[JFYI] BSI TR-03183-2 v2.0.0 was published

fvsamson commented 1 month ago

It might be of interest for you that BSI TR-03183-2 "SBOM" v2.0.0 was published along with community drafts of part 1 ("General Requirements") and part 3 ("Vulnerability Reports and Notifications"): https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html Short link URL: https://www.bsi.bund.de/dok/TR-03183-en

_{Side note: The corresponding links with German web page text; the documents are all in English (i.e., all the same).
https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html
Short link URL: https://www.bsi.bund.de/dok/TR-03183}

P.S.: Only loosely related, but maybe also worth reading is BSI's generic web page on CSAF and the BSI TR-03191 "CSAF".

Generic web page on CSAF: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Industrielle-Steuerungs-und-Automatisierungssysteme/CSAF/CSAF_node.html Short link URL: https://www.bsi.bund.de/dok/en_csaf
TR-03191: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03191/TR-03191_node.html Short link URL: https://www.bsi.bund.de/dok/TR-03191-en _{With German landing pages:} _{1. Generic web page on CSAF: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Industrielle-Steuerungs-und-Automatisierungssysteme/CSAF/CSAF_node.html} _{2. TR-03191: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03191/TR-03191_node.html
Short link URL: https://www.bsi.bund.de/dok/TR-03191}

HTH.

riteshnoronha commented 1 month ago

@fvsamson awesome will readup and update the tool accordingly

surendrapathak commented 1 month ago

@fvsamson Thanks for sharing!

riteshnoronha commented 1 month ago

@fvsamson https://github.com/interlynk-io/sbomqs/pull/331 this is my initial understanding of the V2.0 guideline. I have created the Compliance Doc, Once we finalize a few points, i can get this implemented.

viveksahu26 commented 2 days ago

In the Issue:

It describe the entire scope of the feature (BSI v2 implementation) and its breakdown into smaller tasks.
Checklist of tasks such as:
- [ ] Add command for BSI V2.
- [ ] Update existing SBOM fields (e.g., all which were in bsi:1.1.).
- [ ] Update existing component fields (e.g., all which were in bsi:1.1.).
- [ ] Implement new SBOM fields (e.g., e.g., vuln, signature, bomlinks.).
- [ ] Implement new components fields (e.g., e.g., filename, executable, structured, etc.).
- [ ] Add tests for the new features.
- [ ] Update documentation for BSI v2 compliance.

interlynk-io / sbomqs

[JFYI] BSI TR-03183-2 v2.0.0 was published #329

In the Issue: