Adolfo,
You make some good points. The SBOMs we produce today are less than perfect and leave room for improvement. The real question is: are they good enough to provide value to software consumers today in monitoring for risks in new vulnerabilities? I believe the answer is yes.

Regarding the issues you cited in the supplied SPDX:

* This SBOM uses the default relationship approach that's supported today in SPDX. When no relationship is explicit, then assume a "CONTAINS" relationship as the default.
* The version issue is actually a typo entered during the risk assessment process when the SBOM was being produced.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
https://reliableenergyanalytics.com/products
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Adolfo
Sent: Thursday, December 8, 2022 3:55 PM
To: [email protected]
Subject: Re: [spdx-tech] [SCITT] Another party claiming that SBOM is bad

Dick,

I applaud you for raising awareness about this. But we also need to recognize that while SBOM tooling is getting better, we still need to improve a lot. Take the SBOM you sent as an example; it seems to have a number of problems: it doesn't have any relationships, versions don't seem to match (PackageName: apache-log4j-2.15.0-bin.zip vs PackageVersion: 2.19.0), the URL is wrong, etc. We haven't yet gotten generation 100% right, and we have a ton of work to do on the consumption side. We need to fight the sentiment of the letter, but we need to do so by taking criticism and responding to the problems with faster, better improvements.

Adolfo García Veytia
Chainguard
View/Reply Online (#4886): https://lists.spdx.org/g/Spdx-tech/message/4886
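The thread turns on two consumption-side questions: what a consumer should do with an SPDX document that carries no explicit Relationship lines, and how to catch the kind of name/version mismatch Adolfo points out before the SBOM is used for vulnerability monitoring. The following Python script is an added example, not code from either correspondent or from the SPDX project. It parses a small constructed SPDX 2.x tag-value fragment (modelled on the thread's apache-log4j example, not the actual SBOM that was sent), applies the "assume CONTAINS when nothing is explicit" convention exactly as Dick's reply states it (treated here as an assumption about the producer's convention, not as SPDX specification behaviour), and flags packages whose PackageName embeds a version string that disagrees with PackageVersion, plus download locations that are neither NOASSERTION/NONE nor a scheme-prefixed URL.

```python
import re

# Constructed SPDX 2.x tag-value fragment for demonstration only. The first
# package deliberately reproduces the mismatch discussed in the thread
# (name says 2.15.0, PackageVersion says 2.19.0); the second is consistent.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-log4j-sbom
PackageName: apache-log4j-2.15.0-bin.zip
SPDXID: SPDXRef-Package-log4j
PackageVersion: 2.19.0
PackageDownloadLocation: NOASSERTION
PackageName: commons-lang3-3.12.0.jar
SPDXID: SPDXRef-Package-lang3
PackageVersion: 3.12.0
PackageDownloadLocation: https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar
"""

# A dotted numeric run such as 2.15.0 or 3.12.0 inside a file name.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
# Any scheme-prefixed location (https://, git+https://, git://, ...).
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def parse_tag_value(text):
    """Minimal tag-value reader: each PackageName tag opens a new package;
    tags seen after it belong to that package; Relationship lines are
    collected as (left, type, right) triples. Returns (doc_id, packages, rels)."""
    doc_id, packages, relationships, current = None, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = {"PackageName": value}
            packages.append(current)
        elif tag == "Relationship":
            parts = value.split()
            if len(parts) == 3:
                relationships.append(tuple(parts))
        elif tag == "SPDXID" and current is None:
            doc_id = value  # the document's own identifier, before any package
        elif current is not None:
            current[tag] = value
    return doc_id, packages, relationships


def effective_relationships(doc_id, packages, relationships):
    """Apply the convention stated in the thread (assumption): if the producer
    wrote no Relationship lines, treat the document as CONTAINS-ing every
    package. Explicit relationships are returned untouched."""
    if relationships:
        return list(relationships)
    return [(doc_id, "CONTAINS", p.get("SPDXID", p["PackageName"]))
            for p in packages]


def check_versions(packages):
    """Return (PackageName, version-in-name, PackageVersion) for every package
    whose file name embeds a version that differs from the declared one, or
    that declares no version at all."""
    findings = []
    for p in packages:
        in_name = VERSION_RE.search(p["PackageName"])
        declared = p.get("PackageVersion")
        if not declared:
            findings.append((p["PackageName"], in_name.group(0) if in_name else None, None))
        elif in_name and in_name.group(0) != declared:
            findings.append((p["PackageName"], in_name.group(0), declared))
    return findings


def check_download_locations(packages):
    """Return (PackageName, location) for locations that are neither the SPDX
    sentinels NONE/NOASSERTION nor a scheme-prefixed URL."""
    bad = []
    for p in packages:
        loc = p.get("PackageDownloadLocation", "")
        if loc in ("NONE", "NOASSERTION") or SCHEME_RE.match(loc):
            continue
        bad.append((p["PackageName"], loc))
    return bad


def audit(text):
    """Run every check over one tag-value document and return the results."""
    doc_id, packages, rels = parse_tag_value(text)
    return {
        "relationships_were_explicit": bool(rels),
        "relationships": effective_relationships(doc_id, packages, rels),
        "version_mismatches": check_versions(packages),
        "bad_download_locations": check_download_locations(packages),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SPDX).items():
        print(f"{key}: {value}")
```

On the sample document the audit reports that relationships were not explicit, synthesises a single CONTAINS edge per package from the document, and lists the log4j package as a 2.15.0 versus 2.19.0 mismatch; a consumer feeding this into vulnerability monitoring would want exactly that mismatch surfaced, because matching advisories against the wrong version silently produces the wrong answer.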
