zAppBuild to generate SBOM as part of the build

[suman-gopinath]

As part of the US national cybersecurity executive order, there are certain security practices that organizations need to enforce. One such is the Software Bill of Materials (SBOM) as detailed in section (j) https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

What are the SBOM Minimum Requirements?

There are three key areas of requirements that software

1. Data Fields Component Definition: Unit of software that "Can be uniquely identified as a freestanding, trackable unit of software".
   Examples – a software product, a device, a library, a single file

   Actual fields required Supplier Name - The name of an entity that creates, defines, and identifies components. Component name - Designation assigned to a unit of software assigned by the original supplier. Version of the Component - Identifier used by the supplier to specify a change in software from a previously identified version. Other unique identifiers - Other identifiers that are used to identify a component or act as a look-up key for relevant databases. Dependency Relationship - Characterizing a relationship with an upstream component X is included in software Y. Author of the SBOM Data - The name of the entity that creates the SBOM data for this component Timestamp - Record of the date and time of the SBOM Assembly.

2. Automation Support Ability to create a machine-readable hierarchical representation of contents of the product/offering in CycloneDX

3. Practices and Processes Be transparent when there are unknowns. Identify and label missing information. Document dependencies showing primary components and identify their transitive dependencies Initially, one level deep with an expectation that further levels will be useful and may be requested in the future

Full Details:https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom 

https://ntia.gov/sites/default/files/publications/sbom_at_a_glance_apr2021_0.pdf https://ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf https://cyclonedx.org/guides/sbom/generation/

SBOM

[M-DLB]

Thanks @suman-gopinath - I've found this document that describes the CycloneDX JSON format: https://cyclonedx.org/docs/1.5/json/#metadata_component It's probably easier to start with this format first.

[suman-gopinath]

Assumptions: 1) Use CycloneDX format 2) Generated on every build (maybe with a flag)

First draft of fields for CycloneDX https://cyclonedx.org/specification/overview/ CycloneDX

• bomFormat - preset [CycloneDX]
• specVersion - preset [CycloneDX version]
• serialNumber - generated/modified (Every BOM generated SHOULD have a unique serial number. Must match regular expression: ^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$ )
• version - generated/modified (Default ‘1’ as serialNumber will be unique)
• metadata
  • timestamp:
  • lifecycles:
    • phase: build/post-build
    • authors: primarily for manually created SBOMs ?
    • component(what the BOM describes):
      • type: application/framework/library/data
      • name:
      • version:
• components: (each output of the build)
  • type: application/framework/library/data
  • name:
  • version: (git hash, if copybook is from a PDS, maybe PDS Name?)
• services: <A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services.Brainstorm - what can this be for mainframe>
  • name:
• externalReferences ”External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.” Can this be NA?
• dependencies:
  • ref
  • dependsOn Can the remaining be defaulted/ignored for mainframe
• compositions: “Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described”
  • aggregate: Default: "not_specified" - Maybe this is where includes and copybooks go in??
• vulnerabilities: “Ignore for most z/OS apps. Might be applicable for java”
• annotations:
• formulation:
• properties:
• signature

[dennis-behm]

Please see the implementation of this feature as part of the packaging step: https://github.com/IBM/dbb/pull/240