Open Supplychain Information Modeling TC

SBOM Definition

    Posted 09-03-2024 10:55

    I threw a new comment in the SBOM/SBOM+ issue:

    https://github.com/oasis-tcs/osim/issues/31#issuecomment-2326731430

    I'll repeat it here to aid in discussions at today's meeting:

    Wrt: "A document which contains that minimum set and some other information is still an SBOM (and may also be other things)"

    I see there being different aspects to the issues that I am having a hard time articulating. I'm going to use the term 'collection' to be the thing @hepwori is calling an SBOM with respect to the 'and may also be other things'. I.e., the collection is the collection of all these other things together that we are calling an SBOM. And I'm going to use 'view' (or maybe 'profile', or hopefully someone has a better word) to be the different 'types'/views/profiles for each of the different needs. I.e., SBOM is the 'collection' and component/licensing/EoX/vulnerabilities/exploitability/... are the different 'views'.

    Personally I wish SBOM was the name of the 'component view' and some other name was the name of the 'collection'. But if we go with SBOM as the term meaning the collection, then we need to define the name for the 'view' that doesn't have the other stuff and is just the 'classic SBOM', i.e. the components. So I'm calling that the component view or component profile.

    I would argue that to be an SBOM, you need at least a rudimentary component view (maybe just one component) to then attach the other views (e.g. licensing). But for some use cases and some views, you need a 'better'/'complete'/... component view. E.g. for some licensing use cases, you just need the license of the thing you buy and don't need a complete component view (depending on contract Ts and Cs, but assuming the seller assumes the risk if they sold something with the wrong license due to some license issue in a component). But vuln management might need a 'complete' component view to know that CVE whatever doesn't impact the product.

    -- 

    Duncan Sparrell

    sFractal Consulting

    iPhone, iTypo, iApologize

    I welcome VSRE emails. Learn more at http://vsre.info/
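The post above argues for three rules: a document is only an SBOM if it carries a component view with at least one component; every other view (licensing, vulnerabilities, ...) attaches to components in that view; and some use cases need a complete component view while others do not. The following Python validator is an added illustration of those rules and is not code from the post, the OSIM TC, or any OASIS specification. The JSON document shape (`component_view`, `views`, `complete`, `component_id`), the sample collection, and the use-case table are all invented for the example.

```python
"""Toy validator for the 'SBOM is a collection of views' reading.

Constructed example: the document shape below is invented for illustration
and is not an OSIM/OASIS format. Rules encoded:
  1. A collection must carry a component view with at least one component.
  2. Every other view attaches to components, so each component_id it
     references must resolve to a component in the component view.
  3. Some use cases need a 'complete' component view; others do not.
"""
import json

# Constructed sample: a collection whose component view is marked incomplete,
# with a licensing view and a vulnerability view attached to it.
SAMPLE_COLLECTION = json.dumps({
    "component_view": {
        "complete": False,
        "components": [
            {"id": "c1", "name": "widget-app", "version": "2.3.0"},
            {"id": "c2", "name": "libfoo", "version": "1.4.2"},
        ],
    },
    "views": {
        "licensing": [
            {"component_id": "c1", "license": "Apache-2.0"},
        ],
        "vulnerabilities": [
            {"component_id": "c2", "vuln_id": "EXAMPLE-0001", "status": "not_affected"},
        ],
    },
})

# Hypothetical use-case table (rule 3): which use cases need a complete
# component view before the collection can answer their question.
REQUIRES_COMPLETE_COMPONENT_VIEW = {
    "license_of_purchased_product": False,  # only the top-level licence matters
    "vulnerability_management": True,       # must see every component to rule a CVE out
}


def parse_collection(text):
    """Parse a collection document from its JSON text."""
    return json.loads(text)


def component_ids(collection):
    """Set of component ids present in the component view (empty if none)."""
    view = collection.get("component_view", {})
    return {c["id"] for c in view.get("components", [])}


def validate_collection(collection):
    """Return a list of problems; an empty list means the document satisfies
    rules 1 and 2 and so counts as an SBOM under the post's definition."""
    problems = []
    ids = component_ids(collection)
    if not ids:
        # Rule 1: without a component view there is nothing to attach views to.
        problems.append("no component view / no components: not an SBOM")
        return problems
    for view_name, entries in collection.get("views", {}).items():
        for entry in entries:
            ref = entry.get("component_id")
            if ref not in ids:
                # Rule 2: a view entry that points at no component is dangling.
                problems.append(f"{view_name}: dangling component_id {ref!r}")
    return problems


def fit_for_use_case(collection, use_case):
    """True when the collection is a valid SBOM and its component view is
    complete enough for the given use case (rule 3)."""
    if validate_collection(collection):
        return False
    needs_complete = REQUIRES_COMPLETE_COMPONENT_VIEW[use_case]
    complete = bool(collection["component_view"].get("complete", False))
    return complete or not needs_complete


if __name__ == "__main__":
    coll = parse_collection(SAMPLE_COLLECTION)
    print("problems:", validate_collection(coll))
    for uc in REQUIRES_COMPLETE_COMPONENT_VIEW:
        print(uc, "->", fit_for_use_case(coll, uc))
```

With the sample document, `validate_collection` reports no problems, so the document is an SBOM; it is fit for the purchased-product licensing use case but not for vulnerability management, because its component view is marked incomplete. A document with an empty component list fails rule 1 outright, and a licensing entry pointing at an unknown component id is reported as dangling under rule 2.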