sbom-everywhere's Introduction

OSSF SBOM Everywhere SIG

  • TODO: Add Description

Motivation

  • The initial motivation for forming the OSSF SBOM Everywhere SIG arose from OpenSSF's The Open Source Software Security Mobilization Plan. SBOM standardization and consensus within the open source community are integral to adopting universal constructs, which reveal themselves through exploring use cases beyond a compliance check box. [Executive Order]

Objective

Draft

The 3 overarching goals from the White House meeting

  • Securing OSS Production: focus on preventing security defects and vulnerabilities in code and open source packages in the first place
  • Improving Vulnerability Discovery & Remediation: improving the process for finding defects and fixing them
  • Shorten Ecosystem Patching Response Time: shorten the response time for distributing and implementing fixes.

The goals for this group as defined in the mobilization plan

  • The requirements needed to build use cases using SBOMs are clearly understood, documented and implemented in current SBOM specifications
  • There are “friction free” open source tools that generate SBOMs that meet these requirements
  • There is readily accessible education, awareness and implementation guidance and 3rd party support

Scope

Draft

The mobilization plan defines scope as: “By focusing on tools and advocacy, we can remove the barriers to generation, consumption, and overall adoption of SBOMs everywhere, we can improve the security posture of the entire open source ecosystem: producers, consumers, and maintainers.”

Formatting Specifications

To establish ubiquity and ensure the sustainability of SBOM-related tooling and of future consumption solutions, “supported” formats must be defined. At this time two supported formats are in scope for this group: CycloneDX and SPDX.

Use of these specifications would likely be discretionary and interchangeable, depending on the use case, the SBOM type, and the requirements of individual organizations and their internal tooling.

This group's interpretation is:

  • Use cases
  • Defining types of SBOMs
    • Source
    • Binary analysis
    • Build
    • Deploy Runtime
  • Generation
    • Formats - clearly define expectations
  • Consumption
    • How do we track and encourage the consumption of the artifacts
    • something about tools
  • Adoption (how do we encourage others to create and use SBOMs)
    • Something about producers, consumers, and maintainers
    • Where does the burden lie on accountability and enforcement?
    • something about tools
      • Tools are everywhere, what do we do with this?
    • something about advocacy
  • Attestation?
    • Not part of tooling, this needs to be a policy decision in these conversations, don't worry about the technical details (yet)
    • Where does this fit in? Producers, consumers, ???
    • https://github.com/in-toto/attestation
  • Compliance (regulated industry)

The Federal Government is present at every point of the software delivery lifecycle, so its minimum requirements are a good guide for establishing a baseline scope.
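As an added example (not part of this README or of the SIG's tooling), the check below takes a parsed CycloneDX or SPDX JSON document, the two formats the group supports, and reports which of the NTIA minimum elements (supplier, component name, version, unique identifiers, dependency relationship, SBOM author, timestamp) are absent, so that both formats are judged against the same baseline. The two sample SBOMs are constructed for illustration.

```python
"""Check a parsed CycloneDX or SPDX JSON SBOM for the NTIA minimum elements."""
DOC_FIELDS = ("author", "timestamp")
COMPONENT_FIELDS = ("supplier", "name", "version", "identifiers", "dependencies")

def normalize(doc):
    """Map either format onto one neutral shape so a single checker serves both."""
    if doc.get("bomFormat") == "CycloneDX":
        meta = doc.get("metadata", {})
        declared = {d["ref"] for d in doc.get("dependencies", [])}  # empty dependsOn still counts
        comps = [{"name": c.get("name"), "version": c.get("version"),
                  "supplier": (c.get("supplier") or {}).get("name"),
                  "identifiers": [v for v in (c.get("purl"), c.get("cpe")) if v],
                  "dependencies": c.get("bom-ref") in declared}
                 for c in doc.get("components", [])]
        return {"author": [a.get("name") for a in meta.get("authors", [])],
                "timestamp": meta.get("timestamp"), "components": comps}
    if "spdxVersion" in doc:
        info = doc.get("creationInfo", {})
        linked = {r[k] for r in doc.get("relationships", [])  # package named on either side
                  for k in ("spdxElementId", "relatedSpdxElement")}
        comps = [{"name": p.get("name"), "version": p.get("versionInfo"),
                  "supplier": p.get("supplier"),
                  "identifiers": [x["referenceLocator"] for x in p.get("externalRefs", [])],
                  "dependencies": p.get("SPDXID") in linked}
                 for p in doc.get("packages", [])]
        return {"author": info.get("creators"), "timestamp": info.get("created"),
                "components": comps}
    raise ValueError("not a CycloneDX or SPDX JSON document")

def missing_elements(doc):
    """List 'where: field' for every absent minimum element; an empty list means complete."""
    norm = normalize(doc)
    gaps = [f"document: {f}" for f in DOC_FIELDS if not norm[f]]
    for c in norm["components"]:
        gaps += [f"{c['name'] or '<unnamed>'}: {f}" for f in COMPONENT_FIELDS if not c[f]]
    return gaps

# Constructed samples, not real SBOMs: the CycloneDX one omits the timestamp and a supplier.
CDX_SAMPLE = {"bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"authors": [{"name": "build-pipeline"}]},
    "components": [{"bom-ref": "lp", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/[email protected]"}],
    "dependencies": [{"ref": "lp", "dependsOn": []}]}
SPDX_SAMPLE = {"spdxVersion": "SPDX-2.3",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example-gen"]},
    "packages": [{"SPDXID": "SPDXRef-Pkg", "name": "left-pad", "versionInfo": "1.3.0",
                  "supplier": "Organization: Example", "externalRefs": [{
                      "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                      "referenceLocator": "pkg:npm/[email protected]"}]}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-Pkg"}]}
```

Running `missing_elements` on a document produced by `json.load` gives a per-component gap list that can gate a build, which is the kind of "friction free" consumption check the goals above call for.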

Prior Work

NTIA

NTIA's legwork has been a guiding source, as it has done the most comprehensive research to date.

CISA

OWASP SCVS

Tickets related to BOM Maturity model:

Get Involved

Quick Start

  • Areas that need contributions
  • Build information if applicable
  • Where to file issues
  • Etc.

Meeting times

We are currently holding our meetings during the Security Tooling WG meeting. Look for the "Security Tooling Working Group" entry in the calendar.

Governance

The CHARTER.md outlines the scope and governance of our group activities.

  • TODO: Fill out charter

Members
