
RE: Updated User Scenarios Document



Regarding the current version of the proposed model, before addressing the illustration of the user scenarios from the user scenarios document, I wanted to share and explain the illustrations of the ways the current version of the proposed model can handle hierarchical / multi-level-of-granularity / need-to-know situations.


Starting from the same delivery (the multiple files from my tooling), I can


Some comments

  • regarding the vulnerability analysis,
    • the vulnerability database would be able to refer to the SBOM unique ID (replacing/complementing CPE and other identification),
    • and, assuming this artifact is re-used somewhere else, I’ll be able to track the chain of transformation,
    • it’s a matter of which level of detail I require from my supplier.
  • regarding the IP analysis,
    • the standalone SBOM and the wrapper SBOM would have an SPDX licensing expression that expresses the mix of licenses (so no information about unwanted licenses is missing),
    • the detailed SBOM would have an SPDX licensing expression at the file level,
    • so, again, it’s a matter of which level of detail I require from my supplier.
  • regarding the provenance analysis, there is no limit in terms of chaining the SBOMs together (be they physically stored in one file, many files, one database, many databases, …)
  • regarding the pedigree analysis, there is still no limit in terms of provenance chaining and in terms of link structure (it may not be a tree-like structure, as illustrated by the in-toto simple flow presentation in Nashville, TN)
  • regarding the identity, I created the wrapper SBOM because it had a meaning for me (my tooling); otherwise, I could have limited myself to individual SBOMs; I could create any number of wrapper SBOMs depending on what I’m delivering


I hope this helps,

Let me know your thoughts
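The behaviour described in the bullets above (a vulnerability record keyed on an SBOM unique ID, license expressions carried at the standalone, wrapper and file level, and SBOMs chained through references rather than through one physical file) can be sketched as a small model. The code below is an added illustration and is not part of the original thread or of the proposed model's tooling; the `Sbom` class, the store, all SBOM IDs, file names, licenses and the vulnerability record are constructed for the example, and license expressions are simplified to plain `AND` conjunctions.

```python
"""Added example, not part of the original thread: a toy model of chained
SBOMs. Each document has a unique ID, a wrapper SBOM groups other SBOMs,
a detailed SBOM carries file-level SPDX expressions, and a vulnerability
record refers to an SBOM unique ID instead of a CPE. All IDs, licenses
and file names below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Sbom:
    sbom_id: str                     # constructed unique ID of this SBOM document
    license_expression: str = ""     # SPDX expression for the whole artifact ("" = derive it)
    files: Dict[str, str] = field(default_factory=dict)    # file -> SPDX expression (detailed SBOM)
    derived_from: List[str] = field(default_factory=list)  # upstream SBOM IDs (provenance chain)
    contains: List[str] = field(default_factory=list)      # grouped SBOM IDs (wrapper SBOM)


# Constructed store: two library SBOMs, one application SBOM and one wrapper SBOM.
STORE: Dict[str, Sbom] = {s.sbom_id: s for s in [
    Sbom("SBOM-LIB-A-1.0", license_expression="MIT"),                 # standalone SBOM
    Sbom("SBOM-LIB-B-2.3", files={"src/core.c": "Apache-2.0",         # detailed SBOM
                                  "src/compat.c": "GPL-2.0-only"}),
    Sbom("SBOM-APP-9", license_expression="Apache-2.0",
         derived_from=["SBOM-LIB-A-1.0", "SBOM-LIB-B-2.3"]),
    Sbom("SBOM-WRAPPER-DELIVERY-7",                                   # wrapper SBOM
         contains=["SBOM-APP-9", "SBOM-LIB-A-1.0", "SBOM-LIB-B-2.3"]),
]}

# Constructed vulnerability record keyed on the SBOM unique ID rather than on a CPE.
VULN_RECORD = {"id": "VULN-EXAMPLE-0001", "affects_sbom_id": "SBOM-LIB-B-2.3"}


def license_atoms(expr: str) -> Set[str]:
    """Simplification for the example: expressions are plain AND-conjunctions."""
    return {a.strip() for a in expr.split(" AND ") if a.strip()}


def effective_expression(sbom_id: str, store: Dict[str, Sbom]) -> str:
    """SPDX expression for an SBOM: the declared one, otherwise derived from the
    file-level expressions (detailed SBOM) or from the grouped SBOMs (wrapper),
    so the mix of licenses is never lost at the coarser levels."""
    s = store[sbom_id]
    if s.license_expression:
        return s.license_expression
    atoms: Set[str] = set()
    for expr in s.files.values():
        atoms |= license_atoms(expr)
    for child in s.contains:
        atoms |= license_atoms(effective_expression(child, store))
    return " AND ".join(sorted(atoms))


def unwanted_files(sbom_id: str, store: Dict[str, Sbom], denylist: Set[str]) -> List[str]:
    """File-level answer: only available when the supplier delivered a detailed SBOM."""
    s = store[sbom_id]
    return sorted(f for f, expr in s.files.items() if license_atoms(expr) & denylist)


def provenance(sbom_id: str, store: Dict[str, Sbom]) -> List[str]:
    """All upstream SBOM IDs reachable through derived_from (a DAG, not necessarily a tree)."""
    seen: Set[str] = set()
    todo = list(store[sbom_id].derived_from)
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        todo.extend(store[cur].derived_from)
    return sorted(seen)


def downstream_of(sbom_id: str, store: Dict[str, Sbom]) -> List[str]:
    """SBOMs that derive from or group the given one: where a vulnerable artifact was re-used."""
    seen: Set[str] = set()
    todo = [sbom_id]
    while todo:
        cur = todo.pop()
        for cand in store.values():
            if cand.sbom_id not in seen and (cur in cand.derived_from or cur in cand.contains):
                seen.add(cand.sbom_id)
                todo.append(cand.sbom_id)
    return sorted(seen)


def impacted_by(vuln: Dict[str, str], store: Dict[str, Sbom]) -> List[str]:
    """Everything a vulnerability record touches, starting from the SBOM ID it references."""
    root = vuln["affects_sbom_id"]
    return sorted({root, *downstream_of(root, store)})


if __name__ == "__main__":
    print(effective_expression("SBOM-WRAPPER-DELIVERY-7", STORE))
    print(unwanted_files("SBOM-LIB-B-2.3", STORE, {"GPL-2.0-only"}))
    print(provenance("SBOM-APP-9", STORE))
    print(impacted_by(VULN_RECORD, STORE))
```

Run as-is, the wrapper SBOM reports the full license mix of everything it groups, the detailed SBOM is the only level at which the offending file can be named, the provenance walk tolerates shared ancestors (a DAG rather than a tree), and a single vulnerability record keyed on `SBOM-LIB-B-2.3` resolves to every downstream SBOM that re-used that artifact. Which of these answers is available is exactly the "level of detail required from the supplier" trade-off the message describes.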




From: Kay Williams
Sent: Thursday 24 October 2019 01:27
To:
Subject: Updated User Scenarios Document


Hi all,


I updated the user scenarios document following our meeting with a goal to capture (and in some cases further) our discussion.


Please have a look and share thoughts, feedback and questions.


I pushed the meeting along rather quickly today to keep us moving in our short time together. Let’s have continued discussion over email, or feel free to suggest side meetings to cover topics in more detail. All suggestions are welcome!


We are a team, let’s collaborate and learn – for the benefit of a higher-quality, more secure software ecosystem.