
Summary of Tool to Tool Software Bill of Materials first get together and next steps


The group that convened in Nashville, hosted by the Consortium for Information and Software Quality (CISQ), had a very productive 3 days.

It was very invigorating to find like-minded people who want to address software supply chain issues and see the potential of a standardized tool-to-tool Software Bill of Materials.

The slides we used to guide the meeting and the 4 presentations about how TUF, in-toto, Grafeas, and SPDX would integrate/leverage a standardized tool-to-tool SBOM can be found in the Google Drive for this effort.

Also included is the updated "Standardizing SBOM within the SW Development Tooling Ecosystem" whitepaper that captures the small changes and tweaks we made in the Usage Scenario descriptions during the meeting.

There are things in the whitepaper that I'll bring to the NTIA discussions as I have in the past.

As shown on slide 6 of the "CISQ SBOM Workshop Nashville 2019 days 1-3" slide deck, 12 people were able to join me in Nashville, including:

       • Bill Curtis (CISQ)
       • Philippe-Emmanuel Douziech (CAST)
       • Santiago Torres-Arias (in-toto/NYU)
       • David Nalley (BlackBerry - Apache Foundation)
       • William Cox (Black Duck by Synopsys)
       • Steve Lasker (Microsoft - Azure Container Registry)
       • Brian Russell (Google - CD Foundation)
       • Nitesh Bakliwal (Microsoft - Windows)
       • Kate Stewart (Linux Foundation)
       • William Bartholomew (GitHub)
       • Kay Williams (Microsoft - Azure - CD Foundation)
       • Gerald Heidenreich (Microsoft - Engineering System)

Several other people had attempted to be in Nashville but their schedules didn't allow it, including:

       • Brian Fox (Sonatype)
       • Michael Pittenger (Insignary)
       • Javier Perez (ClearSource/Veracode)
       • Art Manion (Software Engineering Institute)

Additionally, several other organizations have been reviewing the previous versions of the whitepaper and will be receiving updates on the ongoing efforts of this group. They include: Oracle, Snyk, WhiteSource, Checkmarx, Eclipse Foundation, JFrog, and Parasoft.

This message will hopefully provide context for the next steps discussed in Nashville for those of you who couldn't be there.

Next Steps from Nashville:

  ● Effort will be driven out of the Consortium for Information and Software Quality (https://www.it-cisq.org/), leveraging efforts to-date in the industry.

  ● Bill Curtis (CISQ) to create an SBOM Working Group Mailing List

  ● Weekly Meetings (Zoom meeting details after signature block)
    ○ Wednesdays 60 Minutes
       ■ Pacific 12 PM
       ■ Central 2 PM
       ■ East 3 PM
       ■ Paris 9 PM

Agenda for 10/2 Weekly Meeting
  ● Review draft model - Philippe-Emmanuel Douziech
  ● Review draft document - Bob Martin
  ● Review draft example scenarios - William Bartholomew

The discussions over the three days concluded with a consensus to work towards a submission to the next OMG member meeting, using a model-based description of the tool-to-tool SBOM elements and their relationships/constraints. This gives a platform-independent description that any tool able to understand XMI would be capable of supporting.

Developing libraries and utilities that hide the XMI from tool developers will also be a part of the strategy.

We will be using the field definitions from SPDX where we can as well as leveraging the work from others on this topic as we capture the details.

Philippe-Emmanuel Douziech is taking the lead on the UML model; William Bartholomew is drafting the example scenarios that will be used to explain how to leverage the elements of the SBOM for different environments and scenarios; and I will be crafting the draft document to hold all of the above as well as the RFC required form.

The OMG meeting is the week of December 9, which means the specification would need to be submitted 4 weeks earlier (11 Nov); this is a very aggressive schedule.

OMG meetings are quarterly so the next submission date would be 24 Feb (4 weeks before the 23 Mar OMG meeting).


Robert (Bob) Martin
Sr. Secure SW & Technology Principal Eng.
Trust & Assurance Cyber Technologies Dept
Cyber Solutions Technical Center
MITRE Corporation