Tool-to-Tool Software Bill of Materials Exchange
Objective
This is a joint working group of CISQ and the Object Management Group (OMG) with the objective of defining an (SBOMs) and other items needing BOMs.
The exchange of SBOMs is the first goal of this working group. The work leverages the efforts of the National Telecommunications and Information Agency’s (NTIA’s) Software Component Transparency initiative but with a focus on the exchange of SBOMs between and among the software development tools that create, revise, manage, orchestrate, and/or otherwise manipulate, assess, or audit software.
Like a bill of materials for physical items, the SBOM is a comprehensive inventory of the software raw materials, subassemblies, parts and components, needed to create a software product. Typically, an SBOM is hierarchical in nature and multi-level.
With today’s software creation processes, many of these sub-assemblies will take the form of third-party components from open source software or other commercial providers. Concerns about the origin and chain of custody can also be captured and conveyed with an SBOM, along with relevant information about the process(es) and choices that the software creation activity underwent that can influence the customers’ acceptance and confidence in the software’s quality and appropriateness for the intended use by the customer.
Timetable & Approach
The kick-off of this effort was 24 September 2019 with a three-day workshop on the concept and ideas for a tool-to-tool focused initiative. In March 2020 we shifted our approach to more directly align this effort with the work coming out of the NTIA's Software Transparency initiative and it's Framing group work.
Focusing on the “Baseline Component Information” portion, or “core” part of that work first, we are planning our work to start with the core portion and then elaborate from there with the additional facets/compliance points/profiles of additional SBOM supporting information for other uses cases. See this video for an short explanation of the “Crop Circle” depiction of this concept.
The current timetable now calls for a draft UML-based specification by late fall 2020. Subsequent evolution and refinement of the metamodel and specification are anticipated through early winter 2020 and a completed specification for submission to the OMG at their June 2021 meeting covering the core bill of materials fields, integrity implementation approaches, and a defects profile.
Chairs
- Bob Martin (MITRE)
- Dr. Bill Curtis (CISQ)
- Kay Williams (Microsoft - Azure - CD Foundation)
Participants
- Ken Modeste (UL)
- Philippe-Emmanuel Douziech (CAST)
- Santiago Torres-Arias (in-toto/Purdue)
- Diahann Gooden (BlackBerry)
- William Cox (Black Duck by Synopsys)
- Steve Lasker (Microsoft - Artifact Storage, Open Container Initiative)
- Brian Russell (Google - CD Foundation)
- Nitesh Bakliwal (Microsoft - Windows)
- Kate Stewart (Linux Foundation - SPDX)
- William Bartholomew (GitHub)
- David Edelsohn (IBM - GCC)
- Jason Shaver (Microsoft - Developer Division)
- Thomas Steenbergen (HERE - OSS Review Toolkit)
- Sean Barnum (MITRE)
- Charles Schmidt (MITRE)
- Kriti Pandit (Microsoft - Windows)
- Michael Richardson (Sandelman Software Works Inc.)
- Sridhar Poduri (Microsoft - Supply Chains)
- Alexander Stein (Flexion)
- Deep Datta (JFrog)
- Shelly Waite-Bey (Waite SLTS - Cybersecurity, Compliance and AI)
- Dan Beard (Medcrypt - Heimdall)
- Manish Jadhav (Vigilant Ops - InSight)
- Gerald Heidenreich (Microsoft - CloudBuild)
- Vijay Chari (Radiometer IDC - Medical Devices)
- Allan Friedman (NTIA)
- Gerald Heidenreich (Microsoft - CloudBuild)
- Dan Lorenc (Google - CD Foundation)
- Jeffrey Martin (White Source Software)
- Michael Muller (CAST)
- Bryan Sullivan (Microsoft - Security and Compliance)
- Brian Fox (Sonatype)
- Fred Blaise (CloudBees - Jenkins)
- Mark Galpin (JFrog)
- Gary O'Neall (Source Auditor - SPDX)
- Anna Debenham (Snyk)
- Duncan Sparrell (sFractal Consulting)
- Philippe Ombredanne (nexB - ScanCode)
- Solomon Rubin (FOSSA)
- Adrian Diglio (Microsoft - Engineering Systems)
- Steve Winslow (Linux Foundation)
- Henk Birkholz (Fraunhofer SIT - IETF RATS and RIM)
- Paul Anderson (GrammaTech)
- Gareth Rushgrove (Snyk)
- Dick Brooks (Reliable Energy Analytics)
- Adam Boulton (Blackberry - Jarvis)
- Justin Cormack (Docker)
- Jack Conroy (Verizon)
- Lila Kee (GMO GlobalSign)