Provenance and pedigree are critical aspects that we need to support as either a profile or a element of core.
Very interested if working through that.
Bob
Robert (Bob) Martin Sr. Software and Supply Chain Assurance Principal Eng. Cross Cutting Solutions and Innovation Dept Cyber Solutions Innovation Center MITRE Labs MITRE Corporation 781-271-3001o 781-424-4095c
We are very interested in provenance for our internal inter-build package exchanges. Provenance for us bottoms out in a link to the repo, the commit hash, and the build id. I favor ADO and Git, so build ID and commit hash are valuable. For other continuous integration pipelines there are analogues. The trick is to enable provenance attestation independent of the type of build engine and repo type.
From: [email protected] <[email protected]> On Behalf Of Brandon Lum via lists.spdx.org
Sent: Thursday, March 17, 2022 7:41 AM
To: [email protected]
Subject: [EXTERNAL] [spdx-tech] Adding Build SBOM relationships for S3C resiliency
You don't often get email from [email protected]. Learn why this is important
Hi All,
I've been exploring ideas in the build provenance realm, and I think there are some ideas there that could be useful to incorporate into SPDX. I wanted to get a sense if folks are interested, and would love to work on something for this!
Some of the ideas from build provenance (I'm going to frame it around the security use case since that's what I'm most familiar with). These are mostly orthogonal concepts to those of the SLSA framework:
1. What is the toolchain used to build this binary/artifact (in the event where a compromised compiler, build container, etc. is detected)
2. What/who is the builder that was used to build this binary/artifact (in the event where a build system gets compromised - e.g. CI/CD like github actions, travis, circle CI is compromised), with the ability to respond to breach.
3. (Already part of SPDX relationship between elements) What are the materials that were used to build this binary/artifact
4. (Already covered by proposed canonicalisation committee) Integrity validation/provenance of claims of binary/artifact
I think there could potentially be a place to define some of these in SPDX, maybe through adding more relationships to https://spdx.github.io/spdx-spec/relationships-between-SPDX-elements/, or otherwise.
Would like to hear thoughts/interest from folks!
On a side note: I am also interested in getting more into the tooling side of Build SBOMs (and distribution/resolution of). Would love to chat with anyone that's working on it - I'm hoping to define some projects around this!
Cheers
Brandon
_._,_._,_
Links:You receive all messages sent to this group.
View/Reply Online (#4423) | Reply To Sender | Reply To Group | Mute This Topic | New Topic
Your Subscription | Contact Group Owner | Unsubscribe [[email protected]]
_._,_._,_
