ossf / sbom-everywhere

Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption
Apache License 2.0

OSSF SBOM Everywhere SIG

Home of the OpenSSF SBOM Everywhere SIG. We're glad you're here!

Get Involved

Meeting times

Current Projects

SBOM Catalog

To provide a better overview of the available tooling and their capabilities, this group maintains an SBOM Catalog which can be found under the following link:

https://sbom-catalog.openssf.org/

If you want to get involved, please see the document here

TODO

More data needs to be added to the catalog

Establishing SBOM Best Practices for open source projects

The goal of this project is to understand what open source projects need to start publishing SBOMs

[Draft document](https://docs.google.com/document/d/15_FKO8D03VSYDTNsMQZtn1aRfgVmModF-NM6VBnlrZA/)

TODO

This document needs to be better defined to construct a plan to help open source projects

Best Practices for Naming and Directory Conventions for SBOMs (Software Bill of Materials) in Open Source Projects

This document describes where to put an SBOM to be distributed and how to name it. It currently has a very narrow scope.

TODO

It needs to be expanded to cover other use cases

[Reference document](https://github.com/ossf/sbom-everywhere/blob/main/reference/sbom_naming.md)

Motivation

Objective

The 3 overarching goals from the White House meeting

The goals for this group as defined in the mobilization plan

Scope

The mobilization plan defines the scope as: "By focusing on tools and advocacy, we can remove the barriers to generation, consumption, and overall adoption of SBOMs everywhere; we can improve the security posture of the entire open source ecosystem: producers, consumers, and maintainers."

Formatting Specifications

For the purposes of establishing ubiquity, and thereby sustainability for SBOM-related tooling and future consumption solutions, "supported" formats must be defined. At this time there are two supported formats in scope for this group: CycloneDX and SPDX.

Utilization of these specifications would likely be discretionary and interchangeable depending on the use case and SBOM type and the requirements of individual organizations and internal tooling.

This group's interpretation is:

The Federal Government exists at every point of the Software Delivery Lifecycle, hence their minimum requirements are good guides to establish a baseline scope.

Prior Work

NTIA

NTIA's legwork has been a guiding source having done the most comprehensive research to date.

CISA

OWASP SCVS

Governance

The CHARTER.md outlines the scope and governance of our group activities.