Comments below. >>
Does Microsoft have any publicly accessible information that describes the objectives, testing methodology, and success metrics for the POC?
>> Not yet - we are still early in our POC thinking. We are planning to be as transparent as possible, however, and share our plans, progress and results with this forum.
I’m specifically interested in knowing more about the 2 BOM approach as that differs from other supply chain formats such as ePedigree. Some of the good ideas from ePedigree were used as inspiration in the development of CycloneDX, possibly others.
>> I was not previously aware of ePedigree. Is this it? https://www.xymogen.com/about-us/epedigree/
I’m also interested in knowing how the success metrics will be compared to what other organizations are achieving with policy-based SBOM build pipelines. Is Microsoft aiming to achieve more than what’s currently possible or to simply validate the OMG format is capable of the use cases Microsoft has?
>> I am not aware of success metrics for other organizations with policy-based SBOM build pipelines. Is there information you can share? Are there other organizations we can bring into this effort so that we can share learning?
Anyway, any info would be useful.
Hi all, here is an agenda for our meeting tomorrow at 12:00 PM Pacific, copied below for convenience:
Agenda and Notes:
- Welcome new members!
  - Anura Fernando, Underwriters Laboratories
  - Ken Modeste, Underwriters Laboratories
  - Sean Barnum, MITRE
- Upcoming Dates/Meetings
  - Next OMG Spec Submission - February 24
  - Next OMG Technical Meeting March 24 & 25 - Reston VA
- Understand scenarios across existing communities
- Work together on model that encompasses and extends
  - TODO: address scenario/structural compatibility concerns
    - SPDX - schedule meetings next week?
      - Continue working through GitHub Issues
    - CycloneDX - meeting scheduled on Friday at 4 Eastern
  - TODO: Address naming compatibility concerns
    - Sean investigating options (e.g. aliasing)
    - Target Feb 24
    - Monitor based on progress over the coming week
- Scenarios - Kay
  - Microsoft POC scenario as follows:
    - Internal build system produces artifacts and SBOM 1
    - Internal security scanning system
      - receives SBOM 1
      - scans SBOM 1 artifacts
      - produces scan results
      - produces SBOM 2
    - Internal release system uses SBOM 2 to apply policy, verify and release SBOM 1 artifacts.
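The three-system scenario above, as an added illustrative model (not Microsoft's POC code and not the OMG format): SBOM 1 lists the build artifacts by digest, SBOM 2 pins the SBOM 1 it scanned and carries the scan verdicts, and the release step approves only when build record, scan record and the bytes being released all agree and no finding exceeds policy. Field names, severity levels and the sample artifacts are assumptions.

```python
import hashlib
import json

# Constructed sample build output (hypothetical, not real Microsoft artifacts).
ARTIFACTS = {"app.dll": b"build output one", "helper.dll": b"build output two"}
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_of(doc: dict) -> str:
    """Canonical digest of an SBOM document so a later SBOM can pin it."""
    return sha256_hex(json.dumps(doc, sort_keys=True).encode())


def build_sbom1(artifacts: dict) -> dict:
    """Step 1: the build system lists every artifact it produced, with a digest."""
    return {"name": "SBOM 1",
            "artifacts": [{"name": n, "sha256": sha256_hex(b)} for n, b in artifacts.items()]}


def scan_to_sbom2(sbom1: dict, artifacts: dict, findings: dict) -> dict:
    """Step 2: the scanner receives SBOM 1, scans the artifacts it names and emits SBOM 2.
    `findings` is the constructed scan result: artifact name -> highest severity found."""
    scans = [{"name": e["name"], "sha256": sha256_hex(artifacts[e["name"]]),
              "max_severity": findings.get(e["name"], "none")} for e in sbom1["artifacts"]]
    # SBOM 2 pins the exact SBOM 1 it describes, so a stale or foreign SBOM 2 is rejected.
    return {"name": "SBOM 2", "describes_sbom1_sha256": digest_of(sbom1), "scans": scans}


def release_decision(sbom1: dict, sbom2: dict, candidate: dict, max_allowed: str = "medium"):
    """Step 3: release policy over SBOM 2. Returns (approved, reasons).
    Every SBOM 1 artifact must have a scan record, its digest must agree across build,
    scan and the bytes being released, and no finding may exceed max_allowed."""
    reasons = []
    if sbom2.get("describes_sbom1_sha256") != digest_of(sbom1):
        reasons.append("SBOM 2 does not describe this SBOM 1")
    scans = {s["name"]: s for s in sbom2["scans"]}
    for entry in sbom1["artifacts"]:
        scan = scans.get(entry["name"])
        if scan is None:
            reasons.append(f"{entry['name']}: no scan record in SBOM 2")
            continue
        released = sha256_hex(candidate.get(entry["name"], b""))
        if not (entry["sha256"] == scan["sha256"] == released):
            reasons.append(f"{entry['name']}: digest mismatch between build, scan and release")
        if SEVERITY_RANK[scan["max_severity"]] > SEVERITY_RANK[max_allowed]:
            reasons.append(f"{entry['name']}: {scan['max_severity']} exceeds policy ({max_allowed})")
    return not reasons, reasons
```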