- Alexios Zaras
- Bob Martin
- David Kemp
- Dick Brooks
- Jennie Kauffmann
- Joshua Watt
- Kate Stewart
- Kevin Cressman
- Matt Roberts (OpenC2)
- Nisha Kumar
- Rose Judge
- Sen Hastings
- William Bartholomew
- 2023 Planning
- Updates from subteams
-
Implementers Forum - next wednesday, start with discussion from DocFest.
- Adolfo meeting in February
- Spec - specific fields.
- Golden Set of examples
-
Looking for Adolfo on update CI/CD to validate examples being checked in.
-
Brining in some of OpenSSF
-
Quality
- What makes a good SPDX document?
- Validates, NTIA minimum
- Agreement of what is a qualilty SBOM - used for different purposes.
- Chainguard hosting a panel discussion, what makes quality SBOM on Jan 18th.
- % of licenses filled, % of noassertion - tooling to measure SBOM quality.
- SBOM's created for specific purpose - for Risk Assessment, may not need Licensesing, and have minimum elements, and content needs to align with NVD for
- Bob - Meeting on 24th/25th - update on NVD & CVE efforts. Panel on VEX and SBOMs. Disconnects to iron out.
- Nisha - biggest frustration is identifying the component itself. Make use of several pieces of meta data. Straightforward for some software components. Tools tackling low hanging fruit, but not sure what to do with other stuff. Package managers don't always give configuration effectively. Tools and infrastructure knowledge are needed for effective triangulation. Knowledge is spread out amongst multiple people. If doing manually - document why this is the right source. OpenJDK vs. Oracle Java, etc. Not everyone knows how to triangulate what packages are where they came from.
- Rose - quality is different to different use cases - guidance based on usage intention of SBOM. Intended Usage of SBOM.
- How to Use different types? Management of issues associated with Quality of SBOM.
- Dick looking for tooling from SPDX to CDX - referred to Steve.
-
FOSDEM
- Will have an SBOM Devroom - getting back answers from those with difficulty traveling.
- All others confirmed. Looking for proposing a new discussion - looking for panel ideas - email to devroom organizers.
- The organizers of the FOSDEM SBOM devroom can be reached by sending email to [email protected]. Please do not hesitate to contact us if you have any inquiry or suggestion for the devroom.
-
Security Working sessions
- Come up with model similar to build profile, and solidifying relationships to be submitted.
- Thomas or Jeff - looking for update from.
-
Dick referenced ICT-SCRM Task Force CISA side
- Software assurance, processing SBOMs.
- What to request and how to interpret what they get back.
- Sub teams working on draft work. Open question how to get external review for some of these deliverables.
- https://www.cisa.gov/ict-scrm-task-force
-
David Update
- serialization, taking offline with recommendations. Some discussions with Max. Asking to add a serialization folder to repo. Serialization concepts. Content in folder. spdx/spdx-3-model#57. Note: this is limited to JSON discussions at this point.
- The README describes Information Model based serialization design, and specific JSON values shown on the logical diagram. https://github.com/davaya/spdx-3-model/tree/serialization/serialization
-
Joshua update
- SBOMs of SBOMs.... needing a serialization format, looking for bare JSON
- Some things need serialization. current blocker.
-
Nisha Update
- TUF - metadata in a certain format, different serializations, no control over serializations, so hashing becomes problematic. How to solve this is ambiguous, and used a work around. Specification for an evelope. Outside metadata. JSON object describing, avoids dealing with serialization. For purpose of integrity checking. Signatures around Data.
- Desire to go to element level, and supporting different serialization formats, is part of our SPDX approach. Canonical form of JSON, is needed.
-
Hardware Profile - targetting to 3.1
- Sen is interested in being included
- William knows folks who will be interested as well.
- Resolve: Agents & Identities in 3.0 Model approach
- Review of the canonical Serialization rules defined to date, then review PR.
- Update on where we are with Security & Licensing profiles.
- Other PRs against SPDX 3.0 to be included.