We are very interested in provenance for our internal inter-build package 
exchanges. Provenance for us bottoms out in a link to the repo, the commit 
hash, and the build id. I favor ADO and Git, so build ID and commit hash are 
valuable. For other continuous integration pipelines there are analogues. The 
trick is to enable provenance attestation independent of the type of build 
engine and repo type.

From: [email protected] <[email protected]> On Behalf Of Brandon 
Lum via lists.spdx.org
Sent: Thursday, March 17, 2022 7:41 AM
To: [email protected]
Subject: [EXTERNAL] [spdx-tech] Adding Build SBOM relationships for S3C 
resiliency

Hi All,

I've been exploring ideas in the build provenance realm, and I think there are 
some ideas there that could be useful to incorporate into SPDX. I wanted to get 
a sense if folks are interested, and would love to work on something for this!

Some of the ideas from build provenance (I'm going to frame it around the 
security use case since that's what I'm most familiar with). These are mostly 
orthogonal concepts to those of the SLSA framework <https://slsa.dev/>:
1. What is the toolchain used to build this binary/artifact (in the event where 
a compromised compiler, build container, etc. is detected)
2. What/who is the builder that was used to build this binary/artifact (in the 
event where a build system gets compromised - e.g. CI/CD like github actions, 
travis, circle CI is compromised), with the ability to respond to breach.
3. (Already part of SPDX relationship between elements 
<https://spdx.github.io/spdx-spec/relationships-between-SPDX-elements/>) 
What are the materials that were used to build this binary/artifact
4. (Already covered by proposed canonicalisation committee) Integrity 
validation/provenance of claims of binary/artifact

I think there could potentially be a place to define some of these in SPDX, 
maybe through adding more relationships to 
https://spdx.github.io/spdx-spec/relationships-between-SPDX-elements/, 
or otherwise.

Would like to hear thoughts/interest from folks!

On a side note: I am also interested in getting more into the tooling side of 
Build SBOMs (and distribution/resolution of). Would love to chat with anyone 
that's working on it - I'm hoping to define some projects around this!

Cheers
Brandon



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#4420): https://lists.spdx.org/g/Spdx-tech/message/4420
Mute This Topic: https://lists.spdx.org/mt/89846631/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
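As an added illustration of the two messages above (not code from either author or from the SPDX project), the following Python module records, for each artifact, the three things Brandon lists as build-provenance questions (toolchain, builder, materials) as SPDX-style relationships, and the build-engine-agnostic tuple Joe describes (repo link, commit hash, build id) as a separate provenance record. It then answers the breach-response question from ideas (1) and (2): once a compiler or a CI builder is known to be compromised, which artifacts, including downstream consumers, have to be rebuilt or recalled. GENERATED_FROM, STATIC_LINK and BUILD_TOOL_OF are real SPDX 2.x relationship types; BUILT_BY is a hypothetical relationship used here to stand in for idea (2), and every SPDX ID, URL, commit hash and build id in the sample graph is constructed for the example.

```python
# Added example: a tiny SPDX-style graph recording toolchain, builder and
# materials for each artifact, plus the breach-response query "which artifacts
# did a compromised compiler or CI builder touch?".
from __future__ import annotations

from dataclasses import dataclass, field

# GENERATED_FROM, STATIC_LINK and BUILD_TOOL_OF are SPDX 2.x relationship types.
# BUILT_BY is a hypothetical relationship standing in for idea (2) in the thread.
GENERATED_FROM, STATIC_LINK, BUILD_TOOL_OF, BUILT_BY = (
    "GENERATED_FROM", "STATIC_LINK", "BUILD_TOOL_OF", "BUILT_BY")
MATERIAL_RELS = {GENERATED_FROM, STATIC_LINK}


@dataclass(frozen=True)
class Relationship:
    src: str  # SPDX ID the relationship is stated about
    rel_type: str
    dst: str


@dataclass(frozen=True)
class Provenance:
    """Build-engine-agnostic provenance: repo link, commit hash, build id, builder."""
    repo: str
    commit: str
    build_id: str
    builder_id: str  # SPDX ID of the builder element


@dataclass
class SbomGraph:
    packages: dict[str, dict] = field(default_factory=dict)
    relationships: list[Relationship] = field(default_factory=list)
    provenance: dict[str, Provenance] = field(default_factory=dict)

    def add_package(self, spdx_id: str, name: str, download_location: str = "NOASSERTION") -> None:
        self.packages[spdx_id] = {"name": name, "downloadLocation": download_location}

    def relate(self, src: str, rel_type: str, dst: str) -> None:
        if src not in self.packages or dst not in self.packages:
            raise KeyError(f"unknown SPDX element in {src} {rel_type} {dst}")
        self.relationships.append(Relationship(src, rel_type, dst))

    def attest(self, artifact_id: str, prov: Provenance) -> None:
        """Attach provenance and express its builder as a BUILT_BY relationship."""
        self.provenance[artifact_id] = prov
        self.relate(artifact_id, BUILT_BY, prov.builder_id)

    def materials_of(self, artifact_id: str) -> set[str]:
        """Idea 3: transitive closure of GENERATED_FROM / STATIC_LINK."""
        seen: set[str] = set()
        todo = [artifact_id]
        while todo:
            cur = todo.pop()
            for r in self.relationships:
                if r.src == cur and r.rel_type in MATERIAL_RELS and r.dst not in seen:
                    seen.add(r.dst)
                    todo.append(r.dst)
        return seen

    def build_tools_of(self, artifact_id: str) -> set[str]:
        """Idea 1: elements recorded as BUILD_TOOL_OF the artifact."""
        return {r.src for r in self.relationships
                if r.rel_type == BUILD_TOOL_OF and r.dst == artifact_id}

    def builder_of(self, artifact_id: str) -> str | None:
        """Idea 2: the builder named by the BUILT_BY relationship, if any."""
        return next((r.dst for r in self.relationships
                     if r.src == artifact_id and r.rel_type == BUILT_BY), None)

    def provenance_pinned(self, artifact_id: str) -> bool:
        """True when the attested repo@commit matches the downloadLocation of a
        direct GENERATED_FROM material (SPDX VCS form: git+<url>@<revision>)."""
        prov = self.provenance.get(artifact_id)
        if prov is None:
            return False
        pin = f"git+{prov.repo}@{prov.commit}"
        return any(self.packages[r.dst]["downloadLocation"] == pin
                   for r in self.relationships
                   if r.src == artifact_id and r.rel_type == GENERATED_FROM)

    def impacted_by(self, bad_tools: set[str], bad_builders: set[str]) -> set[str]:
        """Artifacts to rebuild or recall: built with a bad tool or by a bad
        builder, or transitively using such an artifact as a material."""
        direct = {pid for pid in self.packages
                  if self.build_tools_of(pid) & bad_tools
                  or self.builder_of(pid) in bad_builders}
        return {pid for pid in self.packages
                if pid in direct or self.materials_of(pid) & direct}


def example_graph() -> SbomGraph:
    """Constructed sample (all IDs, URLs and hashes are made up): libfoo built by
    gcc on a Travis pool; app built by clang on an ADO pool, linking libfoo."""
    g = SbomGraph()
    libfoo_repo, app_repo = "https://example.invalid/org/libfoo.git", "https://example.invalid/org/app.git"
    g.add_package("SPDXRef-src-libfoo", "libfoo-source", f"git+{libfoo_repo}@{'a' * 40}")
    g.add_package("SPDXRef-src-app", "app-source", f"git+{app_repo}@{'b' * 40}")
    for sid, name in [("SPDXRef-gcc", "gcc"), ("SPDXRef-clang", "clang"),
                      ("SPDXRef-builder-travis", "travis-pool"), ("SPDXRef-builder-ado", "ado-pool"),
                      ("SPDXRef-libfoo", "libfoo.a"), ("SPDXRef-app", "app")]:
        g.add_package(sid, name)
    g.relate("SPDXRef-libfoo", GENERATED_FROM, "SPDXRef-src-libfoo")
    g.relate("SPDXRef-gcc", BUILD_TOOL_OF, "SPDXRef-libfoo")
    g.attest("SPDXRef-libfoo", Provenance(libfoo_repo, "a" * 40, "travis-17", "SPDXRef-builder-travis"))
    g.relate("SPDXRef-app", GENERATED_FROM, "SPDXRef-src-app")
    g.relate("SPDXRef-app", STATIC_LINK, "SPDXRef-libfoo")
    g.relate("SPDXRef-clang", BUILD_TOOL_OF, "SPDXRef-app")
    g.attest("SPDXRef-app", Provenance(app_repo, "b" * 40, "ado-4242", "SPDXRef-builder-ado"))
    return g
```

With `g = example_graph()`, `g.impacted_by(set(), {"SPDXRef-builder-travis"})` returns both `SPDXRef-libfoo` (built on that pool) and `SPDXRef-app` (it statically links libfoo), while `g.impacted_by({"SPDXRef-clang"}, set())` returns only `SPDXRef-app`. `provenance_pinned` is the consistency check between the two views: the repo@commit in the provenance record must match the pinned download location of the artifact's source material, so a provenance claim that does not agree with the SBOM's own material list is caught regardless of which CI engine produced it.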