[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Agenda - Weekly SBOM WG Meeting

To: "Subject: Re: Agenda - Weekly SBOM WG Meeting

From: Steve Springett <Date: Tue, 28 Jan 2020 19:52:30 -0600

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=owasp.org; s=google; h=date:from:to:message-id:in-reply-to:references:subject:mime-version; bh=Scs9YH+yzTZ4JwKe51f/R1HGrbFYZ7XXi71mM5i1cyk=; b=ejikIMi8QA78FgwuCsKbiwdG48RcFy4DyHgHE9g/AGsVfyWN/IyRqXVbKQc2F8YoCw 6BL19dxI3FoFUqegnAptP9ul6LljZqXk2rwCEJbj71miQmHVo8h8K1r9snajNi8jlNq6 rFie7QHoFzMT7kDmvYJ1O6vEqYMThvWv/TqTvVSzBbWVNDNJPl+KLK3T0hv3iw6zTYK/ PUSBi4M9paGhpUpb68aS+5AkLcTGQ6UBH+SVuPY6b6wrk8e+PhyJmNRsSPDbhfZMLpNL 2Epk1T/PeytHCM1Whg64vux0U7SoLFzV0edYOC2faqR37tloH51nhQQ7D6TbP8hZ22je rK5g==

In-reply-to: <References: <

Kay,

Does Microsoft have any publicly accessible information that describes the objectives, testing methodology, and success metrics for the POC?

I’m specifically interested in knowing more about the 2 BOM approach as that differs from other supply chain formats such as ePedigree. Some of the good ideas from ePedigree were used as inspiration in the development of CycloneDX, possibly others.

I’m also be interested in knowing how the success metrics will be compared to what other organizations are achieving with policy-based SBOM build pipelines. Is Microsoft aiming to achieve more than what’s currently possible or to simply validate the OMG format is capable of the use cases Microsoft has?

Anyway, any info would be useful.

—Steve

On Jan 28, 2020, 4:30 PM -0600, Kay Williams wrote:

Hi all, here is an agenda for our meeting tomorrow at 12:00 PM Pacific, copied below for convenience:

Agenda and Notes:

Welcome new members!

Anura Fernando, Underwriters Laboratories

Ken Modeste, Underwriters Laboratories

Sean Barnum, MITRE

Upcoming Dates/Meetings

Next OMG Spec Submission - February 24

Next OMG Technical Meeting March 24 & 25 - Reston VA

Registration information here

Agenda outline here

Discussion

Model

Approach

Understand scenarios across existing communities

Work together on model that encompases and extends

TODO: address scenario/structural compatibility concerns

SPDX - schedule meetings next week?

Continue working through GitHub Issues

CycloneDX - meeting scheduled on Friday at 4 Eastern

TODO: Address naming compatibility concerns

Sean investigating options (e.g. aliasing)

Timing

Target Feb 24

Monitor based on progress over the coming week

Scenarios - Kay

Microsoft POC scenario as follows:

Internal build system produces artifacts and SBOM 1

Internal security scanning system

receives SBOM 1

scans SBOM 1 artifacts

produces scan results

produces SBOM 2

Internal release system uses SBOM 2 to apply policy, verify and release SBOM 1 artifacts.
- Follow-Ups:
  - RE: Agenda - Weekly SBOM WG Meeting
    - From: Kay Williams
  - References:
    - Agenda - Weekly SBOM WG Meeting
      - From: Kay Williams
    - Prev by Date: Agenda - Weekly SBOM WG Meeting
    - Next by Date: RE: Agenda - Weekly SBOM WG Meeting
    - Previous by thread: Agenda - Weekly SBOM WG Meeting
    - Next by thread: RE: Agenda - Weekly SBOM WG Meeting
    - Index(es):
      - Date
      - Thread