SlideShare une entreprise Scribd logo
1  sur  42
An Overview of SPDX
3.0
OpenChain Webinar #50
Anti-Trust Policy Notice
● Linux Foundation meetings involve participation by industry competitors, and it is the intention
of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust
and competition laws. It is therefore extremely important that attendees adhere to meeting
agendas, and be aware of, and not participate in, any activities that are prohibited under
applicable US state, federal or foreign antitrust and competition laws.
● Examples of types of actions that are prohibited at Linux Foundation meetings and in
connection with Linux Foundation activities are described in the Linux Foundation Antitrust
Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about
these matters, please contact your company counsel, or if you are a member of the Linux
Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP,
which provides legal counsel to the Linux Foundation.
SBOM & SPDX Update
3
Common Understanding of “SBOM”
“An SBOM is a formal record containing
the details and supply chain relationships
of various components used in building
software.
These components, including libraries and
modules, can be open source or
proprietary, free or paid, and the data can
be widely available or access-restricted.”
Source: NTIA’s SBOM FAQ
NTIA SBOM Guidance
Source:https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf.
NTIA Software Bill Of Materials (SBOM) Guidance -
Minimum Elements
Source: https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
SPDX 2.2 +
(ISO/IEC 5962:2021)
supports all required
minimum elements
(as well the optional that
are mentioned in report)
Checker available at:
https://github.com/spdx/ntia
-conformance-checker
Derived from : NTIA’s Survey of Existing SBOM Formats and Standards
When should
an SBOM be
created or
consumed?
SBOM Type Definition
Design SBOM of intended design of included components (some of which may not exist) for a new
software artifact.
Source SBOM created directly from the development environment, source files, and included
dependencies used to build an product artifact.
Build SBOM generated as part of the process of building the software to create a releasable artifact
(e.g., executable or package) from data such as source files, dependencies, built components,
build process ephemeral data, and other SBOMs.
Deployed SBOM provides an inventory of software that is present on a system. This may be an
assembly of other SBOMs that combines analysis of configuration options, and examination of
execution behavior in a (potentially simulated) deployment environment.
Runtime BOM generated through instrumenting the system running the software, to capture only
components present in the system, as well as external call-outs or dynamically loaded
components. In some contexts, this may also be referred to as an “Instrumented” or “Dynamic”
SBOM.
Analyzed SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and
virtual machine images) after its build. Such analysis generally requires a variety of heuristics.
In some contexts, this may also be referred to as a “3rd party” SBOM.
Source: CISA SBOM Types work in progress - to appear on CISA SBOM site soon.
Derived from : NTIA’s Survey of Existing SBOM Formats and Standards
Generate
SBOMs
where the
data is
Source
Runtime
Design
Deployed
Build
Package Information
SPDX v2.3 Document must contain:
SPDX Document
Creation Information
Package Information
Other Licensing Information
Other Licensing
Information Detected
Other Licensing Information
File Information
Other Licensing Information
Annotations Information
Other Licensing Information
Relationships between SPDX
Elements Information
Other Licensing Information
Snippet Information Charter: To create a set of data
exchange standards that enable
companies and organizations to
share human-readable and machine-
processable software package
metadata to facilitate software
supply chain processes.
Software Package Data
Exchange (SPDX®) specification
is a standard for communicating
the component and metadata
information associated with
software
SPDX v2.3 Document may contain:
ISO/IEC 5962:2021
11
Source: https://www.iso.org/standard/81870.html
accessed on 2021/11/19
● Able to represent SBOMs from binary
images and track back to the source files
and snippets.
● Specification is freely available from ITTF
site
● Future updates are live tracked at:
https://spdx.github.io/spdx-spec and work
on satisfying safety requirements is being
included
● More information at spdx.dev
12
source: https://spdx.github.io/spdx-spec/v2.3/
Formal Model Enables Validation &
Interchange Between Specific File Formats
.xls
(spreadsheet)
.rdf
(RDF)
.spdx
(tag:value)
.xml
(2.2 →)
.json
(2.2 →)
.yaml
(2.2→)
SPDX Relationships Clarify Dependency Types
1
4
DESCRIBES DEPENDENCY_OF PREREQUISITE_FOR GENERATES VARIANT_OF
DESCRIBED_BY RUNTIME_DEPENDENCY_OF HAS_PREREQUISITE TEST_OF FILE_ADDED
CONTAINS BUILD_DEPENDENCY_OF ANCESTOR_OF TEST_TOOL_OF FILE_DELETED
CONTAINED_BY DEV_DEPENDENCY_OF DESCENDENT_OF TEST_CASE_OF FILE_MODIFIED
DYNAMIC_LINK OPTIONAL_DEPENDENCY_OF DOCUMENTATION_OF EXAMPLE_OF PATCH_FOR
STATIC_LINK PROVIDED_DEPENDENCY_OF BUILD_TOOL_OF METAFILE_OF PATCH_APPLIE
D
AMENDS TEST_DEPENDENCY_OF EXPANDED_FROM_ARCHIVE PACKAGE_OF OTHER
COPY_OF OPTIONAL_COMPONENT_OF DISTRIBUTION_ARTIFACT DATA_FILE_OF
DEPENDS_ON DEPENDENCY_MANIFEST_OF GENERATED_FROM DEV_TOOL_OF
For more details see: https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/
SPDX Progress in 2022
● License List
● Specification
● Tooling
● SBOM Ecosystem Engagement
SPDX License List Milestones
● Feb 6, 2022 - v3.16: 6 new licenses/exceptions, 1 deprecated license
● May 8, 2022 - v3.17: 5 new licenses/exceptions, clarifications & docs rework
● July 29, 2022 - Fedora adopts SPDX License identifiers
● Aug 11, 2022- v3.18: 10 new licenses/exceptions, decision template
● Nov 30, 2022 - v3.19: focus on doc & process (5 new licenses/exceptions)
● Feb 17, 2023 - v3.20:
○ 40 new license/exceptions (22 tagged "used in major distro")
○ Streamlined legal team review process for licenses used in major distros like Fedora and Debian
○ Additional XML markup for matching purposes (mostly from Fedora legacy licenses)
○ Improvements to documentation, adding SPDX License List History
SPDX Specification Milestones
● Apr 11, 2022 - Build Profile Working Group formed: target 3.0
● May 4, 2022 - AI BOM Working Group formed: target on 3.0
○ Evolved to focus on 2 profiles - AI Applications/models & Datasets
● June 29, 2022 - OWASP/CycloneDX interoperability discussion
○ Facilitation by CISA: Focused on NTIA minimum features roundtriping
● Aug 5, 2022 - FuSa Working Group Formed: target 3.1
● Aug 11, 2022 - V2.3 released - 26 contributors
○ added new fields to improve the ability to capture security related information and to improve interoperability with other SBOM
formats. Incorporate new usage & AI fields as well as enhanced enumerations.
● Dec 8, 2022 - Open Compliance Summit - SPDX Mini-Summit
○ Review of the 3.0 Profiles & discussion on overlaps between build & usage
● Feb 6, 2023 - FOSDEM - SBOM Devroom
SPDX Generation Tooling
● tools-java
○ Aug 12, 2022 - v1.1.0 update to support 2.3
○ Sept 2022 → Feb 2023 5 releases for performance improvements & fixes
● tools-python
○ OpenSSF Funded cleanup & restructuring
○ Dec 8, 2022 - v0.7.0 - update to support 2.3 & clean up bug backlog
○ Prototyping of 3.0 in progress
● tools-golang
○ Jan 12, 2023 - v0.4.0 - update to support 2.3
● spdx-online-tools (validator & translator)
○ Aug 12, 2022 - v1.0.7 add support SPDX 2.3
○ Nov 15, 2022 - v1.0.9 add in NTIA Conformance Checker Tool
SPDX Consumption Tooling
● spdx-online-tools (validator & translator)
○ Aug 12, 2022 - v1.0.7 add support SPDX 2.3
○ Nov 15, 2022 - v1.0.9 add in NTIA Conformance Checker Tool
● SPDX-to-OSV (vulnerability lookup)
○ Produce an Open Source Vulnerability JSON file based on information in an SPDX document
○ Jan 10, 2022 - v0.1.1 - pick up tooing updates
● ntia-conformance-checker (minimum SBOM fields present)
○ Check that an SBOM meets the minimum field requirements
○ Started as GSOC project, and maintainer from Chainguard has adopted
○ Feb 8, 2022 - v0.2.1 - fix NOASSERTION supplier case
Also worth looking at: https://github.com/nyph-infosec/daggerboard
SBOMs Everywhere in 2022…
20
- OpenSSF - Work Stream 9 → SBOM Everywhere SIG
- SPDX Python Library rework funded.
- Started work on consolidating definitions of types of SBOMs → CISA
working group to get broader adoption
- Started documentation of use cases
- NTIA efforts have transferred to US DHS CISA
- 4 working groups on SBOMs
- Sharing, Adoption, Cloud, Tooling
- International coordination with CERTs (like Japan’s CERT)
and other international government agencies
SPDX 3
Package Information
SPDX v2.3 Document must contain:
SPDX Document
Creation Information
Package Information
Other Licensing Information
Other Licensing
Information Detected
Other Licensing Information
File Information
Other Licensing Information
Annotations Information
Other Licensing Information
Relationships between SPDX
Elements Information
Other Licensing Information
Snippet Information
SPDX v2.3 Document may contain:
SPDX 3.0 Model
Source:https://github.com/spdx/spdx-3-model/blob/main/model.png
SPDX 3.0 Increases Modularity
Core Model
Licensing Usage Security Build AI Dataset
SPDX 3.0 (Core Model + Software Profile + Licensing Profile ) == SPDX 2.3
Software Profile
SPDX 3.0 Specification Infrastructure
Specification is being transformed into markdown describing
- Classes, Properties, Enumerations
- Metadata (type & cardinality) and description for each element.
- Will be able to automatically generate schema from this version (for JSON,
YAML, RDF, XML, tag-value, etc.) and reduce errors.
Profiles can add their own Classes and Properties and may also restrict other
profiles (e.g. values, cardinalities, …)
See: https://github.com/spdx/spdx-3-model
SPDX 3.0 Core Model
SPDX 3.0 Software Profile
Licensing Profile Update
● Based on licensing-related fields in pre-existing SPDX spec, with updates:
○ More consistency across artifact types (package, file, snippet)
○ Aligning with SPDX 3.0 data model
○ Documenting the object model for license expressions
○ Custom exceptions
● Current status:
○ Revised for new SPDX 3.0 model formatting
○ Draft has been submitted to model for discussion at https://github.com/spdx/spdx-3-
model/tree/licensing-profile
For more information, contact: Steve Winslow or Alexios Zavras
Security Profile Update
● Similar to 2.3, we plan to support in 3.0 linking to various security information including
CSAF/CDX/VeX and VDR
● Using profiles one can only communicate base software and security info
○ Security Profile will inherit from Core Profile
○ Plan to define Security Profile relationships to Software Profile, Build Profile, AI
Profile, Dataset Profile, etc.
● In addition to linking, we are considering embedding minimal elements to enable SPDX
to convey security info in a simplified manner
○ Tracking CISA VEX discussions to determine minimal elements
● Initial draft has been submitted to model for discussion at :
https://github.com/spdx/spdx-3-model/tree/security-profile
For more information contact: Thomas Steenbergen or Jeff Schutt
Build Profile Overview
Use Cases:
▪ Security
▪ Reproducibility
▪ Auditing quality/pedigree of build
▪ Safety
• The source code at the time of release
• The configuration used to build the software
• The specific versions of the tools used to build the software
Initial draft has been submitted to model for discussion at : https://github.com/spdx/spdx-3-
model/tree/build-profile
Contact: Brandon Lumm
AI BOM ⇒ SPDX AI profile + SPDX Dataset profile
AI software
Dataset
Model
Software
code
Trained model
Software
code
Traditional
Software
AI Software
Has additional elements that nuances
that need to be captured to ensure its
traceability
AI BOM
Enhances SPDX to describe
AI software including and AI
Software’s components,
licenses, copyrights, and
security references.
Software
components
AI components
AIBOM
Extends
Dataset profile
AI Package
Profile
#ossummit
Proposed AI Profile Properties
Data
Model
AI/ML
Application
Required Fields:
- Creator
- Supplier
- PackageVersionInfo
- PackageDownloadLocation
- PackageDescription
- LicenseConcluded
- LicenseDeclared
- PackageDescription
- ReleaseDate
- Relationship
Optional Fields:
- Originator
- Checksum
- ValidUntilDate
- BuildDate
- PackageComments
- SensitivePersonalInformation
- EnergyConsumption
- StandardsCompliance
- InformationAboutTraining
- Hyperparameters
- SafetyRiskAssessment
- DataPreprocessingSteps
- ModelExplainabilityMechanisms
- MetricsDecisionThresholds
- Metrics
- Autonomy
- Domain
- Limitations
- Type
Initial draft has been submitted to model for discussion at :
https://github.com/spdx/spdx-3-model/tree/ai-profile
#ossummit
Proposed Dataset Profile Properties
Data
Model
AI/ML
Application
Required Fields:
- Name
- Originator
- DownloadLocation
- LicenseConcluded
- LicenseDeclared
- PackageDescription
- BuiltDate
- ReleaseDate
- DatasetType
Optional Fields:
- Supplier
- VersionInfo
- Checksum
- ValidUntil
- IntendedUse
- DatasetCollectionProcess
- DatasetUpdateMechanism
- DatasetSize
- DatasetNoise
- KnownBias
- Errata
- SensorsUsed
- StandardCompliance
- SensitivePersonalInformation
- ConfidentialityLevel
- AnonymizationMethodUsed
Usage Profile: to convey intentions
as “Usage” for Delivery Product
SPDX Lite Profile - WIP
- Strict subset of fields from Core, Software & Licensing
- Goals:
- Build on profile concept introduced in 2.X
- Satisfy NTIA Minimum SBOM Elements requires adding simple relationships
- Support manual import into more complex systems
Contact: OpenChain Japan Working Group
What’s next after After 3.0?
Future Direction:
Hardware
● There are use cases where it is expected
to know “system” that software is running on
● Vulnerabilities come from interaction
between hardware and software (e.g., heartbleed)
● Potential participants:
○ RISC-V & ARM core adopters,
○ Chips Alliance Members
○ Board Manufacturers
● For more information, contact: Kate Stewart
Future Direction:
Safety Standards Automation
● Safety Standards expect to know
○ The source code at the time of production release
○ The documentation associated with the code
○ The configuration used to build the production software
○ The specific versions of the tools used to build the software
● Safety Standards Configuration Management (CM) Requirements are greatly simplified by following an
effective SBOM process.
○ An SBOM supports capturing the details of what is in a specific release and supports
determining what went wrong if a failure occurs.
○ The goal is to be able to rebuild exactly what the executable or binary was at the time of release.
● To learn more, see:
○ https://www.linux.com/featured/sboms-supporting-safety-critical-software/
Safety Profile Introduction (3.1 target)
● Also known as Functional Safety (or FuSa).
● Purpose is to link together all the safety artifacts (including code and relevant tests)
with the aim of being able to automatically detect what a file update may need to force
retesting.
● Goal is to support continuous certification of safety artifacts after security updates are
applied.
● Overview can be found at: https://fosdem.org/2023/schedule/event/sbom_fusa/
For more information, contact: Nicole Pappler or Kate Stewart
Want to Help?
● If you have a use-case you want to make sure can be supported in the future
SPDX specification,
○ join the SPDX tech team mailing list (https://lists.spdx.org/g/Spdx-tech) ,
○ open an issue in https://github.com/spdx/spdx-spec and
○ join in on the discussion!
● Try it, and let us know if you see issues.
40
Thank you! Questions?
How to Get Involved - PRs & Issues
https://github.com/spdx
▪ Specification
• https://github.com/spdx/spdx-spec ← ISO submission format
• https://github.com/spdx/spdx-3-model ← 3.0 development
• https://github.com/spdx/spdx-examples
▪ Tooling
• https://github.com/spdx/tools-python
• https://github.com/spdx/tools-golang
• https://github.com/spdx/tools-java
▪ License List
• https://github.com/spdx/license-list-XML

Contenu connexe

Tendances

Dataflow Management From Edge to Core with Apache NiFi
Dataflow Management From Edge to Core with Apache NiFiDataflow Management From Edge to Core with Apache NiFi
Dataflow Management From Edge to Core with Apache NiFi
DataWorks Summit
 
Salty OPS – Saltstack Introduction
Salty OPS – Saltstack IntroductionSalty OPS – Saltstack Introduction
Salty OPS – Saltstack Introduction
Walter Liu
 

Tendances (20)

Terraform vs Pulumi
Terraform vs PulumiTerraform vs Pulumi
Terraform vs Pulumi
 
Fleet and elastic agent
Fleet and elastic agentFleet and elastic agent
Fleet and elastic agent
 
Deep Dive: a technical insider's view of NetBackup 8.1 and NetBackup Appliances
Deep Dive: a technical insider's view of NetBackup 8.1 and NetBackup AppliancesDeep Dive: a technical insider's view of NetBackup 8.1 and NetBackup Appliances
Deep Dive: a technical insider's view of NetBackup 8.1 and NetBackup Appliances
 
Ceph data services in a multi- and hybrid cloud world
Ceph data services in a multi- and hybrid cloud worldCeph data services in a multi- and hybrid cloud world
Ceph data services in a multi- and hybrid cloud world
 
nexus helm 설치, docker/helm repo 설정과 예제
nexus helm 설치, docker/helm repo 설정과 예제nexus helm 설치, docker/helm repo 설정과 예제
nexus helm 설치, docker/helm repo 설정과 예제
 
Hashicorp-Certified-Terraform-Associate-v3-edited.pptx
Hashicorp-Certified-Terraform-Associate-v3-edited.pptxHashicorp-Certified-Terraform-Associate-v3-edited.pptx
Hashicorp-Certified-Terraform-Associate-v3-edited.pptx
 
OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installation
 
A Gentle Introduction To Docker And All Things Containers
A Gentle Introduction To Docker And All Things ContainersA Gentle Introduction To Docker And All Things Containers
A Gentle Introduction To Docker And All Things Containers
 
Keeping Up with the ELK Stack: Elasticsearch, Kibana, Beats, and Logstash
Keeping Up with the ELK Stack: Elasticsearch, Kibana, Beats, and LogstashKeeping Up with the ELK Stack: Elasticsearch, Kibana, Beats, and Logstash
Keeping Up with the ELK Stack: Elasticsearch, Kibana, Beats, and Logstash
 
OpenStack Cinder
OpenStack CinderOpenStack Cinder
OpenStack Cinder
 
Elastic Observability keynote
Elastic Observability keynoteElastic Observability keynote
Elastic Observability keynote
 
Dataflow Management From Edge to Core with Apache NiFi
Dataflow Management From Edge to Core with Apache NiFiDataflow Management From Edge to Core with Apache NiFi
Dataflow Management From Edge to Core with Apache NiFi
 
Kali linux useful tools
Kali linux useful toolsKali linux useful tools
Kali linux useful tools
 
락플레이스 OpenShift Q&A 토크쇼 발표자료
락플레이스 OpenShift Q&A 토크쇼 발표자료락플레이스 OpenShift Q&A 토크쇼 발표자료
락플레이스 OpenShift Q&A 토크쇼 발표자료
 
Apache Hadoop 3
Apache Hadoop 3Apache Hadoop 3
Apache Hadoop 3
 
Infrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusInfrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using Prometheus
 
Monitoring with prometheus
Monitoring with prometheusMonitoring with prometheus
Monitoring with prometheus
 
Salty OPS – Saltstack Introduction
Salty OPS – Saltstack IntroductionSalty OPS – Saltstack Introduction
Salty OPS – Saltstack Introduction
 
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
 

Similaire à OpenChain Webinar #50 - An Overview of SPDX 3.0

Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemes
Sahithi Naraparaju
 

Similaire à OpenChain Webinar #50 - An Overview of SPDX 3.0 (20)

OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnSupply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
 
OpenChain Monthly Meeting 2023-02-21 (North America and Asia)
OpenChain Monthly Meeting 2023-02-21 (North America and Asia)OpenChain Monthly Meeting 2023-02-21 (North America and Asia)
OpenChain Monthly Meeting 2023-02-21 (North America and Asia)
 
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfSoftware Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
 
OpenChain Monthly Meeting North America - Europe - 2023-02-07
OpenChain Monthly Meeting North America - Europe - 2023-02-07OpenChain Monthly Meeting North America - Europe - 2023-02-07
OpenChain Monthly Meeting North America - Europe - 2023-02-07
 
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDXSFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)
 
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdfSFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
 
OpenChain Germany Work Group Meeting 2022-11-16
OpenChain Germany Work Group Meeting 2022-11-16OpenChain Germany Work Group Meeting 2022-11-16
OpenChain Germany Work Group Meeting 2022-11-16
 
The path to an hybrid open source paradigm
The path to an hybrid open source paradigmThe path to an hybrid open source paradigm
The path to an hybrid open source paradigm
 
CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018
 
OpenChain Monthly Meeting - North America / Asia - 2023-03-21
OpenChain Monthly Meeting - North America / Asia - 2023-03-21OpenChain Monthly Meeting - North America / Asia - 2023-03-21
OpenChain Monthly Meeting - North America / Asia - 2023-03-21
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemes
 
OWF14 - Open Source & Software Supply Chain
OWF14 - Open Source & Software Supply ChainOWF14 - Open Source & Software Supply Chain
OWF14 - Open Source & Software Supply Chain
 
Documentation
DocumentationDocumentation
Documentation
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil
 
IRJET- Blockchain based Secure Data Storage
IRJET-  	  Blockchain based Secure Data StorageIRJET-  	  Blockchain based Secure Data Storage
IRJET- Blockchain based Secure Data Storage
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
 
OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023
 

Plus de Shane Coughlan

Plus de Shane Coughlan (20)

OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scale
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09
 
OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group -  2024-01-17OpenChain Legal Work Group -  2024-01-17
OpenChain Legal Work Group - 2024-01-17
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptx
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
 
Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics Slides
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your Code
 

Dernier

AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
Alluxio, Inc.
 

Dernier (20)

AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 
APVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purityAPVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purity
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
AI Hackathon.pptx
AI                        Hackathon.pptxAI                        Hackathon.pptx
AI Hackathon.pptx
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdf
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
 
Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Kraków
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in Michelangelo
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf
 
IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
How to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabberHow to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabber
 
A Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data MigrationA Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data Migration
 
The Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionThe Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion Production
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
 

OpenChain Webinar #50 - An Overview of SPDX 3.0

  • 1. An Overview of SPDX 3.0 OpenChain Webinar #50
  • 2. Anti-Trust Policy Notice ● Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. ● Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.
  • 3. SBOM & SPDX Update 3
  • 4. Common Understanding of “SBOM” “An SBOM is a formal record containing the details and supply chain relationships of various components used in building software. These components, including libraries and modules, can be open source or proprietary, free or paid, and the data can be widely available or access-restricted.” Source: NTIA’s SBOM FAQ
  • 6. NTIA Software Bill Of Materials (SBOM) Guidance - Minimum Elements Source: https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf SPDX 2.2 + (ISO/IEC 5962:2021) supports all required minimum elements (as well the optional that are mentioned in report) Checker available at: https://github.com/spdx/ntia -conformance-checker
  • 7. Derived from : NTIA’s Survey of Existing SBOM Formats and Standards When should an SBOM be created or consumed?
  • 8. SBOM Type Definition Design SBOM of intended design of included components (some of which may not exist) for a new software artifact. Source SBOM created directly from the development environment, source files, and included dependencies used to build an product artifact. Build SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or package) from data such as source files, dependencies, built components, build process ephemeral data, and other SBOMs. Deployed SBOM provides an inventory of software that is present on a system. This may be an assembly of other SBOMs that combines analysis of configuration options, and examination of execution behavior in a (potentially simulated) deployment environment. Runtime BOM generated through instrumenting the system running the software, to capture only components present in the system, as well as external call-outs or dynamically loaded components. In some contexts, this may also be referred to as an “Instrumented” or “Dynamic” SBOM. Analyzed SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and virtual machine images) after its build. Such analysis generally requires a variety of heuristics. In some contexts, this may also be referred to as a “3rd party” SBOM. Source: CISA SBOM Types work in progress - to appear on CISA SBOM site soon.
  • 9. Derived from : NTIA’s Survey of Existing SBOM Formats and Standards Generate SBOMs where the data is Source Runtime Design Deployed Build
  • 10. Package Information SPDX v2.3 Document must contain: SPDX Document Creation Information Package Information Other Licensing Information Other Licensing Information Detected Other Licensing Information File Information Other Licensing Information Annotations Information Other Licensing Information Relationships between SPDX Elements Information Other Licensing Information Snippet Information Charter: To create a set of data exchange standards that enable companies and organizations to share human-readable and machine- processable software package metadata to facilitate software supply chain processes. Software Package Data Exchange (SPDX®) specification is a standard for communicating the component and metadata information associated with software SPDX v2.3 Document may contain:
  • 11. ISO/IEC 5962:2021 11 Source: https://www.iso.org/standard/81870.html accessed on 2021/11/19 ● Able to represent SBOMs from binary images and track back to the source files and snippets. ● Specification is freely available from ITTF site ● Future updates are live tracked at: https://spdx.github.io/spdx-spec and work on satisfying safety requirements is being included ● More information at spdx.dev
  • 13. Formal Model Enables Validation & Interchange Between Specific File Formats .xls (spreadsheet) .rdf (RDF) .spdx (tag:value) .xml (2.2 →) .json (2.2 →) .yaml (2.2→)
  • 14. SPDX Relationships Clarify Dependency Types 1 4 DESCRIBES DEPENDENCY_OF PREREQUISITE_FOR GENERATES VARIANT_OF DESCRIBED_BY RUNTIME_DEPENDENCY_OF HAS_PREREQUISITE TEST_OF FILE_ADDED CONTAINS BUILD_DEPENDENCY_OF ANCESTOR_OF TEST_TOOL_OF FILE_DELETED CONTAINED_BY DEV_DEPENDENCY_OF DESCENDENT_OF TEST_CASE_OF FILE_MODIFIED DYNAMIC_LINK OPTIONAL_DEPENDENCY_OF DOCUMENTATION_OF EXAMPLE_OF PATCH_FOR STATIC_LINK PROVIDED_DEPENDENCY_OF BUILD_TOOL_OF METAFILE_OF PATCH_APPLIE D AMENDS TEST_DEPENDENCY_OF EXPANDED_FROM_ARCHIVE PACKAGE_OF OTHER COPY_OF OPTIONAL_COMPONENT_OF DISTRIBUTION_ARTIFACT DATA_FILE_OF DEPENDS_ON DEPENDENCY_MANIFEST_OF GENERATED_FROM DEV_TOOL_OF For more details see: https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/
  • 15. SPDX Progress in 2022 ● License List ● Specification ● Tooling ● SBOM Ecosystem Engagement
  • 16. SPDX License List Milestones ● Feb 6, 2022 - v3.16: 6 new licenses/exceptions, 1 deprecated license ● May 8, 2022 - v3.17: 5 new licenses/exceptions, clarifications & docs rework ● July 29, 2022 - Fedora adopts SPDX License identifiers ● Aug 11, 2022- v3.18: 10 new licenses/exceptions, decision template ● Nov 30, 2022 - v3.19: focus on doc & process (5 new licenses/exceptions) ● Feb 17, 2023 - v3.20: ○ 40 new license/exceptions (22 tagged "used in major distro") ○ Streamlined legal team review process for licenses used in major distros like Fedora and Debian ○ Additional XML markup for matching purposes (mostly from Fedora legacy licenses) ○ Improvements to documentation, adding SPDX License List History
  • 17. SPDX Specification Milestones ● Apr 11, 2022 - Build Profile Working Group formed: target 3.0 ● May 4, 2022 - AI BOM Working Group formed: target on 3.0 ○ Evolved to focus on 2 profiles - AI Applications/models & Datasets ● June 29, 2022 - OWASP/CycloneDX interoperability discussion ○ Facilitation by CISA: Focused on NTIA minimum features roundtriping ● Aug 5, 2022 - FuSa Working Group Formed: target 3.1 ● Aug 11, 2022 - V2.3 released - 26 contributors ○ added new fields to improve the ability to capture security related information and to improve interoperability with other SBOM formats. Incorporate new usage & AI fields as well as enhanced enumerations. ● Dec 8, 2022 - Open Compliance Summit - SPDX Mini-Summit ○ Review of the 3.0 Profiles & discussion on overlaps between build & usage ● Feb 6, 2023 - FOSDEM - SBOM Devroom
  • 18. SPDX Generation Tooling ● tools-java ○ Aug 12, 2022 - v1.1.0 update to support 2.3 ○ Sept 2022 → Feb 2023 5 releases for performance improvements & fixes ● tools-python ○ OpenSSF Funded cleanup & restructuring ○ Dec 8, 2022 - v0.7.0 - update to support 2.3 & clean up bug backlog ○ Prototyping of 3.0 in progress ● tools-golang ○ Jan 12, 2023 - v0.4.0 - update to support 2.3 ● spdx-online-tools (validator & translator) ○ Aug 12, 2022 - v1.0.7 add support SPDX 2.3 ○ Nov 15, 2022 - v1.0.9 add in NTIA Conformance Checker Tool
  • 19. SPDX Consumption Tooling ● spdx-online-tools (validator & translator) ○ Aug 12, 2022 - v1.0.7 add support SPDX 2.3 ○ Nov 15, 2022 - v1.0.9 add in NTIA Conformance Checker Tool ● SPDX-to-OSV (vulnerability lookup) ○ Produce an Open Source Vulnerability JSON file based on information in an SPDX document ○ Jan 10, 2022 - v0.1.1 - pick up tooing updates ● ntia-conformance-checker (minimum SBOM fields present) ○ Check that an SBOM meets the minimum field requirements ○ Started as GSOC project, and maintainer from Chainguard has adopted ○ Feb 8, 2022 - v0.2.1 - fix NOASSERTION supplier case Also worth looking at: https://github.com/nyph-infosec/daggerboard
  • 20. SBOMs Everywhere in 2022… 20 - OpenSSF - Work Stream 9 → SBOM Everywhere SIG - SPDX Python Library rework funded. - Started work on consolidating definitions of types of SBOMs → CISA working group to get broader adoption - Started documentation of use cases - NTIA efforts have transferred to US DHS CISA - 4 working groups on SBOMs - Sharing, Adoption, Cloud, Tooling - International coordination with CERTs (like Japan’s CERT) and other international government agencies
  • 22. Package Information SPDX v2.3 Document must contain: SPDX Document Creation Information Package Information Other Licensing Information Other Licensing Information Detected Other Licensing Information File Information Other Licensing Information Annotations Information Other Licensing Information Relationships between SPDX Elements Information Other Licensing Information Snippet Information SPDX v2.3 Document may contain:
  • 24. SPDX 3.0 Increases Modularity Core Model Licensing Usage Security Build AI Dataset SPDX 3.0 (Core Model + Software Profile + Licensing Profile ) == SPDX 2.3 Software Profile
  • 25. SPDX 3.0 Specification Infrastructure Specification is being transformed into markdown describing - Classes, Properties, Enumerations - Metadata (type & cardinality) and description for each element. - Will be able to automatically generate schema from this version (for JSON, YAML, RDF, XML, tag-value, etc.) and reduce errors. Profiles can add their own Classes and Properties and may also restrict other profiles (e.g. values, cardinalities, …) See: https://github.com/spdx/spdx-3-model
  • 26. SPDX 3.0 Core Model
  • 27. SPDX 3.0 Software Profile
  • 28. Licensing Profile Update ● Based on licensing-related fields in pre-existing SPDX spec, with updates: ○ More consistency across artifact types (package, file, snippet) ○ Aligning with SPDX 3.0 data model ○ Documenting the object model for license expressions ○ Custom exceptions ● Current status: ○ Revised for new SPDX 3.0 model formatting ○ Draft has been submitted to model for discussion at https://github.com/spdx/spdx-3- model/tree/licensing-profile For more information, contact: Steve Winslow or Alexios Zavras
  • 29. Security Profile Update ● Similar to 2.3, we plan to support in 3.0 linking to various security information including CSAF/CDX/VeX and VDR ● Using profiles one can only communicate base software and security info ○ Security Profile will inherit from Core Profile ○ Plan to define Security Profile relationships to Software Profile, Build Profile, AI Profile, Dataset Profile, etc. ● In addition to linking, we are considering embedding minimal elements to enable SPDX to convey security info in a simplified manner ○ Tracking CISA VEX discussions to determine minimal elements ● Initial draft has been submitted to model for discussion at : https://github.com/spdx/spdx-3-model/tree/security-profile For more information contact: Thomas Steenbergen or Jeff Schutt
  • 30. Build Profile Overview Use Cases: ▪ Security ▪ Reproducibility ▪ Auditing quality/pedigree of build ▪ Safety • The source code at the time of release • The configuration used to build the software • The specific versions of the tools used to build the software Initial draft has been submitted to model for discussion at : https://github.com/spdx/spdx-3- model/tree/build-profile Contact: Brandon Lumm
  • 31. AI BOM ⇒ SPDX AI profile + SPDX Dataset profile AI software Dataset Model Software code Trained model Software code Traditional Software AI Software Has additional elements that nuances that need to be captured to ensure its traceability AI BOM Enhances SPDX to describe AI software including and AI Software’s components, licenses, copyrights, and security references. Software components AI components AIBOM Extends Dataset profile AI Package Profile
  • 32. #ossummit Proposed AI Profile Properties Data Model AI/ML Application Required Fields: - Creator - Supplier - PackageVersionInfo - PackageDownloadLocation - PackageDescription - LicenseConcluded - LicenseDeclared - PackageDescription - ReleaseDate - Relationship Optional Fields: - Originator - Checksum - ValidUntilDate - BuildDate - PackageComments - SensitivePersonalInformation - EnergyConsumption - StandardsCompliance - InformationAboutTraining - Hyperparameters - SafetyRiskAssessment - DataPreprocessingSteps - ModelExplainabilityMechanisms - MetricsDecisionThresholds - Metrics - Autonomy - Domain - Limitations - Type Initial draft has been submitted to model for discussion at : https://github.com/spdx/spdx-3-model/tree/ai-profile
  • 33. #ossummit Proposed Dataset Profile Properties Data Model AI/ML Application Required Fields: - Name - Originator - DownloadLocation - LicenseConcluded - LicenseDeclared - PackageDescription - BuiltDate - ReleaseDate - DatasetType Optional Fields: - Supplier - VersionInfo - Checksum - ValidUntil - IntendedUse - DatasetCollectionProcess - DatasetUpdateMechanism - DatasetSize - DatasetNoise - KnownBias - Errata - SensorsUsed - StandardCompliance - SensitivePersonalInformation - ConfidentialityLevel - AnonymizationMethodUsed
  • 34. Usage Profile: to convey intentions as “Usage” for Delivery Product
  • 35. SPDX Lite Profile - WIP - Strict subset of fields from Core, Software & Licensing - Goals: - Build on profile concept introduced in 2.X - Satisfy NTIA Minimum SBOM Elements requires adding simple relationships - Support manual import into more complex systems Contact: OpenChain Japan Working Group
  • 36. What’s next after After 3.0?
  • 37. Future Direction: Hardware ● There are use cases where it is expected to know “system” that software is running on ● Vulnerabilities come from interaction between hardware and software (e.g., heartbleed) ● Potential participants: ○ RISC-V & ARM core adopters, ○ Chips Alliance Members ○ Board Manufacturers ● For more information, contact: Kate Stewart
  • 38. Future Direction: Safety Standards Automation ● Safety Standards expect to know ○ The source code at the time of production release ○ The documentation associated with the code ○ The configuration used to build the production software ○ The specific versions of the tools used to build the software ● Safety Standards Configuration Management (CM) Requirements are greatly simplified by following an effective SBOM process. ○ An SBOM supports capturing the details of what is in a specific release and supports determining what went wrong if a failure occurs. ○ The goal is to be able to rebuild exactly what the executable or binary was at the time of release. ● To learn more, see: ○ https://www.linux.com/featured/sboms-supporting-safety-critical-software/
  • 39. Safety Profile Introduction (3.1 target) ● Also known as Functional Safety (or FuSa). ● Purpose is to link together all the safety artifacts (including code and relevant tests) with the aim of being able to automatically detect what a file update may need to force retesting. ● Goal is to support continuous certification of safety artifacts after security updates are applied. ● Overview can be found at: https://fosdem.org/2023/schedule/event/sbom_fusa/ For more information, contact: Nicole Pappler or Kate Stewart
  • 40. Want to Help? ● If you have a use-case you want to make sure can be supported in the future SPDX specification, ○ join the SPDX tech team mailing list (https://lists.spdx.org/g/Spdx-tech) , ○ open an issue in https://github.com/spdx/spdx-spec and ○ join in on the discussion! ● Try it, and let us know if you see issues. 40
  • 42. How to Get Involved - PRs & Issues https://github.com/spdx ▪ Specification • https://github.com/spdx/spdx-spec ← ISO submission format • https://github.com/spdx/spdx-3-model ← 3.0 development • https://github.com/spdx/spdx-examples ▪ Tooling • https://github.com/spdx/tools-python • https://github.com/spdx/tools-golang • https://github.com/spdx/tools-java ▪ License List • https://github.com/spdx/license-list-XML