Using SBOM Everywhere to amplify guidance through other public workstreams #46
Comments
This is an awesome idea. It seems like I missed the most interesting meeting in a year. I would love to take a closer look at these documents from Allan. I can already add some information to the second point. SPDX and CycloneDX have already published guidance on mapping the NTIA requirements to their schemas. The thing is, the mapping to the schemas is done differently in CycloneDX and SPDX. CycloneDX is more strict with its mapping than SPDX. I gave this issue a closer look in my master's thesis in chapter 7.3.1, see here. Maybe we could fix this, also with help from Allan, who recently mentioned updating the NTIA minimum elements to make them more straightforward.
If mapping is on the radar, I would suggest using https://scvs.owasp.org/bom-maturity-model/ as the taxonomy and map each spec to it. There’s an example profile that conveys NTIA minimum elements to the taxonomy. But in doing so, it is highly important to read each spec before mapping. Every conversion tool I’ve seen gets it wrong.
There are already differences between the various national guidelines. If I am creating an SBOM, I would not want to create a different SBOM to meet each of the different national guidelines; I would want to create a single SBOM which met ALL of the guidelines (a superset). However, as we have already seen, even meeting the NTIA guidelines is difficult, mainly due to interpretation of what the fields need to contain (in particular supplier). It would be really useful to ensure that the guidelines are harmonised to make it easier for software producers to conform with them, and also to provide guidance for the consumers of SBOMs to interpret the data within an SBOM. And for SBOM consumers, I would want to easily assert the quality of the SBOM, as the SBOM is likely to form part of a key decision-making process within an organisation. "Does the SBOM conform with national guideline X?" might be a useful starting point before harmonisation of guidance is established. Bear in mind that we need to be focusing on CONTENT and not FORMAT, and the work which @stevespringett references would be a good vehicle to adopt.
+1
During the meeting on 2024-03-12 a topic came up about how we could work together with other groups, especially government groups, to amplify what we are all doing. The notes from the meeting are below.
Amplifying SBOM Everywhere Guidance through CISA SBOM Workstreams
This SIG has some unique opportunities other SBOM focused groups do not as we are a truly neutral venue. We should take advantage of this status to further some SBOM related efforts that will help the entire industry.
A few examples that came up during the discussion:
There are certainly other things we could work on. Please add ideas or comments to this issue to track such efforts. We can split out specific work into issues as needed.