Open Supplychain Information Modeling TC

  • 1.  Claim-based SBOM Definition

    Posted 11-05-2024 11:28
    Hey all, in our last meeting I took the action to sketch out a claim-based definition of SBOM, which sidesteps the epistemological dimension, i.e., how do we reconcile various parties' varying knowledge about software composition; how do we approach evolving clarity around software composition; against which standard do we judge if an SBOM is "correct" or "complete". And so on.

    I know I'm late but in time for our discussion today I'll throw out the below straw dog. I'd love to hear your thoughts.

    Isaac

    A Software Bill of Materials (SBOM) is a CLAIM made by some known IDENTITY regarding the COMPOSITION of an unambiguously identified piece of software.

    With this definition, the following are all SBOMs:

    1. I know nothing about the software npm:foo@1.3.2

    2. [someone else] knows that npm:foo@1.3.2 doesn't contain the component bar.

    3. [someone else] knows that npm:foo@1.3.2 contains the components

    4. [someone else] knows that npm:foo@1.3.2 contains the components

      • npm:baz@5.3
        from producer X
        which has license Y
        and has EOL date Z
        and depends on

        • npm:qux@4.6.2
          from producer A
          which has license B
          and has EOL date C

        • npm:quux@0.9.1
          from producer D
          which has license E
          and has EOL date F

    5. [someone else] knows that npm:foo@1.3.2 does not contain any C++

    Note that with this definition there's no objective standard for "correctness" of an SBOM. The five SBOM examples above are all valid claims by different identities. All may be true and correct at once, even with varying levels of information content.

    Examples #2 and #3 conform to the "component list" FLAVOR of SBOM.




  • 2.  RE: Claim-based SBOM Definition

    Posted 11-05-2024 12:11
    Should "knows" be "asserts" or "claims"?

    iPhone, iTypo, iApologize





  • 3.  RE: Claim-based SBOM Definition

    Posted 11-05-2024 12:17
    Heh, I hesitated on that part too.

    In my examples, "I know that X" is the claim attributed to me. Folks evaluating this claim should take into account
    - how much they trust me
    - how much they trust me to make claims about software composition in general
    - how much they trust me to make claims about this piece of software specifically
    - how much they trust me to make claims of this strength and level of detail
    - how recent the claim is, perhaps
    - and so on

    (slide 16 of ssci.io/attestations-deck speaks to these principles in the context of software attestations generally).

    "I claim that X" or "I assert that X" work too I think?

    Isaac

    On Tue, Nov 5, 2024 at 10:10 AM Duncan Sparrell via OASIS <Mail@mail.groups.oasis-open.org> wrote:
    Should "knows" be "asserts" or "claims"? iPhone, iTypo, iApologize -posted to the "OASIS Open Supplychain Information Modeling (OSIM) TC" community

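    As an added illustration (not code from the thread or from the OSIM TC), the following Python sketch models the two ideas above: Isaac's definition of an SBOM as a CLAIM by an IDENTITY about the COMPOSITION of an identified piece of software, and the trust factors a consumer weighs when deciding whether to rely on a claim. The five example SBOMs from the first post are encoded as claims about npm:foo@1.3.2 and checked for mutual consistency; the issuer names, the flat component list assumed for example #3 (the post leaves it unstated), and every trust score in the policy are constructed values, not anything the thread specifies.

```python
"""Claim-based SBOM model (constructed example, not part of the OSIM thread)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SUBJECT = "npm:foo@1.3.2"  # the unambiguously identified piece of software


@dataclass(frozen=True)
class Component:
    purl: str
    producer: Optional[str] = None
    license: Optional[str] = None
    eol: Optional[str] = None
    language: Optional[str] = None  # assumed attribute; unknown when None
    depends_on: tuple = ()


@dataclass(frozen=True)
class Claim:
    issuer: str                     # the IDENTITY making the claim
    subject: str                    # what the claim is about
    kind: str                       # "unknown" | "contains" | "excludes" | "no_language"
    components: tuple = ()          # Component objects for "contains" / "excludes"
    language: Optional[str] = None  # for "no_language"
    issued: date = date(2024, 11, 5)


def flatten(components):
    """Yield every component in a tree, transitive dependencies included."""
    for c in components:
        yield c
        yield from flatten(c.depends_on)


def strength(claim):
    """Rough level of detail of a claim: 0 (says nothing) .. 3 (full metadata)."""
    if claim.kind == "unknown":
        return 0
    if claim.kind in ("excludes", "no_language"):
        return 1
    detailed = any(c.producer or c.license or c.eol for c in flatten(claim.components))
    return 3 if detailed else 2


def conflicts(a, b):
    """True only when two claims about the same subject cannot both be true."""
    if a.subject != b.subject:
        return False
    pair = {a.kind, b.kind}
    if pair == {"contains", "excludes"}:
        cont, excl = (a, b) if a.kind == "contains" else (b, a)
        present = {c.purl for c in flatten(cont.components)}
        return any(c.purl in present for c in excl.components)
    if pair == {"contains", "no_language"}:
        cont, nol = (a, b) if a.kind == "contains" else (b, a)
        return any(c.language == nol.language for c in flatten(cont.components))
    return False  # "unknown" never contradicts anything; same-kind claims only add up


def all_consistent(claims):
    return not any(conflicts(a, b) for i, a in enumerate(claims) for b in claims[i + 1:])


# The five example SBOMs from the first post; issuer names are constructed.
EXAMPLES = (
    Claim("isaac", SUBJECT, "unknown"),
    Claim("alice", SUBJECT, "excludes", (Component("npm:bar"),)),
    Claim("bob", SUBJECT, "contains",  # example #3: flat list assumed here
          (Component("npm:baz@5.3"), Component("npm:qux@4.6.2"), Component("npm:quux@0.9.1"))),
    Claim("carol", SUBJECT, "contains", (Component(
        "npm:baz@5.3", producer="X", license="Y", eol="Z",
        depends_on=(Component("npm:qux@4.6.2", producer="A", license="B", eol="C"),
                    Component("npm:quux@0.9.1", producer="D", license="E", eol="F"))),)),
    Claim("dave", SUBJECT, "no_language", language="C++"),
)


@dataclass
class TrustPolicy:
    """One consumer's view of the issuers, following the factors listed in the reply."""
    general: dict        # issuer -> how much the issuer is trusted at all (0..1)
    composition: dict    # issuer -> trust for composition claims in general
    per_subject: dict    # (issuer, subject) -> trust for this specific software
    max_strength: dict   # issuer -> strongest level of detail accepted from them
    max_age_days: int    # recency cut-off
    threshold: float


def evaluate(claim, policy, today):
    """Return (accepted, reason); a claim is relied on only if every factor clears the bar."""
    i = claim.issuer
    factors = {
        "general": policy.general.get(i, 0.0),
        "composition": policy.composition.get(i, 0.0),
        "subject": policy.per_subject.get((i, claim.subject), policy.composition.get(i, 0.0)),
    }
    weakest = min(factors, key=factors.get)
    if factors[weakest] < policy.threshold:
        return False, f"{weakest} trust in {i} below threshold"
    if strength(claim) > policy.max_strength.get(i, 0):
        return False, f"{i} not trusted for claims of strength {strength(claim)}"
    if (today - claim.issued).days > policy.max_age_days:
        return False, "claim too old"
    return True, "accepted"


POLICY = TrustPolicy(  # constructed scores
    general={"isaac": 0.9, "alice": 0.8, "bob": 0.7, "carol": 0.9, "dave": 0.3},
    composition={"isaac": 0.9, "alice": 0.8, "bob": 0.6, "carol": 0.9, "dave": 0.3},
    per_subject={("bob", SUBJECT): 0.4},  # bob is trusted generally, not about foo
    max_strength={"isaac": 3, "alice": 3, "bob": 3, "carol": 2, "dave": 3},
    max_age_days=90,
    threshold=0.5,
)


def accepted_issuers(claims=EXAMPLES, policy=POLICY, today=date(2024, 11, 20)):
    """Issuers whose claims this consumer would rely on under the policy."""
    return [c.issuer for c in claims if evaluate(c, policy, today)[0]]


if __name__ == "__main__":
    print("all five claims mutually consistent:", all_consistent(EXAMPLES))
    for c in EXAMPLES:
        print(c.issuer, c.kind, strength(c), evaluate(c, POLICY, date(2024, 11, 20)))
```

    Running it shows the point of the definition: all five claims are consistent with each other even though their information content ranges from nothing to a full dependency tree, and "correctness" drops out entirely; what varies is which claims a given consumer chooses to rely on, decided issuer by issuer from the trust factors rather than against a universal standard.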




  • 4.  RE: Claim-based SBOM Definition

    Posted 11-06-2024 10:40

    Wrt agreement to add this text to FAQ, I would recommend a PR against https://github.com/oasis-tcs/osim/blob/main/FAQ/sbom.md.

    I would recommend adding this next text to the existing definition as opposed to replacing the previous text. We had previously agreed to the SBOM definition as copied from the NTIA and CISA work. I think the above text enhances the definition as there are some aspects of existing wording worth keeping so I think keeping the entire original text is useful since it is in a lot of USG docs.



    ------------------------------
    Duncan Sparrell
    Chief Cyber Curmudgeion
    sFractal Consulting LLC
    Oakton VA
    703-828-8646
    ------------------------------



  • 5.  RE: Claim-based SBOM Definition

    Posted 11-06-2024 14:53

    On Wed, Nov 6, 2024 at 8:39 AM Duncan Sparrell via OASIS <Mail@mail.groups.oasis-open.org> wrote:
    Wrt agreement to add this text to FAQ, I would recommend a PR against github.com/oasis-tcs/osim/blob/main/FAQ/sbom.md. I would recommend adding... -posted to the "OASIS Open Supplychain Information Modeling (OSIM) TC" community
