You may also want to look at the SLSA framework. https://slsa.dev/levels
---
Mike Dolan
The Linux Foundation
Office: +1.330.460.3250
Cell: +1.440.552.5322
[email protected]
---

On Thu, Nov 18, 2021 at 10:03 AM VM (Vicky) Brasseur via lists.spdx.org <[email protected]> wrote:
> Yessssss…
>
> It’ll take a while to get through it all, but this will be very helpful for us. Many thanks, Steve and Tooling Group Team!
>
> --V
>
> --
> VM (Vicky) Brasseur
> Director, Senior Strategy Advisor
> Open Source Program Office
> Wipro Limited
> Time Zone: Pacific/West Coast US
>
> *From: *<[email protected]> on behalf of "Steve Kilbane via lists.spdx.org" <[email protected]>
> *Reply-To: *"[email protected]" <[email protected]>
> *Date: *Thursday, November 18, 2021 at 01:28
> *To: *"[email protected]" <[email protected]>
> *Subject: *Re: [spdx] Taxonomy of software supply chain ecosystem?
>
> Hi Vicky,
>
> There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:
>
> https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape
>
> (it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)
>
> steve
>
> *From:* [email protected] <[email protected]> *On Behalf Of *Kate Stewart
> *Sent:* 17 November 2021 22:35
> *To:* SPDX-general <[email protected]>
> *Subject:* Re: [spdx] Taxonomy of software supply chain ecosystem?
>
> There's been some industry-wide agreement on the taxonomy to use to classify tools here:
> https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf
> I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy.
>
> We've been collecting the tools we're aware of that work with SPDX, and grouped within the taxonomy here: http://tiny.cc/SPDX
>
> Which is open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment.
> Jack's done a great job in moving what we've got in that document to our website.
>
> Long term solution here is to move this collection to SPDX's github and generate automatically via a landscape onto the web pages, but that's a WIP that Sebastian's helping us make real.
>
> That help?
>
> Kate
>
> On Wed, Nov 17, 2021 at 3:33 PM VM (Vicky) Brasseur via lists.spdx.org <[email protected]> wrote:
>
> A taxonomy of this SSC ecosystem. I would like to have one, plz&thx.
>
> For instance, looking at this (very much work in progress, just noodling about as I think about things) picture, those items in each of those long lists aren’t equivalent. They fall into different categories of functionality and come into play at different stages.
>
> Those categories/stages are the taxonomy I’m hoping someone else has already created and published under a FOSS license so we can all play along at home. 😊
>
> My web searches aren’t turning anything up on this one. Do any of you know whether this exists already?
>
> --V
>
> --
> VM (Vicky) Brasseur
> Director, Senior Strategy Advisor
> Open Source Program Office
> Wipro Limited
> Time Zone: Pacific/West Coast US
>
> 'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information.
> If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'
View/Reply Online (#1477): https://lists.spdx.org/g/spdx/message/1477
