Hi Vicky

We also have a nice website https://oss-compliance-tooling.org/
Perhaps this is better suited for getting an overview

Ciao
Oliver

From: [email protected] <[email protected]> On Behalf Of Michael Dolan via lists.spdx.org
Sent: Thursday, 18 November 2021 16:07
To: [email protected]
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?

You may also want to look at the SLSA framework.

https://slsa.dev/levels

---
Mike Dolan
The Linux Foundation
Office: +1.330.460.3250   Cell: +1.440.552.5322
[email protected]
---


On Thu, Nov 18, 2021 at 10:03 AM VM (Vicky) Brasseur via lists.spdx.org <[email protected]> wrote:
Yessssss…

It’ll take a while to get through it all, but this will be very helpful for us. 
Many thanks, Steve and Tooling Group Team!

--V

--
VM (Vicky) Brasseur
Director, Senior Strategy Advisor
Open Source Program Office
Wipro Limited
Time Zone: Pacific/West Coast US


From: <[email protected]> on behalf of "Steve Kilbane via lists.spdx.org" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, November 18, 2021 at 01:28
To: "[email protected]" <[email protected]>
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?



Hi Vicky,

There's been some great work in the OSS Compliance Tooling Group which 
addresses this – if you're asking what I think you're asking. See:

https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape

(it is, however, restricted to FOSS tools, given the charter of the group, but 
the taxonomy in CapabilityMap is generally applicable.)

steve

From: [email protected] <[email protected]> On Behalf Of Kate Stewart
Sent: 17 November 2021 22:35
To: SPDX-general <[email protected]>
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?


There's been some industry-wide agreement on the taxonomy to use to classify tools here:
https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf
I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy.

We've been collecting the tools we're aware of that work with SPDX, and grouped them within the taxonomy here:
http://tiny.cc/SPDX

It is open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment. Jack's done a great job in moving what we've got in that document to our website.

Long term solution here is to move this collection to SPDX's github and 
generate automatically via a landscape onto the web pages, but that's a WIP 
that Sebastian's helping us make real.

That help?

Kate

On Wed, Nov 17, 2021 at 3:33 PM VM (Vicky) Brasseur via lists.spdx.org <[email protected]> wrote:
A taxonomy of this SSC ecosystem. I would like to have one, plz&thx.

For instance, looking at this (very much work in progress, just noodling about 
as I think about things) picture, those items in each of those long lists 
aren’t equivalent. They fall into different categories of functionality and 
come into play at different stages.

Those categories/stages are the taxonomy I’m hoping someone else has already 
created and published under a FOSS license so we can all play along at home. 😊

My web searches aren’t turning anything up on this one. Do any of you know 
whether this exists already?

--V

--
VM (Vicky) Brasseur
Director, Senior Strategy Advisor
Open Source Program Office
Wipro Limited
Time Zone: Pacific/West Coast US

'The information contained in this electronic message and any attachments to 
this message are intended for the exclusive use of the addressee(s) and may 
contain proprietary, confidential or privileged information. If you are not the 
intended recipient, you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately and destroy all copies of this message and 
any attachments. WARNING: Computer viruses can be transmitted via email. The 
recipient should check this email and any attachments for the presence of 
viruses. The company accepts no liability for any damage caused by any virus 
transmitted by this email. 
www.wipro.com'



View/Reply Online (#1478): https://lists.spdx.org/g/spdx/message/1478