open-telemetry / sig-security


Enabling SBOM across repositories #33

Open codeboten opened 7 months ago

codeboten commented 7 months ago

This issue is to capture discussions happening in various SIGs around creating a software bill of materials.

codeboten commented 7 months ago

https://github.com/open-telemetry/opentelemetry-java/pull/5948

ocelotl commented 7 months ago

There seem to be at least 3 SBOM formats. We probably should decide on which one we want to use first.

mlieberman85 commented 7 months ago

SWIDs claim to be an SBOM format but are more of an identifier format, but also not really a great solution there. Realistically the decision really is between SPDX and CycloneDX, though they are mostly interchangeable unless you have a very specific use case. My perspective comes from CNCF TAG Security, work with OpenSSF and work with the SPDX community.

If folks are interested I can pull in experts to discuss with your community.

ocelotl commented 7 months ago

Just for the record, I used syft and cyclonedx-py to generate SBOMs for the OTel Python opentelemetry-sdk package in SPDX and CycloneDX formats.

ocelotl commented 7 months ago

> SWIDs claim to be an SBOM format but are more of an identifier format, but also not really a great solution there. Realistically the decision really is between SPDX and CycloneDX, though they are mostly interchangeable unless you have a very specific use case. My perspective comes from CNCF TAG Security, work with OpenSSF and work with the SPDX community.
>
> If folks are interested I can pull in experts to discuss with your community.

I am interested :v:, what is the use case you mention above, @mlieberman85?

codeboten commented 7 months ago

> If folks are interested I can pull in experts to discuss with your community.

This would be great @mlieberman85!

mlieberman85 commented 7 months ago

> SWIDs claim to be an SBOM format but are more of an identifier format, but also not really a great solution there. Realistically the decision really is between SPDX and CycloneDX, though they are mostly interchangeable unless you have a very specific use case. My perspective comes from CNCF TAG Security, work with OpenSSF and work with the SPDX community. If folks are interested I can pull in experts to discuss with your community.

> I am interested ✌️, what is the use case you mention above, @mlieberman85?

So the use cases where they're not right now are mostly focused on specific fields that might be in one but not the other. For example there's AI/ML model specific bill of materials fields in CycloneDX released already, and a similar SPDX feature is still being developed.

Let me reach out to some of the folks in the community and tag them in this thread.
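As an added example (not code from the OpenTelemetry project or from anyone in this thread): a small Python normalizer that reads the component list out of both a CycloneDX JSON and an SPDX JSON document and reports which per-component fields do not carry across, the kind of check a SIG could run over syft or cyclonedx-py output before settling on a format. The two SBOMs, their package versions and license values are constructed for illustration and are not real tool output.

```python
import json
# Constructed, minimal SBOMs for opentelemetry-sdk, shaped like tool output.
CYCLONEDX_DOC = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "opentelemetry-sdk", "version": "1.20.0",
     "purl": "pkg:pypi/opentelemetry-sdk@1.20.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "typing-extensions", "version": "4.8.0",
     "purl": "pkg:pypi/typing-extensions@4.8.0"}]})

SPDX_DOC = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": [
    {"SPDXID": "SPDXRef-Package-1", "name": "opentelemetry-sdk", "versionInfo": "1.20.0",
     "licenseConcluded": "Apache-2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/opentelemetry-sdk@1.20.0"}]},
    # Second package carries no purl: a field the CycloneDX side does have.
    {"SPDXID": "SPDXRef-Package-2", "name": "typing-extensions", "versionInfo": "4.8.0",
     "licenseConcluded": "NOASSERTION"}]})

def normalize(sbom_json):
    """Map either format to {name: {version, purl, license}}; None means absent."""
    doc = json.loads(sbom_json)
    comps = {}
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            lic = (c.get("licenses") or [{}])[0].get("license", {}).get("id")
            comps[c["name"]] = {"version": c.get("version"),
                                "purl": c.get("purl"), "license": lic}
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            lic = p.get("licenseConcluded")  # SPDX spells "unknown" as NOASSERTION
            comps[p["name"]] = {"version": p.get("versionInfo"), "purl": purl,
                                "license": None if lic == "NOASSERTION" else lic}
    else:
        raise ValueError("unrecognised SBOM format")
    return comps

def compare(a_json, b_json):
    """Sorted (component, field) pairs where the two SBOMs disagree."""
    a, b = normalize(a_json), normalize(b_json)
    gaps = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            gaps.append((name, "missing"))
        else:
            gaps.extend((name, f) for f in ("version", "purl", "license")
                        if a[name][f] != b[name][f])
    return gaps
```

Run `compare(CYCLONEDX_DOC, SPDX_DOC)` to see that only the purl of `typing-extensions` fails to round-trip between the two constructed documents.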

mlieberman85 commented 7 months ago

Adding @puerco who is an expert in the community.

puerco commented 7 months ago

Hello, happy to help out! Do you have a tracker of projects that need to build their SBOMs?