Open sjn opened 9 months ago
Ongoing work is happening in the sjn/supplychain-graph-1 branch
Oof, it seems NIST has published something on this topic: https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf
They don't take package ecosystems into account at all, apparently?
Same, when looking through some slides from an SBOM workshop at NIST, they also seem to have a lacking idea of what/who's involved in a supply-chain: https://docs.google.com/presentation/d/1OSNYKfSX0sj0ywE3t9_WPYAaCMJnV1ZUztAZwJXmZVI/edit#slide=id.g24f12fef34e_0_10 (…and later slides)
Seems to me the NIST documents simply specify different kinds of SBOM that could be implemented throughout the chain.
My understanding is that:
Hm. I'm unsure. If we assume the following graph is a reasonable simplification of the supply-chain (taking into account the "OSS Steward" role)...
```mermaid
stateDiagram-v2
    direction TB
    state "🟥🟨🟦 Maintainer Environment" as environment_maintainer
    state "🟩 Collaboration Ecosystem" as ecosystem_repo
    state "🟨🟩 Language Ecosystem" as ecosystem_lang
    state "🟨🟩 Package Ecosystem" as ecosystem_package
    state "🟥 Attestation Authority" as authority_attestation
    state "🟥🟨🟩🟦 OSS Steward" as ecosystem_steward
    state "🟥🟨 Integrator Environment" as environment_integrator
    state "🟥🟨🟦🟪 Manufacturer Environment" as environment_manufacturer
    state "🟦 Production Environment" as environment_prod
    state "🟦 Auditor" as authority_auditor

    [*] --> environment_maintainer
    ecosystem_repo --> environment_maintainer
    environment_maintainer --> ecosystem_repo
    environment_maintainer --> ecosystem_lang
    ecosystem_lang --> ecosystem_lang
    ecosystem_repo --> ecosystem_lang
    ecosystem_lang --> ecosystem_package
    ecosystem_repo --> ecosystem_package
    ecosystem_package --> ecosystem_package
    ecosystem_package --> ecosystem_steward
    ecosystem_lang --> ecosystem_steward
    authority_attestation --> ecosystem_steward
    ecosystem_repo --> environment_integrator
    ecosystem_lang --> environment_integrator
    ecosystem_package --> environment_integrator
    ecosystem_steward --> environment_manufacturer
    environment_integrator --> environment_prod
    environment_manufacturer --> environment_prod
    environment_prod --> authority_auditor
    environment_manufacturer --> authority_auditor
    authority_auditor --> [*]

    %% Copyright © 2024 Salve J. Nilsen <sjn@oslo.pm>
    %% Some rights reserved. Licenced CC-BY-SA-4.0
```
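As an added illustration (not code from this thread or its author), the following Python script encodes the edges of the diagram above and answers two questions a reviewer of this graph would ask: which parties sit upstream of the production environment, i.e. must be trusted by it transitively, and which of those never report to the auditor directly. Node names are the diagram's state ids; the graph edges are transcribed from the diagram, nothing else is assumed.

```python
from collections import deque

# Edges of the supply-chain graph in the diagram above, transcribed as
# (source, destination) pairs; the [*] start/end pseudo-states are omitted.
EDGES = [
    ("ecosystem_repo", "environment_maintainer"),
    ("environment_maintainer", "ecosystem_repo"),
    ("environment_maintainer", "ecosystem_lang"),
    ("ecosystem_lang", "ecosystem_lang"),
    ("ecosystem_repo", "ecosystem_lang"),
    ("ecosystem_lang", "ecosystem_package"),
    ("ecosystem_repo", "ecosystem_package"),
    ("ecosystem_package", "ecosystem_package"),
    ("ecosystem_package", "ecosystem_steward"),
    ("ecosystem_lang", "ecosystem_steward"),
    ("authority_attestation", "ecosystem_steward"),
    ("ecosystem_repo", "environment_integrator"),
    ("ecosystem_lang", "environment_integrator"),
    ("ecosystem_package", "environment_integrator"),
    ("ecosystem_steward", "environment_manufacturer"),
    ("environment_integrator", "environment_prod"),
    ("environment_manufacturer", "environment_prod"),
    ("environment_prod", "authority_auditor"),
    ("environment_manufacturer", "authority_auditor"),
]

def upstream(edges, target):
    """All parties with a path into `target`: everything it transitively trusts."""
    preds = {}
    for src, dst in edges:
        preds.setdefault(dst, set()).add(src)
    seen, queue = set(), deque([target])
    while queue:  # reverse breadth-first search; self-loops are skipped by the seen/target checks
        for p in preds.get(queue.popleft(), ()):
            if p not in seen and p != target:
                seen.add(p)
                queue.append(p)
    return seen

def audit_gap(edges, auditor="authority_auditor"):
    """Upstream parties whose output reaches the auditor only through intermediaries."""
    direct = {src for src, dst in edges if dst == auditor}
    return upstream(edges, auditor) - direct

if __name__ == "__main__":
    print("upstream of production:", sorted(upstream(EDGES, "environment_prod")))
    print("not reporting to the auditor directly:", sorted(audit_gap(EDGES)))
```

On this graph the auditor receives input only from the production and manufacturer environments, so the seven other parties (maintainer, the three ecosystems, steward, attestation authority and integrator) are visible to it only through whatever those two pass along.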
I'm thinking the following would make sense:
To get an idea of what an SBOM means in the CPAN ecosystem, put together a flowchart graph to illustrate the most important steps involved in the evolution of an SBOM document.