SPDX and NTIA SBOM Minimum elements
#spdx
Patil, Sandeep
Hi,
Is there any document reference which can be used to see the mapping between SPDX tags and the NTIA Minimum Elements? Some element names can be easily confused, for example "Author of SBOM Data" in the NTIA Minimum Elements and the "Creator" tag in SPDX: are those the same?
Regards, Sandeep
SPDXID
#spdx
Patil, Sandeep
Hi,
I have a query regarding SPDXID. Can this be expressed along with a CPE or pURL, something like "SPDXRef-[cpe id]" or "SPDXRef-[pURL]"? Any further guidance on this will help.
Regards, Sandeep
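An added example (editor's code, not from the thread or the SPDX project) showing why a purl or CPE cannot be dropped into an SPDXID as-is, and one way to keep both: the SPDXID is derived from the identifier but restricted to the grammar the spec allows, while the original purl or CPE is carried verbatim in an ExternalRef. The SPDXID grammar ("SPDXRef-" followed by letters, digits, "." and "-") and the ExternalRef forms (PACKAGE-MANAGER purl, SECURITY cpe23Type) are taken from the SPDX 2.2/2.3 specification; the sanitise-and-hash scheme and the sample identifiers are the editor's own.

```python
"""Build SPDX 2.x package identifiers from a purl or CPE without violating
the SPDXID grammar, keeping the original identifier as an ExternalRef.

Added example, not SPDX project code. The SPDXID grammar ("SPDXRef-" followed
by letters, digits, "." and "-") and the ExternalRef forms used here
(PACKAGE-MANAGER purl, SECURITY cpe23Type) are taken from the SPDX 2.2/2.3
specification; the sanitise-and-hash scheme is the editor's own.
"""
import hashlib
import re

SPDXID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")


def is_valid_spdxid(spdxid):
    """True if the string satisfies the SPDXID grammar."""
    return bool(SPDXID_RE.match(spdxid))


def spdxid_from_identifier(identifier, seen):
    """Derive a unique, valid SPDXID from a purl or CPE string.

    Characters outside the SPDXID alphabet (':', '/', '@', '*', '%', ...) are
    replaced by '-' and runs collapsed; a short SHA-256 prefix of the original
    string is appended so identifiers that differ only in punctuation still
    map to distinct ids. `seen` holds the ids already used in the document;
    a collision is an error, since SPDXIDs must be unique per document.
    """
    stem = re.sub(r"[^A-Za-z0-9.]+", "-", identifier).strip("-")
    digest = hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:8]
    candidate = f"SPDXRef-{stem}-{digest}"
    if not is_valid_spdxid(candidate) or candidate in seen:
        raise ValueError(f"cannot assign SPDXID for {identifier!r}")
    seen.add(candidate)
    return candidate


def package_block(name, version, identifier, seen):
    """Tag-value lines for one package whose identity comes from a purl or a
    CPE 2.3 string. The identifier itself travels verbatim in ExternalRef,
    where any character is allowed; only the SPDXID is sanitised."""
    spdxid = spdxid_from_identifier(identifier, seen)
    if identifier.startswith("pkg:"):
        ref = f"ExternalRef: PACKAGE-MANAGER purl {identifier}"
    elif identifier.startswith("cpe:2.3:"):
        ref = f"ExternalRef: SECURITY cpe23Type {identifier}"
    else:
        raise ValueError("expected a purl (pkg:...) or a CPE 2.3 string")
    return [
        f"PackageName: {name}",
        f"SPDXID: {spdxid}",
        f"PackageVersion: {version}",
        ref,
    ]


if __name__ == "__main__":
    # Constructed identifiers for a fictional package.
    used = set()
    for ident in ("pkg:maven/com.example/widget@1.0.0",
                  "cpe:2.3:a:example:widget:1.0.0:*:*:*:*:*:*:*"):
        print("\n".join(package_block("widget", "1.0.0", ident, used)))
        print()
```

The hash suffix matters when many packages from one ecosystem are sanitised: "pkg:npm/a-b" and "pkg:npm/a/b" collapse to the same stem, and a consumer that resolves Relationship lines by SPDXID would silently merge them without it.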
Re: End Of Life Tag in spdx
#spdx
Kate and Sandeep,
Our customers are also interested in this information. There are two concepts to consider:

Commercial Status:
<enumeration value="Available"></enumeration>
<enumeration value="Retired"></enumeration>
<enumeration value="EOL"></enumeration>
<enumeration value="BetaTest"></enumeration>
<enumeration value="Pilot"></enumeration>
<enumeration value="Abandoned"></enumeration>

Support Status:
<enumeration value="Supported"></enumeration>
<enumeration value="Unsupported"></enumeration>
<enumeration value="Community"></enumeration>

Both are described in the open-source Vendor Response File (VRF) XML schema available here: https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SAGVendorSchema.xsd
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
Re: End Of Life Tag in spdx
#spdx
Kate Stewart
Hi Sandeep,
There is a pull request expected shortly from the Usage profile team, to add this specific field to 2.3. When it comes in, please feel free to review and make sure it's going to suffice for your needs.
For now, with 2.2 documents, suggest you use the Package Comment field (https://spdx.github.io/spdx-spec/package-information/#720-package-comment-field) and standardize on a tag (like EndOfSupport: ) and the date.
Will that work for now?
Thanks,
Kate
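An added example (editor's code, not SPDX project code) that serves two threads at once: it checks an SPDX 2.2 tag-value document for the NTIA minimum elements Sandeep asked about in the mapping thread, and it flags packages whose "EndOfSupport:" date in the Package Comment field, carried the way Kate suggests above, has already passed. The NTIA-to-SPDX field mapping is the editor's own reading of the NTIA elements against SPDX 2.x tag names, the sample document is constructed, and only single-line <text> values are parsed.

```python
"""Check an SPDX 2.x tag-value document for the NTIA minimum elements and
flag packages whose EndOfSupport date (carried in PackageComment) has passed.

Added example, not SPDX project code. The NTIA-to-SPDX mapping below is the
editor's reading of the NTIA minimum elements against SPDX 2.2/2.3 tag
names; "EndOfSupport: <date>" in PackageComment is the convention suggested
in the thread, not an SPDX field. Only single-line <text> values are parsed.
"""
import re
from datetime import date

# NTIA minimum element -> SPDX tag(s) that can carry it (editor's mapping).
NTIA_DOCUMENT_FIELDS = {
    "Author of SBOM Data": ("Creator",),
    "Timestamp": ("Created",),
}
NTIA_PACKAGE_FIELDS = {
    "Supplier Name": ("PackageSupplier",),
    "Component Name": ("PackageName",),
    "Version of the Component": ("PackageVersion",),
    "Other Unique Identifiers": ("SPDXID", "ExternalRef"),
}

# Constructed sample SBOM: libbar lacks a supplier and libfoo is past EOL.
SAMPLE = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom
Creator: Organization: Example Corp
Creator: Tool: sbom-gen-0.1
Created: 2022-05-06T14:00:00Z

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 1.2.3
PackageSupplier: Organization: Foo Inc
ExternalRef: PACKAGE-MANAGER purl pkg:generic/libfoo@1.2.3
PackageComment: <text>EndOfSupport: 2021-12-31</text>

PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageVersion: 4.0.0
PackageComment: <text>EndOfSupport: 2030-01-01</text>

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-libfoo
Relationship: SPDXRef-Package-libfoo DEPENDS_ON SPDXRef-Package-libbar
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
TEXT_RE = re.compile(r"<text>(.*?)</text>")
EOS_RE = re.compile(r"EndOfSupport:\s*(\d{4}-\d{2}-\d{2})")


def parse_tag_value(text):
    """Split a tag-value document into document-level tags and one dict per
    package (everything from a PackageName line to the next one). Values are
    lists because Creator, ExternalRef and Relationship may repeat."""
    doc, packages, current = {}, [], None
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = {}
            packages.append(current)
        # Relationships describe the whole graph, so keep them document-level.
        target = doc if tag == "Relationship" or current is None else current
        target.setdefault(tag, []).append(value)
    return doc, packages


def ntia_gaps(text):
    """Return 'where: element' strings for each NTIA minimum element the
    document does not carry; an empty list means all elements are present."""
    doc, packages = parse_tag_value(text)
    gaps = []
    for element, tags in NTIA_DOCUMENT_FIELDS.items():
        if not any(doc.get(t) for t in tags):
            gaps.append(f"document: {element}")
    for pkg in packages:
        name = pkg["PackageName"][0]
        for element, tags in NTIA_PACKAGE_FIELDS.items():
            if not any(pkg.get(t) for t in tags):
                gaps.append(f"{name}: {element}")
    if not doc.get("Relationship"):
        gaps.append("document: Dependency Relationship")
    return gaps


def end_of_support(pkg):
    """Return the EndOfSupport date found in a package's PackageComment, or None."""
    for comment in pkg.get("PackageComment", []):
        m = TEXT_RE.search(comment)
        body = m.group(1) if m else comment
        d = EOS_RE.search(body)
        if d:
            return date.fromisoformat(d.group(1))
    return None


def unsupported_packages(text, today):
    """Names of packages whose EndOfSupport date is on or before `today`
    (an ISO date string), in document order."""
    cutoff = date.fromisoformat(today)
    _, packages = parse_tag_value(text)
    out = []
    for pkg in packages:
        eos = end_of_support(pkg)
        if eos is not None and eos <= cutoff:
            out.append(pkg["PackageName"][0])
    return out


if __name__ == "__main__":
    print("NTIA gaps:", ntia_gaps(SAMPLE))
    print("Past end of support:", unsupported_packages(SAMPLE, "2022-05-06"))
```

Because the EOL date lives in a free-text comment, the check is only as reliable as the tag convention the producer and consumer agree on; the mapping table is the part to revisit once the 2.3 field Kate mentions lands.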
End Of Life Tag in spdx
#spdx
Patil, Sandeep
Hi All,
We have a requirement to specify End Of Life as part of the package information in the SBoM. Is there a way the current SPDX format supports this?
Regards, Sandeep
Re: SPDX Thurs General Meeting Reminder
Kate Stewart
The video has been posted here: Thanks again to Joshua for sharing with us!
Re: SPDX Thurs General Meeting Reminder
Christopher Lusk
SPDX Thurs General Meeting Reminder
Phil Odence
No special presentation this month, but I will announce this year’s recently added Member Reps and provide a little review of this aspect of the governance process.
GENERAL MEETING
Meeting Time: Thurs, May 5, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda Attendance Minutes Approval https://github.com/spdx/meetings/blob/main/general/2022-04-07.md
Special Presentation
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack/Sebastian
~24 hours left to propose SPDX talks to All Things Open!
VM (Vicky) Brasseur
All Things Open (ATO) is one of the largest open source conferences in the world now. In 2022 it’ll be in-person only, in its normal location of the Raleigh Convention Center in Raleigh, North Carolina, USA.
ATO 2022 happens October 30-November 2 (yes, over Halloween, ugh). This is either soon after or contemporaneous with the release of 3.0.
Considering the size of the potential audience (thousands) and the diversity of the event (both in attendees and in topic tracks), it would be great if folks could propose some SPDX-related talks. For instance:
The ATO CFP form allows for submitting 15 minute keynote slots this year! That would be a great place for Kate, Jilayne, or someone to talk about the impact of supply chain stuff and where SPDX 3.0 fits in!
Anyway, time’s running short. The CFP closes EOD tomorrow!
Here’s the link and more information: https://www.allthingsopen.org/call-for-papers-2022/
--V
The OpenChain Industry Survey 2022 - SPDX Included
The OpenChain Industry Survey 2022 covers a big topic: the global status of corporate engagement and management of open source. Please help by completing the survey from your perspective before May 1st.
English: https://forms.gle/9Jf9h1J6AwzFpMz89
Simplified Chinese: https://wj.qq.com/s2/9935077/5841/
Japanese: https://forms.gle/A2qdawgY9h7CWr3q8
(Thank you China and Japan work groups! :) )
We are considering open source from a “strategy” perspective rather than a “development” perspective. Our goal is to help inform project, product and supply chain decisions in the year ahead. This goes far beyond compliance, OSPO and any other single topic. However, we are explicitly unpacking industry engagement with SPDX.
This survey is licensed under CC-0 so feel free to take it as the basis for your own surveys in the future.
Special Presentation and SPDX Thurs General Meeting Reminder
Phil Odence
NOTE: I am a little behind and have not posted the minutes from the March meeting in GH. In advance of that, I have included those minutes in rough form at the bottom of this email.
PRESENTATION: Please join us for this presentation to kick off the meeting. Yocto have been very supportive of SPDX and active in incorporating the technology.
SPDX in the Yocto Project – Joshua Watt
Abstract: As Software Bills of Material (SBoMs) become more important in the software industry, the generation of high quality SBoMs from the beginning of the Software Supply Chain has also become more important. The Yocto Project is designed to build up software images from source, and as such is a prime candidate to generate these SBoMs at the point where software packages are compiled and assembled into customer images. Joshua will talk about how the Yocto Project is able to do this, and some of the interesting quirks encountered when implementing this feature.
Joshua Watt is a Software Engineer for Garmin, where he has been working for the past 13 years. He has been a developer with OpenEmbedded and the Yocto Project for the past 7 years, and is a member of the OpenEmbedded Technical Steering Committee.
GENERAL MEETING
Meeting Time: Thurs, April 7, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda Attendance Minutes Approval https://github.com/spdx/meetings/blob/master/general/2022-02-03.md
Special Presentation
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack/Sebastian
Re: SPDX Company Membership
Phil Odence
Brian,
We will send an email to Primary Contacts from member companies who have signed up by tomorrow. There will be instructions, but essentially we’ll need to hear from the primary contact who the nominee is and then the nominee will need to fill out an online form.
Phil
Re: SPDX Company Membership
Steve Winslow
Hi Brian,
Since the cutoff date is EOD today, sometime in the next few days / next week we'll send an email with nomination instructions to the primary contacts from each of the members who have signed up by then. We may need a bit of time to work with the LF to collect the contact details from the signups, but we'll circulate the next steps to the members shortly thereafter.
Best,
Steve
Re: SPDX Company Membership
Brian Fox
Once signing up, how are nominations made?
Re: SPDX Company Membership
Steve Winslow
Hello SPDX community,
Just wanted to send a reminder from Phil's original email announcing the SPDX project membership process -- see his email below.
As mentioned previously, companies / organizations that become a member of SPDX prior to April 1 (before this coming Friday) will be able to nominate an individual from their organization for consideration for the initial Member Representative seats on the SPDX Steering Committee. On or shortly after April 1, we will send out details about the nomination process to all member companies as of that date, so that nominations can be submitted and the 1 or 2 Member Representatives chosen by the Steering Committee before their annual term begins on May 1.
If you'd like for your company to nominate someone for consideration for the initial Member Representatives, please make sure that your company signs up as a member of SPDX on or before this Thursday, March 31. Please note that just being listed as an "SPDX Supporter" on https://spdx.dev is not itself the same as becoming a member of the project; you'll need to sign up as a member using the process Phil described below.
(Of course, membership will still be open after that date, and future members could participate in nominations for future years' Member Representatives.)
Best,
Steve
Special Presentation and SPDX Thurs General Meeting Reminder
Phil Odence
REMINDER: Encourage your LF member company to join SPDX https://enrollment.lfx.linuxfoundation.org/?project=spdx . Companies that join by April 1 may nominate a candidate for Steering Committee this year.
PRESENTATION: Please join us for a very interesting presentation to kick off the meeting.
How RKVST Uses SPDX for Software Transparency by Jon Geater, CTO Jitsuin
Abstract: One crucial aspect to deriving Trust in connected systems is software transparency, and SBOM (AKA “what’s in the box?”) is a crucial part of this, so SPDX is a very interesting place for Jon and RKVST to engage. We’ll be briefly exploring the deeper requirements of software transparency for context and look forward to a discussion on how best to apply and assist the SPDX community in meeting these.
Jon: Jon Geater is chair of the Security and Trustworthiness Working Group in the Digital Twin Consortium and lead author of the Security Maturity Model for Digital Twins in the Industry Internet Consortium. In both of these forums, and with his company’s SaaS platform RKVST, he works to press forward the state of the art in Dynamic Resilience: a practical approach to security and safety in today’s fast-changing, highly connected world based on contextual decision-making and Zero Trust principles. As a co-founder of OASIS KMIP, former governing board member of Linux Foundation’s Hyperledger project, and former board member and chair of the Security Task Force at GlobalPlatform, Jon has a strong and dedicated commitment to open standards in cyber security.
GENERAL MEETING
Meeting Time: Thurs, Mar 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda Attendance Minutes Approval https://github.com/spdx/meetings/blob/master/general/2022-02-03.md
Special Presentation – SteveH
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
SPDX Feb General Meeting Minutes
Phil Odence
https://github.com/spdx/meetings/blob/master/general/2022-02-03.md
L. Philip Odence General Manager, Black Duck Audit Business Synopsys Software Integrity Group, Burlington, MA M (781) 258-9502 | phil.odence@... https://www.synopsys.com/audits
SPDX General Meeting Minutes - Feb 3, 2022
Administrative
Steve Hendrick w/report on SBOM readiness
Tech Team Report - Gary/Kate/Thomas
Spec Defects
Core 3.0
2.3 Release
Tools
DocFest (Rose)
GSOC
Tooling Release
Legal Team Report - Jilayne/Paul/Steve
License List
Outreach Team Report - Sebastian
Attendees
Special Presentation and SPDX Thurs General Meeting Reminder
Phil Odence
Please join us for a very interesting presentation to kick off the meeting:
Preview of LF Study on SBOM Readiness by Steve Hendrick
Abstract: The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness, produced in partnership with SPDX, OpenChain, and OpenSSF, reports on the extent of organizational SBOM readiness and adoption and its significance to improving cybersecurity throughout the open source ecosystem. The study comes on the heels of the US Administration’s Executive Order on Improving the Nation’s Cybersecurity, and the disclosure of the most recent and far-reaching log4j security vulnerability. Its timing coincides with increasing recognition across the globe of the importance of identifying software components and helping accelerate widespread implementation of cybersecurity best practices to mitigate the impact of software vulnerabilities.
Steve: Steve Hendrick, who authored the SBOM readiness report, is a Vice President of research for the Linux Foundation and well traveled in application development and deployment software. Prior to his current role at the Linux Foundation, Steve spent 30 years as an industry analyst working for IDC, ESG, and EMA driving application development and deployment research. Steve has authored over 1,000 research reports and served as primary investigator on over 100 surveys.
GENERAL MEETING
Meeting Time: Thurs, Feb 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda Attendance Minutes Approval https://github.com/spdx/meetings/blob/master/general/2022-01-06.md
Special Presentation – SteveH
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
Re: [spdx-tech] Registration open for SPDX DocFest on Jan 27th
Thanks, Rose – much appreciate the quick response and for all that you do for the SPDX community.
Looking forward to participating in the DocFest.
Cheers and best regards,
Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
Re: [spdx-tech] Registration open for SPDX DocFest on Jan 27th
Rose Judge
Hi Dick,
Instructions to participate with target sets/objects will be mailed out on Monday. We are finalizing the targets as we speak.
Thanks for your interest and patience. Excited to have you as part of this event!
-Rose

From: Dick Brooks <dick@...>
Rose,
Where can I find the target set objects to create/submit an SPDX SBOM?
Thanks,
Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: Spdx-tech@... <Spdx-tech@...>
On Behalf Of Rose Judge
Sent: Wednesday, January 12, 2022 11:39 AM To: Spdx-tech@...; spdx@... Subject: [spdx-tech] Registration open for SPDX DocFest on Jan 27th
Hello SPDX community,
SPDX is hosting another DocFest on January 27th from 7-11 AM PST. The purpose of this event is to bring together producers and consumers of SPDX documents and discuss differences between tool output and understanding for the same software artifacts.
https://forms.gle/Mq7ReinTY6gDL4cs9