Update SBOM generation to meet new guidance from CISA

[sethmlarson]

Proposal:

CISA has published the third revision of SBOM guidance, which at the moment isn't approved but is headed towards final rounds of review. Currently our SBOMs met the old revision which is "Minimum Elements of an SBOM" published by NTIA.

The new guidance uses a "maturity level", ranging from minimum required to aspirational. Below I've used the "aspirational" maturity level for all the criteria.

I checked our SBOM documents against the document to see how much would be needed to follow this new set of guidance. It turns out, not too much! Here's the breakdown:

Elements that need more work:

• [ ] Author Name: We need to add an email address
• [ ] SBOM Type: We need to upgrade to SPDX 3 for this field
• [ ] Supplier Name: Need to double-check that these names conform. Also need to update where we add Heritage information.
• [ ] Unique Identifier: We're almost there, there's at least one project we should request a CPE for.
• [ ] Heritage: We don't encode this information today. Some of our components are slightly modified from upstream dependency, should be automatable.
• [ ] Relationship Completeness
• [ ] License
• [ ] Copyright Notice

Elements we already conform with:

• Timestamp
• Primary Component
• Component Name
• Component Version
• Cryptographic Hashes
• Relationships
• Redacted and Unknown Components and Attributes

Has this already been discussed elsewhere?

This is a minor feature, which does not need previous discussion elsewhere

Links to previous discussion of this feature:

No response

[sethmlarson]

CISA has published the guidance and at first glance doesn't appear that the draft and the final revision differ in terms of what we need to do: https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024