owned this note
owned this note
Published
Linked with GitHub
###### tags: `SIG Software Supply Chain` `Supply Chain Maturity Workstream`
# CDF Supply Chain Maturity Workstream Meetings
[![HacmKD documents](https://hackmd.io/badge.svg)](https://hackmd.io/xq6lH4F7RUWmqZhluMcgLw?edit)
## Quick links
* [Logistics](#Logistics)
* [Agenda and Notes](#Agenda-and-Notes)
* [2023-01-10](#January-10-2023)
* ~~[2022-12-13](#December-13-2022)~~ -- *Cancelled*
* ~~[2022-11-29](#November-29-2022)~~ -- *Cancelled*
* [2022-11-15](#November-15-2022)
* [2022-11-01](#November-1-2022)
* [2022-10-18](#October-18-2022)
* [2022-10-04](#October-4-2022)
* [Meeting Template](#Meeting-Template)
## Logistics
* **Meeting notes on HackMD**: https://hackmd.io/zAtl6rXVRzG74zGkf6odKw
* **When**: Every other Tuesday at 16:00UTC (*See your timezone [here](https://dateful.com/time-zone-converter?t=4pm&tz2=UTC)*)
* **Zoom Bridge**: https://zoom.us/j/94947282554?pwd=UndPWjFkQTJSUGo4WTRZWjlDaEQvUT09
* **Zoom International dial-in numbers**: https://zoom.us/zoomconference
* **Meeting Recordings**: [CDF Youtube Channel SIG Software Supply Chain Playlist](https://youtube.com/playlist?list=PL2KXbZ9-EY9TT2rKSBv6-BUdKqsJg9rAL)
* **CDF Public Calendar**: [here](https://calendar.google.com/calendar/embed?src=linuxfoundation.org_mhf0kmgedn67ihni8r129avp24%40group.calendar.google.com&ctz=UTC)
## Agenda and Notes
Meeting agenda and notes are kept on [HackMD.io](https://hackmd.io/xq6lH4F7RUWmqZhluMcgLw) where everyone can add new topics to the agenda for upcoming meetings or take notes during the meetings. Please click edit button to edit the document.
### Next
* [ ] Attendees (affiliation)
* Name (Company)
* Name (Company)
* [ ] Welcome & intros
* [ ] Discussion topics/questions
* [ ] Topic 1 / Owner
* [ ] Topic 2 / Owner
* [ ] Action items
* [ ] Owner - Action
* [ ] Ankit Mohaptra to cover differences between SBOMS generated by Syft and other tools (like ko)
### January 10, 2023
* [x] Attendees (affiliation)
* David Bendory (Google)
* Parth Patel (Kusari)
* Asi Greenholts (Palo Alto Networks)
* [x] Welcome & intros
* David Bendory -- Tekton Manager at Google
* Asi Greenholts -- CICD researcher for Palo Alto Networks
* Parth Patel -- Tekton, GUAC, in-toto -- focus on Supply Chain Security
* [x] Discussion topics/questions
* [x] [Supply Chain Maturity Metrics](https://docs.google.com/document/d/1CDSbQezqauwL2BaFob7o2ztLk6dTQGZqZCMZ_szNhW8/edit?resourcekey=0-ooiOpNu2gyR-KOlMNOCcDA) / David Bendory -- draft review
* Doc is more expansive than "supply chain security" -- it includes additional metrics
* [ ] Action items
* [ ] David Bendory to incorporate input to iterate further on draft maturity doc
### December 13, 2022
*Cancelled* due to poor attendance.
### November 29, 2022
*Cancelled*
### November 15, 2022
* [x] Attendees (include affiliation)
* David Espejo, VMware
* Terry Cox, Bootstrap Ltd
* David Bendory, Google / Tekton
* Parth Patel, Kusari
* Rajat Gupta, Jenkins X
* Sudhindra Rao, Pyrsia
* Justin Abrahms, eBay
* [x] Welcome & intros
* Sudhindra Rao, Pyrsia
* [ ] Discussion topics/questions
* [ ] ~~Ankit Mohaptra to cover differences between SBOMS generated by Syft and other tools (like ko)~~
* [x] Terry Cox to present work done by SIG Best Practices
* One of the goals of SIG Best Practices: to bridge the knowledge gap between CI/CD seasoned practitioners and individuals/orgs getting started
* https://bestpractices.cd.foundation/
* [x] David Bendory to introduce [Brainstorming: Supply Chains Security Measures](https://docs.google.com/document/d/1rGvQv2GH8HYbQUZxg89LmWsYe8-MyeTEcj08nwULitw/edit?pli=1#)
* Join [this Google Group](https://groups.google.com/g/cdf-scm) for document view + comment access
* Feel free to request Edit privileges in the doc (opening it to public Edit seemed a bit adventurous)
* *Please contribute!!!*
* [ ] Action Items
* [ ] David Bendory to iterate metrics brainstorm into a prosaic draft for sharing and iteration
### November 1, 2022
* Attendees (include affiliation)
* David Bendory (Google)
* David Espejo (VMware/CDF)
* Omer Gil (Cider Security)
* Ankit D Mohapatra (Berkshire Grey)
* Parth Patel (Kusari)
* [X] Welcome & intros
* Omer Gil, leads research at Cider Security
* Justin Abrahams, eBay, leading Supply Chain security initiative
* Sunny Yip, day 1 at Kusari
* Roman Zhukov, supply chain security at Intel
* Isaac Hepworth, Google, SLSA and OpenSSF
* David Bendory, Tekton EM at Google
* Ankit Mohapatra, Jenkins X maintainer
* David Espejo, OSS Community Mgr, VMware. CDF Ambassador
* [ ] Discussion topics/questions
* [x] @Parth Patel - GUAC Demo
* GUAC is a collaboration among Google, Citi, and Kusari
* Graph for Understanding Artifact Composition
* Repo: https://github.com/guacsec/guac
* Status: Pre-Alpha
* Goal: aggregate supply chain security artifacts to enable policy decisions
* Collect from Rekor, GCS, Sigstore, GitHub; ingest everything into a graph DB for analysis
* Automatic ingestion of new artifacts as they materialize
* DB is a collection of artifact, package nodes with connecting edges
* queries like:
* "show me everything that depends on debian version x.y.z"
* "what are all the dependencies that are missing SBOM/SLSA/vulnz scan/etc."
* can drill down to the file level
* walk graph of shared data, shared dependencies
* goal: make GUAC an open public service for OSS
* not yet working on integrations to enable policy decisions based on GUAC
* @bendory This ties back to Supply Chain Maturity:
*
* [x] @Justin Abrahams - How do we rate SBOMs?
* Not all SBOMs are created equal. How complete is the SBOM? Does it include package names? Versions? License details?
* Q: "Is this SBOM actually good?" How valid and complete is the information?
* Can we create a scorecard?
* Next step: collect some "in the wild" SBOMs and come up with a scoring mechanism
* @Omer Gil - Do we have an objective of creating a maturity model?
* @bendory - Long-term "yes", but we're a long way from there; tools are still being explored and developed. But in the long-term, we would like to see a CD Maturity Model definition broadly adopted in the industry.
* [ ] Action items
* @Justin Abrahams - Share results from SBOM analysis and scoring brainstorm
* @Ankit Mohapatra - show differences between SBOM generated by syft and tools like ko (sbom generation at build time).
### October 18, 2022
* [X] Attendees (include affiliation)
* David Espejo (VMware)
* Parth Patel (Kusari)
* Jay White (Microsoft)
* Terry Cox (Bootstrap)
* [X] Welcome & intros
* [ ] Discussion topics/questions
* [ ] Goals of this workstream (cont.)
* [PP] For areas of consideration, include runtime attestation.
* Guac project: https://github.com/guacsec/guac
* [JW] Also considerate end-of-life, since we are talking 'lifecycle'
* [PP] What is the main deliverable from this WG?
* [TC] Make sure to allign with CDF's Best practices SIG so there's integration as there's potential overlap. How is this information going to be published? Other SIGs using docsy (collaborative docs editing). Happy to facilitate (Previous work: https://bestpractices.cd.foundation/)
* [JW] S2C Framework is now under OpenSSF
* [TC] There's got to be a good narrative on business reasons to do this, fill in conceptual gaps so is accesible for people from different levels of maturity in the field. CDF's Best Practices high level section on SSC
* [ ] Action items
* @Parth Patel to demo Guac in the next meeting
### October 4, 2022
* [X] Attendees (include affiliation)
* David Espejo (VMware)
* Ankit D Mohapatra (Berkshire Grey)
* David Bendory (Google)
* [X] Welcome & intros
* [ ] _Add discussion topics/questions_
* Goals of this workstream.
* How to measure quality of CD?
* Design metrics for CD maturity
* To have simple to understand 'ladder' of CD adoption, maturity, reliability
* Augmenting SLSA with another set of metrics, not changing SLSA
* [AM] Should 'Level 0' be defined as the adoption of any sort of CD practice to begin with? (eg Source Code Management, branching)
* **Discussion topics for next meeting**:
* define areas for consideration -> SCM, lifecycle automation, test coverage, presubmit validation, post-submit validation, static analysis, vulnerability analysis, rollout automation, artifact management, deployment management, Canary analysis, production monitoring, SLSA and SBOMs...
* presentation on what one or more organizations are doing in an area for consideration
* OpenSSF discussion: https://openssf.slack.com/archives/C01A1MA7A1K/p1664460001180279
* MS SSC project: https://github.com/microsoft/oss-ssc-framework/blob/main/specification/framework.md
* Resources
* Inaugural blog post: https://cd.foundation/blog/2022/09/22/software-supply-chain-sig-launches-maturity-model-workstream/
* Workstream README: https://github.com/cdfoundation/sig-software-supply-chain/tree/main/workstreams/scmm
---
### Meeting Template
*(copy-and-paste to set an upcoming agenda)*
* [ ] Attendees (affiliation)
* Name (Company)
* Name (Company)
* [ ] Welcome & intros
* [ ] Discussion topics/questions
* [ ] Topic 1 / Owner
* [ ] Topic 2 / Owner
* [ ] Action items
* Owner - Action