
I raised a concern about ambiguity here, in that your application may be built from libraries that are built at an earlier stage, so the SBOM information may be created after some components are built, but before others. A recipient of the SBOM might also interpret each of these three phrases differently from the creator of the SBOM. I recall hearing that there have been conversations about many different SBOMs according to phase (source SBOM, build SBOM, deploy SBOM, cloud SBOM, etc.), so I wondered whether there was advice that the Telco SIG could lean upon, rather than trying to formulate a solution when it’s already a solved problem.
Apologies if this isn’t the right group.
steve
|
|
|
|
FERC-DOE Supply Chain Technical Conference on December 7, 2022 at FERC HQ in Washington.
Hoping to meet some people at this supply chain technical conference in Washington on December 7.
Please come out and show your support for SBOM in software supply chains and meet many of the people working on supply chain initiatives in the electric industry.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
|
|
|
|
Re: SPDX creation phase
Gary O'Neall
Hi Steve,
I’m going to include the SPDX tech group on the email thread – sorry to many of you for the duplication.
Steve – If you’re a member of that email we can continue the thread there.
There is a Build Profile working group which is tackling very similar problems for the SPDX 3.0 spec led by Brandon and Nisha (cc’d) – you may want to connect with that group.
For SPDX 2.3, I have a couple of thoughts and suggestions. I think the Creation Information created date will provide the information on when the SBOM was created. We don’t have any fields at the SPDX Document level to store and retrieve the build phase information, but we have added 3 new fields at the package level which may be useful:
For a typical SBOM, the SPDX document will have a Document Describes which points to the package the SBOM is describing. Although it isn’t direct, you could use the Built Date and Release Date along with the Creation information to determine where in the lifecycle the SBOM was created. Since these are optional fields, the Telco SIG would need to specify that they be included for the package in the Document Describes field.
Using the comment field for information not in the SPDX spec is an acceptable practice – especially if the information is intended to be human readable. You can also use an Annotation on the SPDX document for the same purpose. The advantage of the Annotation is you can have more than one with each Annotation having a specific purpose. For example, you could have an Annotation “Build-Phase: pre-build” and an separate annotation for unrelated information.
Best regards, Gary
From: spdx@... <spdx@...> On Behalf Of Steve Kilbane
Sent: Thursday, December 1, 2022 3:20 AM To: spdx@... Subject: [spdx] SPDX creation phase
Hi all,
One of the suggestions in today’s call for the OpenChain Telco SIG, where we’re discussing proposals for an SBOM standard for the Telecommunications industry, was:
> SBOMs conforming to the Telco SBOM Specification need to contain the information when the SBOM was created in the “Created” SPDX field and at what phase of the software build it was created (“pre-build”, “build-time” or “post-build”) in the CreatorComment SPDX field.
(See https://github.com/OpenChain-Project/Telco-WG/pull/15)
I raised a concern about ambiguity here, in that your application may be built from libraries that are built at an earlier stage, so the SBOM information may be created after some components are built, but before others. A recipient of the SBOM might also interpret each of these three phrases differently from the creator of the SBOM. I recall hearing that there have been conversations about many different SBOMs according to phase (source SBOM, build SBOM, deploy SBOM, cloud SBOM, etc.), so I wondered whether there was advice that the Telco SIG could lean upon, rather than trying to formulate a solution when it’s already a solved problem.
Apologies if this isn’t the right group.
steve
|
|
|
|
Re: SPDX creation phase
Steve,
SBOM’s are created to serve a purpose, for example some SBOM’s are used for license management, some are used for dependency tracking and the one I’m most familiar with is an SBOM used by a software consumer in a software risk assessment.
In the risk assessment case it’s imperative that the SBOM describe the contents of a software package used for installation and execution in a consumers digital ecosystem. Data in this SBOM, i.e. component names and versions, is more compatible with vulnerability databases when searching for CVE’s filed against component software, i.e. Log4j is a good example.
I can’t speak to SBOM’s used for other purposes.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Steve Kilbane
Sent: Thursday, December 1, 2022 6:20 AM To: spdx@... Subject: [spdx] SPDX creation phase
Hi all,
One of the suggestions in today’s call for the OpenChain Telco SIG, where we’re discussing proposals for an SBOM standard for the Telecommunications industry, was:
> SBOMs conforming to the Telco SBOM Specification need to contain the information when the SBOM was created in the “Created” SPDX field and at what phase of the software build it was created (“pre-build”, “build-time” or “post-build”) in the CreatorComment SPDX field.
(See https://github.com/OpenChain-Project/Telco-WG/pull/15)
I raised a concern about ambiguity here, in that your application may be built from libraries that are built at an earlier stage, so the SBOM information may be created after some components are built, but before others. A recipient of the SBOM might also interpret each of these three phrases differently from the creator of the SBOM. I recall hearing that there have been conversations about many different SBOMs according to phase (source SBOM, build SBOM, deploy SBOM, cloud SBOM, etc.), so I wondered whether there was advice that the Telco SIG could lean upon, rather than trying to formulate a solution when it’s already a solved problem.
Apologies if this isn’t the right group.
steve
|
|
|
|
SPDX creation phase
Hi all,
One of the suggestions in today’s call for the OpenChain Telco SIG, where we’re discussing proposals for an SBOM standard for the Telecommunications industry, was:
> SBOMs conforming to the Telco SBOM Specification need to contain the information when the SBOM was created in the “Created” SPDX field and at what phase of the software build it was created (“pre-build”, “build-time” or “post-build”) in the CreatorComment SPDX field.
(See https://github.com/OpenChain-Project/Telco-WG/pull/15)
I raised a concern about ambiguity here, in that your application may be built from libraries that are built at an earlier stage, so the SBOM information may be created after some components are built, but before others. A recipient of the SBOM might also interpret each of these three phrases differently from the creator of the SBOM. I recall hearing that there have been conversations about many different SBOMs according to phase (source SBOM, build SBOM, deploy SBOM, cloud SBOM, etc.), so I wondered whether there was advice that the Telco SIG could lean upon, rather than trying to formulate a solution when it’s already a solved problem.
Apologies if this isn’t the right group.
steve
|
|
|
|
Re: Thurs SPDX General Meeting Reminder
Phil Odence
Small correction: Thurs is Dec 1.
From:
spdx@... <spdx@...> on behalf of Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> This month we’ll have a couple special presentations. Gary will give a debrief on Wednesday’s docfest. Alexios will walk is through the GitHub 3.0 directories so everyone knows how to contribute.
We’d like to add a regular General Meeting topic on presentation folks are delivering featuring SPDX. If you know if any recent or upcoming please add them to the repo created for this purpose: https://github.com/spdx/outreach/blob/main/SPDX-presentations.md
GENERAL MEETING
Meeting Time: Thurs, Dec 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda Attendance Minutes Approval: https://github.com/spdx/meetings/blob/main/general/2022-11-03.md
Presentations – Gary and Alexios
Steering Committee Update - Phil
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack/Sebastian/Alexios
|
|
|
|
Thurs SPDX General Meeting Reminder
Phil Odence
This month we’ll have a couple special presentations. Gary will give a debrief on Wednesday’s docfest. Alexios will walk is through the GitHub 3.0 directories so everyone knows how to contribute.
We’d like to add a regular General Meeting topic on presentation folks are delivering featuring SPDX. If you know if any recent or upcoming please add them to the repo created for this purpose: https://github.com/spdx/outreach/blob/main/SPDX-presentations.md
GENERAL MEETING
Meeting Time: Thurs, Dec 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda Attendance Minutes Approval: https://github.com/spdx/meetings/blob/main/general/2022-11-03.md
Presentations – Gary and Alexios
Steering Committee Update - Phil
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack/Sebastian/Alexios
|
|
|
|
Re: SBOM Survey
karen.bennet
This survey was a great start to gather feedback about SBOM, but it would be good to get some questions about AI sBOM, they need additional information collected On Thu, Nov 10, 2022 at 1:34 AM Wintersgill, Nathan <njwintersgill@...> wrote:
|
|
|
|
SBOM Survey
Wintersgill, Nathan
Dear SPDX Community, The SEMERU research lab from William and Mary is conducting an online survey to understand issues, needs, and opportunities related to software supply chain management through Software Bill of Materials (SBOMs). If you have knowledge of or experience with SPDX or other SBOM formats, we would value your participation in this study. We would greatly appreciate 20-30 minutes of your time to complete the survey: https://wmsas.qualtrics.com/jfe/form/SV_cO4qm1gk3AFunJk. If you decide to participate, we kindly ask you to complete the survey as soon as possible, ideally within a week. Participating will enter you into a lottery to win one of 10 $50 Amazon gift cards. Your participation will help us in our mission to better understand the current state of SBOMs in practice and help us provide better resources and tools to developers for managing and securing their own software supply chains. If you have any questions about our research, our methods, or our survey please do not hesitate to ask. If you have any colleagues who you believe may have valuable domain knowledge and experience, please forward this email and survey to them. This research is conducted under protocol PHSC-2022-07-14-15722 approved by the IRB at William and Mary. Thank you for your time, Oscar Chaparro - Assistant Professor (oscarch@...) Denys Poshyvanyk - Professor (dposhyvanyk@...) Trevor Stalnaker - Ph.D. student (twstalnaker@...) Nathan Wintersgill - Ph.D. student (njwintersgill@...) |
|
|
|
FOSDEM 2023 - SBOM devroom info and CfP
Alexios Zavras
[this is also available as https://gist.github.com/zvr/c852b4a560ac2c67885c473034cd4a93]
# FOSDEM 2023 - SBOM devroom info and CfP
## Overview
[FOSDEM] is one of the world's premier meetings of free software developers, with thousands of people attending each year. FOSDEM 2023 will take place on the weekend of 4-5 February 2023 and it will be an in-person event in Brussels once again!
For the first time, a track ("devroom") about Software Bill of Materials (SBOM) has been accepted in the conference.
## Details
The devroom will take place for half a day (09:00-12:50), on Sunday morning, as an in-person event in a room to be announced at a later time.
The SBOM Devroom at FOSDEM 2023 is an informal, technical, in-person event oriented to authors, users, and enthusiasts of FLOSS programs that produce, consume, or transform SBOMs.
While other domains like construction, mechanical engineering, or even computer hardware have long used the concept of Bill of Materials (BOMs), software traditionally has not followed this best practice. There have been efforts running for over a decade to address this, and recent developments have pushed forward the use and wide adoption of Software BOMs. Since most of today’s software is made up of Open Source, it is important that this information can be accurately conveyed. It includes, but is not limited to, metadata such as name and version but also licensing or security information.
The goal of the devroom is for interested people to get in touch with each other, exchange ideas and opinions, have interesting and hopefully productive discussions, and finally what is most important: to have fun.
**We are looking for presenters!**
## Call for participation
We are interested in presentations on any topic related to Software Bill of Materials: content, definitions, standardization efforts, tools, etc.
An indicative, non-exclusive, list of topics:
- Tools that produce SBOMs or related information - Tools that consume SBOMs to generate other information - Case studies and lessons learned from real-life use or introduction of SBOMs - Use of different types of SBOMs (e.g., Source, Build, Runtime, etc.) - Linking and verification of SBOMs to other relevant artifacts - Special areas of interest not covered by current SBOM formats, that need discussion to be included
Any effort that would lead on increasing collaboration between different approaches and tools are particularly encouraged.
### Key dates
- 28 November: Submission deadline - 16 December: Announcement of selected talks - 5 February: SBOM devroom in FOSDEM - You must be available in person to present your talk
### Submission process
Please use the [Pentabarf] system to submit a talk proposal for the devroom. On the "General" tab, please look for the "Track" option and choose "Software Bill of Materials devroom". Note: if you have used FOSDEM Pentabarf before, please do _not_ create a new account/username but rather use your existing one.
### First-time speakers
FOSDEM devrooms are a welcoming environment for people who have never given a talk before. Please feel free to contact the devroom administrators personally if you would like to ask any questions about it.
### Submission guidelines
The Pentabarf system will ask for many of the essential details. Remember to re-use your account from previous years if you have one.
We will be looking for relevance to the conference and devroom themes, but essentially any presentation about SBOMs would qualify. Please note that the audience is expected to be _developers_ of Free and Open Source Software and will most probably be _knowledgeable_ in at least some aspects of SBOMs. Therefore aim your presentation accordingly.
Feel free to indicate your preferred duration for your presentation between 5 and 30 minutes, but please note that the final decision on duration will be made by the devroom administrators based on the number of accepted proposals. As the overall duration of the devroom is fixed and rather short, no presentation will exceed 30 minutes (including Q&A), so that more speakers can participate. Keep in mind that, as the event will be in-person, we also need to account for switching between speakers. Shorter presentation are **strongly** encouraged!
Please note FOSDEM aims to record and live-stream all talks. The CC-BY license is used for the recordings.
## Volunteers needed
To make the devroom run successfully, we are always looking for volunteers. If you will be attending the devroom and would like to help, please reach out to the organizers!
## Spread the word and discuss
If you know of any mailing lists or other online venues where this info and CfP would be relevant, please feel free to forward this document.
## Contact
The organizers of the devroom can be reached by sending email to sbom-devroom-manager@.... Please do not hesitate to contact us if you have any inquiry or suggestion for the devroom.
For any private queries, you may also contact the organizers directly: - Alexios Zavras fosdem@... - Kate Stewart stewart@...
[FOSDEM]: https://fosdem.org [Pentabarf]: https://penta.fosdem.org/submission/FOSDEM23/
-- zvr
Intel Deutschland GmbH |
|
|
