Hello all,

Continuing the conversation here...

Gary, I wouldn't say that an SBOM is an XML transformation of a POM.
CycloneDX, for example, can contain information not in a POM, such as
license information, service relationships, and vulnerabilities [1].
The component identifiers used are also different in that they
describe the component uniquely across the entire software space
(different languages, packaging schemes, etc.) and not just in the
Maven ecosystem. However, for the purposes of Apache Commons, I expect
that there will be a good amount of overlap between the information in
the POM and that in the SBOM.

Mark, can you provide more details on how we should interact with
OpenSSF? Do we simply show up in the Zoom meeting or is there some
sort of protocol we need to follow? Are you picturing us following
their lead on SBOM recommendations?

Regards,
Matt J

[1] https://cyclonedx.org/specification/overview/
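To make the POM-versus-SBOM overlap concrete, here is an added example (written for this thread, not code from Apache Commons or from the CycloneDX project): it reads a constructed sample POM, emits a minimal CycloneDX 1.4 JSON document whose components are identified by Package URLs of the `pkg:maven` type, and then runs a consistency check of the kind a consumer would want, comparing the dependencies declared in the POM against the components listed in a BOM. The function names (`maven_purl`, `pom_to_cyclonedx`, `check_bom_against_pom`) and the sample POM are assumptions for the demonstration; the JSON field names follow the CycloneDX 1.4 specification.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample POM for the demonstration (not an Apache Commons POM).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo-lib</artifactId>
  <version>1.2.3</version>
  <licenses><license><name>Apache-2.0</name></license></licenses>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>odd name</artifactId>
      <version>2.0</version>
    </dependency>
  </dependencies>
</project>
"""


def _text(el, tag):
    node = el.find(POM_NS + tag)
    return node.text.strip() if node is not None and node.text else None


def maven_purl(group, artifact, version):
    """Package URL for a Maven artifact: pkg:maven/<group>/<artifact>@<version>.
    Each segment is percent-encoded so the identifier is unambiguous across
    ecosystems, not just within Maven coordinates."""
    return "pkg:maven/{}/{}@{}".format(
        quote(group, safe=""), quote(artifact, safe=""), quote(version, safe=""))


def parse_pom(xml_text):
    """Return (project, dependencies); each entry is a group/artifact/version dict."""
    root = ET.fromstring(xml_text)
    project = {
        "group": _text(root, "groupId"),
        "artifact": _text(root, "artifactId"),
        "version": _text(root, "version"),
        "license": None,
    }
    lic = root.find(POM_NS + "licenses/" + POM_NS + "license")
    if lic is not None:
        project["license"] = _text(lic, "name")
    deps = []
    # iter() walks all <dependency> elements, including nested ones.
    for dep in root.iter(POM_NS + "dependency"):
        deps.append({"group": _text(dep, "groupId"),
                     "artifact": _text(dep, "artifactId"),
                     "version": _text(dep, "version")})
    return project, deps


def component(entry, license_id=None):
    """One CycloneDX component; the purl is the cross-ecosystem identifier."""
    comp = {
        "type": "library",
        "group": entry["group"],
        "name": entry["artifact"],
        "version": entry["version"],
        "purl": maven_purl(entry["group"], entry["artifact"], entry["version"]),
    }
    if license_id:
        comp["licenses"] = [{"license": {"id": license_id}}]
    return comp


def pom_to_cyclonedx(xml_text):
    """Minimal CycloneDX 1.4 JSON document built only from what the POM holds.
    Services and vulnerabilities have no source in a POM, so they are absent here."""
    project, deps = parse_pom(xml_text)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": component(project, project["license"])},
        "components": [component(d) for d in deps],
    }


def check_bom_against_pom(bom, xml_text):
    """Consumer-side consistency check: POM dependencies missing from the BOM,
    and BOM components with no counterpart in the POM."""
    _, deps = parse_pom(xml_text)
    expected = {maven_purl(d["group"], d["artifact"], d["version"]) for d in deps}
    present = {c["purl"] for c in bom.get("components", []) if "purl" in c}
    return {"missing_from_bom": sorted(expected - present),
            "not_in_pom": sorted(present - expected)}


if __name__ == "__main__":
    bom = pom_to_cyclonedx(SAMPLE_POM)
    print(json.dumps(bom, indent=2))
    print(check_bom_against_pom(bom, SAMPLE_POM))
```

The check reports a BOM that silently drops a dependency (or adds one the POM never declared), which is the kind of discrepancy that matters when the BOM is treated as authoritative for vulnerability or supply-chain analysis.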

On Thu, Jul 21, 2022 at 12:51 PM David Nalley <da...@gnsa.us> wrote:
>
> I hesitate to weigh in because I am not going to be doing any of the work,
> but I think it's useful to consider what you're trying to accomplish with
> SBOM. I used to spend a lot of time in the SBOM space.
>
> If it's license compliance, SPDX makes a lot of sense. It was built from
> the ground up to be a license compliance data exchange format.
> Folks are aggressively working on SPDX 3.0 and adding some use cases
> around security and to address some of the gaps that SBOM advocates have
> called out.
>
> CycloneDX was built from the ground up as a SBOM and security tool. What's
> really telling for me is that there are already a lot of tools for sharing,
> querying, and managing BoMs in the CycloneDX format. Just generating the
> BoM may be all that we do, but for it to be useful to our users they need
> tools that can ingest, and do something with the BoM. That's improving by
> the day with SPDX, but great tooling exists already for CycloneDX.
>
> --David
>
>
>
> On Mon, Jul 18, 2022 at 8:18 AM Steve Springett
> <steve.spring...@owasp.org.invalid> wrote:
>
> > There may be value in supporting both formats. Most security vendors
> > support the CycloneDX standard since it's from OWASP and was purpose-built
> > for security use cases. Some security vendors support SPDX as well. OpenSSF
> > has publicly stated that they will only support SPDX due to both OpenSSF
> > and SPDX being Linux Foundation projects. Unfortunately, this view is
> > contrary to the adoption we’re seeing in the global security community.
> >
> > Sonatype, the stewards of Maven Central, have been a big supporter of
> > CycloneDX since 2019 and have recommitted to favoring it going forward.
> >
> > https://www.sonatype.com/press-releases/sonatype-embraces-cyclonedx-standard-for-integrating-software-bills-of-materials-sboms
> >
> > Regardless, the end goal is to have authoritative SBOMs published to Maven
> > Central similar to what DropWizard is doing.
> >
> > https://repo1.maven.org/maven2/io/dropwizard/dropwizard-core/2.1.1/
> >
> > Non-authoritative SBOMs may be on the roadmap for Maven Central.
> >
> >
> > —Steve
> >
> >
> > On 2022/07/17 16:11:28 Matt Juntunen wrote:
> > > Hello,
> > >
> > > The Apache Commons project recently received a PR [1] for our parent
> > > POM that includes the generation of software bill of materials (SBOM)
> > > artifacts during the build. During the following discussion [2] on our
> > > dev mailing list, it was suggested that this mailing list would be the
> > > appropriate place to discuss this topic. In short, we are trying to
> > > answer the following questions:
> > >
> > > 1. Should our projects include SBOM artifacts?
> > > 2. If so, what format should we use (e.g., SPDX [3] or CycloneDX [4])?
> > >
> > > I am of the opinion that the ASF in general (and Apache Commons in
> > > particular) should provide these artifacts when appropriate as they 1)
> > > are useful when performing vulnerability and software supply chain
> > > analysis and 2) promote good cybersecurity practices in the community.
> > >
> > > What guidance does the ASF provide on this issue? What, if any,
> > > standards have been adopted?
> > >
> > > Regards,
> > > Matt J
> > >
> > > [1] https://github.com/apache/commons-parent/pull/122
> > > [2] https://lists.apache.org/thread/kvdz39t5wndojbtqqn84smm51rt89fnx
> > > [3] https://spdx.dev/
> > > [4] https://cyclonedx.org/
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail:
> > security-discuss-unsubscr...@community.apache.org
> > > For additional commands, e-mail:
> > security-discuss-h...@community.apache.org
> > >
> > >
> >
> >
