Won't be obvious, but related to my pedigree/provenance comments are two other concepts:

• Information about 'not' having a component
• SBOM completeness

I believe there is a distinction between data, information, and knowledge.

I would like to know (ie derive knowledge from information derived from data) that a product is or isn't exploitable via TTP-whatever (based on CVE-whatever). To achieve that knowledge, I may use different information depending on the situation:

• Case 1:
• I have data from build and deploy that lets me derive a complete, accurate (within what quality metrics I supply) component inventory SBOM that shows I definitively don't have the component affected by the CVE.
• Case 2:
• I have data from an executable scanner that gives me an incomplete SBOM but can definitively (within what quality metrics I supply) don't have the component affected by the CVE
• Case 3:
• I have data from build/deploy by which I have complete SBOMs for some components, but for some I only know the programming language – and it's not the programming language of the CVE (eg IRL I have a Raspberry Pi running my elixir software on top of Nerves OS which I know has zero java in it so can't be affected by Log4J)
• Lots of other cases not relevant to my argument at the moment.

There are many subtle information terms that need definition in the above:

• The concept of a 'complete' SBOM vs an 'incomplete' SBOM
• The concept of an SBOM declaring it doesn't have an component (note that is the root 'information' most useful in all 3 cases)
• Hidden, but present due to term 'accurate', are the concepts of:
• Information model – the 'schema' by which we can answer
• Information – the instantiation of the schema with actual info
• Ground Truth – to be accurate it means our 'information' as instantiated is congruent with 'ground truth'

I think we need to actually define the above concepte, at least by example, to be able to meaningfully resove some of the issues we discussed last meeting.

Won't be obvious, but related to my pedigree/provenance comments are two other concepts: Information about 'not' having a componentSBOM...

Open Supplychain Information Modeling TC Post New Message Information about 'not' having a component Reply to Group Reply to Sender via Email Sep 5, 2024 12:39 PM Duncan Sparrell Won't be obvious, but related to my pedigree/provenance comments are two other concepts: Information about 'not' having a component SBOM completeness   I believe there is a distinction between data, information, and knowledge. I would like to know (ie derive knowledge from information derived from data) that a product is or isn't exploitable via TTP-whatever (based on CVE-whatever). To achieve that knowledge, I may use different information depending on the situation: Case 1: I have data from build and deploy that lets me derive a complete, accurate (within what quality metrics I supply) component inventory SBOM that shows I definitively don't have the component affected by the CVE. Case 2: I have data from an executable scanner that gives me an incomplete SBOM but can definitively (within what quality metrics I supply) don't have the component affected by the CVE Case 3: I have data from build/deploy by which I have complete SBOMs for some components, but for some I only know the programming language – and it's not the programming language of the CVE (eg IRL I have a Raspberry Pi running my elixir software on top of Nerves OS which I know has zero java in it so can't be affected by Log4J) Lots of other cases not relevant to my argument at the moment.   There are many subtle information terms that need definition in the above: The concept of a 'complete' SBOM vs an 'incomplete' SBOM The concept of an SBOM declaring it doesn't have an component (note that is the root 'information' most useful in all 3 cases) Hidden, but present due to term 'accurate', are the concepts of: Information model – the 'schema' by which we can answer Information – the instantiation of the schema with actual info Ground Truth – to be accurate it means our 'information' as instantiated is congruent with 'ground truth' I think we need to actually define the above concepte, at least by example, to be able to meaningfully resove some of the issues we discussed last meeting. --  Duncan Sparrell sFractal Consulting iPhone, iTypo, iApologize I welcome VSRE emails. Learn more at http://vsre.info/     Reply to Group via Email   Reply to Sender via Email   View Thread   Recommend   Forward   You are subscribed to "Open Supplychain Information Modeling TC" as isaach@google.com. To change your subscriptions, go to My Subscriptions. To unsubscribe from this community discussion, go to Unsubscribe.

Won't be obvious, but related to my pedigree/provenance comments are two other concepts:

• Information about 'not' having a component
• SBOM completeness

I believe there is a distinction between data, information, and knowledge.

I would like to know (ie derive knowledge from information derived from data) that a product is or isn't exploitable via TTP-whatever (based on CVE-whatever). To achieve that knowledge, I may use different information depending on the situation:

• Case 1:
• I have data from build and deploy that lets me derive a complete, accurate (within what quality metrics I supply) component inventory SBOM that shows I definitively don't have the component affected by the CVE.
• Case 2:
• I have data from an executable scanner that gives me an incomplete SBOM but can definitively (within what quality metrics I supply) don't have the component affected by the CVE
• Case 3:
• I have data from build/deploy by which I have complete SBOMs for some components, but for some I only know the programming language – and it's not the programming language of the CVE (eg IRL I have a Raspberry Pi running my elixir software on top of Nerves OS which I know has zero java in it so can't be affected by Log4J)
• Lots of other cases not relevant to my argument at the moment.

There are many subtle information terms that need definition in the above:

• The concept of a 'complete' SBOM vs an 'incomplete' SBOM
• The concept of an SBOM declaring it doesn't have an component (note that is the root 'information' most useful in all 3 cases)
• Hidden, but present due to term 'accurate', are the concepts of:
• Information model – the 'schema' by which we can answer
• Information – the instantiation of the schema with actual info
• Ground Truth – to be accurate it means our 'information' as instantiated is congruent with 'ground truth'

I think we need to actually define the above concepte, at least by example, to be able to meaningfully resove some of the issues we discussed last meeting.

You bring up another term I think we need to define – "Assertion". Wrt data/info/knowledge I'll defer to standard DIKW pyramid and probably...

Open Supplychain Information Modeling TC Post New Message Re: Information about 'not' having a component Reply to Group Reply to Sender via Email Sep 5, 2024 3:50 PM Duncan Sparrell You bring up another term I think we need to define – "Assertion".   Wrt data/info/knowledge I'll defer to standard DIKW pyramid and probably Wikipedia is as good as any en.wikipedia.org/wiki/DIKW_pyramid   Wrt OSIM – I consider CycloneDX and SPDX to be data. As a human I can look a particular instantiation and call this CycloneDX file an SBOM, and call another one a VEX instead of an SBOM. And I can look at a third SPDX file and say 'it's the same SBOM as the first CycloneDX one". To be able to do that, I have in my head an 'information model' of what is an SBOM. Two different data formats give the same information (#1 &#3) vs not everything in that data format is an SBOM (#2). I want to codify (preferably with JADN but could live with ASN.1 if someone else does the ASN.1) what the 'information' is that makes 1&3 an SBOM, but 2 is not an SBOM.   --  Duncan Sparrell sFractal Consulting iPhone, iTypo, iApologize I welcome VSRE emails. Learn more at http://vsre.info/       Reply to Group via Email   Reply to Sender via Email   View Thread   Recommend   Forward   Original Message: Sent: 9/5/2024 3:38:00 PM You are subscribed to "Open Supplychain Information Modeling TC" as isaach@google.com. To change your subscriptions, go to My Subscriptions. To unsubscribe from this community discussion, go to Unsubscribe.

You bring up another term I think we need to define – "Assertion".

Wrt data/info/knowledge I'll defer to standard DIKW pyramid and probably Wikipedia is as good as any

https://en.wikipedia.org/wiki/DIKW_pyramid

Wrt OSIM – I consider CycloneDX and SPDX to be data. As a human I can look a particular instantiation and call this CycloneDX file an SBOM, and call another one a VEX instead of an SBOM. And I can look at a third SPDX file and say 'it's the same SBOM as the first CycloneDX one". To be able to do that, I have in my head an 'information model' of what is an SBOM. Two different data formats give the same information (#1 &#3) vs not everything in that data format is an SBOM (#2). I want to codify (preferably with JADN but could live with ASN.1 if someone else does the ASN.1) what the 'information' is that makes 1&3 an SBOM, but 2 is not an SBOM.

Won't be obvious, but related to my pedigree/provenance comments are two other concepts: Information about 'not' having a componentSBOM...

Open Supplychain Information Modeling TC Post New Message Information about 'not' having a component Reply to Group Reply to Sender via Email Sep 5, 2024 12:39 PM Duncan Sparrell Won't be obvious, but related to my pedigree/provenance comments are two other concepts: Information about 'not' having a component SBOM completeness   I believe there is a distinction between data, information, and knowledge. I would like to know (ie derive knowledge from information derived from data) that a product is or isn't exploitable via TTP-whatever (based on CVE-whatever). To achieve that knowledge, I may use different information depending on the situation: Case 1: I have data from build and deploy that lets me derive a complete, accurate (within what quality metrics I supply) component inventory SBOM that shows I definitively don't have the component affected by the CVE. Case 2: I have data from an executable scanner that gives me an incomplete SBOM but can definitively (within what quality metrics I supply) don't have the component affected by the CVE Case 3: I have data from build/deploy by which I have complete SBOMs for some components, but for some I only know the programming language – and it's not the programming language of the CVE (eg IRL I have a Raspberry Pi running my elixir software on top of Nerves OS which I know has zero java in it so can't be affected by Log4J) Lots of other cases not relevant to my argument at the moment.   There are many subtle information terms that need definition in the above: The concept of a 'complete' SBOM vs an 'incomplete' SBOM The concept of an SBOM declaring it doesn't have an component (note that is the root 'information' most useful in all 3 cases) Hidden, but present due to term 'accurate', are the concepts of: Information model – the 'schema' by which we can answer Information – the instantiation of the schema with actual info Ground Truth – to be accurate it means our 'information' as instantiated is congruent with 'ground truth' I think we need to actually define the above concepte, at least by example, to be able to meaningfully resove some of the issues we discussed last meeting. --  Duncan Sparrell sFractal Consulting iPhone, iTypo, iApologize I welcome VSRE emails. Learn more at http://vsre.info/     Reply to Group via Email   Reply to Sender via Email   View Thread   Recommend   Forward   You are subscribed to "Open Supplychain Information Modeling TC" as isaach@google.com. To change your subscriptions, go to My Subscriptions. To unsubscribe from this community discussion, go to Unsubscribe.

You bring up another term I think we need to define – "Assertion". Wrt data/info/knowledge I'll defer to standard DIKW pyramid and probably...

Open Supplychain Information Modeling TC Post New Message Re: Information about 'not' having a component Reply to Group Reply to Sender via Email Sep 5, 2024 3:50 PM Duncan Sparrell You bring up another term I think we need to define – "Assertion".   Wrt data/info/knowledge I'll defer to standard DIKW pyramid and probably Wikipedia is as good as any en.wikipedia.org/wiki/DIKW_pyramid   Wrt OSIM – I consider CycloneDX and SPDX to be data. As a human I can look a particular instantiation and call this CycloneDX file an SBOM, and call another one a VEX instead of an SBOM. And I can look at a third SPDX file and say 'it's the same SBOM as the first CycloneDX one". To be able to do that, I have in my head an 'information model' of what is an SBOM. Two different data formats give the same information (#1 &#3) vs not everything in that data format is an SBOM (#2). I want to codify (preferably with JADN but could live with ASN.1 if someone else does the ASN.1) what the 'information' is that makes 1&3 an SBOM, but 2 is not an SBOM.   --  Duncan Sparrell sFractal Consulting iPhone, iTypo, iApologize I welcome VSRE emails. Learn more at http://vsre.info/       Reply to Group via Email   Reply to Sender via Email   View Thread   Recommend   Forward   Original Message: Sent: 9/5/2024 3:38:00 PM You are subscribed to "Open Supplychain Information Modeling TC" as isaach@google.com. To change your subscriptions, go to My Subscriptions. To unsubscribe from this community discussion, go to Unsubscribe.

You bring up another term I think we need to define – "Assertion".

Wrt data/info/knowledge I'll defer to standard DIKW pyramid and probably Wikipedia is as good as any

https://en.wikipedia.org/wiki/DIKW_pyramid

Wrt OSIM – I consider CycloneDX and SPDX to be data. As a human I can look a particular instantiation and call this CycloneDX file an SBOM, and call another one a VEX instead of an SBOM. And I can look at a third SPDX file and say 'it's the same SBOM as the first CycloneDX one". To be able to do that, I have in my head an 'information model' of what is an SBOM. Two different data formats give the same information (#1 &#3) vs not everything in that data format is an SBOM (#2). I want to codify (preferably with JADN but could live with ASN.1 if someone else does the ASN.1) what the 'information' is that makes 1&3 an SBOM, but 2 is not an SBOM.

Won't be obvious, but related to my pedigree/provenance comments are two other concepts: Information about 'not' having a componentSBOM...

Open Supplychain Information Modeling TC Post New Message Information about 'not' having a component Reply to Group Reply to Sender via Email Sep 5, 2024 12:39 PM Duncan Sparrell Won't be obvious, but related to my pedigree/provenance comments are two other concepts: Information about 'not' having a component SBOM completeness   I believe there is a distinction between data, information, and knowledge. I would like to know (ie derive knowledge from information derived from data) that a product is or isn't exploitable via TTP-whatever (based on CVE-whatever). To achieve that knowledge, I may use different information depending on the situation: Case 1: I have data from build and deploy that lets me derive a complete, accurate (within what quality metrics I supply) component inventory SBOM that shows I definitively don't have the component affected by the CVE. Case 2: I have data from an executable scanner that gives me an incomplete SBOM but can definitively (within what quality metrics I supply) don't have the component affected by the CVE Case 3: I have data from build/deploy by which I have complete SBOMs for some components, but for some I only know the programming language – and it's not the programming language of the CVE (eg IRL I have a Raspberry Pi running my elixir software on top of Nerves OS which I know has zero java in it so can't be affected by Log4J) Lots of other cases not relevant to my argument at the moment.   There are many subtle information terms that need definition in the above: The concept of a 'complete' SBOM vs an 'incomplete' SBOM The concept of an SBOM declaring it doesn't have an component (note that is the root 'information' most useful in all 3 cases) Hidden, but present due to term 'accurate', are the concepts of: Information model – the 'schema' by which we can answer Information – the instantiation of the schema with actual info Ground Truth – to be accurate it means our 'information' as instantiated is congruent with 'ground truth' I think we need to actually define the above concepte, at least by example, to be able to meaningfully resove some of the issues we discussed last meeting. --  Duncan Sparrell sFractal Consulting iPhone, iTypo, iApologize I welcome VSRE emails. Learn more at http://vsre.info/     Reply to Group via Email   Reply to Sender via Email   View Thread   Recommend   Forward   You are subscribed to "Open Supplychain Information Modeling TC" as isaach@google.com. To change your subscriptions, go to My Subscriptions. To unsubscribe from this community discussion, go to Unsubscribe.

You bring up another term I think we need to define – "Assertion".

Wrt data/info/knowledge I'll defer to standard DIKW pyramid and probably Wikipedia is as good as any

https://en.wikipedia.org/wiki/DIKW_pyramid

Wrt OSIM – I consider CycloneDX and SPDX to be data. As a human I can look a particular instantiation and call this CycloneDX file an SBOM, and call another one a VEX instead of an SBOM. And I can look at a third SPDX file and say 'it's the same SBOM as the first CycloneDX one". To be able to do that, I have in my head an 'information model' of what is an SBOM. Two different data formats give the same information (#1 &#3) vs not everything in that data format is an SBOM (#2). I want to codify (preferably with JADN but could live with ASN.1 if someone else does the ASN.1) what the 'information' is that makes 1&3 an SBOM, but 2 is not an SBOM.

Won't be obvious, but related to my pedigree/provenance comments are two other concepts: Information about 'not' having a componentSBOM...

Open Supplychain Information Modeling TC Post New Message Information about 'not' having a component Reply to Group Reply to Sender via Email Sep 5, 2024 12:39 PM Duncan Sparrell Won't be obvious, but related to my pedigree/provenance comments are two other concepts: Information about 'not' having a component SBOM completeness   I believe there is a distinction between data, information, and knowledge. I would like to know (ie derive knowledge from information derived from data) that a product is or isn't exploitable via TTP-whatever (based on CVE-whatever). To achieve that knowledge, I may use different information depending on the situation: Case 1: I have data from build and deploy that lets me derive a complete, accurate (within what quality metrics I supply) component inventory SBOM that shows I definitively don't have the component affected by the CVE. Case 2: I have data from an executable scanner that gives me an incomplete SBOM but can definitively (within what quality metrics I supply) don't have the component affected by the CVE Case 3: I have data from build/deploy by which I have complete SBOMs for some components, but for some I only know the programming language – and it's not the programming language of the CVE (eg IRL I have a Raspberry Pi running my elixir software on top of Nerves OS which I know has zero java in it so can't be affected by Log4J) Lots of other cases not relevant to my argument at the moment.   There are many subtle information terms that need definition in the above: The concept of a 'complete' SBOM vs an 'incomplete' SBOM The concept of an SBOM declaring it doesn't have an component (note that is the root 'information' most useful in all 3 cases) Hidden, but present due to term 'accurate', are the concepts of: Information model – the 'schema' by which we can answer Information – the instantiation of the schema with actual info Ground Truth – to be accurate it means our 'information' as instantiated is congruent with 'ground truth' I think we need to actually define the above concepte, at least by example, to be able to meaningfully resove some of the issues we discussed last meeting. --  Duncan Sparrell sFractal Consulting iPhone, iTypo, iApologize I welcome VSRE emails. Learn more at http://vsre.info/     Reply to Group via Email   Reply to Sender via Email   View Thread   Recommend   Forward   You are subscribed to "Open Supplychain Information Modeling TC" as isaach@google.com. To change your subscriptions, go to My Subscriptions. To unsubscribe from this community discussion, go to Unsubscribe.

Won't be obvious, but related to my pedigree/provenance comments are two other concepts:

• Information about 'not' having a component
• SBOM completeness

I believe there is a distinction between data, information, and knowledge.

I would like to know (ie derive knowledge from information derived from data) that a product is or isn't exploitable via TTP-whatever (based on CVE-whatever). To achieve that knowledge, I may use different information depending on the situation:

• Case 1:
• I have data from build and deploy that lets me derive a complete, accurate (within what quality metrics I supply) component inventory SBOM that shows I definitively don't have the component affected by the CVE.
• Case 2:
• I have data from an executable scanner that gives me an incomplete SBOM but can definitively (within what quality metrics I supply) don't have the component affected by the CVE
• Case 3:
• I have data from build/deploy by which I have complete SBOMs for some components, but for some I only know the programming language – and it's not the programming language of the CVE (eg IRL I have a Raspberry Pi running my elixir software on top of Nerves OS which I know has zero java in it so can't be affected by Log4J)
• Lots of other cases not relevant to my argument at the moment.

There are many subtle information terms that need definition in the above:

• The concept of a 'complete' SBOM vs an 'incomplete' SBOM
• The concept of an SBOM declaring it doesn't have an component (note that is the root 'information' most useful in all 3 cases)
• Hidden, but present due to term 'accurate', are the concepts of:
• Information model – the 'schema' by which we can answer
• Information – the instantiation of the schema with actual info
• Ground Truth – to be accurate it means our 'information' as instantiated is congruent with 'ground truth'

I think we need to actually define the above concepte, at least by example, to be able to meaningfully resove some of the issues we discussed last meeting.