Working Group

Tool-to-Tool Software Bill of Materials Exchange


Objective

This is a joint working group of CISQ and the Object Management Group (OMG). Defining an exchangeable tool-to-tool software bill of materials (SBOM) metamodel is the primary goal of this working group. The work leverages the efforts of the National Telecommunications and Information Agency’s (NTIA’s) Software Component Transparency initiative but with a focus on the exchange of SBOMs between and among the software development tools that create, revise, manage, orchestrate, and/or otherwise manipulate software.

Like a bill of materials for physical items, the SBOM is a comprehensive inventory of the software raw materials, subassemblies, parts and components needed to create a software product. Typically, an SBOM is hierarchical and multi-level: a product is built from subassemblies, which are themselves built from components.

With today’s software creation processes, many of these subassemblies take the form of third-party components from open source software or other commercial providers. An SBOM can also capture and convey concerns about origin and chain of custody, along with relevant information about the process(es) and choices made during software creation that can influence the customer’s acceptance of, and confidence in, the software’s quality and appropriateness for its intended use.
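To make the multi-level structure concrete, here is a small added example (not the working group's material or any participant's code) that models an SBOM as a tree of components with supplier and origin fields, then walks it to produce the flat inventory, the path by which a nested component entered the product, components whose provenance is unrecorded, and the same component name appearing at more than one version. The component names, versions, suppliers and origins are constructed for illustration and do not describe any real product.

```python
"""Walking a hierarchical SBOM: a constructed, multi-level inventory.

Added example, not part of the working group's material. The tree shape,
field names and every sample component are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Component:
    name: str
    version: str
    supplier: Optional[str] = None   # who produced it; None means unrecorded
    origin: Optional[str] = None     # where it was obtained; None means unrecorded
    children: List["Component"] = field(default_factory=list)


# Constructed sample: a product with two subassemblies. The same library
# ("zlib") is pulled in twice, at different versions, and one copy carries
# no supplier or origin information at all.
SAMPLE_SBOM = Component(
    "acme-app", "2.1.0", supplier="Acme Corp", origin="in-house",
    children=[
        Component("web-framework", "4.3.1", supplier="Framework Org", origin="pypi",
                  children=[
                      Component("template-engine", "3.0.2", supplier="Template Org", origin="pypi"),
                      Component("zlib", "1.2.13", supplier="zlib authors", origin="vendored"),
                  ]),
        Component("image-lib", "1.6.39", supplier="Image Org", origin="vendor-tarball",
                  children=[
                      Component("zlib", "1.2.11"),   # provenance never recorded
                  ]),
    ],
)


def walk(node: Component, depth: int = 0) -> Iterator[Tuple[int, Component]]:
    """Depth-first traversal yielding (depth, component) for every node."""
    yield depth, node
    for child in node.children:
        yield from walk(child, depth + 1)


def flatten(root: Component) -> List[str]:
    """Flat inventory as 'name@version' strings, product first, in walk order."""
    return [f"{c.name}@{c.version}" for _, c in walk(root)]


def max_depth(root: Component) -> int:
    """Number of levels below the product; 0 means no subassemblies."""
    return max(d for d, _ in walk(root))


def path_to(root: Component, name: str, version: Optional[str] = None) -> Optional[List[str]]:
    """Chain of subassemblies through which a component entered the product.

    Returns the list of names from the product down to the first match,
    or None if no component with that name (and version, if given) exists.
    """
    def rec(node: Component, trail: List[str]) -> Optional[List[str]]:
        trail = trail + [node.name]
        if node.name == name and (version is None or node.version == version):
            return trail
        for child in node.children:
            found = rec(child, trail)
            if found:
                return found
        return None
    return rec(root, [])


def unknown_origin(root: Component) -> List[str]:
    """Components whose supplier or origin is unrecorded: chain-of-custody gaps."""
    return [f"{c.name}@{c.version}" for _, c in walk(root)
            if c.supplier is None or c.origin is None]


def conflicting_versions(root: Component) -> Dict[str, List[str]]:
    """Component names that appear at more than one version anywhere in the tree."""
    seen: Dict[str, set] = {}
    for _, c in walk(root):
        seen.setdefault(c.name, set()).add(c.version)
    return {n: sorted(v) for n, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for depth, comp in walk(SAMPLE_SBOM):
        print("  " * depth + f"{comp.name}@{comp.version}")
    print("missing provenance:", unknown_origin(SAMPLE_SBOM))
    print("version conflicts:", conflicting_versions(SAMPLE_SBOM))
    print("how zlib 1.2.11 got in:", path_to(SAMPLE_SBOM, "zlib", "1.2.11"))
```

The two findings the walk surfaces, a component with no recorded supplier or origin and one library present at two versions under different subassemblies, are exactly the kind of information that is lost when an SBOM is flattened to a single list, which is why the metamodel treats the inventory as multi-level.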

Timetable

The kick-off of this effort was 24 September 2019 with a three-day workshop on the concept and ideas for a tool-to-tool focused initiative.

The current timetable calls for a draft UML-based specification by early November 2019. Subsequent evolution and refinement of the metamodel and specification are anticipated through early February 2020 and a completed specification for March of 2020.

Chairs

  • Bob Martin (MITRE)
  • Dr. Bill Curtis (CISQ)
  • Kay Williams (Microsoft - Azure - CD Foundation)

Participants

  • Philippe-Emmanuel Douziech (CAST)
  • Santiago Torres-Arias (in-toto/NYU)
  • David Nalley (BlackBerry - Apache Foundation)
  • William Cox (Black Duck by Synopsys)
  • Steve Lasker (Microsoft - Artifact Storage, Open Container Initiative)
  • Brian Russell (Google - CD Foundation)
  • Nitesh Bakliwal (Microsoft - Windows)
  • Kate Stewart (Linux Foundation - SPDX)
  • William Bartholomew (GitHub)
  • David Edelsohn (IBM - GCC)
  • Jason Shaver (Microsoft - Developer Division)
  • Fahad Ahmad (Microsoft - Build Systems)
  • JC Herz (Ion Channel)
  • Adam Baldwin (npm, Inc.)
  • Gerald Heidenreich (Microsoft - CloudBuild)
  • Dan Lorenc (Google - CD Foundation)
  • Jeffrey Martin (White Source Software)
  • Michael Muller (CAST)
  • Bryan Sullivan (Microsoft - Security and Compliance)
  • Brian Fox (Sonatype)
  • Steve Springett (OWASP, CycloneDX)
  • Fred Blaise (CloudBees - Jenkins)
  • Ido Green (JFrog)
  • Gary O'Neall (Source Auditor - SPDX)
  • Anna Debenham (Snyk)
  • Ian Geoghegan (Microsoft - Software Supply Chain Security)
  • Duncan Sparrell (sFractal Consulting)

Get Involved

Bob Martin (MITRE)

Initiative Files

Google Drive

GitHub Repository

Access

Discussion Archive

Mail Thread Index