Taxonomy of software supply chain ecosystem?


VM (Vicky) Brasseur
 

A taxonomy of this SSC ecosystem. I would like to have one, plz&thx.

 

For instance, looking at this (very much work in progress, just noodling about as I think about things) picture, those items in each of those long lists aren’t equivalent. They fall into different categories of functionality and come into play at different stages.

 

Those categories/stages are the taxonomy I’m hoping someone else has already created and published under a FOSS license so we can all play along at home. 😊

 

My web searches aren’t turning anything up on this one. Do any of you know whether this exists already?

 

--V

 

-- 

VM (Vicky) Brasseur

Director, Senior Strategy Advisor

Open Source Program Office

Wipro Limited

Time Zone: Pacific/West Coast US

 



Kate Stewart
 

There's been some industry-wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf   I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy.

We've been collecting the tools we're aware of that work with SPDX, and grouped within the taxonomy here: http://tiny.cc/SPDX

Which is open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment. Jack's done a great job in moving what we've got in that document to our website.

Long-term solution here is to move this collection to SPDX's github and generate automatically via a landscape onto the web pages, but that's a WIP that Sebastian's helping us make real.

That help?

Kate

On Wed, Nov 17, 2021 at 3:33 PM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote:



Steve Kilbane
 

Hi Vicky,

 

There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:

 

https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape

 

(it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)

 

steve

 

From: spdx@... <spdx@...> On Behalf Of Kate Stewart
Sent: 17 November 2021 22:35
To: SPDX-general <spdx@...>
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?



VM (Vicky) Brasseur
 

Yessssss…

 

It’ll take a while to get through it all, but this will be very helpful for us. Many thanks, Steve and Tooling Group Team!

 

--V

 


From: <spdx@...> on behalf of "Steve Kilbane via lists.spdx.org" <stephen.kilbane=analog.com@...>
Reply-To: "spdx@..." <spdx@...>
Date: Thursday, November 18, 2021 at 01:28
To: "spdx@..." <spdx@...>
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?



Michael Dolan
 

You may also want to look at the SLSA framework. 

https://slsa.dev/levels

---
Mike Dolan
The Linux Foundation
Office: +1.330.460.3250   Cell: +1.440.552.5322
mdolan@...
---



On Thu, Nov 18, 2021 at 10:03 AM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote:



Oliver Fendt
 

Hi Vicky

 

We also have a nice website https://oss-compliance-tooling.org/

Perhaps this is better suited for getting an overview.

 

Ciao

Oliver

 

From: spdx@... <spdx@...> On Behalf Of Michael Dolan via lists.spdx.org
Sent: Thursday, 18 November 2021 16:07
To: spdx@...
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?
