OpenChain-Project / Security-Assurance-Specification


[Improvement] Adjust SBOM definition to align with Licensing Spec 3.0 #31

Closed shanecoughlan closed 1 year ago

shanecoughlan commented 1 year ago

Align with Licensing Spec 3.0:

Changed SPDX definition to Software Bill of Materials definition citing SPDX as per OpenChain Monthly North America and Europe Call - 2023-06-06 and #35: https://github.com/OpenChain-Project/License-Compliance-Specification/issues/35

shanecoughlan commented 1 year ago

Change would be from:

2.14 - Software Bill of Materials (SBOM)

Information in a structured format such as SPDX ISO/IEC 5962:2021 that allows the exchange of information for a software package, which could usefully include name, version, origin, license, copyright and Known Vulnerabilities in a manner useful to third parties.

to

2.14 - software bill of materials (SBOM)

a “Software Bill of Materials” (SBOM) is a complete inventory for software, a list of ingredients that make up software components. An example is the specification created by the Linux Foundation's SPDX (Software Package Data Exchange) Working Group for exchanging bill of materials for a given software package, including associated license and copyright information (see spdx.org).

shanecoughlan commented 1 year ago

a “Software Bill of Materials” (SBOM) is a complete inventory for software, a list of ingredients that make up software components. An example is the specification created by the Linux Foundation's SPDX (Software Package Data Exchange) Working Group for exchanging bill of materials for a given software package, including associated license and copyright information (see spdx.org).

== Outcome of call 2023-06-20 ==

Use the above text to align with the licensing spec BUT with comments and a suggestion for improvement of both specs on the next call.

== Concern flagged ==

Fukuchi San raised the point that complete != SPDX, or to be accurate there are now profiles and choices in SBOM specs like SPDX, so complete could imply things like ALL profiles are necessary.

The word complete also seems to be moving from what into how.

== Idea flagged ==

It was suggested to expand the SPDX example to point out a minimum viable product approach via SPDX Lite:

"An example is the specification created by the Linux Foundation's SPDX (Software Package Data Exchange) Working Group for exchanging bill of materials for a given software package, including associated license and copyright information (see spdx.org). This includes various options for different use-cases or minimal SBOMs through the SPDX Lite profile."

== Idea flagged ==

It was suggested by Singing and SZ to take something from our previous definition to help explain actual expectations for parties completely unfamiliar with SBOM:

"Regardless of the SBOM specification used, it could usefully include name, version, origin, license, copyright and Known Vulnerabilities in a manner useful to third parties."

== Idea flagged ==

It was suggested to simplify the sentence referencing SPDX to avoid duplication with the following sentence examples:

"a “Software Bill of Materials” (SBOM) is an inventory for software, a list of ingredients that make up software components. An example is the (Software Package Data Exchange) SPDX specification created by the Linux Foundation's SPDX Project to exchange bill of materials for a given software package (see spdx.org). This includes various options for different use-cases or minimal SBOMs through the SPDX Lite profile. Regardless of the SBOM specification used, it could usefully include name, version, origin, license, copyright and Known Vulnerabilities in a manner useful to third parties."

== Conclusion and Proposal ==

Both specs should align with:

"a “Software Bill of Materials” (SBOM) is an inventory for software, a list of ingredients that make up software components. An example is the (Software Package Data Exchange) SPDX specification created by the Linux Foundation's SPDX Project to exchange bill of materials for a given software package (see spdx.org). This includes various options for different use-cases or minimal SBOMs through the SPDX Lite profile. Regardless of the SBOM specification used, it could usefully include name, version, origin, license, copyright and Known Vulnerabilities in a manner useful to third parties."

Decision pending next call.

shanecoughlan commented 1 year ago

As per our call 2023-07-11 we will align with this definition on both, and open a new issue to discuss WHAT is a quality or complete SBOM for licensing or security use cases.

==

a “Software Bill of Materials” (SBOM) is an inventory for software, a list of ingredients that make up software components. An example is the (Software Package Data Exchange) SPDX specification created by the Linux Foundation's SPDX Project to exchange bill of materials for a given software package (see spdx.org). Regardless of the SBOM specification used, it should follow a complete profile for the intended use case.

shanecoughlan commented 1 year ago

Here is the relevant new issue: https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/32