Thank you Gary, Dick for your inputs. We did further work on this repository to 
validate the build SBOM and below are the findings.

If you have any inputs to explain the differences, please do advise. Thanks 
again.


  1.  There are in total 119 dependencies obtained from the Maven Dependency 
List/Tree on running the mvn dependency:list command.
  2.  The SBOM file that was generated using the command mvn spdx:createSPDX 
resulted in a total of 117 dependencies. Out of these, four dependencies couldn't 
be obtained directly from either the Maven central repository or the dependency 
list.
  3.  Also, two dependencies from the dependency list do not match the SBOM 
file: spring-jcl, spring-test.
  4.  The dependencies "JSON Small and Fast Parser", "AssertJ fluent 
assertion", "Spring Data Core" and "Java Annotation Indexer" were present in the SBOM 
but not directly present in the dependency list or the Maven central repo.
  5.  There are some other dependencies that are common to both the dependency list 
and the SBOM, but the direct link to those dependencies from the POM dependencies 
is not present. Below is the list of those dependencies:
byte-buddy-agent, objenesis, android-json, spring-jdbc, javassist, dom4j, txw2, 
istack-commons-runtime, spring-data-commons, spring-orm, spring-tx, attoparser, 
thymeleaf-extras-java8time, jakarta.el

Regards,
Vishal.
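To make the comparison behind points 1 to 5 repeatable, and to separate the transitive dependencies Nisha points to further down the thread from the ones the POM declares directly, here is an added Python example. It is not code from the thread or from the spdx-maven-plugin. The `mvn dependency:list` excerpt, the pom.xml fragment and the SPDX JSON are constructed samples in the shape those tools emit, and the script assumes each SBOM package carries a Maven purl in its externalRefs (the coordinates below are not taken from the CreditManager project).

```python
"""Diff a `mvn dependency:list` run against an SPDX build SBOM.

Added example, not from the thread or the spdx-maven-plugin. All inputs
below are constructed samples; replace them with the real files to use it.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of `mvn dependency:list` output. Assumption: the usual
# "[INFO]    group:artifact:type[:classifier]:version:scope" line format;
# newer plugin versions append "-- module ..." which is ignored.
DEPENDENCY_LIST_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.6.1:list (default-cli) @ demo ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.27:compile -- module spring.core
[INFO]    org.springframework:spring-jcl:jar:5.3.27:compile
[INFO]    org.springframework:spring-test:jar:5.3.27:test
[INFO]    org.springframework:spring-tx:jar:5.3.27:compile
[INFO]    org.objenesis:objenesis:jar:3.3:test
[INFO] BUILD SUCCESS
"""

# Constructed pom.xml fragment: only what the project declares itself.
# Everything else on the dependency list is transitive.
POM_XML = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>5.3.27</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-test</artifactId><version>5.3.27</version><scope>test</scope></dependency>
  </dependencies>
</project>
"""


def _purl_ref(group, artifact, version):
    return {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
            "referenceLocator": f"pkg:maven/{group}/{artifact}@{version}"}


# Constructed SPDX 2.3 JSON excerpt with deliberate discrepancies: spring-jcl is
# missing, spring-test carries another version, assertj-core is only in the SBOM.
SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "demo",
    "packages": [
        {"name": "demo", "SPDXID": "SPDXRef-Package-demo"},  # the project itself, no purl
        {"name": "spring-core", "externalRefs": [_purl_ref("org.springframework", "spring-core", "5.3.27")]},
        {"name": "spring-test", "externalRefs": [_purl_ref("org.springframework", "spring-test", "5.3.26")]},
        {"name": "spring-tx", "externalRefs": [_purl_ref("org.springframework", "spring-tx", "5.3.27")]},
        {"name": "objenesis", "externalRefs": [_purl_ref("org.objenesis", "objenesis", "3.3")]},
        {"name": "assertj-core", "externalRefs": [_purl_ref("org.assertj", "assertj-core", "3.24.2")]},
    ],
})

PURL = re.compile(r"^pkg:maven/([^/]+)/([^@/?#]+)@([^?#]+)")
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_dependency_list(text):
    """Map (group, artifact) -> version from `mvn dependency:list` output."""
    deps = {}
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        tokens = line[len("[INFO]"):].split()
        if not tokens:
            continue
        parts = tokens[0].split(":")  # drop any "-- module ..." suffix
        if len(parts) == 5:
            group, artifact, _type, version, _scope = parts
        elif len(parts) == 6:
            group, artifact, _type, _classifier, version, _scope = parts
        else:
            continue
        deps[(group, artifact)] = version
    return deps


def parse_pom_direct(xml_text):
    """Set of (group, artifact) declared directly in the POM (versions ignored,
    since real POMs often use properties or dependencyManagement)."""
    root = ET.fromstring(xml_text)
    direct = set()
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        group = dep.findtext("m:groupId", namespaces=POM_NS)
        artifact = dep.findtext("m:artifactId", namespaces=POM_NS)
        if group and artifact:
            direct.add((group, artifact))
    return direct


def parse_spdx_packages(spdx_text):
    """Map (group, artifact) -> version for every SBOM package with a Maven purl."""
    pkgs = {}
    for pkg in json.loads(spdx_text).get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            m = PURL.match(ref.get("referenceLocator", ""))
            if m:
                group, artifact, version = m.groups()
                pkgs[(group, artifact)] = version
    return pkgs


def compare(dep_list, sbom, direct):
    """Classify every coordinate so each finding in the thread has a bucket."""
    name = lambda k: f"{k[0]}:{k[1]}"  # noqa: E731 (short display helper)
    return {
        "missing_from_sbom": sorted(name(k) for k in dep_list if k not in sbom),
        "only_in_sbom": sorted(name(k) for k in sbom if k not in dep_list),
        "version_mismatch": sorted((name(k), dep_list[k], sbom[k])
                                   for k in dep_list if k in sbom and dep_list[k] != sbom[k]),
        # present in both, but reached only transitively (no direct POM entry)
        "transitive_in_both": sorted(name(k) for k in dep_list if k in sbom and k not in direct),
    }


def run_example():
    return compare(parse_dependency_list(DEPENDENCY_LIST_OUTPUT),
                   parse_spdx_packages(SPDX_JSON), parse_pom_direct(POM_XML))


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Against real inputs, capture the list with `mvn dependency:list -DoutputFile=deps.txt` and point the three constants at that file, the project's pom.xml and the generated SPDX JSON; a non-empty `missing_from_sbom` or `version_mismatch` bucket is the false-negative/false-positive signal to chase, while `transitive_in_both` is the expected explanation for entries that have no direct POM link.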

From: Dick Brooks <[email protected]>
Sent: Saturday, August 10, 2024 2:29 AM
To: 'Gary O'Neall' <[email protected]>; Vishal Goyal 
<[email protected]>; 'Nisha Kumar' <[email protected]>; 
[email protected]
Subject: RE: [spdx-tech] Validating Build SBOM in SPDX Format #spdx


I concur, Gary: "From what I've observed, build SBOMs are becoming increasingly 
popular and are being incorporated into some of the build tools themselves 
(e.g. NPM)."

Build SBOM’s are the primary input to software product risk assessment 
activities:
See CISA’s Software Acquisition Guide

CONTROL.GOV.09 Does the supplier provide a machine-readable SBOM meeting 
minimum requirements defined by National Telecommunications Information 
Administration (NTIA) or successor guidance as published by CISA that covers 
all software components of the product being delivered to the customer 
organization?

https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf



Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!™ 
(https://reliableenergyanalytics.com/products)
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: [email protected]
Tel: +1 978-696-1788


From: [email protected] <[email protected]> On Behalf Of Gary O'Neall
Sent: Friday, August 9, 2024 4:14 PM
To: [email protected]; 'Nisha Kumar' <[email protected]>; 
[email protected]
Subject: Re: [spdx-tech] Validating Build SBOM in SPDX Format #spdx

From what I've observed, build SBOMs are becoming increasingly popular and are 
being incorporated into some of the build tools themselves (e.g. NPM).

For some time, source code scans were the only option, since SBOMs were being 
built by 3rd parties after the code was originally built, as the tools for 
generating SBOMs at build time were not as available.

Regards,
Gary

From: [email protected] <[email protected]> On Behalf Of Vishal 
Goyal via lists.spdx.org
Sent: Friday, August 9, 2024 9:19 AM
To: Nisha Kumar <[email protected]>; [email protected]
Subject: Re: [spdx-tech] Validating Build SBOM in SPDX Format #spdx

Thanks Nisha for the response. I have been digging deeper and have realized the 
same.

A follow-up question: do we see many customers generate and maintain a build 
SBOM, or is the source code scan SBOM the most commonly used one?

CISA talks about 6 SBOM types, and to me build SBOMs and runtime SBOMs look very 
relevant. But I have not seen these 2 being used too often.

Regards,
Vishal.

From: Nisha Kumar <[email protected]>
Sent: Friday, August 9, 2024 7:40 PM
To: Vishal Goyal <[email protected]>; [email protected]
Subject: Re: [spdx-tech] Validating Build SBOM in SPDX Format #spdx



Hi Vishal,

Most probably the difference comes from transitive dependencies pulled in 
during the build. Your pom.xml doesn't include those.

nisha
On 8/5/24 09:08, Vishal Goyal via lists.spdx.org wrote:
All,

I am looking for some help and guidance from experts on how to validate build 
SBOMs and check for any false positives.

I have used this Maven plugin to generate an SPDX format build SBOM for an open 
source Java project (https://github.com/wmichalska/CreditManager):

https://github.com/spdx/spdx-maven-plugin

The build SBOM has around 120 lines. For the same codebase, I generated an SBOM by 
doing a source code scan; this has 10 lines.
Can someone please advise how to validate the build SBOM?

Thanks,
Vishal.


