
Re: Agenda - Weekly SBOM WG Meeting



Kay,

Does Microsoft have any publicly accessible information that describes the objectives, testing methodology, and success metrics for the POC? 

I’m specifically interested in knowing more about the 2 BOM approach as that differs from other supply chain formats such as ePedigree. Some of the good ideas from ePedigree were used as inspiration in the development of CycloneDX, possibly others.

I’m also interested in knowing how the success metrics will be compared to what other organizations are achieving with policy-based SBOM build pipelines. Is Microsoft aiming to achieve more than what’s currently possible or to simply validate the OMG format is capable of the use cases Microsoft has?

Anyway, any info would be useful.


—Steve


On Jan 28, 2020, 4:30 PM -0600, Kay Williams <kayw@microsoft.com>, wrote:

Hi all, here is an agenda for our meeting tomorrow at 12:00 PM Pacific, copied below for convenience:


Agenda and Notes:

  • Welcome new members!
    • Anura Fernando, Underwriters Laboratories
    • Ken Modeste, Underwriters Laboratories
    • Sean Barnum, MITRE
  • Upcoming Dates/Meetings
    • Next OMG Spec Submission - February 24
    • Next OMG Technical Meeting March 24 & 25 - Reston VA
      • Registration information here
      • Agenda outline here
  • Discussion
    • Model
      • Approach
        • Understand scenarios across existing communities
        • Work together on model that encompasses and extends
      • TODO: address scenario/structural compatibility concerns
        • SPDX - schedule meetings next week?
          • Continue working through GitHub Issues
        • CycloneDX - meeting scheduled on Friday at 4 Eastern
      • TODO: Address naming compatibility concerns
        • Sean investigating options (e.g. aliasing)
    • Timing
      • Target Feb 24
      • Monitor based on progress over the coming week
    • Scenarios - Kay
      • Microsoft POC scenario as follows:
        • Internal build system produces artifacts and SBOM 1
        • Internal security scanning system
          • receives SBOM 1
          • scans SBOM 1 artifacts
          • produces scan results
          • produces SBOM 2
        • Internal release system uses SBOM 2 to apply policy, verify and release SBOM 1 artifacts.
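
The three-stage scenario above (build emits SBOM 1; scanner consumes SBOM 1, scans the artifacts and emits SBOM 2; release applies policy from SBOM 2 and verifies the SBOM 1 artifacts) can be sketched end to end in a few dozen lines. The following is an added example written for this page; it is not Microsoft's POC code and it does not use the OMG, SPDX or CycloneDX document formats. The document shapes (`bom`, `artifacts`, `components`, `sbom1_sha256`, `integrity`, `findings`), the component names, the vulnerability table with its placeholder finding id `EXAMPLE-0001`, and the severity policy are all constructed here for illustration. The one design point it is meant to show is that SBOM 2 pins the exact SBOM 1 it was derived from by digest, and that the release system re-verifies the artifacts against SBOM 1 itself rather than trusting the scanner's report, so a swap of either document or an artifact between scan and release is caught.

```python
"""Added example of a two-BOM pipeline: build -> scan -> release.

Illustrative code for this page only; not Microsoft's POC and not the OMG,
SPDX or CycloneDX format. All document shapes and sample data are constructed.
"""
from __future__ import annotations

import hashlib
import json

# Constructed vulnerability table the scanner consults: (name, version) -> findings.
# "EXAMPLE-0001" is a placeholder id, not a real advisory.
KNOWN_VULNS = {
    ("libfoo", "1.2.3"): [{"id": "EXAMPLE-0001", "severity": "high"}],
    ("libbar", "0.9.0"): [],
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed build output: artifact bytes and the components they were built from.
ARTIFACTS = {"app.bin": b"\x7fELF constructed artifact bytes", "app.sig": b"constructed signature"}
COMPONENTS = [{"name": "libfoo", "version": "1.2.3"}, {"name": "libbar", "version": "0.9.0"}]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_digest(doc: dict) -> str:
    """Digest over canonical JSON, so SBOM 2 can pin exactly one SBOM 1."""
    return sha256_hex(json.dumps(doc, sort_keys=True, separators=(",", ":")).encode())


def build(artifacts: dict[str, bytes], components: list[dict]) -> dict:
    """Build system: emit SBOM 1 listing each artifact by hash plus its components."""
    return {
        "bom": 1,
        "artifacts": [{"name": n, "sha256": sha256_hex(b)} for n, b in sorted(artifacts.items())],
        "components": components,
    }


def scan(sbom1: dict, artifacts: dict[str, bytes]) -> dict:
    """Scanning system: check artifacts against SBOM 1, scan components, emit SBOM 2."""
    integrity = {}
    for entry in sbom1["artifacts"]:
        actual = artifacts.get(entry["name"])
        integrity[entry["name"]] = actual is not None and sha256_hex(actual) == entry["sha256"]
    findings = []
    for c in sbom1["components"]:
        for v in KNOWN_VULNS.get((c["name"], c["version"]), []):
            findings.append({"component": c["name"], "version": c["version"], **v})
    return {
        "bom": 2,
        "sbom1_sha256": canonical_digest(sbom1),  # pins which SBOM 1 these results belong to
        "integrity": integrity,
        "findings": findings,
    }


def release(sbom1: dict, sbom2: dict, artifacts: dict[str, bytes],
            max_severity: str = "medium") -> tuple[bool, list[str]]:
    """Release system: apply policy from SBOM 2, re-verify SBOM 1 artifacts, decide."""
    reasons = []
    if sbom2.get("sbom1_sha256") != canonical_digest(sbom1):
        reasons.append("SBOM 2 does not reference this SBOM 1")
    for name, ok in sbom2.get("integrity", {}).items():
        if not ok:
            reasons.append(f"scanner reported integrity failure for {name}")
    for f in sbom2.get("findings", []):
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[max_severity]:
            reasons.append(f"{f['component']} {f['version']}: {f['id']} ({f['severity']})")
    # Independent re-verification: trust SBOM 1's hashes, not the scanner's word.
    for entry in sbom1["artifacts"]:
        actual = artifacts.get(entry["name"])
        if actual is None or sha256_hex(actual) != entry["sha256"]:
            reasons.append(f"artifact {entry['name']} does not match SBOM 1")
    return (not reasons, reasons)


def run_pipeline(artifacts: dict[str, bytes], components: list[dict],
                 tamper_after_scan: bool = False, max_severity: str = "medium") -> tuple[bool, list[str]]:
    """Run all three stages; optionally corrupt an artifact between scan and release."""
    sbom1 = build(artifacts, components)
    sbom2 = scan(sbom1, artifacts)
    released = dict(artifacts)
    if tamper_after_scan:
        released["app.bin"] = released["app.bin"] + b"\x90"  # post-scan modification
    return release(sbom1, sbom2, released, max_severity)


if __name__ == "__main__":
    for label, kwargs in [("clean, policy allows high", {"max_severity": "high"}),
                          ("clean, policy caps at medium", {}),
                          ("tampered after scan", {"tamper_after_scan": True, "max_severity": "high"})]:
        ok, why = run_pipeline(ARTIFACTS, COMPONENTS, **kwargs)
        print(f"{label}: {'RELEASE' if ok else 'BLOCK'} {why}")
```

The policy lives only in the release stage, so the scanner never decides; it records what it saw, and the release system decides from SBOM 2 while independently checking the bytes it is about to ship against SBOM 1.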