OpenChain-Project / Reference-Material

This repository contains the reference material related to the OpenChain Project

Question: Is there an official standard document template for the main cases mentioned below, for sharing an SBOM from one legal entity to another? #6

Open dineshr93 opened 3 years ago

dineshr93 commented 3 years ago

Hi Shane & others

Generally there are two documents required to share an SBOM containing OSS IP details, covering two overall cases.

Case 1: a DOCX or PDF OSS report to be shared along with our direct product or services.

Case 2: an Excel or other format to share OSS details among Tier n's (Tier 1, Tier 2, etc. and the OEM) so that the OEM can collate them and use the document from Case 1.

I searched here but am not sure where to get them. (Tracing a doc is a little tough.)

Can you please help me?

Thanks

zesoup commented 3 years ago

Hey Dinesh,

could you go into more detail? Are you referring to a template that enables exchange of the SBOM across legal entities, e.g. concerning confidentiality, or are you looking for standard ways to express your SBOM and maybe additional information? A valid SPDX document in a recent version would be the go-to answer for the exchange format and data fields. In regards to additional explanatory full-text files, I believe there is no template available.

kind regards

dineshr93 commented 3 years ago

Hi @zesoup

Thanks. Case 1 is about OSS disclosure. Each firm has its own format, for example: https://www.logmein.com/legal/open-source-disclosure and https://www.blackridge.us/legal/open-source-disclosure, and we have our own way of expressing it.

Now the question is: should there be a standard format for this?

For case 2: not many in the supply chain are using SPDX. Each receiver (OEMs and Tiers) requests different data in a different Excel format. Should the entities adhering to the OpenChain standard be asked to follow the same format of exchange (SPDX, Excel, etc.) so that there is at least some harmony in data exchange?

The current scenario is different OEMs requesting OSS data in different formats, for them to collate into one single disclosure document as in case 1.

zvr commented 3 years ago

One standard format for exchanging this information is called SPDX (Software Package Data Exchange), soon to be ISO 5962. You can find lots of info at https://spdx.dev/.

The format specifies the data that should be included. It also specifies various serializations for this information (JSON, XML, tag-value text, etc.). We have not defined a .docx or .pdf template, although a spreadsheet was one of the accepted formats. The better use comes from the SBOM (Software Bill of Materials) being in a machine-readable format that can be processed automatically.

zesoup commented 3 years ago

For case 2, OpenChain mentions SPDX as a/the valid option but makes no attempt to dictate this standard. We've talked about this in the specification meetings a few times. Dictating a standard for SBOMs and compliance artifacts comes with drawbacks, so we shouldn't do it lightly. I am completely on your side that most supply chains are not prepared for SPDX or any other standard, for that matter. In my experience the problem is not "which (S)BOM standard to choose from" but rather implementing and being willing to adhere to a standard in the first place.

One missing standard in regards to compliance artifacts that comes to mind would be the Notice file(s). These come in a wide variety, and although everyone seems to be on the same page content-wise, I believe there is no "official" template for those, which might help.

kneep commented 3 years ago

AFAIK, there is no standard. SPDX is one option but seems not that human-friendly. In my opinion, SPDX is more like a format that is supposed to be used as a source from which to convert to a more human-readable doc. And I quite agree with @zesoup that the most important thing is delivering these compliance files first, not what these files look like. I'd rather talk about a specific format standard when the whole industry reaches a relatively high maturity.

But there are some essential elements that a NOTICE file should have, such as component name, component version, copyright holder(s) and the full text of the identified licenses. Finding out the copyright holders of a component is not an easy job. I saw many NOTICE files omit this part. The layout of the file could be very flexible.
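The two preceding comments describe the pipeline in words: a machine-readable SPDX document as the source, and a human-readable NOTICE file derived from it that must carry component name, version, copyright holder(s) and full license text. The script below is an added example (not code from the OpenChain project or from anyone in this thread) that does exactly that for a small SPDX 2.2 tag-value document. The SBOM, the package names `libalpha`/`libbeta`, the `example.invalid` URLs and the NOTICE layout are all constructed for illustration; the second package deliberately reports its copyright as `NOASSERTION`, the omission kneep describes, so that the gap check has something to flag.

```python
"""Parse a minimal SPDX 2.2 tag-value SBOM, check each package for the elements
a NOTICE file needs (name, version, license text, copyright), render a NOTICE.
Added example: the SBOM and package names below are constructed, not real."""
import re

SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-product-sbom
DocumentNamespace: https://example.invalid/spdxdocs/example-product-sbom
Creator: Organization: Example Supplier
Created: 2021-06-01T00:00:00Z

PackageName: libalpha
SPDXID: SPDXRef-Package-libalpha
PackageVersion: 1.4.2
PackageDownloadLocation: https://example.invalid/libalpha-1.4.2.tar.gz
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: <text>Copyright (c) 2019 Example Author
Copyright (c) 2020 Another Contributor</text>

PackageName: libbeta
SPDXID: SPDXRef-Package-libbeta
PackageVersion: 0.9.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_tag_value(text):
    """Return (document_fields, [package_fields, ...]). A PackageName tag opens a
    new package; <text>...</text> values may span lines. (A complete parser
    would also split sections on FileName and SnippetSPDXID.)"""
    doc, packages, current = {}, [], None
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = TAG_RE.match(lines[i])
        i += 1
        if not m:                          # blank line or comment
            continue
        tag, value = m.groups()
        if value.startswith("<text>"):
            buf = [value[len("<text>"):]]
            while not buf[-1].endswith("</text>"):
                buf.append(lines[i])       # IndexError if <text> never closes
                i += 1
            value = "\n".join(buf)[:-len("</text>")]
        if tag == "PackageName":
            current = {}
            packages.append(current)
        (doc if current is None else current)[tag] = value
    return doc, packages


# SPDX tag -> NOTICE element; NOASSERTION or blank means the supplier did not say.
NOTICE_FIELDS = {"PackageName": "component name", "PackageVersion": "component version",
                 "PackageLicenseConcluded": "license", "PackageCopyrightText": "copyright holder(s)"}
UNKNOWN = {"", "NOASSERTION"}


def notice_gaps(packages, license_texts):
    """Map each package SPDXID to the NOTICE elements it cannot supply.
    license_texts: SPDX license id -> full text the supplier ships with the NOTICE."""
    gaps = {}
    for pkg in packages:
        missing = [label for tag, label in NOTICE_FIELDS.items()
                   if pkg.get(tag, "").strip() in UNKNOWN]
        lic = pkg.get("PackageLicenseConcluded", "").strip()
        if lic not in UNKNOWN and lic not in license_texts:
            missing.append(f"full text of {lic}")
        if missing:
            gaps[pkg.get("SPDXID", pkg["PackageName"])] = missing
    return gaps


def render_notice(doc, packages, license_texts):
    """Plain-text NOTICE: one entry per package, then each license's full text once."""
    out = [f"Third-party notices for {doc.get('DocumentName', 'this product')}", ""]
    licenses = []
    for pkg in packages:
        lic = pkg.get("PackageLicenseConcluded", "NOASSERTION")
        out += [f"{pkg['PackageName']} {pkg.get('PackageVersion', '')}".rstrip(),
                f"  License: {lic}",
                "  " + pkg.get("PackageCopyrightText", "NOASSERTION").replace("\n", "\n  "), ""]
        if lic not in licenses:
            licenses.append(lic)
    for lic in licenses:
        out += [f"---- {lic} ----", license_texts.get(lic, "[license text missing]"), ""]
    return "\n".join(out)
```

Run `doc, pkgs = parse_tag_value(SAMPLE_SPDX)` and then `notice_gaps(pkgs, {"MIT": mit_text})`: `libalpha` passes, while `libbeta` is reported as lacking its copyright holder(s) and the full text of BSD-3-Clause, which is the kind of check a receiving OEM would want to run before collating supplier SBOMs into one disclosure. `render_notice` then produces the human-readable document from the same data, so the NOTICE never drifts from the SBOM it was generated from.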

shanecoughlan commented 3 years ago

Hi Dinesh!

We actually have a solution in the market that sounds like it suits your use case of, basically, an Excel software bill of materials. It is called "SPDX Lite" and it is an optional component of SPDX 2.2. It was created by Japanese companies like Hitachi, Toshiba and Fujitsu for precisely the use case you mention.

You can read about it here: https://spdx.github.io/spdx-spec/appendix-VIII-SPDX-Lite/

It is very short, compact and effective for human readability.

Regards

Shane
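Since SPDX Lite is meant to be filled in as a spreadsheet, the practical step that follows Shane's pointer is turning such a sheet back into a real SPDX document that tooling can consume. The converter below is an added example (not code from the SPDX or OpenChain projects) that takes a CSV export with SPDX field names as column headers, one package per row, and emits SPDX 2.2 tag-value text. The sample rows, the `example.invalid` URLs and the package names are constructed; the `LITE_PACKAGE_FIELDS` list is my reading of the SPDX Lite package fields and should be checked against the appendix Shane links, and the `DESCRIBES` relationships are added here to tie the packages to the document rather than being something SPDX Lite itself calls for.

```python
"""Convert an SPDX Lite style spreadsheet (one package per row, SPDX field
names as column headers) into an SPDX 2.2 tag-value document.
Added example; the rows are constructed and the column set below is an
assumed reading of the SPDX Lite package fields, to be checked against the spec."""
import csv
import io
import re

# Constructed spreadsheet export. A quoted cell may contain line breaks.
SAMPLE_CSV = '''PackageName,PackageVersion,PackageFileName,PackageSupplier,PackageDownloadLocation,PackageHomePage,PackageLicenseConcluded,PackageLicenseDeclared,PackageCopyrightText,PackageComment
libalpha,1.4.2,libalpha-1.4.2.tar.gz,Organization: Alpha Org,https://example.invalid/libalpha-1.4.2.tar.gz,https://example.invalid/libalpha,MIT,MIT,"Copyright (c) 2019 Example Author
Copyright (c) 2020 Another Contributor",Used unmodified
lib beta,0.9.0,,NOASSERTION,NOASSERTION,NOASSERTION,BSD-3-Clause,NOASSERTION,NOASSERTION,
'''

# Package columns expected in the sheet (assumed SPDX Lite set; verify against the appendix).
LITE_PACKAGE_FIELDS = ["PackageName", "PackageVersion", "PackageFileName",
                       "PackageSupplier", "PackageDownloadLocation", "PackageHomePage",
                       "PackageLicenseConcluded", "PackageLicenseDeclared",
                       "PackageCopyrightText", "PackageComment"]
# Fields SPDX 2.2 core treats as optional: an empty cell is simply omitted.
# The remaining ones are mandatory and get NOASSERTION when the cell is empty.
OPTIONAL = {"PackageVersion", "PackageFileName", "PackageSupplier", "PackageHomePage", "PackageComment"}


def spdx_id(name):
    """SPDX identifiers allow only letters, digits, '.' and '-'."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def tag(name, value):
    """Format one tag-value line; free text goes inside <text>...</text>."""
    value = value.strip() or "NOASSERTION"
    if value in ("NOASSERTION", "NONE") or not (
            "\n" in value or name in ("PackageCopyrightText", "PackageComment")):
        return f"{name}: {value}"
    return f"{name}: <text>{value}</text>"


def rows_to_spdx(rows, doc_name, namespace, creator, created):
    """Return a tag-value SPDX document describing every row as a package."""
    ids = [spdx_id(r["PackageName"]) for r in rows]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate package identifiers after sanitising names")
    out = ["SPDXVersion: SPDX-2.2", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
           f"DocumentName: {doc_name}", f"DocumentNamespace: {namespace}",
           f"Creator: {creator}", f"Created: {created}"]
    out += [f"Relationship: SPDXRef-DOCUMENT DESCRIBES {i}" for i in ids]
    for row, pid in zip(rows, ids):
        out += ["", tag("PackageName", row["PackageName"]), f"SPDXID: {pid}",
                "FilesAnalyzed: false"]          # a Lite SBOM carries no per-file data
        for field in LITE_PACKAGE_FIELDS[1:]:
            value = row.get(field, "").strip()
            if not value and field in OPTIONAL:
                continue
            out.append(tag(field, value))
    return "\n".join(out) + "\n"


def csv_to_spdx(csv_text, **doc_fields):
    """Parse the sheet, refuse one with missing columns, and convert it."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    missing = [f for f in LITE_PACKAGE_FIELDS if rows and f not in rows[0]]
    if missing:
        raise ValueError(f"spreadsheet lacks columns: {missing}")
    return rows_to_spdx(rows, **doc_fields)


if __name__ == "__main__":
    print(csv_to_spdx(SAMPLE_CSV, doc_name="example-product-sbom",
                      namespace="https://example.invalid/spdxdocs/example-product-sbom",
                      creator="Organization: Example Supplier", created="2021-06-01T00:00:00Z"))
```

Two details matter when supplier sheets are merged by an OEM: names are sanitised into valid `SPDXRef-` identifiers (so "lib beta" becomes `SPDXRef-Package-lib-beta`) and a collision after sanitising is rejected rather than silently producing two packages with one ID, and a sheet missing any expected column is refused up front instead of yielding a document with half its fields absent.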