- Thomas Steenbergen
- Rose Judge
- Jeff Schutt
- Bob Martin
- Henk Birkholz
- William Cox
- Approve past minutes
- Create slide for Open Compliance Summit for Kate
- Provide feedback for https://docs.google.com/document/d/1Yd7ZKAl1l67FAqGOjLcr6MTr2e2KyhIGsB1NZ6M24Ro/edit
- Continue on SPDX 3.0
Thomas was other occupied but was able to catch up
Thomas: After the meeting please provide feedback on https://docs.google.com/document/d/1Yd7ZKAl1l67FAqGOjLcr6MTr2e2KyhIGsB1NZ6M24Ro/edit
SPDX Defects WG that were presented in SPDX General https://docs.google.com/presentation/d/1sKRHQV--tOo2mjBqHNdXy9YnSDlLOsaFgThtd5RjcIw/edit?usp=sharing 2.3 Highlights: * From Differences from Previous Versions
* Added hash algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32 ) to the set recognized by 7.10 (Package Checksum field) and 8.4 (File checksum field)
* Update Annex F ( External Repository Identifiers ) to expand security references to include advisory, fix, URL, SWID. Expand persistent identifiers to include gitoid.
* Update Annex G ( SPDX Lite Profile ) to include NTIA SBOM mandatory minimum fields as required.
* Added Annex K ( How To Use SPDX in Different Scenarios ) to illustrate linking to external security information, and illustrate how the NTIA SBOM mandatory minimum elements map to SPDX fields.
3.0 Highlights: * Similar to 2.3, we plan to support in 3.0 linking to various security information including CSAF/CDX/VeX and VDR * In addition to linking, we are evaluating minimal elements to embed in SPDX to convey security info in a simplified manner * Security Profile will inherit from Core Profile * Plan to define Security Profile relationships to Software Profile, Build Profile, AI-ML Profile, Hardware Profile, etc. * Intent to separate security profile metadata from SBOM metadata (snippet, file, package) and use relationships between the two * Working to support minimal VEX data fields in SPDX 3.0 * 3.0 Security Profile Blockers: 1) Time of participant 2) Items needed from SPDX Core not always clear, Defects WG is planning to schedule some 3 hour workshops to move the profile forward 3) Security profile needs the concept of a product (upcoming blocker) 4) Need for the W3C Prov-O provenance ontology from W3, e.g. to enable security agents to act on SBOMs
- Would be nice to have the concept of a product in SPDX 3.0; currently there is a top level package describing the software running on a product
- could we have a bare minimal product profile that inherits from element and has optional relationships to software and hardware * SBOM must be associated with a product; product could contain hardware and software * Top level package is typically representitive of the product * Henk: Henk argurmented that we need a product in SBOM as a concept see for details https://www.ntia.doc.gov/files/ntia/publications/henk_birkholz_et_al._-_2021.06.16.pdf ### Continue SPDX 3.0 Discussion Propose to do a series of 2-3 hour workshop to move SPDX Security Profile forward