SlideShare une entreprise Scribd logo

OpenChain Webinar #50 - An Overview of SPDX 3.0

Télécharger en tant que PPTX, PDF
Shane Coughlan
Shane Coughlan

SPDX 3.0 aims to increase modularity and interoperability by defining core, software, licensing, security, build, AI, and dataset profiles. The core model contains common elements, while profiles add additional elements and properties specific to their domain. Future work includes profiles for hardware and supporting automation for safety standards compliance. The build profile aims to capture build information for reproducibility, auditing, and safety. The AI profile proposes additional properties for AI components, datasets, and applications. SPDX 3.1 may include a safety profile to link safety artifacts and enable detection of retesting needs due to file updates.

Logiciels
1  sur  42
An Overview of SPDX 3.0 OpenChain Webinar #50
Anti-Trust Policy Notice ● Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. ● Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.
SBOM & SPDX Update 3
Common Understanding of “SBOM” “An SBOM is a formal record containing the details and supply chain relationships of various components used in building software. These components, including libraries and modules, can be open source or proprietary, free or paid, and the data can be widely available or access-restricted.” Source: NTIA’s SBOM FAQ
NTIA SBOM Guidance Source:https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf.
NTIA Software Bill Of Materials (SBOM) Guidance - Minimum Elements Source: https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf SPDX 2.2 + (ISO/IEC 5962:2021) supports all required minimum elements (as well the optional that are mentioned in report) Checker available at: https://github.com/spdx/ntia -conformance-checker
Derived from : NTIA’s Survey of Existing SBOM Formats and Standards When should an SBOM be created or consumed?
SBOM Type Definition Design SBOM of intended design of included components (some of which may not exist) for a new software artifact. Source SBOM created directly from the development environment, source files, and included dependencies used to build an product artifact. Build SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or package) from data such as source files, dependencies, built components, build process ephemeral data, and other SBOMs. Deployed SBOM provides an inventory of software that is present on a system. This may be an assembly of other SBOMs that combines analysis of configuration options, and examination of execution behavior in a (potentially simulated) deployment environment. Runtime BOM generated through instrumenting the system running the software, to capture only components present in the system, as well as external call-outs or dynamically loaded components. In some contexts, this may also be referred to as an “Instrumented” or “Dynamic” SBOM. Analyzed SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and virtual machine images) after its build. Such analysis generally requires a variety of heuristics. In some contexts, this may also be referred to as a “3rd party” SBOM. Source: CISA SBOM Types work in progress - to appear on CISA SBOM site soon.
Derived from : NTIA’s Survey of Existing SBOM Formats and Standards Generate SBOMs where the data is Source Runtime Design Deployed Build
Package Information SPDX v2.3 Document must contain: SPDX Document Creation Information Package Information Other Licensing Information Other Licensing Information Detected Other Licensing Information File Information Other Licensing Information Annotations Information Other Licensing Information Relationships between SPDX Elements Information Other Licensing Information Snippet Information Charter: To create a set of data exchange standards that enable companies and organizations to share human-readable and machine- processable software package metadata to facilitate software supply chain processes. Software Package Data Exchange (SPDX®) specification is a standard for communicating the component and metadata information associated with software SPDX v2.3 Document may contain:
ISO/IEC 5962:2021 11 Source: https://www.iso.org/standard/81870.html accessed on 2021/11/19 ● Able to represent SBOMs from binary images and track back to the source files and snippets. ● Specification is freely available from ITTF site ● Future updates are live tracked at: https://spdx.github.io/spdx-spec and work on satisfying safety requirements is being included ● More information at spdx.dev
12 source: https://spdx.github.io/spdx-spec/v2.3/
Formal Model Enables Validation & Interchange Between Specific File Formats .xls (spreadsheet) .rdf (RDF) .spdx (tag:value) .xml (2.2 →) .json (2.2 →) .yaml (2.2→)
SPDX Relationships Clarify Dependency Types 1 4 DESCRIBES DEPENDENCY_OF PREREQUISITE_FOR GENERATES VARIANT_OF DESCRIBED_BY RUNTIME_DEPENDENCY_OF HAS_PREREQUISITE TEST_OF FILE_ADDED CONTAINS BUILD_DEPENDENCY_OF ANCESTOR_OF TEST_TOOL_OF FILE_DELETED CONTAINED_BY DEV_DEPENDENCY_OF DESCENDENT_OF TEST_CASE_OF FILE_MODIFIED DYNAMIC_LINK OPTIONAL_DEPENDENCY_OF DOCUMENTATION_OF EXAMPLE_OF PATCH_FOR STATIC_LINK PROVIDED_DEPENDENCY_OF BUILD_TOOL_OF METAFILE_OF PATCH_APPLIE D AMENDS TEST_DEPENDENCY_OF EXPANDED_FROM_ARCHIVE PACKAGE_OF OTHER COPY_OF OPTIONAL_COMPONENT_OF DISTRIBUTION_ARTIFACT DATA_FILE_OF DEPENDS_ON DEPENDENCY_MANIFEST_OF GENERATED_FROM DEV_TOOL_OF For more details see: https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/
SPDX Progress in 2022 ● License List ● Specification ● Tooling ● SBOM Ecosystem Engagement
SPDX License List Milestones ● Feb 6, 2022 - v3.16: 6 new licenses/exceptions, 1 deprecated license ● May 8, 2022 - v3.17: 5 new licenses/exceptions, clarifications & docs rework ● July 29, 2022 - Fedora adopts SPDX License identifiers ● Aug 11, 2022- v3.18: 10 new licenses/exceptions, decision template ● Nov 30, 2022 - v3.19: focus on doc & process (5 new licenses/exceptions) ● Feb 17, 2023 - v3.20: ○ 40 new license/exceptions (22 tagged "used in major distro") ○ Streamlined legal team review process for licenses used in major distros like Fedora and Debian ○ Additional XML markup for matching purposes (mostly from Fedora legacy licenses) ○ Improvements to documentation, adding SPDX License List History
SPDX Specification Milestones ● Apr 11, 2022 - Build Profile Working Group formed: target 3.0 ● May 4, 2022 - AI BOM Working Group formed: target on 3.0 ○ Evolved to focus on 2 profiles - AI Applications/models & Datasets ● June 29, 2022 - OWASP/CycloneDX interoperability discussion ○ Facilitation by CISA: Focused on NTIA minimum features roundtriping ● Aug 5, 2022 - FuSa Working Group Formed: target 3.1 ● Aug 11, 2022 - V2.3 released - 26 contributors ○ added new fields to improve the ability to capture security related information and to improve interoperability with other SBOM formats. Incorporate new usage & AI fields as well as enhanced enumerations. ● Dec 8, 2022 - Open Compliance Summit - SPDX Mini-Summit ○ Review of the 3.0 Profiles & discussion on overlaps between build & usage ● Feb 6, 2023 - FOSDEM - SBOM Devroom
SPDX Generation Tooling ● tools-java ○ Aug 12, 2022 - v1.1.0 update to support 2.3 ○ Sept 2022 → Feb 2023 5 releases for performance improvements & fixes ● tools-python ○ OpenSSF Funded cleanup & restructuring ○ Dec 8, 2022 - v0.7.0 - update to support 2.3 & clean up bug backlog ○ Prototyping of 3.0 in progress ● tools-golang ○ Jan 12, 2023 - v0.4.0 - update to support 2.3 ● spdx-online-tools (validator & translator) ○ Aug 12, 2022 - v1.0.7 add support SPDX 2.3 ○ Nov 15, 2022 - v1.0.9 add in NTIA Conformance Checker Tool
SPDX Consumption Tooling ● spdx-online-tools (validator & translator) ○ Aug 12, 2022 - v1.0.7 add support SPDX 2.3 ○ Nov 15, 2022 - v1.0.9 add in NTIA Conformance Checker Tool ● SPDX-to-OSV (vulnerability lookup) ○ Produce an Open Source Vulnerability JSON file based on information in an SPDX document ○ Jan 10, 2022 - v0.1.1 - pick up tooing updates ● ntia-conformance-checker (minimum SBOM fields present) ○ Check that an SBOM meets the minimum field requirements ○ Started as GSOC project, and maintainer from Chainguard has adopted ○ Feb 8, 2022 - v0.2.1 - fix NOASSERTION supplier case Also worth looking at: https://github.com/nyph-infosec/daggerboard
SBOMs Everywhere in 2022… 20 - OpenSSF - Work Stream 9 → SBOM Everywhere SIG - SPDX Python Library rework funded. - Started work on consolidating definitions of types of SBOMs → CISA working group to get broader adoption - Started documentation of use cases - NTIA efforts have transferred to US DHS CISA - 4 working groups on SBOMs - Sharing, Adoption, Cloud, Tooling - International coordination with CERTs (like Japan’s CERT) and other international government agencies
SPDX 3
Package Information SPDX v2.3 Document must contain: SPDX Document Creation Information Package Information Other Licensing Information Other Licensing Information Detected Other Licensing Information File Information Other Licensing Information Annotations Information Other Licensing Information Relationships between SPDX Elements Information Other Licensing Information Snippet Information SPDX v2.3 Document may contain:
SPDX 3.0 Model Source:https://github.com/spdx/spdx-3-model/blob/main/model.png
SPDX 3.0 Increases Modularity Core Model Licensing Usage Security Build AI Dataset SPDX 3.0 (Core Model + Software Profile + Licensing Profile ) == SPDX 2.3 Software Profile
SPDX 3.0 Specification Infrastructure Specification is being transformed into markdown describing - Classes, Properties, Enumerations - Metadata (type & cardinality) and description for each element. - Will be able to automatically generate schema from this version (for JSON, YAML, RDF, XML, tag-value, etc.) and reduce errors. Profiles can add their own Classes and Properties and may also restrict other profiles (e.g. values, cardinalities, …) See: https://github.com/spdx/spdx-3-model
SPDX 3.0 Core Model
SPDX 3.0 Software Profile
Licensing Profile Update ● Based on licensing-related fields in pre-existing SPDX spec, with updates: ○ More consistency across artifact types (package, file, snippet) ○ Aligning with SPDX 3.0 data model ○ Documenting the object model for license expressions ○ Custom exceptions ● Current status: ○ Revised for new SPDX 3.0 model formatting ○ Draft has been submitted to model for discussion at https://github.com/spdx/spdx-3- model/tree/licensing-profile For more information, contact: Steve Winslow or Alexios Zavras
Security Profile Update ● Similar to 2.3, we plan to support in 3.0 linking to various security information including CSAF/CDX/VeX and VDR ● Using profiles one can only communicate base software and security info ○ Security Profile will inherit from Core Profile ○ Plan to define Security Profile relationships to Software Profile, Build Profile, AI Profile, Dataset Profile, etc. ● In addition to linking, we are considering embedding minimal elements to enable SPDX to convey security info in a simplified manner ○ Tracking CISA VEX discussions to determine minimal elements ● Initial draft has been submitted to model for discussion at : https://github.com/spdx/spdx-3-model/tree/security-profile For more information contact: Thomas Steenbergen or Jeff Schutt
Build Profile Overview Use Cases: ▪ Security ▪ Reproducibility ▪ Auditing quality/pedigree of build ▪ Safety • The source code at the time of release • The configuration used to build the software • The specific versions of the tools used to build the software Initial draft has been submitted to model for discussion at : https://github.com/spdx/spdx-3- model/tree/build-profile Contact: Brandon Lumm
AI BOM ⇒ SPDX AI profile + SPDX Dataset profile AI software Dataset Model Software code Trained model Software code Traditional Software AI Software Has additional elements that nuances that need to be captured to ensure its traceability AI BOM Enhances SPDX to describe AI software including and AI Software’s components, licenses, copyrights, and security references. Software components AI components AIBOM Extends Dataset profile AI Package Profile
#ossummit Proposed AI Profile Properties Data Model AI/ML Application Required Fields: - Creator - Supplier - PackageVersionInfo - PackageDownloadLocation - PackageDescription - LicenseConcluded - LicenseDeclared - PackageDescription - ReleaseDate - Relationship Optional Fields: - Originator - Checksum - ValidUntilDate - BuildDate - PackageComments - SensitivePersonalInformation - EnergyConsumption - StandardsCompliance - InformationAboutTraining - Hyperparameters - SafetyRiskAssessment - DataPreprocessingSteps - ModelExplainabilityMechanisms - MetricsDecisionThresholds - Metrics - Autonomy - Domain - Limitations - Type Initial draft has been submitted to model for discussion at : https://github.com/spdx/spdx-3-model/tree/ai-profile
#ossummit Proposed Dataset Profile Properties Data Model AI/ML Application Required Fields: - Name - Originator - DownloadLocation - LicenseConcluded - LicenseDeclared - PackageDescription - BuiltDate - ReleaseDate - DatasetType Optional Fields: - Supplier - VersionInfo - Checksum - ValidUntil - IntendedUse - DatasetCollectionProcess - DatasetUpdateMechanism - DatasetSize - DatasetNoise - KnownBias - Errata - SensorsUsed - StandardCompliance - SensitivePersonalInformation - ConfidentialityLevel - AnonymizationMethodUsed
Usage Profile: to convey intentions as “Usage” for Delivery Product
SPDX Lite Profile - WIP - Strict subset of fields from Core, Software & Licensing - Goals: - Build on profile concept introduced in 2.X - Satisfy NTIA Minimum SBOM Elements requires adding simple relationships - Support manual import into more complex systems Contact: OpenChain Japan Working Group
What’s next after After 3.0?
Future Direction: Hardware ● There are use cases where it is expected to know “system” that software is running on ● Vulnerabilities come from interaction between hardware and software (e.g., heartbleed) ● Potential participants: ○ RISC-V & ARM core adopters, ○ Chips Alliance Members ○ Board Manufacturers ● For more information, contact: Kate Stewart
Future Direction: Safety Standards Automation ● Safety Standards expect to know ○ The source code at the time of production release ○ The documentation associated with the code ○ The configuration used to build the production software ○ The specific versions of the tools used to build the software ● Safety Standards Configuration Management (CM) Requirements are greatly simplified by following an effective SBOM process. ○ An SBOM supports capturing the details of what is in a specific release and supports determining what went wrong if a failure occurs. ○ The goal is to be able to rebuild exactly what the executable or binary was at the time of release. ● To learn more, see: ○ https://www.linux.com/featured/sboms-supporting-safety-critical-software/
Safety Profile Introduction (3.1 target) ● Also known as Functional Safety (or FuSa). ● Purpose is to link together all the safety artifacts (including code and relevant tests) with the aim of being able to automatically detect what a file update may need to force retesting. ● Goal is to support continuous certification of safety artifacts after security updates are applied. ● Overview can be found at: https://fosdem.org/2023/schedule/event/sbom_fusa/ For more information, contact: Nicole Pappler or Kate Stewart
Want to Help? ● If you have a use-case you want to make sure can be supported in the future SPDX specification, ○ join the SPDX tech team mailing list (https://lists.spdx.org/g/Spdx-tech) , ○ open an issue in https://github.com/spdx/spdx-spec and ○ join in on the discussion! ● Try it, and let us know if you see issues. 40
Thank you! Questions?
How to Get Involved - PRs & Issues https://github.com/spdx ▪ Specification • https://github.com/spdx/spdx-spec ← ISO submission format • https://github.com/spdx/spdx-3-model ← 3.0 development • https://github.com/spdx/spdx-examples ▪ Tooling • https://github.com/spdx/tools-python • https://github.com/spdx/tools-golang • https://github.com/spdx/tools-java ▪ License List • https://github.com/spdx/license-list-XML

Recommandé

SBOM, Is It 42?
SBOM, Is It 42?SBOM, Is It 42?
SBOM, Is It 42?Bill Bensing
 
오픈스택 기반 클라우드 서비스 구축 방안 및 사례
오픈스택 기반 클라우드 서비스 구축 방안 및 사례오픈스택 기반 클라우드 서비스 구축 방안 및 사례
오픈스택 기반 클라우드 서비스 구축 방안 및 사례SONG INSEOB
 
Cloud Native Landscape (CNCF and OCI)
Cloud Native Landscape (CNCF and OCI)Cloud Native Landscape (CNCF and OCI)
Cloud Native Landscape (CNCF and OCI)Chris Aniszczyk
 
CloudStack vs OpenStack vs Eucalyptus: IaaS Private Cloud Brief Comparison
CloudStack vs OpenStack vs Eucalyptus: IaaS Private Cloud Brief ComparisonCloudStack vs OpenStack vs Eucalyptus: IaaS Private Cloud Brief Comparison
CloudStack vs OpenStack vs Eucalyptus: IaaS Private Cloud Brief Comparisonbizalgo
 
Introduction to Nexus Repository Manager.pdf
Introduction to Nexus Repository Manager.pdfIntroduction to Nexus Repository Manager.pdf
Introduction to Nexus Repository Manager.pdfKnoldus Inc.
 
Fast forensics(公開用)
Fast forensics(公開用)Fast forensics(公開用)
Fast forensics(公開用)f kasasagi
 
virtualization-vs-containerization-paas
virtualization-vs-containerization-paasvirtualization-vs-containerization-paas
virtualization-vs-containerization-paasrajdeep
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 

Recommandé

SBOM, Is It 42?
SBOM, Is It 42?SBOM, Is It 42?
SBOM, Is It 42?Bill Bensing
 
오픈스택 기반 클라우드 서비스 구축 방안 및 사례
오픈스택 기반 클라우드 서비스 구축 방안 및 사례오픈스택 기반 클라우드 서비스 구축 방안 및 사례
오픈스택 기반 클라우드 서비스 구축 방안 및 사례SONG INSEOB
 
Cloud Native Landscape (CNCF and OCI)
Cloud Native Landscape (CNCF and OCI)Cloud Native Landscape (CNCF and OCI)
Cloud Native Landscape (CNCF and OCI)Chris Aniszczyk
 
CloudStack vs OpenStack vs Eucalyptus: IaaS Private Cloud Brief Comparison
CloudStack vs OpenStack vs Eucalyptus: IaaS Private Cloud Brief ComparisonCloudStack vs OpenStack vs Eucalyptus: IaaS Private Cloud Brief Comparison
CloudStack vs OpenStack vs Eucalyptus: IaaS Private Cloud Brief Comparisonbizalgo
 
Introduction to Nexus Repository Manager.pdf
Introduction to Nexus Repository Manager.pdfIntroduction to Nexus Repository Manager.pdf
Introduction to Nexus Repository Manager.pdfKnoldus Inc.
 
Fast forensics(公開用)
Fast forensics(公開用)Fast forensics(公開用)
Fast forensics(公開用)f kasasagi
 
virtualization-vs-containerization-paas
virtualization-vs-containerization-paasvirtualization-vs-containerization-paas
virtualization-vs-containerization-paasrajdeep
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Modern systems architectures: Uber, Lyft, Cabify
Modern systems architectures: Uber, Lyft, CabifyModern systems architectures: Uber, Lyft, Cabify
Modern systems architectures: Uber, Lyft, CabifyAndré Faria Gomes
 
Nx: Angular CLI Power-ups for your modern Development
Nx: Angular CLI Power-ups for your modern DevelopmentNx: Angular CLI Power-ups for your modern Development
Nx: Angular CLI Power-ups for your modern DevelopmentSeven Peaks Speaks
 
Makers Making Sustainability
Makers Making SustainabilityMakers Making Sustainability
Makers Making SustainabilityCindy Kohtala
 
Manual quagga
Manual quaggaManual quagga
Manual quaggaUnileste Minas Gerais
 
Introduction to High-Performance Computing (HPC) Containers and Singularity*
Introduction to High-Performance Computing (HPC) Containers and Singularity*Introduction to High-Performance Computing (HPC) Containers and Singularity*
Introduction to High-Performance Computing (HPC) Containers and Singularity*Intel® Software
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOpsHawkman Academy
 
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...Vietnam Open Infrastructure User Group
 
Introduction to linux containers
Introduction to linux containersIntroduction to linux containers
Introduction to linux containersGoogle
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructureSynergetics Learning and Cloud Consulting
 
Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!
Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!
Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!株式会社クライム
 
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureRed Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureEtsuji Nakai
 
Building virtualised CloudStack test environments
Building virtualised CloudStack test environmentsBuilding virtualised CloudStack test environments
Building virtualised CloudStack test environmentsShapeBlue
 
Resume
ResumeResume
Resumenaveen kumar
 
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)Mirantis
 
OVN DBs HA with scale test
OVN DBs HA with scale testOVN DBs HA with scale test
OVN DBs HA with scale testAliasgar Ginwala
 
Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)lestrrat
 
왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항
왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항
왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항rockplace
 
HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법
HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법
HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법Young D
 
電子署名(PKI)ハンズオン資料 V1.00
電子署名(PKI)ハンズオン資料 V1.00電子署名(PKI)ハンズオン資料 V1.00
電子署名(PKI)ハンズオン資料 V1.00Naoto Miyachi
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportDevOps.com
 
OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17Shane Coughlan
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnSupply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnNUS-ISS
 

Contenu connexe

Tendances

Modern systems architectures: Uber, Lyft, Cabify
Modern systems architectures: Uber, Lyft, CabifyModern systems architectures: Uber, Lyft, Cabify
Modern systems architectures: Uber, Lyft, CabifyAndré Faria Gomes
 
Nx: Angular CLI Power-ups for your modern Development
Nx: Angular CLI Power-ups for your modern DevelopmentNx: Angular CLI Power-ups for your modern Development
Nx: Angular CLI Power-ups for your modern DevelopmentSeven Peaks Speaks
 
Makers Making Sustainability
Makers Making SustainabilityMakers Making Sustainability
Makers Making SustainabilityCindy Kohtala
 
Introduction to High-Performance Computing (HPC) Containers and Singularity*
Introduction to High-Performance Computing (HPC) Containers and Singularity*Introduction to High-Performance Computing (HPC) Containers and Singularity*
Introduction to High-Performance Computing (HPC) Containers and Singularity*Intel® Software
 
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...Vietnam Open Infrastructure User Group
 
Introduction to linux containers
Introduction to linux containersIntroduction to linux containers
Introduction to linux containersGoogle
 
Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!
Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!
Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!株式会社クライム
 
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureRed Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureEtsuji Nakai
 
Building virtualised CloudStack test environments
Building virtualised CloudStack test environmentsBuilding virtualised CloudStack test environments
Building virtualised CloudStack test environmentsShapeBlue
 
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)Mirantis
 
OVN DBs HA with scale test
OVN DBs HA with scale testOVN DBs HA with scale test
OVN DBs HA with scale testAliasgar Ginwala
 
Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)lestrrat
 
왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항
왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항
왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항rockplace
 
HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법
HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법
HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법Young D
 
電子署名(PKI)ハンズオン資料 V1.00
電子署名(PKI)ハンズオン資料 V1.00電子署名(PKI)ハンズオン資料 V1.00
電子署名(PKI)ハンズオン資料 V1.00Naoto Miyachi
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportDevOps.com
 

Tendances (20)

Modern systems architectures: Uber, Lyft, Cabify
Modern systems architectures: Uber, Lyft, CabifyModern systems architectures: Uber, Lyft, Cabify
Modern systems architectures: Uber, Lyft, Cabify
 
Nx: Angular CLI Power-ups for your modern Development
Nx: Angular CLI Power-ups for your modern DevelopmentNx: Angular CLI Power-ups for your modern Development
Nx: Angular CLI Power-ups for your modern Development
 
Makers Making Sustainability
Makers Making SustainabilityMakers Making Sustainability
Makers Making Sustainability
 
Manual quagga
Manual quaggaManual quagga
Manual quagga
 
Introduction to High-Performance Computing (HPC) Containers and Singularity*
Introduction to High-Performance Computing (HPC) Containers and Singularity*Introduction to High-Performance Computing (HPC) Containers and Singularity*
Introduction to High-Performance Computing (HPC) Containers and Singularity*
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...
 
Introduction to linux containers
Introduction to linux containersIntroduction to linux containers
Introduction to linux containers
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps Infrastructure
 
Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!
Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!
Nutanix AHV環境もVeeamでがっちりバックアップ! 進化を遂げた新機能をご紹介!
 
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureRed Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
 
Building virtualised CloudStack test environments
Building virtualised CloudStack test environmentsBuilding virtualised CloudStack test environments
Building virtualised CloudStack test environments
 
Resume
ResumeResume
Resume
 
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
 
OVN DBs HA with scale test
OVN DBs HA with scale testOVN DBs HA with scale test
OVN DBs HA with scale test
 
Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)
 
왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항
왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항
왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항
 
HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법
HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법
HAProxy TCP 모드에서 내부 서버로 Source IP 전달 방법
 
電子署名(PKI)ハンズオン資料 V1.00
電子署名(PKI)ハンズオン資料 V1.00電子署名(PKI)ハンズオン資料 V1.00
電子署名(PKI)ハンズオン資料 V1.00
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
 

Similaire à OpenChain Webinar #50 - An Overview of SPDX 3.0

OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17Shane Coughlan
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnSupply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnNUS-ISS
 
OpenChain Monthly Meeting 2023-02-21 (North America and Asia)
OpenChain Monthly Meeting 2023-02-21 (North America and Asia)OpenChain Monthly Meeting 2023-02-21 (North America and Asia)
OpenChain Monthly Meeting 2023-02-21 (North America and Asia)Shane Coughlan
 
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfSoftware Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfICS
 
OpenChain Monthly Meeting North America - Europe - 2023-02-07
OpenChain Monthly Meeting North America - Europe - 2023-02-07OpenChain Monthly Meeting North America - Europe - 2023-02-07
OpenChain Monthly Meeting North America - Europe - 2023-02-07Shane Coughlan
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)Thierry Gayet
 
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdfSFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdfSouth Tyrol Free Software Conference
 
OpenChain Germany Work Group Meeting 2022-11-16
OpenChain Germany Work Group Meeting 2022-11-16OpenChain Germany Work Group Meeting 2022-11-16
OpenChain Germany Work Group Meeting 2022-11-16Shane Coughlan
 
The path to an hybrid open source paradigm
The path to an hybrid open source paradigmThe path to an hybrid open source paradigm
The path to an hybrid open source paradigmJonathan Challener
 
CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018Krishna-Kumar
 
OpenChain Monthly Meeting - North America / Asia - 2023-03-21
OpenChain Monthly Meeting - North America / Asia - 2023-03-21OpenChain Monthly Meeting - North America / Asia - 2023-03-21
OpenChain Monthly Meeting - North America / Asia - 2023-03-21Shane Coughlan
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSahithi Naraparaju
 
IRJET- Blockchain based Secure Data Storage
IRJET- Blockchain based Secure Data StorageIRJET- Blockchain based Secure Data Storage
IRJET- Blockchain based Secure Data StorageIRJET Journal
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystemsparkfabrik
 
OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023Shane Coughlan
 

Similaire à OpenChain Webinar #50 - An Overview of SPDX 3.0 (20)

OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnSupply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
 
OpenChain Monthly Meeting 2023-02-21 (North America and Asia)
OpenChain Monthly Meeting 2023-02-21 (North America and Asia)OpenChain Monthly Meeting 2023-02-21 (North America and Asia)
OpenChain Monthly Meeting 2023-02-21 (North America and Asia)
 
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfSoftware Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
 
OpenChain Monthly Meeting North America - Europe - 2023-02-07
OpenChain Monthly Meeting North America - Europe - 2023-02-07OpenChain Monthly Meeting North America - Europe - 2023-02-07
OpenChain Monthly Meeting North America - Europe - 2023-02-07
 
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDXSFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)
 
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdfSFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
 
OpenChain Germany Work Group Meeting 2022-11-16
OpenChain Germany Work Group Meeting 2022-11-16OpenChain Germany Work Group Meeting 2022-11-16
OpenChain Germany Work Group Meeting 2022-11-16
 
The path to an hybrid open source paradigm
The path to an hybrid open source paradigmThe path to an hybrid open source paradigm
The path to an hybrid open source paradigm
 
CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018
 
OpenChain Monthly Meeting - North America / Asia - 2023-03-21
OpenChain Monthly Meeting - North America / Asia - 2023-03-21OpenChain Monthly Meeting - North America / Asia - 2023-03-21
OpenChain Monthly Meeting - North America / Asia - 2023-03-21
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemes
 
OWF14 - Open Source & Software Supply Chain
OWF14 - Open Source & Software Supply ChainOWF14 - Open Source & Software Supply Chain
OWF14 - Open Source & Software Supply Chain
 
Documentation
DocumentationDocumentation
Documentation
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil
 
IRJET- Blockchain based Secure Data Storage
IRJET- Blockchain based Secure Data StorageIRJET- Blockchain based Secure Data Storage
IRJET- Blockchain based Secure Data Storage
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
 
OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023
 

Plus de Shane Coughlan

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19Shane Coughlan
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleShane Coughlan
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20Shane Coughlan
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06Shane Coughlan
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06Shane Coughlan
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09Shane Coughlan
 
OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17Shane Coughlan
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxShane Coughlan
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...Shane Coughlan
 
Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Shane Coughlan
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesShane Coughlan
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27Shane Coughlan
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30Shane Coughlan
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeShane Coughlan
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxShane Coughlan
 
OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11Shane Coughlan
 

Plus de Shane Coughlan (20)

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scale
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09
 
OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptx
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
 
Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics Slides
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your Code
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
 
OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11
 

Dernier

%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benonimasabamasaba
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
tonesoftg
tonesoftgtonesoftg
tonesoftglanshi9
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...chiefasafspells
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in sowetomasabamasaba
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...masabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2
 

Dernier (20)

%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 

OpenChain Webinar #50 - An Overview of SPDX 3.0

  • 1. An Overview of SPDX 3.0 OpenChain Webinar #50
  • 2. Anti-Trust Policy Notice ● Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. ● Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.
  • 3. SBOM & SPDX Update 3
  • 4. Common Understanding of “SBOM” “An SBOM is a formal record containing the details and supply chain relationships of various components used in building software. These components, including libraries and modules, can be open source or proprietary, free or paid, and the data can be widely available or access-restricted.” Source: NTIA’s SBOM FAQ
  • 6. NTIA Software Bill Of Materials (SBOM) Guidance - Minimum Elements Source: https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf SPDX 2.2 + (ISO/IEC 5962:2021) supports all required minimum elements (as well the optional that are mentioned in report) Checker available at: https://github.com/spdx/ntia -conformance-checker
  • 7. Derived from : NTIA’s Survey of Existing SBOM Formats and Standards When should an SBOM be created or consumed?
  • 8. SBOM Type Definition Design SBOM of intended design of included components (some of which may not exist) for a new software artifact. Source SBOM created directly from the development environment, source files, and included dependencies used to build an product artifact. Build SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or package) from data such as source files, dependencies, built components, build process ephemeral data, and other SBOMs. Deployed SBOM provides an inventory of software that is present on a system. This may be an assembly of other SBOMs that combines analysis of configuration options, and examination of execution behavior in a (potentially simulated) deployment environment. Runtime BOM generated through instrumenting the system running the software, to capture only components present in the system, as well as external call-outs or dynamically loaded components. In some contexts, this may also be referred to as an “Instrumented” or “Dynamic” SBOM. Analyzed SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and virtual machine images) after its build. Such analysis generally requires a variety of heuristics. In some contexts, this may also be referred to as a “3rd party” SBOM. Source: CISA SBOM Types work in progress - to appear on CISA SBOM site soon.
  • 9. Derived from : NTIA’s Survey of Existing SBOM Formats and Standards Generate SBOMs where the data is Source Runtime Design Deployed Build
  • 10. Package Information SPDX v2.3 Document must contain: SPDX Document Creation Information Package Information Other Licensing Information Other Licensing Information Detected Other Licensing Information File Information Other Licensing Information Annotations Information Other Licensing Information Relationships between SPDX Elements Information Other Licensing Information Snippet Information Charter: To create a set of data exchange standards that enable companies and organizations to share human-readable and machine- processable software package metadata to facilitate software supply chain processes. Software Package Data Exchange (SPDX®) specification is a standard for communicating the component and metadata information associated with software SPDX v2.3 Document may contain:
  • 11. ISO/IEC 5962:2021 11 Source: https://www.iso.org/standard/81870.html accessed on 2021/11/19 ● Able to represent SBOMs from binary images and track back to the source files and snippets. ● Specification is freely available from ITTF site ● Future updates are live tracked at: https://spdx.github.io/spdx-spec and work on satisfying safety requirements is being included ● More information at spdx.dev
  • 13. Formal Model Enables Validation & Interchange Between Specific File Formats .xls (spreadsheet) .rdf (RDF) .spdx (tag:value) .xml (2.2 →) .json (2.2 →) .yaml (2.2→)
  • 14. SPDX Relationships Clarify Dependency Types 1 4 DESCRIBES DEPENDENCY_OF PREREQUISITE_FOR GENERATES VARIANT_OF DESCRIBED_BY RUNTIME_DEPENDENCY_OF HAS_PREREQUISITE TEST_OF FILE_ADDED CONTAINS BUILD_DEPENDENCY_OF ANCESTOR_OF TEST_TOOL_OF FILE_DELETED CONTAINED_BY DEV_DEPENDENCY_OF DESCENDENT_OF TEST_CASE_OF FILE_MODIFIED DYNAMIC_LINK OPTIONAL_DEPENDENCY_OF DOCUMENTATION_OF EXAMPLE_OF PATCH_FOR STATIC_LINK PROVIDED_DEPENDENCY_OF BUILD_TOOL_OF METAFILE_OF PATCH_APPLIE D AMENDS TEST_DEPENDENCY_OF EXPANDED_FROM_ARCHIVE PACKAGE_OF OTHER COPY_OF OPTIONAL_COMPONENT_OF DISTRIBUTION_ARTIFACT DATA_FILE_OF DEPENDS_ON DEPENDENCY_MANIFEST_OF GENERATED_FROM DEV_TOOL_OF For more details see: https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/
  • 15. SPDX Progress in 2022 ● License List ● Specification ● Tooling ● SBOM Ecosystem Engagement
  • 16. SPDX License List Milestones ● Feb 6, 2022 - v3.16: 6 new licenses/exceptions, 1 deprecated license ● May 8, 2022 - v3.17: 5 new licenses/exceptions, clarifications & docs rework ● July 29, 2022 - Fedora adopts SPDX License identifiers ● Aug 11, 2022- v3.18: 10 new licenses/exceptions, decision template ● Nov 30, 2022 - v3.19: focus on doc & process (5 new licenses/exceptions) ● Feb 17, 2023 - v3.20: ○ 40 new license/exceptions (22 tagged "used in major distro") ○ Streamlined legal team review process for licenses used in major distros like Fedora and Debian ○ Additional XML markup for matching purposes (mostly from Fedora legacy licenses) ○ Improvements to documentation, adding SPDX License List History
  • 17. SPDX Specification Milestones ● Apr 11, 2022 - Build Profile Working Group formed: target 3.0 ● May 4, 2022 - AI BOM Working Group formed: target on 3.0 ○ Evolved to focus on 2 profiles - AI Applications/models & Datasets ● June 29, 2022 - OWASP/CycloneDX interoperability discussion ○ Facilitation by CISA: Focused on NTIA minimum features roundtriping ● Aug 5, 2022 - FuSa Working Group Formed: target 3.1 ● Aug 11, 2022 - V2.3 released - 26 contributors ○ added new fields to improve the ability to capture security related information and to improve interoperability with other SBOM formats. Incorporate new usage & AI fields as well as enhanced enumerations. ● Dec 8, 2022 - Open Compliance Summit - SPDX Mini-Summit ○ Review of the 3.0 Profiles & discussion on overlaps between build & usage ● Feb 6, 2023 - FOSDEM - SBOM Devroom
  • 18. SPDX Generation Tooling ● tools-java ○ Aug 12, 2022 - v1.1.0 update to support 2.3 ○ Sept 2022 → Feb 2023 5 releases for performance improvements & fixes ● tools-python ○ OpenSSF Funded cleanup & restructuring ○ Dec 8, 2022 - v0.7.0 - update to support 2.3 & clean up bug backlog ○ Prototyping of 3.0 in progress ● tools-golang ○ Jan 12, 2023 - v0.4.0 - update to support 2.3 ● spdx-online-tools (validator & translator) ○ Aug 12, 2022 - v1.0.7 add support SPDX 2.3 ○ Nov 15, 2022 - v1.0.9 add in NTIA Conformance Checker Tool
  • 19. SPDX Consumption Tooling ● spdx-online-tools (validator & translator) ○ Aug 12, 2022 - v1.0.7 add support SPDX 2.3 ○ Nov 15, 2022 - v1.0.9 add in NTIA Conformance Checker Tool ● SPDX-to-OSV (vulnerability lookup) ○ Produce an Open Source Vulnerability JSON file based on information in an SPDX document ○ Jan 10, 2022 - v0.1.1 - pick up tooing updates ● ntia-conformance-checker (minimum SBOM fields present) ○ Check that an SBOM meets the minimum field requirements ○ Started as GSOC project, and maintainer from Chainguard has adopted ○ Feb 8, 2022 - v0.2.1 - fix NOASSERTION supplier case Also worth looking at: https://github.com/nyph-infosec/daggerboard
  • 20. SBOMs Everywhere in 2022… 20 - OpenSSF - Work Stream 9 → SBOM Everywhere SIG - SPDX Python Library rework funded. - Started work on consolidating definitions of types of SBOMs → CISA working group to get broader adoption - Started documentation of use cases - NTIA efforts have transferred to US DHS CISA - 4 working groups on SBOMs - Sharing, Adoption, Cloud, Tooling - International coordination with CERTs (like Japan’s CERT) and other international government agencies
  • 22. Package Information SPDX v2.3 Document must contain: SPDX Document Creation Information Package Information Other Licensing Information Other Licensing Information Detected Other Licensing Information File Information Other Licensing Information Annotations Information Other Licensing Information Relationships between SPDX Elements Information Other Licensing Information Snippet Information SPDX v2.3 Document may contain:
  • 24. SPDX 3.0 Increases Modularity Core Model Licensing Usage Security Build AI Dataset SPDX 3.0 (Core Model + Software Profile + Licensing Profile ) == SPDX 2.3 Software Profile
  • 25. SPDX 3.0 Specification Infrastructure Specification is being transformed into markdown describing - Classes, Properties, Enumerations - Metadata (type & cardinality) and description for each element. - Will be able to automatically generate schema from this version (for JSON, YAML, RDF, XML, tag-value, etc.) and reduce errors. Profiles can add their own Classes and Properties and may also restrict other profiles (e.g. values, cardinalities, …) See: https://github.com/spdx/spdx-3-model
  • 26. SPDX 3.0 Core Model
  • 27. SPDX 3.0 Software Profile
  • 28. Licensing Profile Update ● Based on licensing-related fields in pre-existing SPDX spec, with updates: ○ More consistency across artifact types (package, file, snippet) ○ Aligning with SPDX 3.0 data model ○ Documenting the object model for license expressions ○ Custom exceptions ● Current status: ○ Revised for new SPDX 3.0 model formatting ○ Draft has been submitted to model for discussion at https://github.com/spdx/spdx-3- model/tree/licensing-profile For more information, contact: Steve Winslow or Alexios Zavras
  • 29. Security Profile Update ● Similar to 2.3, we plan to support in 3.0 linking to various security information including CSAF/CDX/VeX and VDR ● Using profiles one can only communicate base software and security info ○ Security Profile will inherit from Core Profile ○ Plan to define Security Profile relationships to Software Profile, Build Profile, AI Profile, Dataset Profile, etc. ● In addition to linking, we are considering embedding minimal elements to enable SPDX to convey security info in a simplified manner ○ Tracking CISA VEX discussions to determine minimal elements ● Initial draft has been submitted to model for discussion at : https://github.com/spdx/spdx-3-model/tree/security-profile For more information contact: Thomas Steenbergen or Jeff Schutt
  • 30. Build Profile Overview Use Cases: ▪ Security ▪ Reproducibility ▪ Auditing quality/pedigree of build ▪ Safety • The source code at the time of release • The configuration used to build the software • The specific versions of the tools used to build the software Initial draft has been submitted to model for discussion at : https://github.com/spdx/spdx-3- model/tree/build-profile Contact: Brandon Lumm
  • 31. AI BOM ⇒ SPDX AI profile + SPDX Dataset profile AI software Dataset Model Software code Trained model Software code Traditional Software AI Software Has additional elements that nuances that need to be captured to ensure its traceability AI BOM Enhances SPDX to describe AI software including and AI Software’s components, licenses, copyrights, and security references. Software components AI components AIBOM Extends Dataset profile AI Package Profile
  • 32. #ossummit Proposed AI Profile Properties Data Model AI/ML Application Required Fields: - Creator - Supplier - PackageVersionInfo - PackageDownloadLocation - PackageDescription - LicenseConcluded - LicenseDeclared - PackageDescription - ReleaseDate - Relationship Optional Fields: - Originator - Checksum - ValidUntilDate - BuildDate - PackageComments - SensitivePersonalInformation - EnergyConsumption - StandardsCompliance - InformationAboutTraining - Hyperparameters - SafetyRiskAssessment - DataPreprocessingSteps - ModelExplainabilityMechanisms - MetricsDecisionThresholds - Metrics - Autonomy - Domain - Limitations - Type Initial draft has been submitted to model for discussion at : https://github.com/spdx/spdx-3-model/tree/ai-profile
  • 33. #ossummit Proposed Dataset Profile Properties Data Model AI/ML Application Required Fields: - Name - Originator - DownloadLocation - LicenseConcluded - LicenseDeclared - PackageDescription - BuiltDate - ReleaseDate - DatasetType Optional Fields: - Supplier - VersionInfo - Checksum - ValidUntil - IntendedUse - DatasetCollectionProcess - DatasetUpdateMechanism - DatasetSize - DatasetNoise - KnownBias - Errata - SensorsUsed - StandardCompliance - SensitivePersonalInformation - ConfidentialityLevel - AnonymizationMethodUsed
  • 34. Usage Profile: to convey intentions as “Usage” for Delivery Product
  • 35. SPDX Lite Profile - WIP - Strict subset of fields from Core, Software & Licensing - Goals: - Build on profile concept introduced in 2.X - Satisfy NTIA Minimum SBOM Elements requires adding simple relationships - Support manual import into more complex systems Contact: OpenChain Japan Working Group
  • 36. What’s next after After 3.0?
  • 37. Future Direction: Hardware ● There are use cases where it is expected to know “system” that software is running on ● Vulnerabilities come from interaction between hardware and software (e.g., heartbleed) ● Potential participants: ○ RISC-V & ARM core adopters, ○ Chips Alliance Members ○ Board Manufacturers ● For more information, contact: Kate Stewart
  • 38. Future Direction: Safety Standards Automation ● Safety Standards expect to know ○ The source code at the time of production release ○ The documentation associated with the code ○ The configuration used to build the production software ○ The specific versions of the tools used to build the software ● Safety Standards Configuration Management (CM) Requirements are greatly simplified by following an effective SBOM process. ○ An SBOM supports capturing the details of what is in a specific release and supports determining what went wrong if a failure occurs. ○ The goal is to be able to rebuild exactly what the executable or binary was at the time of release. ● To learn more, see: ○ https://www.linux.com/featured/sboms-supporting-safety-critical-software/
  • 39. Safety Profile Introduction (3.1 target) ● Also known as Functional Safety (or FuSa). ● Purpose is to link together all the safety artifacts (including code and relevant tests) with the aim of being able to automatically detect what a file update may need to force retesting. ● Goal is to support continuous certification of safety artifacts after security updates are applied. ● Overview can be found at: https://fosdem.org/2023/schedule/event/sbom_fusa/ For more information, contact: Nicole Pappler or Kate Stewart
  • 40. Want to Help? ● If you have a use-case you want to make sure can be supported in the future SPDX specification, ○ join the SPDX tech team mailing list (https://lists.spdx.org/g/Spdx-tech) , ○ open an issue in https://github.com/spdx/spdx-spec and ○ join in on the discussion! ● Try it, and let us know if you see issues. 40
  • 42. How to Get Involved - PRs & Issues https://github.com/spdx ▪ Specification • https://github.com/spdx/spdx-spec ← ISO submission format • https://github.com/spdx/spdx-3-model ← 3.0 development • https://github.com/spdx/spdx-examples ▪ Tooling • https://github.com/spdx/tools-python • https://github.com/spdx/tools-golang • https://github.com/spdx/tools-java ▪ License List • https://github.com/spdx/license-list-XML