Summary of Tool to Tool Software Bill of Materials first get together and next steps
- To: firstname.lastname@example.org
- Subject: Summary of Tool to Tool Software Bill of Materials first get together and next steps
- From: "Martin, Robert A." <email@example.com>
- Date: Wed, 9 Oct 2019 18:21:48 -0400
- Organization: MITRE

The group that convened in Nashville, hosted by the Consortium for
Information and Software Quality (CISQ), had a very productive 3 days.
It was very invigorating to find like-minded people who want to address
software supply chain issues and see the potential of a standardized
tool-to-tool Software Bill of Materials.

The slides we used to guide the meeting and the 4 presentations about
how TUF, in-toto, Grafeas, and SPDX would integrate/leverage a
standardized tool-to-tool SBOM can be found in the Google Drive for this

Also included is the updated "Standardizing SBOM within the SW
Development Tooling Ecosystem" whitepaper that captures the small
changes and tweaks we made in the Usage Scenario descriptions during the

There are things in the whitepaper that I'll bring to the NTIA
discussions as I have in the past.

As shown on slide 6 of the "CISQ SBOM Workshop Nashville 2019 days 1-3"
slide deck, 12 people were able to join me in Nashville, including:
• Bill Curtis (CISQ)
• Philippe-Emmanuel Douziech (CAST)
• Santiago Torres-Arias (in-toto/NYU)
• David Nalley (BlackBerry - Apache Foundation)
• William Cox (Black Duck by Synopsys)
• Steve Lasker (Microsoft - Azure Container Registry)
• Brian Russell (Google - CD Foundation)
• Nitesh Bakliwal (Microsoft - Windows)
• Kate Stewart (Linux Foundation)
• William Bartholomew (GitHub)
• Kay Williams (Microsoft - Azure - CD Foundation)
• Gerald Heidenreich (Microsoft - Engineering System)

Several other people had attempted to be in Nashville but their
schedules didn't allow it, including:
• Brian Fox (Sonatype)
• Michael Pittenger (Insignary)
• Javier Perez (ClearSource/Veracode)
• Art Manion (Software Engineering Institute)

Additionally, several other organizations have been reviewing the
previous versions of the whitepaper and will be receiving updates on the
ongoing efforts of this group. They include: Oracle, Snyk, WhiteSource,
Checkmarx, Eclipse Foundation, JFrog, and Parasoft.

This message will hopefully provide context for the next steps discussed
in Nashville for those of you who couldn't be there.

Next Steps from Nashville:
● Effort will be driven out of the Consortium for Information and
Software Quality (https://www.it-cisq.org/) leveraging efforts to-date
in the industry.
● Bill Curtis (CISQ) to create an SBOM Working Group Mailing List
● Weekly Meetings (Zoom meeting details after signature block)
○ Wednesdays 60 Minutes
■ Pacific 12 PM
■ Central 2 PM
■ East 3 PM
■ Paris 9 PM

Agenda for 10/2 Weekly Meeting
● Review draft model - Philippe-Emmanuel Douziech
● Review draft document - Bob Martin
● Review draft example scenarios - William Bartholomew

The discussions over the three days concluded with a consensus of
working towards a submission to the next OMG member meeting using a
model-based description of the tool-to-tool SBOM elements and their
relationships/constraints to allow for a platform independent
description that any tool that can understand XMI would be capable of
Developing libraries and utilities that hide the XMI from tool
developers will also be a part of the strategy.

We will be using the field definitions from SPDX where we can as well as
leveraging the work from others on this topic as we capture the details.

Philippe-Emmanuel Douziech is taking the lead on the UML model; William
Bartholomew is drafting the example scenarios that will be used to
explain how to leverage the elements of the SBOM for different
environments and scenarios; and I will be crafting the draft document to
hold all of the above as well as the RFC required form.

The OMG meeting is the week of December 9, which means the specification
would need to be submitted 4 weeks earlier (11 Nov), a very aggressive
OMG meetings are quarterly so the next submission date would be 24 Feb
(4 weeks before the 23 Mar OMG meeting).

Robert (Bob) Martin
Sr. Secure SW & Technology Principal Eng.
Trust & Assurance Cyber Technologies Dept
Cyber Solutions Technical Center