Skip to content

Latest commit

 

History

History
62 lines (51 loc) · 3.59 KB

2022-11-30.md

File metadata and controls

62 lines (51 loc) · 3.59 KB

SPDX Defects Team meeting - Nov 30 2022

Attendees

  • Thomas Steenbergen
  • Rose Judge
  • Jeff Schutt
  • Bob Martin
  • Henk Birkholz
  • William Cox

Agenda

Approve past meeting minutes

Thomas was other occupied but was able to catch up

Provide feedback for SPDX Outreach doc on SPDX and Security

Thomas: After the meeting please provide feedback on https://docs.google.com/document/d/1Yd7ZKAl1l67FAqGOjLcr6MTr2e2KyhIGsB1NZ6M24Ro/edit

Create slide for Open Compliance Summit for Kate

SPDX Defects WG that were presented in SPDX General https://docs.google.com/presentation/d/1sKRHQV--tOo2mjBqHNdXy9YnSDlLOsaFgThtd5RjcIw/edit?usp=sharing 2.3 Highlights: * From Differences from Previous Versions

* Added hash algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32 ) to the set recognized by 7.10 (Package Checksum field) and 8.4 (File checksum field)

* Update Annex F ( External Repository Identifiers ) to expand security references to include advisory, fix,  URL, SWID. Expand persistent identifiers to include gitoid.

* Update Annex G ( SPDX Lite Profile ) to include NTIA SBOM mandatory minimum fields as required.

* Added Annex K ( How To Use SPDX in Different Scenarios ) to illustrate linking to external security information, and illustrate how the NTIA SBOM mandatory minimum elements map to SPDX fields.

3.0 Highlights:  * Similar to 2.3, we plan to support in 3.0 linking to various security information including CSAF/CDX/VeX and VDR  * In addition to linking, we are evaluating minimal elements to embed in SPDX to convey security info in a simplified manner * Security Profile will inherit from Core Profile * Plan to define Security Profile relationships to Software Profile, Build Profile, AI-ML Profile, Hardware Profile, etc. * Intent to separate security profile metadata from SBOM metadata (snippet, file, package) and use relationships between the two * Working to support minimal VEX data fields in SPDX 3.0 *  3.0 Security Profile Blockers:  1) Time of participant 2) Items needed from SPDX Core not always clear, Defects WG is planning to schedule some 3 hour workshops to move the profile forward 3) Security profile needs the concept of a product (upcoming blocker) 4) Need for the W3C Prov-O provenance ontology from W3, e.g. to enable security agents to act on SBOMs

  • Would be nice to have the concept of a product in SPDX 3.0; currently there is a top level package describing the software running on a product
    • could we have a bare minimal product profile that inherits from element and has optional relationships to software and hardware  * SBOM must be associated with a product; product could contain hardware and software  * Top level package is typically representitive of the product  * Henk: Henk argurmented that we need a product in SBOM as a concept see for details https://www.ntia.doc.gov/files/ntia/publications/henk_birkholz_et_al._-_2021.06.16.pdf    ### Continue SPDX 3.0 Discussion  Propose to do a series of 2-3 hour workshop to move SPDX Security Profile forward