ossf / tac

Technical Advisory Council
https://openssf.org

OSSF process for vulnerability incident response #307

Closed sevansdell closed 1 month ago

sevansdell commented 2 months ago

During the xz util vulnerability response, OSSF staff asked TAC if each OSSF project had an SBOM to use to analyze to see if any OSSF projects were vulnerable. I think this is a very relevant question. I have started https://github.com/ossf/tac/issues/306 to start driving towards this best practice to create and maintain inventories for OSSF projects for any downstream consumer to use, one of which could be OSSF.

I would like to have a follow-up conversation between the TAC and OSSF staff for future incidents, if this incident response is a capability the OSSF should stand up, who should own and maintain the process, to include how the TAC can help support by asking projects to capture those inventories in an SBOM that could be leveraged by an OSSF program for consumption and analysis.

If so, in the OSSF vuln response program, each SBOM could be consumed as an inventory into a centralized dependency location, such as an OSSF instance of GUAC, to analyze if any OSSF projects had the xz util CVE. This would empower OSSF staff to provide a coordinated response on behalf of OSSF stating any impact to OSSF.

Perhaps also this could be added to GUAC PoC https://github.com/ossf/tac/issues/266 to demonstrate the connection between upstream OSS SBOMs and a downstream end user consuming the inventory to wrap a process around the inventory to identify vulnerabilities when they occur over time.
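An added example (not code from the issue, nor from OSSF or GUAC) of the centralized-inventory check described above: several constructed CycloneDX-style SBOMs for hypothetical projects are loaded into one inventory and queried against a constructed advisory record, the way an OSSF instance of GUAC would be asked which projects carry an affected xz component. All project names, SBOM contents and affected versions are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOMs for hypothetical projects (not real OSSF SBOMs).
SBOMS = {
    "project-a": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "xz", "version": "5.6.1", "purl": "pkg:generic/xz@5.6.1"},
        {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"}]}),
    "project-b": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "xz", "version": "5.4.6", "purl": "pkg:generic/xz@5.4.6"}]}),
    "project-c": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "liblzma", "version": "5.6.0", "purl": "pkg:deb/debian/liblzma5@5.6.0"},
        {"name": "requests", "purl": "pkg:pypi/requests@2.31.0"}]}),  # no version field
}

# Constructed advisory record: package names mapped to exact affected versions.
ADVISORY = {"id": "EXAMPLE-ADVISORY",
            "affected": {"xz": {"5.6.0", "5.6.1"}, "liblzma": {"5.6.0", "5.6.1"}}}

def component_version(comp):
    """Prefer the explicit version; fall back to the '@version' suffix of the purl."""
    if comp.get("version"):
        return comp["version"]
    purl = comp.get("purl", "")
    return purl.rsplit("@", 1)[1] if "@" in purl else None

def build_inventory(sboms):
    """Central inventory: package name -> list of (project, version)."""
    inventory = defaultdict(list)
    for project, raw in sboms.items():
        bom = json.loads(raw)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError(f"{project}: unsupported SBOM format")
        for comp in bom.get("components", []):
            inventory[comp["name"].lower()].append((project, component_version(comp)))
    return inventory

def impacted_projects(inventory, advisory):
    """Return {project: [(package, version), ...]} for components matching the advisory."""
    hits = defaultdict(list)
    for pkg, bad_versions in advisory["affected"].items():
        for project, version in inventory.get(pkg.lower(), []):
            # An unknown version cannot be cleared, so it is flagged for manual review.
            if version is None or version in bad_versions:
                hits[project].append((pkg, version))
    return dict(hits)

if __name__ == "__main__":
    print(impacted_projects(build_inventory(SBOMS), ADVISORY))
```

Matching here is by exact version string; a production inventory would compare against the advisory's version ranges and resolve names through purls rather than bare component names.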

sevansdell commented 1 month ago

Closing due to lack of progress. This could be reopened if someone has time to write it up.