[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SBOM Meeting Agenda - 10/30/2019

Hello all


Regarding the model, to try and accommodate the in-meeting requests/comments regarding relationships, licensing information granularity, support file organization, I created an updated proposition with the main salient aspects:

  1. Finer-grain associations capabilities for relationships (to align on SPDX capabilities)
  2. Finer-grain association capabilities for licensing information (to align on SPDX capabilities)
  3. File organizational capabilities (to align on SPDX capabilities)
  4. Finer-grain description of pedigree information (to align on in-toto capabilities)


The 1st  item lead to a move to a graph-aware model where main concepts are nodes/vertices, and their associations and relationships are links/edges.

Hence an enriched central element, the “Node” class (which was formerly the empty-shell-class named “Element”; renamed to highlight the graph nature of the elements but it can be easily reverted to “Element”),

  • with more properties, especially regarding identification as any node can be referenced in a relationship now
  • with more associations, to support the evolutions to “finer-grain association capabilities”


The 2nd  and 3rd  items lead to a move to a more structured way to detail the documented artifact:

  • the document still document a "main" artifact but the artifact can be composed of other artifacts, group of files, and files
  • all of the constituting elements can have their own licensing information and checksums
  • this is the modeling supported by the new “ComponentItem” and “FileGroup” classes


The 4th  item lead to a move to a more detailed pedigree information modeling

  • pedigree information is about a set of actions, using arguments
    • processing input elements (any kind of node elements)
    • producing output elements (any kind of node elements)
    • using instrumental elements (any kind of node elements, including using a tool with its configuration)
    • possibly chained together via the relationships authorized on any node element
  • this is the modeling supported by the new “Action” class in the “Activities” package


In term of inheritance, the whole model looks like

With, most notably, the pivotal “Node” class with enough properties to have its own existence, lifecycle, …


In term of associations, the whole model looks like:


And when focusing on each of the 3 packages

  • Definitions (still showing in grey the adherences to elements from other packages)
  • Relationships (still showing in grey the adherences to elements from other packages)
  • Activities (still showing in grey the adherences to elements from other packages)





I’m continuously updating the SBOM Google Drive with model refinement and fixes.



Philippe-Emmanuel Douziech
Principal Research Scientist, CAST Research Labs

M: +33 6 69 95 49 59

CAST | Software Intelligence for Digital LeadersBlog | LinkedIn | Twitter


From: Kay Williams <kayw@microsoft.com>
Sent: mardi 29 octobre 2019 22:29
To: 'sbom@omg.org' <sbom@omg.org>
Subject: SBOM Meeting Agenda - 10/30/2019


Hey everyone,


I have updated our Weekly Meeting Agenda and Notes document with a proposed agenda for tomorrow’s meeting, pasted below for convenience.  Please let me know if you have additions or changes.


Thanks everyone for your participation!



Agenda and Notes:

  • Housekeeping
    • Record meeting
  • Welcome new members 
    • Anna Debenham - Snyk
    • Allan Friedman - NTIA
    • JC Herz - Ion Channel
    • Ian Geoghegan - Microsoft, Software Supply Chain Security
    • Fahad Ahmad - Microsoft, Build Systems
  • Upcoming Meetings
    • Face to Face meeting Nov 18 in San Diego (CD Summit/Kubecon)?
      • Opportunity to meet; Kay exploring meeting locations
      • Kay, Santiago, Dan, Steve, others?
    • Face to Face meeting Dec 10/11 in Long Beach CA (OMG Technical Meeting)
      • Half day on 10th/full day on 11th
      • Dec 9 - presentation to OMG Architecture Board
      • Dec 12 - Architecture Board meets again
  • Model (here) - Philippe-Emmanuel Douziech
  • User scenarios (here) - Kay

Spec (here) - Bob