1 of 14

Considerations about SBOM & VEX Practical Guide

OpenChain Project

2024-11-14

2 of 14

This is a ROUGH note, but I hope it will provide material for discussion in the SBOM Study Group.

Takashi Ninjouji

3 of 14

Enhance SBOM & VEX Practices Across the Supply Chain

Can we explore Practical HOW-TOs?

Figure labels: roles (Distributor, Author, Consumer); topics (SBOM, VEX, Operation, Attributes, SBOM & VEX, SDLC, SBOM)

BSI. Level of Details

CISA. Maturity Levels

  • Minimum Expected
  • Recommended Practice
  • Aspirational Goal

“Delivery item SBOM” argued in: BSI. “Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products - Part 2: Software Bill of Materials (SBOM) Version 2.0.0”

CISA. “When to Issue VEX Information”. https://www.cisa.gov/resources-tools/resources/when-issue-vex-information

CISA. “Types of Software Bill of Materials (SBOM)”. https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom

4 of 14

“OpenChain Conformant SBOM” Guide and “OpenChain Conformant VEX” Guide

“OpenChain Conformant XXX” guide will cover:

  1. Information elements and expressions of [XXX]
  2. Creation procedures and methods, including [XXX] generation and editing
  3. Procedures and methods for sharing and post-receipt processing of [XXX]

Ex.

Guide or Spec | Format | Target Industry
Telco SBOM guide | ISO/IEC 5962, SPDX 2.3 | Telco (Neutral actually)
SPDX Lite (Annex of SPDX 2.2+) | ISO/IEC 5962, SPDX 2.3 | Neutral (Mainly used in Automotive) (Relationship is optional)
SPDX Lite (SPDX 3.0 Lite Profile) | SPDX 3.0, 3.0.1 | Neutral
CycloneDX (shows openchain conformant sample but insufficient) | ECMA-424, CycloneDX 1.6 | Neutral
OpenChain Conformant SBOM guide | Neutral (Covers: SPDX 2.2+, SPDX 3.0+, and CycloneDX 1.6+) | Neutral (Considerations: NTIA Minimum, CISA Framing, BSI’s guide, and other standards, etc.)

5 of 14

Data, Tooling and Workflow

  • Increase interoperability of data: Improve the accuracy of the mapping of SBOM attributes, and clarify the information expression and creation method
  • Automate sharing and Processing: Provide reference implementation (and/or Information) for the tools and workflows

[WIP] SBOM element comparison

https://docs.google.com/spreadsheets/d/1SuGv1L3H_-Iq6dmH7DnjDgAa90LCRnoHB3DTfuWh0Jg/edit?gid=1936044844#gid=1936044844

6 of 14

SBOM and VEX sharing across SDLC

SDLC phases shown in the figure: PLAN, BUILD, TEST, CONFIGURE, PROCURE, DEVELOP, RELEASE, MAINTAIN, RETIRE (EOL/EOS), INSTALL

SBOM Document types placed along the SDLC: Source SBOM, Design SBOM, Build SBOM, Deployed SBOM, Runtime SBOM

SBOM Document: events that trigger sharing (the numbers correspond to the markers placed along the SDLC in the figure)

  1. Delivery, Release
  2. Update

VEX Document: events that trigger sharing

  1. Delivery, Release
  2. Discovery, Incident
  3. Investigation, Update
  4. Fixed
  5. ANYTIME due to legal requirements

7 of 14

DevSecOps + BOMOps (In-house)

  • Automated workflow throughout SDLC
  • Inventory & Delivery Management: Software Composition, SBOM, VEX

Figure labels:

  • SDLC phases: PLAN, BUILD, TEST, CONFIGURE, PROCURE, DEVELOP, RELEASE, MAINTAIN, RETIRE (EOL/EOS), INSTALL
  • Artifacts: Source Code, Source package, Package, Build, Release Package
  • Parties: Producer / Developer, Consumer / Customer
  • Gates and tooling: QA, Review & Approval, CI, VCS, SCA
  • Collaboration with: Delivery & SBOM Management, Vulnerability Management
  • Inventory: Reuse of Selected Components (Approved components)

8 of 14

SBOM format trend

  • Possibility that SPDX 3.0+ and 2.2+ (5962, v2.3.1) will coexist

Timeline shown in the figure: 2024.11 (now) → 2024.12? CRA is published in the Official Gazette → later: ISO update? (3.0.1?, 3.1.0?), ECMA update? (1.7?)

Now (2024.11):
SPDX : ISO/IEC 5962:2021 (2.2.1), 2.3
CycloneDX : 1.5, ECMA-424 (1.6)

Expected revisions:
SPDX : ISO/IEC 5962:2021 (2.2.1), 2.3, 5962 update? (3.0.1), 3.1
CycloneDX : 424 update? (1.7?)

Overall:
SPDX : 5962 (2.2.1), 2.3, 3.0.1?, 3.1?
CycloneDX : 1.5, 424 (1.6), 1.7?

Given the progress of the specification revision and the tools' ecosystem, it is unlikely that SPDX 3.0+ will be required at this time (November 2024).

Even if SPDX 3.0+ becomes more widespread, there is a possibility that the SPDX 2.2+ already in the Supply Chain will also continue to be supported.

9 of 14

VEX format trend

  • Possibility of 4 formats: CSAF, SPDX, CycloneDX, OpenVEX

Timeline shown in the figure: 2024.11 (now) → 2024.12 CRA is published in the Official Gazette → 2024.4Q to 2025.1Q? → later: ISO update? (3.0.1?, 3.1.?), ECMA update? (1.7?)

CSAF: In actual use (ex. Red Hat)

OpenVEX:

  • Focuses on supporting Minimum Requirement for VEX
  • Requires less information than other formats
  • Experimental, but the implementation is progressing (0.4.0 → 1.0?)

* Need to check actual use case

Now (2024.11):
CSAF : 2.0
SPDX : n/a
CycloneDX : ECMA-424 (1.6)
OpenVEX : 0.4?

2024.4Q to 2025.1Q?:
CSAF : 2.0
SPDX : 3.0.1?
CycloneDX : 424 (1.6)
OpenVEX : 0.N?

After ISO / ECMA updates:
CSAF : 2.0
SPDX : 5962 update (3.0.1)?, 3.1.?
CycloneDX : 424 update? (1.7?)
OpenVEX : 1.0?

Given the progress of the specification revision and the tools' ecosystem, it is unlikely that SPDX 3.0+ will be required at this time (November 2024).

10 of 14

Types* of SBOM and VEX Operations

Operations that can most effectively manage and share the latest information are required.

Four types (file arrangement / link direction):

  1. File: Separate, Link: none
  2. File: Separate, Link: S→V (the SBOM refers to the VEX)
  3. File: Separate, Link: V→S (the VEX refers to the SBOM)
  4. File: Embedded, Link: combined (SBOM and VEX in one data file)

Update characteristics listed on the slide:

  • Can be updated separately
  • Necessary to provide link information to consumers
  • SBOM is updated in line with VEX updates
  • Only VEX can be updated
  • When SBOM has been updated, VEX also needs to be updated
  • Whether SBOM (Software composition) or VEX is updated, the update must be made as a data file

* Original classification for this study

11 of 14

Types* of SBOM and VEX Operations

Four types (file arrangement / link direction):

  1. File: Separate, Link: none
  2. File: Separate, Link: S→V
  3. File: Separate, Link: V→S
  4. File: Embedded, Link: combined

Adoption notes listed on the slide:

  • Easy to introduce currently
  • Necessary to provide link information to consumers
  • Seems to be becoming popular
  • Easy to provide latest information of SBOM and VEX
  • Negative in BSI’s guide
  • Not Positive affirmation in CISA Framing
  • Often talked about around 2021
  • Some considerations with the update frequency of VEX

* Original classification for this study
12 of 14

Example of SBOM and VEX Operations

SBOM : [Maturity : SPDX 2.2+ (Telco SBOM)], [Need to investigate : CycloneDX (1.6)]

VEX : [Maturity : CSAF (more texts)], [Easy to operate : OpenVEX (developing)]

SBOM+VEX : [Maturity : CycloneDX (proceeding)], [Need to investigate : SPDX 3.0+ (Lite + Security)]

SBOM:

  • SPDX 2.2+ (Telco SBOM)
  • CycloneDX 1.6
  • SPDX 3.0+ (Lite)

VEX:

  • CSAF
  • CycloneDX 1.6
  • OpenVEX
  • SPDX 3.0+ (Security)

SBOM+VEX:

  • CycloneDX 1.6
  • SPDX 3.0+ (Lite + Security)

The SPDX 3.0+ “Lite + Security” profile still needs to be investigated.

SBOM assumes that OpenChain Conformant data is maintained.

13 of 14

Document | URL

  • NTIA. Minimum Elements for Software Bill of Materials (SBOM)
  • CISA. Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) 3rd edition
  • BSI. Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products - Part 2: Software Bill of Materials (SBOM) Version 2.0.0
  • IMDRF. Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity
  • FDA. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
  • PCI. PCI-DSS v4.0 and PCI-SSF v1.2.1
  • OpenChain Project. OpenChain Telco SBOM Guide Version 1.0

14 of 14

SBOM and VEX sharing across SDLC (with EoX?)

SDLC phases shown in the figure: PLAN, BUILD, TEST, CONFIGURE, PROCURE, DEVELOP, RELEASE, MAINTAIN, RETIRE (EOL/EOS), INSTALL

SBOM Document types placed along the SDLC: Source SBOM, Design SBOM, Build SBOM, Deployed SBOM, Runtime SBOM

SBOM Document: events that trigger sharing (the numbers correspond to the markers placed along the SDLC in the figure)

  1. Delivery, Release
  2. Update
  (3. EOL/EOS*)

* Some opinions that EoX should be handled separately from SBOM.

VEX Document: events that trigger sharing

  1. Delivery, Release
  2. Discovery, Incident
  3. Investigation, Update
  4. Fixed
  5. ANYTIME due to legal requirements