Agenda - Weekly SBOM WG Meeting

Subject: Agenda - Weekly SBOM WG Meeting

From: Kay Williams <kayw@microsoft.com>

Date: Tue, 28 Jan 2020 22:29:43 +0000

Accept-language: en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QRI3fpG7t4+pH3qPghsOhMT0tyIYi5dg4WrzFj8gz/k=; b=Z5Fv5FQgBYZFNtNULZsEsaPJGKJ2Fy7eJni4opZS9sba6VF0SVoIkhp6rqBrdpNVGMM5QTy9hHjRXvjw8ayd6fyfYGpNHml/RnaLRVQlnpShYF9T7ykrDkxQ6UOzgPhY1I9M4yZsR1bfdDkCg60eIwaBlvtr9GJGNP8MyzhFRK1dx8YunwLhVzCSmNbLv0wle9K9OlUa6Mjxc5EjPO++3nV0947YAz/xwWkkUO79QSAbDQbhKxEa1sEruIvr8SyA8HN7oc64Ynpaj2lj/DMxwLEbko1m0QWJd17tgZZM1EMFPyIidaT4Dl/mAldtHzC+R8wpO1X1c1M6hzOi/HEoZg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Uo5gLzTBOVLrFC10MYDEJFDcyUWWTtuiO4qHn/frRxxU3MHE82zD7Lt44KMvS8ME4FDnDgwXxz1QEogKulg+G5UKfZtHsE2Hl8qZ6ALKYDhhHt6sUqsM572pAnA7kzIU0ZEqfwW81v57ajsw6WBw0SzPE1ghW+kDdk2XJoDdceyY8ossbdVOPgfsQOV9qJaeyDl5QenLdORZIKUtq+Qdpvunq95wquYUNlg0UDgymmBF/KnVwIAMcNiZ/0QAxsVGfqsIgy0Ua9iGzZzILt10vhNtB96RSFip52nbg1hIyT+4fS/zDJiI3OHH0DXWGJba3ZSgZGQzt83Trb3t+oTkAQ==

Authentication-results: spf=none (sender IP is ) smtp.mailfrom=kayw@microsoft.com;

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QRI3fpG7t4+pH3qPghsOhMT0tyIYi5dg4WrzFj8gz/k=; b=WPsxj6P4yqdzm/1RYgaW1BFkL/94YjVN9xX7OO+1rHeWjlFncOOlSJm7n9fXPMW6bfioKPN6XeQYpmAl6IeGCMvHyuAMC9NGaZaN2E7wa5hZAYUGIZwdAgqvWWNFVAocrhvjN1LWaFwdZqgFbmVR9oB2l4rjMmsiLDHtw9v7Oqs=

Msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=kayw@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-01-28T22:29:42.2413929Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=cfef504c-e271-46b9-b7cb-7ac5a6b90e31; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic

Thread-index: AdXWKbMEdWFLxXGIRwi1JYlH4UmWJw==

Thread-topic: Agenda - Weekly SBOM WG Meeting

Hi all, here is an agenda for our meeting tomorrow at 12:00 PM Pacific, copied below for convenience:

Agenda and Notes:

Welcome new members!

Anura Fernando, Underwriters Laboratories
Ken Modeste, Underwriters Laboratories
Sean Barnum, MITRE

Upcoming Dates/Meetings

Next OMG Spec Submission - February 24
Next OMG Technical Meeting March 24 & 25 - Reston VA

Registration information here
Agenda outline here

Discussion

Model

Approach

Understand scenarios across existing communities
Work together on model that encompases and extends

TODO: address scenario/structural compatibility concerns

SPDX - schedule meetings next week?

Continue working through GitHub Issues

CycloneDX - meeting scheduled on Friday at 4 Eastern

TODO: Address naming compatibility concerns

Sean investigating options (e.g. aliasing)

Timing

Target Feb 24
Monitor based on progress over the coming week

Scenarios - Kay

Microsoft POC scenario as follows:

Internal build system produces artifacts and SBOM 1
Internal security scanning system

receives SBOM 1
scans SBOM 1 artifacts
produces scan results
produces SBOM 2

Internal release system uses SBOM 2 to apply policy, verify and release SBOM 1 artifacts.

Follow-Ups:

Re: Agenda - Weekly SBOM WG Meeting
- From: Steve Springett <steve.springett@owasp.org>