Open Supplychain Information Modeling TC

  • 1.  NTIA SBOM Working Group "Teapot" diagram

    Posted 09-27-2024 14:54

    Attached is a diagram from the early days of the NTIA Software Transparency Working Group. The diagram was created to show relations of what was desired eventually in an SBOM, and we used it to then trim back to the "crawl", which is where we were at that time. So things like API calls, forking GitHub repos, and build tools were cans that were kicked down the road at that time, and for the most part still haven't been addressed. I'm including it as a basis for discussion so we can decide if we want to use those terms ("includes", "based on", "made using", "subset of", "calls at run time", "loads at runtime", etc.), modify them, or use different ones.



    ------------------------------
    Duncan Sparrell
    Chief Cyber Curmudgeon
    sFractal Consulting LLC
    Oakton VA
    703-828-8646
    ------------------------------


  • 2.  RE: NTIA SBOM Working Group "Teapot" diagram

    Posted 09-30-2024 10:45
    Thanks Duncan, this is a great artifact for discussion. At the top level my attention is drawn to the "Distributed in the product" heading in the main box. Already here there's an implicit assumption that we're talking about products which are "distributed" in some closed form... which SaaS, for one, is generally not. I'd be very interested in exploring how we think about bounding the unit which an SBOM describes - especially when it's *not* packaged software.

    On Fri, Sep 27, 2024 at 12:54 PM Duncan Sparrell via OASIS <Mail@mail.groups.oasis-open.org> wrote:
    Attached is a diagram from the early days of the NTIA Software Transparency Working Group. The diagram was created to show relations of what was... -posted to the "OASIS Open Supplychain Information Modeling (OSIM) TC" community

  • 3.  RE: NTIA SBOM Working Group "Teapot" diagram

    Posted 09-30-2024 11:31

    Thanks.

    Wrt SaaS/teapot – recall it is a teapot, not a SaaS. But what if it did connect to SaaS? (or inventory my tea supplies, get a recipe, order new tea, load new software, whatever) – then it would be 'calls at runtime' (or maybe in some cases 'loads at runtime'). That is from the teapot view.


    But I would argue SaaS is 'distributed as a product' within the SaaS environment. It still executes somewhere. The 'as a product' might be debatable, as 'product' may not be the correct word (it's not like you are selling it to yourself), but here 'product' has the larger meaning of something delivered to the machine it runs on.


    Definitely worthy of further discussion and getting the right words on paper to cover all the points. Probably won't be only one picture with one example.


    -- 

    Duncan Sparrell

    sFractal Consulting

    iPhone, iTypo, iApologize

    I welcome VSRE emails. Learn more at http://vsre.info/
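As an added example (my own code, not part of the thread, the teapot diagram, or any TC deliverable), here is a small Python model of the relationship terms listed in message 1 ("includes", "based on", "made using", "subset of", "calls at runtime", "loads at runtime"), applied to a constructed smart-teapot firmware that, as message 3 imagines, calls a SaaS recipe service and loads a plugin at runtime. The ranking of which relations count as "distributed in the product" versus reached only at runtime, only by provenance, or only at build time is my assumption for the sake of the example; the thread does not settle it. The payoff for a defender is the triage function: given an advisory naming a component, it answers how, if at all, the product reaches that component.

```python
"""Typed SBOM relationship graph: which components ship vs. are reached at runtime."""
from collections import defaultdict, deque

# Relationship terms quoted from the NTIA "teapot" diagram discussion.
INCLUDES = "includes"
BASED_ON = "based on"
MADE_USING = "made using"
SUBSET_OF = "subset of"
CALLS_AT_RUNTIME = "calls at runtime"
LOADS_AT_RUNTIME = "loads at runtime"

# ASSUMPTION (not from the thread): how each relation affects exposure.
# Lower rank = closer to "distributed in the product".
EXPOSURE_RANK = {
    INCLUDES: 0,          # bytes are in the distributed artifact
    LOADS_AT_RUNTIME: 1,  # pulled onto the device after distribution
    CALLS_AT_RUNTIME: 2,  # executes elsewhere (e.g. SaaS) on the product's behalf
    SUBSET_OF: 3,         # only part of the target ships; needs a closer look
    BASED_ON: 3,          # derived from the target, but not the same bytes
    MADE_USING: 4,        # build tool; never on the device
}
EXPOSURE_LABEL = {
    0: "shipped",
    1: "loaded at runtime",
    2: "called at runtime",
    3: "provenance only",
    4: "build only",
}

# Constructed example graph. Each edge reads "source <relation> target".
TEAPOT_ROOT = "teapot-firmware 2.1"
TEAPOT_EDGES = [
    (TEAPOT_ROOT, INCLUDES, "libtls 1.4"),
    (TEAPOT_ROOT, INCLUDES, "http-client 0.9"),
    ("http-client 0.9", INCLUDES, "libtls 1.4"),
    (TEAPOT_ROOT, INCLUDES, "ui-strings (en)"),
    ("ui-strings (en)", SUBSET_OF, "ui-strings (all locales)"),
    (TEAPOT_ROOT, BASED_ON, "vendor-sdk 7"),
    (TEAPOT_ROOT, MADE_USING, "gcc 12"),
    (TEAPOT_ROOT, CALLS_AT_RUNTIME, "tea-recipe-service (SaaS)"),
    (TEAPOT_ROOT, LOADS_AT_RUNTIME, "brewing-plugin 3.0"),
    ("brewing-plugin 3.0", INCLUDES, "json-parser 1.2"),
]


def classify_components(edges, root):
    """Return {component: exposure label} for every component reachable from root.

    A single path's exposure is its loosest relation (highest rank on the path);
    a component's exposure is the tightest of its paths (lowest such rank).
    This is a bottleneck-path search: a node is revisited only when a better
    (lower) rank is found, so the loop terminates.
    """
    adjacency = defaultdict(list)
    for src, rel, dst in edges:
        adjacency[src].append((rel, dst))

    best = {root: 0}
    queue = deque([root])
    while queue:
        src = queue.popleft()
        for rel, dst in adjacency[src]:
            candidate = max(best[src], EXPOSURE_RANK[rel])
            if candidate < best.get(dst, len(EXPOSURE_LABEL)):
                best[dst] = candidate
                queue.append(dst)
    return {node: EXPOSURE_LABEL[rank] for node, rank in best.items() if node != root}


def triage(edges, root, advisory_component):
    """How does root reach the component named in an advisory, if at all?"""
    return classify_components(edges, root).get(advisory_component, "not related")


if __name__ == "__main__":
    for component, label in sorted(classify_components(TEAPOT_EDGES, TEAPOT_ROOT).items()):
        print(f"{label:18} {component}")
    print("advisory on json-parser 1.2 ->", triage(TEAPOT_EDGES, TEAPOT_ROOT, "json-parser 1.2"))
```

Running it shows why the terms matter: `libtls 1.4` is "shipped" even though one of its two paths goes through `http-client 0.9`, `json-parser 1.2` is only "loaded at runtime" because every path to it crosses the plugin edge, and `gcc 12` is "build only". The SaaS service itself is "called at runtime" from the teapot's view; as message 3 notes, it would be the root of its own graph from the SaaS operator's view, which is exactly the bounding question raised in message 2.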