
SBOM Manipulation Tooling - 2023 Secure Open Source Software Summit Item #61

@idunbarh


During the 2023 OpenSSF Secure Open Source Software Summit, an action item was created to help open source and standardize simple SBOM manipulation tooling. A timetable was also proposed.

  • Requirements 4m (possible connection with EU)
    • Collect requirements on what this tooling should and should not do
  • Tooling survey/donation +4m
    • Several companies stated they were maintaining private tooling with this functionality
    • This is an opportunity to survey the community for private tooling and determine if entities can donate a project(s)
  • Consolidation +4m
    • Once the existing options are identified, let's consolidate these donated projects into a cohesive tool or tools
    • Create consistent documentation and examples
  • User education / adoption for these new capabilities.

To support the requirements phase, I started a Google doc.
