Open robmoffat opened 2 weeks ago
Peter Smulovics / Morgan Stanley
Rob Moffat / FINOS
Mimi Flynn / Morgan Stanley
Brittany Istenes / FNMA
Second Tranche:
Issues:
Criteria:
Possible Solutions:
PS: No standard for where to get them from. It used to be that SBOMs were stored in the package; we don't do that anymore. Now we have services, so how do we trust those services?
MF: The Fed has a portal for this. Just for federal bodies.
PS: Much less about generation. We have tools for this. We're going to look specifically at storage, retrieval, tampering, modification. Maybe we can start a trend, right now it's a nightmare and there's no real solution.
MF: I think we should reach out to the SPDX working group and ask them about this.
PS: Morphir is currently the only project generating and trying to publish SBOMs. They publish to the Sonatype registry.
BW: We have interest in this. We're trying to keep track of this. I'd be interested in participating in this.
PS: We want to enable vendors to override SBOMs in a secure way, without changing the original package. This came out because of Log4J.
BW: So: vendor produces a package. They don't pin a dependency, it changes, then they need to produce a new version?
PS: A lot of companies have a dependency on Log4J, but they didn't generate their SBOMs properly. Opportunity to publish "errata" on SBOMs.
PS: We scanned our project and also received notification of the inclusion of Log4J. Both of these turned up errors in the SBOMs.
PS: Monkey patching also means that you end up with dependencies being included.
BW: Should we include SPDX and OpenChain? There should be prior art.
PS: Yes, we just want to standardise, rather than reinvent the wheel.
KX: Happy to share this idea internally if you come up with a one-pager.
RM: What does the solution look like?
PS: It could be one of the regulators maintaining this.
MF: It would need signing.
PS: EU and NA might have different content.
RM: Would MS ever want to override an SBOM?
PS: No, never. You might want to report an errata in the SBOM. Then you might have a system where there is a time limit. A faulty SBOM might be the same as a CVE, really. There might be a disclosure window.
RM: What if the company folded? Who would update the SBOM then?
PS: I think that should be the regulator then.
MF: It feels like with SBOMs you don't have an avenue to check that things are correct.
PS: We have cases where things have been monkey-patched and then not showing up in the SBOM. Or people generating the SBOM and then suppressing the dependency. Or people renaming a class to avoid it showing up.
MF: How was this uncovered?
PS: Microsoft have a tool called MDE which checks for the binary characteristics in memory. It's a heuristic detection tool.
RM: I think FossID does something like this: https://fossid.com
RM: Who's working on this?
PS: Dinesh is looking at it from MS. It started from looking at issues in SBOM generation (like MDE).
PS: A project could contain URLs and download random stuff from the internet. The code from those is not in your source code at all; it'll just be in memory.
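As an added illustration (not code from this issue, from FINOS, or from any project named in the notes), here is one shape the "signed errata" idea from the discussion could take, in Go. The original SBOM is never modified; a separate errata record lists the components the SBOM missed, is bound to the SHA-256 of the exact SBOM bytes it corrects (so it cannot be replayed against a different document), carries the time limit PS mentioned, and is signed with Ed25519 (MF's signing requirement). The SBOM and Errata structures, the function names, and the sample SBOM (constructed so that it omits log4j-core, mirroring the Log4J cases described) are all assumptions made for the example; none of this is an SPDX or CycloneDX feature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Component is a deliberately minimal CycloneDX-like entry (simplification for the example).
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// SBOM is the document published with the package. It is never rewritten.
type SBOM struct {
	Components []Component `json:"components"`
}

// Errata is a hypothetical correction record, bound to the SHA-256 of the exact
// SBOM bytes it corrects and limited to a validity window.
type Errata struct {
	SBOMDigest string      `json:"sbomDigest"`
	Add        []Component `json:"add"` // components the original SBOM missed
	Issued     time.Time   `json:"issued"`
	NotAfter   time.Time   `json:"notAfter"`
}

// SignedErrata carries an Ed25519 signature over json.Marshal(Errata), which is
// stable because encoding/json emits struct fields in declaration order.
type SignedErrata struct {
	Errata    Errata `json:"errata"`
	Signature []byte `json:"signature"`
}

// sampleSBOM is a constructed SBOM that omits log4j-core, the failure mode
// discussed above. It is not a real project's SBOM.
const sampleSBOM = `{"components":[{"name":"morphir-core","version":"1.0.0","purl":"pkg:maven/org.finos.morphir/morphir-core@1.0.0"}]}`

func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// digestSBOM identifies the SBOM by its bytes, so an errata cannot be replayed
// against a different document that shares a name or version.
func digestSBOM(raw []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(raw))
}

func signErrata(priv ed25519.PrivateKey, e Errata) SignedErrata {
	msg, _ := json.Marshal(e) // cannot fail for this struct type
	return SignedErrata{Errata: e, Signature: ed25519.Sign(priv, msg)}
}

// applyErrata returns a corrected view of the SBOM. Every check fails closed: wrong signer,
// tampered content, wrong target or an out-of-window errata all return an error.
func applyErrata(raw []byte, se SignedErrata, pub ed25519.PublicKey, now time.Time) (SBOM, error) {
	msg, _ := json.Marshal(se.Errata)
	if !ed25519.Verify(pub, msg, se.Signature) {
		return SBOM{}, errors.New("errata signature invalid or content tampered")
	}
	if se.Errata.SBOMDigest != digestSBOM(raw) {
		return SBOM{}, errors.New("errata does not target this SBOM")
	}
	if now.Before(se.Errata.Issued) || now.After(se.Errata.NotAfter) {
		return SBOM{}, errors.New("errata outside its validity window")
	}
	var bom SBOM
	if err := json.Unmarshal(raw, &bom); err != nil {
		return SBOM{}, err
	}
	seen := map[string]bool{}
	for _, c := range bom.Components {
		seen[c.PURL] = true
	}
	for _, c := range se.Errata.Add {
		if !seen[c.PURL] { // never duplicate a component the SBOM already lists
			bom.Components = append(bom.Components, c)
			seen[c.PURL] = true
		}
	}
	return bom, nil
}

func main() {
	pub, priv, _ := newKeyPair()
	raw, now := []byte(sampleSBOM), time.Now()
	se := signErrata(priv, Errata{SBOMDigest: digestSBOM(raw), Issued: now, NotAfter: now.Add(24 * time.Hour),
		Add: []Component{{Name: "log4j-core", Version: "2.14.1", PURL: "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}}})
	bom, err := applyErrata(raw, se, pub, now)
	fmt.Println(len(bom.Components), err) // 2 <nil>
	se.Errata.Add[0].Version = "2.17.0"   // a tampered errata must be rejected
	fmt.Println(applyErrata(raw, se, pub, now)) // {[]} errata signature invalid or content tampered
}
```

The consumer verifies with the errata publisher's public key; whose key that should be (the vendor's, or a regulator's once the company has folded) is exactly the governance question the notes leave open, so the code takes the key as an input rather than deciding it.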
Katrina Novakovic, Citi
Dr. Allan Friedman, Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency is the person I was referring to.
Time
10 AM ET, 3 PM GMT
Untracked attendees
Meeting notices
FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.
All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.
FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
Agenda
Decisions Made
Action Items