# Notes: Generating a Software Bill of Materials (LFC192)
Course: https://training.linuxfoundation.org/training/generating-a-software-bill-of-materials-sbom-lfc192/
### Playground
https://sbom.democert.org/sbom/
## Notes
Three perspectives across the supply chain
- Produce Software (Supplier/Upstream)
- Choose Software (Consumer/Downstream)
- Operate Software (Use/In Organization)



#### Quote
> The licensing ones it's sort of like more focusing around the sources and then the linkage to the image, and the cybersecurity tends to focus on the linkage as well all the way down.
### What should a minimum viable SBOM contain?
| NTIA SBOM Baseline | Definition |
| ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Supplier Name | Name or identity of the supplier of the component in the SBOM entry, including some capability to note multiple names or aliases. |
| Component Name | Component (and supplier) names can be conveyed using a generic namespace:name construct. |
| Unique Identifier | A unique identifier can be generated and used to help identify components. This identifier could be a version 4 or 5 UUID. |
| Version String | Version information helps to identify a component. |
| Component Hash | Adding a cryptographic hash of the component is the most precise way to identify a binary, as-built component in an SBOM. The hash is effectively the unique identifier of a component; however, the other baseline identification information will be useful and even necessary. |
| Relationship | Relationship is inherent in the design of the SBOM. The default relationship type is includes. |
| Author Name | Author of the SBOM entry (this may not always be the supplier). |
Source: NTIA [Framing Software Component Transparency: Establishing a Common Software Bill of Material (SBOM)](https://www.ntia.gov/files/ntia/publications/framingsbom_20191112.pdf)
### How to represent minimum viable SBOM Info?
| NTIA SBOM Baseline | SPDX | SWID | CycloneDX |
| --------------------- | ---------------------------- | ------------------------------------------------- | ------------------------------------------------------ |
| **Supplier Name** | (3.5) PackageSupplier: | <Entity> @role (softwareCreator/publisher), @name | publisher |
| **Component Name** | (3.1) PackageName: | <softwareIdentity> @name | name |
| **Unique Identifier** | (3.2) SPDXID: | <softwareIdentity> @tagID | bom/serialNumber and component/bom-ref |
| **Version String** | (3.3) PackageVersion: | <softwareIdentity> @version | version |
| **Component Hash** | (3.10) PackageChecksum: | <Payload>/../<File> @ [hash-algorithm]:hash | hash |
| **Relationship** | (7.1) Relationship: CONTAINS | <Link> @rel, Chref | (Nested assembly/subassembly and/or dependency graphs) |
| **Author Name** | (2.8) Creator: | <Entity> @role (tagCreator), @name | bom-descriptor:metadata/manufacture/contact |
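Added example (not from the course or the NTIA paper): a script that emits the same minimum viable SBOM in both CycloneDX 1.4 JSON and SPDX 2.2 JSON, placing each NTIA baseline element in the field the table above maps it to, plus a checker that reports which baseline elements a given document is missing. The application/library inputs, their byte strings, the author name and the `sbom.example.invalid` SPDX namespace are constructed stand-ins; CycloneDX `metadata.authors` is used for Author Name because that is the field current CycloneDX JSON carries for it.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed inputs: the application being described and the one library it ships.
# The byte strings stand in for the real artifacts a Build-category tool would hash.
APP = {"name": "acme-app", "version": "2.0.0", "supplier": "Acme Corp",
       "bytes": b"constructed placeholder for acme-app-2.0.0.tar.gz"}
LIB = {"name": "libfoo", "version": "1.2.3", "supplier": "Foo Project",
       "bytes": b"constructed placeholder for libfoo-1.2.3.tar.gz"}
AUTHOR = "Acme Release Engineering"   # who wrote the SBOM; not necessarily the supplier

BASELINE = ["Supplier Name", "Component Name", "Unique Identifier",
            "Version String", "Component Hash", "Relationship", "Author Name"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def now_iso() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def cdx_component(c: dict, ctype: str) -> dict:
    return {"type": ctype,
            "bom-ref": f"pkg:generic/{c['name']}@{c['version']}",   # Unique Identifier (component)
            "name": c["name"],                                      # Component Name
            "version": c["version"],                                # Version String
            "publisher": c["supplier"],                             # Supplier Name (as the table maps it)
            "supplier": {"name": c["supplier"]},
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(c["bytes"])}]}  # Component Hash


def cyclonedx_minimal(app: dict, lib: dict, author: str) -> dict:
    """CycloneDX 1.4 JSON carrying the seven baseline elements for one dependency."""
    root, dep = cdx_component(app, "application"), cdx_component(lib, "library")
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",            # Unique Identifier (document)
        "metadata": {"timestamp": now_iso(),
                     "authors": [{"name": author}],             # Author Name
                     "component": root},
        "components": [dep],
        "dependencies": [{"ref": root["bom-ref"], "dependsOn": [dep["bom-ref"]]}],  # Relationship
    }


def spdx_package(c: dict) -> dict:
    return {"name": c["name"],                                        # (3.1) PackageName
            "SPDXID": f"SPDXRef-Package-{c['name']}",                  # (3.2) SPDXID
            "versionInfo": c["version"],                               # (3.3) PackageVersion
            "supplier": f"Organization: {c['supplier']}",              # (3.5) PackageSupplier
            "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
            "checksums": [{"algorithm": "SHA256",                      # (3.10) PackageChecksum
                           "checksumValue": sha256_hex(c["bytes"])}]}


def spdx_minimal(app: dict, lib: dict, author: str) -> dict:
    """SPDX 2.2 JSON with the same information; numbers refer to the SPDX 2.2 field list."""
    root, dep = spdx_package(app), spdx_package(lib)
    return {
        "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{app['name']}-{app['version']}",
        "documentNamespace": f"https://sbom.example.invalid/{uuid.uuid4()}",  # assumed namespace
        "creationInfo": {"created": now_iso(), "creators": [f"Person: {author}"]},  # (2.8) Creator
        "packages": [root, dep],
        "relationships": [                                                   # (7.1) Relationship
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": root["SPDXID"]},
            {"spdxElementId": root["SPDXID"], "relationshipType": "CONTAINS",
             "relatedSpdxElement": dep["SPDXID"]},
        ],
    }


def ntia_baseline_gaps(sbom: dict) -> list:
    """Baseline elements missing from the document or from any of its components, in table order."""
    gaps = set()
    if sbom.get("bomFormat") == "CycloneDX":
        if not sbom.get("metadata", {}).get("authors"): gaps.add("Author Name")
        if not sbom.get("dependencies"): gaps.add("Relationship")
        if not sbom.get("serialNumber"): gaps.add("Unique Identifier")
        for c in sbom.get("components", []):
            if not (c.get("publisher") or (c.get("supplier") or {}).get("name")): gaps.add("Supplier Name")
            if not c.get("name"): gaps.add("Component Name")
            if not c.get("bom-ref"): gaps.add("Unique Identifier")
            if not c.get("version"): gaps.add("Version String")
            if not c.get("hashes"): gaps.add("Component Hash")
    elif str(sbom.get("spdxVersion", "")).startswith("SPDX-"):
        if not sbom.get("creationInfo", {}).get("creators"): gaps.add("Author Name")
        if not sbom.get("relationships"): gaps.add("Relationship")
        for p in sbom.get("packages", []):
            if p.get("supplier", "NOASSERTION") == "NOASSERTION": gaps.add("Supplier Name")
            if not p.get("name"): gaps.add("Component Name")
            if not p.get("SPDXID"): gaps.add("Unique Identifier")
            if not p.get("versionInfo"): gaps.add("Version String")
            if not p.get("checksums"): gaps.add("Component Hash")
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    return [e for e in BASELINE if e in gaps]


if __name__ == "__main__":
    for doc in (cyclonedx_minimal(APP, LIB, AUTHOR), spdx_minimal(APP, LIB, AUTHOR)):
        print(json.dumps(doc, indent=2))
        print("baseline gaps:", ntia_baseline_gaps(doc))
```

The checker deliberately treats an SPDX supplier of `NOASSERTION` as missing: the field is syntactically present, but it tells a consumer nothing about who stands behind the component.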
### Taxonomy used for Classifying SBOM Tools
| **Category** | **Type** | **Description** |
| ------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Produce** | Build | Document is automatically created as part of building an artifact and contains information about the build. |
| | Analyze | Analysis of source or binary files will generate the SBOM by inspection of the artifacts and any associated sources |
| | Edit | A tool to assist a person manually entering or editing SBOM data |
| **Consume** | View | Be able to understand the contents in human readable form (picture, figures, tables, text.). Use to support decision making & business processes. |
| | Diff | Be able to compare multiple SBOMs and clearly see the differences (e.g. comparing two versions of a piece of software) |
| | Import | Be able to discover, retrieve, and import an SBOM into your system for further processing and analysis |
| **Transform** | Translate | Change from one file type to another file type while preserving the same information. |
| | Merge | Multiple sources of SBOM and other data can be merged together for analysis and audit purposes |
| | Tool support | Support use in other tools by APIs, object models, libraries, or other reference sources |
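Added example (not from the course) of the Consume/Diff category: comparing the component lists of two releases of one application. Components are keyed by the baseline's supplier+name convention, and the diff separates routine version bumps from the case a consumer most wants flagged, a component whose declared version is unchanged but whose hash differs. The two component lists and their hash values are constructed and use CycloneDX-style field names.

```python
# Constructed CycloneDX-style component lists for two releases of the same
# application. Hash values are made up; only the fields the diff needs are present.
RELEASE_1 = [
    {"name": "libfoo", "version": "1.2.3", "publisher": "Foo Project",
     "hashes": [{"alg": "SHA-256", "content": "a1" * 32}]},
    {"name": "libbar", "version": "0.9.0", "publisher": "Bar Inc",
     "hashes": [{"alg": "SHA-256", "content": "b2" * 32}]},
    {"name": "libold", "version": "4.0.0", "publisher": "Old Ltd",
     "hashes": [{"alg": "SHA-256", "content": "c3" * 32}]},
]
RELEASE_2 = [
    {"name": "libfoo", "version": "1.2.4", "publisher": "Foo Project",   # routine upgrade
     "hashes": [{"alg": "SHA-256", "content": "a4" * 32}]},
    {"name": "libbar", "version": "0.9.0", "publisher": "Bar Inc",       # same version, different bytes
     "hashes": [{"alg": "SHA-256", "content": "d5" * 32}]},
    {"name": "libnew", "version": "1.0.0", "publisher": "New Co",        # newly introduced dependency
     "hashes": [{"alg": "SHA-256", "content": "e6" * 32}]},
]


def component_key(c: dict) -> str:
    """namespace:name, following the baseline's supplier+name convention."""
    supplier = c.get("publisher") or (c.get("supplier") or {}).get("name") or "unknown"
    return f"{supplier}:{c['name']}"


def sha256_of(c: dict):
    """The component's SHA-256 from its hashes list, or None if it carries none."""
    return next((h["content"] for h in c.get("hashes", []) if h.get("alg") == "SHA-256"), None)


def diff_sboms(old_components: list, new_components: list) -> dict:
    old = {component_key(c): c for c in old_components}
    new = {component_key(c): c for c in new_components}
    report = {"added": [], "removed": [], "version_changed": [], "hash_changed_same_version": []}
    for key in sorted(set(old) | set(new)):
        if key not in old:
            report["added"].append((key, new[key].get("version")))
        elif key not in new:
            report["removed"].append((key, old[key].get("version")))
        else:
            o, n = old[key], new[key]
            if o.get("version") != n.get("version"):
                report["version_changed"].append((key, o.get("version"), n.get("version")))
            elif sha256_of(o) and sha256_of(n) and sha256_of(o) != sha256_of(n):
                # Same declared version, different bytes: the version string alone
                # would have hidden this change, so it is reported separately.
                report["hash_changed_same_version"].append((key, n.get("version")))
    return report


if __name__ == "__main__":
    for category, entries in diff_sboms(RELEASE_1, RELEASE_2).items():
        for entry in entries:
            print(category, *entry)
```

Components without a SHA-256 entry are compared by version only, which is exactly why the baseline treats the hash as the precise identifier and the version string as supporting information.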
### SBOM tools with support for different SBOM formats
http://tiny.cc/SPDX
http://tiny.cc/SWID
http://tiny.cc/CycloneDX
### Standard
ISO/IEC 5230:2020
https://www.openchainproject.org/
### Make license information stored in Git human readable
https://reuse.software/