CBOM for “important” OSS projects working group

[maximilien]

A working group that could create and curate CBOM (cryptography bill of material) for “important” OSS projects.

Ideally the resulting CBOM and process to create and updating the CBOM would be submitted to the upstream project. This workgroup would help create these and eventually submit to upstream.

As a suggestion, If accepted by the TAC this group could create a CBOM subproject and start collecting the projects to tackle first and creating the CBOM on project releases to get started.

Please comment here on where the state of CBOM creation and tools are and whether this working group is warranted. If we have enough interest then I will bring it up to the next TAC.

[planetf1]

• liboqs has CBOM - they are crafted carefully based on the liboqs build process. A set of yaml files describes algorithms to be retrieved from upstream sources (such as PQclean), and the CBOM is then built using these definitions (basil?)
• At the end of last year I did some scans of a few open source projects with codeQL. At the time, though I did get info about cryptographic algorithms, it was a regular sarif output, not following SBOM schema - need to look into this.
• I'm expecting scanning to be very language & ci-process specific ie per project.
• To have a meaningfull CBOM at an application/system level, we also need the associated SBOM work to be done - for example the dependency chain. Even above hard dependencies, deployments may have specific additional 'dependencies' -- for example when using openssl, perhaps oqs-provider is installed. ... so we need to figure out the context/use cases around consuming the info

[planetf1]

There's lots of detail on the spec, and discussion about the importance, but unclear what tooling exists so far. A few links:

• OWASP Blog post (oct 23) - CycloneDX Cryptography Working Group (link to slack)
• CBOM capability (CycloneDX)
• cdxgen - Apache 2.0 licensed SBOM creation tool supporting many languages. CBOM support currently only covers Java
• cryptobom-forge - MIT licensed tool which parses CodeQL data to generate a 'CBOM' However output is in sarif format
• codeql - Blog post on introducing CBOM support in CodeQL - but see comment above. suspected sarif format

I think one of the challenges with CBOM is many libraries will contain both qs and non qs cryptographic algorithms so it will be hard (at least from a static analysis) to determine qs or not. However it will help to provide an initial list of where crypto is used for evaluation. run-time evaluation (resolved configuration, libraries/classes loaded, network traffic analysis etc) will be needed to ascertain what is actually in use.

To move forward with this we should understand what/if any activity is going on in the openssf community, as well as any spdx/cyclonedx workgroups

[planetf1]

Update from CycloneDX:

• Python support has just been added in cdxgen
• Blint - work is underway to add support for rust & C

[planetf1]

No CBOM specifically, but for SBOM (may be a delta for cbom)

• cyclonedx-rust-cargo

[planetf1]

Useful docs

• CycloneDX Authoritative guide
• Example BOM

[planetf1]

one popular open source component that can mitigate lack of PQC in other network components - ISTIO

• Project is now generating SPDX format SBOMs - initiative out of Test & Release working group
  • 2022 Presentation on istio bom
  • Latest release is 1.21.2
  • The 1.21.2 sbom refers to 252 'packages', though some are assemblies from others, and a lot are binaries (from the docker images)? One thing that seems absent is information about the go packages - needs more investigation in depth.
  • k8s sig has a bom generator which includes support for go dependency analysis - spdx format

[planetf1]

• SPDX Conversion tool (ie SPDX txt -> JSON) - ie open this with JSON Viewer.
• no CBOM content yet

[planetf1]

Discussed in PQCA meeting 20240605 - Q: Are there github actions that can generate sbom and/or cbom free (for open source), other than codeQL (open source only).

There do seem to be a number: https://www.google.com/search?q=github+action+sbom cc: @ryjones