Taxonomy of software supply chain ecosystem?
A taxonomy of this SSC ecosystem. I would like to have one, plz&thx.
For instance, looking at this (very much work in progress, just noodling about as I think about things) picture, those items in each of those long lists aren’t equivalent. They fall into different categories of functionality and come into play at different stages.
Those categories/stages are the taxonomy I’m hoping someone else has already created and published under a FOSS license so we can all play along at home. 😊
My web searches aren’t turning anything up on this one. Do any of you know whether this exists already?
--V
--
VM (Vicky) Brasseur
Director, Senior Strategy Advisor
Open Source Program Office
Wipro Limited
Time Zone: Pacific/West Coast US
'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'
Hi Vicky,
There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:
https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape
(it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)
steve
From: spdx@... <spdx@...> On Behalf Of Kate Stewart
Sent: 17 November 2021 22:35
To: SPDX-general <spdx@...>
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?
There's been some industry-wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy.
We've been collecting the tools we're aware of that work with SPDX, and grouped them within the taxonomy here: http://tiny.cc/SPDX
That document is open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment. Jack's done a great job in moving what we've got in that document to our website.
The long-term solution here is to move this collection to SPDX's GitHub and generate it automatically via a landscape onto the web pages, but that's a WIP that Sebastian's helping us make real.
That help?
Kate
On Wed, Nov 17, 2021 at 3:33 PM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote:
Yessssss…
It’ll take a while to get through it all, but this will be very helpful for us. Many thanks, Steve and Tooling Group Team!
--V
--
VM (Vicky) Brasseur
Director, Senior Strategy Advisor
Open Source Program Office
Wipro Limited
Time Zone: Pacific/West Coast US
From: <spdx@...> on behalf of "Steve Kilbane via lists.spdx.org" <stephen.kilbane=analog.com@...>
Reply-To: "spdx@..." <spdx@...>
Date: Thursday, November 18, 2021 at 01:28
To: "spdx@..." <spdx@...>
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?
Hi Vicky,
We also have a nice website: https://oss-compliance-tooling.org/
Perhaps this is better suited for getting an overview.
Ciao
Oliver
Sent: Thursday, 18 November 2021 16:07
To: spdx@...
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?
You may also want to look at the SLSA framework.
---
Mike Dolan
The Linux Foundation
Office: +1.330.460.3250 Cell: +1.440.552.5322
mdolan@...
---
On Thu, Nov 18, 2021 at 10:03 AM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote: