SBOM sg #5: What are the challenges that we still have?
OpenChain SBOM Study Group
LICENSE: CC0
DEFINITIONS and ICONS
[Legend: icons for ACTION x, BUILD, BINARY PACKAGE, MODIFY, BINARY PACKAGES, AGGREGATE, outputs, inputs, PUBLIC SOURCE PACKAGE(S) and PRIVATE SOURCE PACKAGE(S).]
PUBLIC SOURCE PACKAGE: A source code package whose source code is publicly available, on GitHub etc.
PRIVATE SOURCE PACKAGE: A source code package that is shared only between two or more specific parties; its source code is not publicly available.
SBOM DOCUMENT: A file that contains software component information in a specific format such as SPDX or CycloneDX.
WHAT IS A HIGH QUALITY SBOM DOCUMENT?
https://github.com/interlynk-io/sbomqs?tab=readme-ov-file#what-is-a-high-quality-sbom
"A high quality SBOM should aptly support managing software assets, license information and Intellectual Property as well as provide a base for configuration management, vulnerability handling and incident response."
↓
The quality of an SBOM DOCUMENT therefore depends on whether it contains information that uniquely identifies each software component, together with its license, intellectual property and vulnerability information.
Break down the SLSA software supply chain FROM SOURCE TO BINARY
LISTING ALL ACTORS
[Figure: SOURCE OPERATIONS, ACTION 1 to ACTION 12. ACTION 1 and ACTION 2 output a PUBLIC SOURCE PACKAGE and a PRIVATE SOURCE PACKAGE with no inputs. ACTION 3 to ACTION 6 are MODIFY operations, one for each public/private combination of input and output source package. ACTION 7 to ACTION 12 are AGGREGATE operations that take two source packages (public/public, private/private and mixed) and output PUBLIC SOURCE PACKAGES or PRIVATE SOURCE PACKAGES.]
[Figure: SOURCE TO BINARY OPERATIONS, ACTION 13 to ACTION 21. ACTION 13 to ACTION 16 BUILD a BINARY PACKAGE from a public or private source package, or from a set of public or private source packages. ACTION 17 to ACTION 20 BUILD a BINARY PACKAGE from a public or private source package (or packages) together with BINARY PACKAGES. ACTION 21 AGGREGATEs BINARY PACKAGES into BINARY PACKAGES. An SBOM DOCUMENT is attached to the output of each of the nine source-to-binary operations.]
DEVELOP CHAIN FOR PUBLIC SOURCE PACKAGES
[Figure: example chain with two actors, OSS PACKAGE DISTRIBUTOR (EXAMPLE) and PROPRIETARY APP CREATOR (EXAMPLE). The actions shown are ACTION 2 (outputs a PRIVATE SOURCE PACKAGE) and ACTION 18 (BUILD: PRIVATE SOURCE PACKAGE plus BINARY PACKAGES, outputs a BINARY PACKAGE). The build output carries an SBOM of TYPE: BUILD SBOM with the fields NAME, VERSION, LICENSE, DEPENDENCIES, Unique id and Supplier.]

CATEGORY | CHALLENGE | SOLUTION IDEA |
IDENTITY | Distributors often use different names and versions for the same package, which makes it difficult to recognise two entries as the same package. | Use purl? |
[Figure: the same example chain with three actors, PROPRIETARY APP CREATOR (EXAMPLE), PROPRIETARY LIB DISTRIBUTOR and the actions ACTION 2 (outputs a PRIVATE SOURCE PACKAGE) and ACTION 18 (BUILD: PRIVATE SOURCE PACKAGE plus BINARY PACKAGES, outputs a BINARY PACKAGE). The build output again carries a BUILD SBOM with NAME, VERSION, LICENSE, DEPENDENCIES, Unique id and Supplier.]
... HOW ABOUT PRIVATE SOURCE PACKAGE INFORMATION?

CATEGORY | CHALLENGE | SOLUTION IDEA |
IDENTITY | Distributors often use different names and versions for the same package, which makes it difficult to recognise two entries as the same package. | Use purl? |
DEFINITION | What should we fill in for private package information in the SBOM DOCUMENT? There is no third-party verifiable package name or version, and no purl. | |
DISCUSS challenges with GitHub Discussions
https://github.com/OpenChain-Project/SBOM-sg/discussions/categories/sbom-document-challenges
From the viewpoint of SBOM DOCUMENT quality:
once a challenge is resolved with a solution, define that solution as an SBOM DOCUMENT quality indicator.
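As an added worked example (not part of the study group's slides and not sbomqs code), the following Python script turns the quality indicators named above (unique identity, version, license, supplier) into a concrete check over a CycloneDX JSON document. The document and its two components are constructed sample data; the digests are placeholders, not hashes of real files. For a private package that has no purl it also shows one way to answer the DEFINITION challenge: a pkg:generic purl carrying the package's SHA-256 digest as a checksum qualifier, which the purl specification allows for packages with no public repository. The helper names (component_gaps, fallback_purl, check_sbom, quality_score) are this example's own.

```python
"""Minimal SBOM quality check over a CycloneDX JSON document (added example)."""
import json
from urllib.parse import quote

# Constructed sample components (not a real product SBOM). The digests are
# placeholders, not hashes of any real file.
SAMPLE_COMPONENTS = [
    {   # PUBLIC SOURCE PACKAGE: has a purl, a supplier and an SPDX license id
        "type": "library",
        "name": "zlib",
        "version": "1.3.1",
        "purl": "pkg:github/madler/zlib@v1.3.1",
        "supplier": {"name": "zlib project"},
        "licenses": [{"license": {"id": "Zlib"}}],
        "hashes": [{"alg": "SHA-256", "content": "a" * 64}],
    },
    {   # PRIVATE SOURCE PACKAGE: vendor-chosen name and version, a hash, nothing else
        "type": "library",
        "name": "vendor-crypto",
        "version": "2.4",
        "hashes": [{"alg": "SHA-256", "content": "b" * 64}],
    },
]
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                          "components": SAMPLE_COMPONENTS})

# Quality indicators taken from the slide: identity, version, license, supplier.
# Identity is split into a globally unique id (purl) and a content digest (hash).
INDICATORS = ("name", "version", "supplier", "license", "purl", "hash")


def _has_license(comp):
    """True if any CycloneDX license entry carries an SPDX id, a name or an expression."""
    for entry in comp.get("licenses") or []:
        if "expression" in entry:
            return True
        lic = entry.get("license") or {}
        if lic.get("id") or lic.get("name"):
            return True
    return False


def _sha256(comp):
    """Return the component's SHA-256 digest (lowercase hex) or None."""
    for h in comp.get("hashes") or []:
        if h.get("alg") == "SHA-256" and len(h.get("content", "")) == 64:
            return h["content"].lower()
    return None


def component_gaps(comp):
    """Return the quality indicators a component fails to satisfy, in INDICATORS order."""
    satisfied = {
        "name": bool(comp.get("name")),
        "version": bool(comp.get("version")),
        "supplier": bool((comp.get("supplier") or {}).get("name")),
        "license": _has_license(comp),
        "purl": bool(comp.get("purl")),
        "hash": _sha256(comp) is not None,
    }
    return [ind for ind in INDICATORS if not satisfied[ind]]


def fallback_purl(comp):
    """Build a pkg:generic purl with a checksum qualifier for a component without a purl.

    The purl spec allows the 'generic' type with a 'checksum' qualifier
    (lowercase_algorithm:hex) for packages that have no public repository, so the
    digest provides the verifiable identity that a private name/version cannot.
    Returns None if the component already has a purl or lacks name, version or hash.
    """
    if comp.get("purl") or not comp.get("name") or not comp.get("version"):
        return None
    digest = _sha256(comp)
    if digest is None:
        return None
    name = quote(comp["name"], safe="")        # percent-encode as purl requires
    version = quote(comp["version"], safe="")
    return f"pkg:generic/{name}@{version}?checksum=sha256:{digest}"


def check_sbom(doc_json):
    """Map each component name to its missing indicators for a CycloneDX JSON string."""
    doc = json.loads(doc_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    return {c.get("name", "<unnamed>"): component_gaps(c) for c in doc.get("components", [])}


def quality_score(doc_json):
    """Fraction of (component, indicator) pairs that are satisfied, from 0.0 to 1.0."""
    gaps = check_sbom(doc_json)
    total = len(gaps) * len(INDICATORS)
    missing = sum(len(g) for g in gaps.values())
    return 1.0 if total == 0 else (total - missing) / total


if __name__ == "__main__":
    for name, gaps in check_sbom(SAMPLE_SBOM).items():
        print(f"{name}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
    print(f"score: {quality_score(SAMPLE_SBOM):.2f}")
    print("fallback purl:", fallback_purl(SAMPLE_COMPONENTS[1]))
```

On the sample document the public component passes every indicator, the private one is reported as missing supplier, license and purl, and the overall score is 0.75. The fallback purl is only a partial answer to the DEFINITION row: it makes the private package uniquely identifiable by content, but it still carries no third-party verifiable name or version, so a consumer can match the bits but not look them up anywhere.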
Consider Mergeable ACTIONs
From the viewpoint of Vulnerabilities and License management
[Figure: the twelve SOURCE OPERATIONS redrawn as ACTION x nodes (two create, four MODIFY, six AGGREGATE), with the number of input source packages written as [0..n].]
The aggregate nodes can be merged by defining the number of input packages as [0..n].
SOURCE OPERATIONS
[Figure: the nine SOURCE TO BINARY OPERATIONS redrawn as ACTION x nodes, with the number of input source packages and binary packages written as [1..n].]
The build nodes can be merged by defining the number of input packages as [1..n].
SOURCE TO BINARY OPERATIONS
[Figure: entity model. ENTITY 1 outputs OPEN SOURCE; ENTITY 2 outputs PROPRIETARY SOURCE. ENTITY 3 to ENTITY 6 are ADD/REMOVE and MODIFY operations, one for each open/proprietary combination of input and output source. ENTITY 7 and ENTITY 8 BUILD a BINARY PACKAGE from OPEN SOURCE or PROPRIETARY SOURCE plus a CONFIG; ENTITY 9 and ENTITY 10 do the same with BINARY PACKAGES as an additional input. ENTITY 11 AGGREGATEs BINARY PACKAGES into BINARY PACKAGES. Example flows are drawn for Open Source Packages (through ENTITY 1, 3, 7, 9, 11) and Proprietary Source Packages (through ENTITY 2, 6, 8, 10, 11, and through ENTITY 1, 4, 8 where open source is mixed in).]
Simplify
In terms of whether the “SOURCE” has a globally unique ID such as purl.
[Figure: the entity model with ENTITY 5 and ENTITY 6 removed, keeping ENTITY 1, 2, 3, 4, 7, 8, 9, 10 and 11. Example flows: Open Source Packages through ENTITY 1, 3, 7, 9, 11; Proprietary Source Packages through ENTITY 2, 8 and through ENTITY 1, 4, 8, 9, 11.]
Re-numbering
[Figure: the simplified entity model renumbered. ENTITY 1 outputs OPEN SOURCE; ENTITY 2 outputs PROPRIETARY SOURCE; ENTITY 3 is ADD/REMOVE, MODIFY from OPEN SOURCE to OPEN SOURCE; ENTITY 4 is ADD/REMOVE, MODIFY between OPEN SOURCE and PROPRIETARY SOURCE; ENTITY 5 and ENTITY 6 BUILD a BINARY PACKAGE from OPEN SOURCE or PROPRIETARY SOURCE plus a CONFIG; ENTITY 7 and ENTITY 8 do the same with BINARY PACKAGES as an additional input; ENTITY 9 AGGREGATEs BINARY PACKAGES into BINARY PACKAGES. Example flows: Open Source Packages through ENTITY 1, 3, 5, 7, 9; Proprietary Source Packages through ENTITY 2, 6, 8, 9 and through ENTITY 1, 4, 6.]
※ Here, “PROPRIETARY SOURCE” means source code that cannot be represented by a globally unique ID such as purl in SBOMs.
QUESTION:
Does this extract all the necessary entities for software development?
QUESTION:
Does this flow chart represent the entire software development and supply chain?
[Figure: the same Open Source Packages and Proprietary Source Packages flows (ENTITY 1 to ENTITY 9), with the points at which SBOMs are distributed marked O-1 to O-4 on the open source flow and P-1 to P-4 on the proprietary flow.]
Points at which SBOMs are distributed: O-1 to O-4, P-1 to P-4.
QUESTION:
Are there any other points where SBOMs may be distributed?
[Figure: the same flows with distribution points O-1 to O-4 and P-1 to P-4.]
For ENTITY 1, 3 at O-1:
ENTITY 5, 7 ask ENTITY 1, 3 at O-1:
Question:
Are there any other items required at each point, for each entity, other than those in the question on the left?
[Figure: the same flows with distribution points O-1 to O-4 and P-1 to P-4.]
For ENTITY 1, 3 at O-1:
ENTITY 5, 7 ask ENTITY 1, 3 at O-1:
TASK:
At each point, for each entity, please summarize the same information as in the question on the left.
[Legend: icons for ACTION x, BUILD, BINARY PACKAGE, CONFIG, OPEN SOURCE, PROPRIETARY SOURCE, ADD/REMOVE, MODIFY, BINARY PACKAGES, AGGREGATE, outputs, inputs.]