Tool-to-Tool Software Bill of Materials Exchange
This is a joint working group of CISQ and the Object Management Group (OMG). Defining an exchangeable tool-to-tool software bill of materials (SBOM) metamodel is the primary goal of this working group. The work leverages the efforts of the National Telecommunications and Information Agency’s (NTIA’s) Software Component Transparency initiative but with a focus on the exchange of SBOMs between and among the software development tools that create, revise, manage, orchestrate, and/or otherwise manipulate software.
Like a bill of materials for physical items, the SBOM is a comprehensive inventory of the software raw materials, subassemblies, parts and components, needed to create a software product. Typically, an SBOM is hierarchical in nature and multi-level.
With today’s software creation processes, many of these subassemblies will take the form of third-party components from open source software or other commercial providers. Concerns about the origin and chain of custody can also be captured and conveyed with an SBOM, along with relevant information about the process(es) and choices that the software creation activity underwent that can influence the customers’ acceptance and confidence in the software’s quality and appropriateness for the intended use by the customer.
As shown in our list of participants, this working group has representatives across many relevant efforts, tool creators, and vendors. Together we are integrating current ideas, user scenarios and approaches into a single SBOM standard that can be supported by all.
The kick-off of this effort was 24 September 2019 with a three-day workshop on the concept and ideas for a tool-to-tool focused initiative.
The current timetable calls for a draft UML-based specification by early February 2020. Subsequent evolution and refinement of the metamodel and specification are anticipated through early May 2020 and a completed specification for June of 2020.
- Bob Martin (MITRE)
- Dr. Bill Curtis (CISQ)
- Kay Williams (Microsoft - Azure - CD Foundation)
- Ken Modeste (UL)
- Philippe-Emmanuel Douziech (CAST)
- Santiago Torres-Arias (in-toto/NYU)
- David Nalley (BlackBerry - Apache Foundation)
- William Cox (Black Duck by Synopsys)
- Steve Lasker (Microsoft - Artifact Storage, Open Container Initiative)
- Brian Russell (Google - CD Foundation)
- Nitesh Bakliwal (Microsoft - Windows)
- Kate Stewart (Linux Foundation - SPDX)
- William Bartholomew (GitHub)
- David Edelsohn (IBM - GCC)
- Jason Shaver (Microsoft - Developer Division)
- Fahad Ahmad (Microsoft - Build Systems)
- JC Herz (Ion Channel)
- Adam Baldwin (npm, Inc.)
- Thomas Steenbergen (HERE - OSS Review Toolkit)
- Sean Barnum (MITRE)
- Anura Fernando (UL)
- Allan Friedman (NTIA)
- Gerald Heidenreich (Microsoft - CloudBuild)
- Dan Lorenc (Google - CD Foundation)
- Jeffrey Martin (White Source Software)
- Michael Muller (CAST)
- Bryan Sullivan (Microsoft - Security and Compliance)
- Brian Fox (Sonatype)
- Steve Springett (OWASP, CycloneDX)
- Fred Blaise (CloudBees - Jenkins)
- Mark Galpin (JFrog)
- Gary O'Neall (Source Auditor - SPDX)
- Anna Debenham (Snyk)
- Duncan Sparrell (sFractal Consulting)
- Philippe Ombredanne (nexB - ScanCode)
- Solomon Rubin (FOSSA)