Steve,

 

SBOMs are created to serve a purpose; for example, some SBOMs are used for
license management, some are used for dependency tracking, and the one I'm
most familiar with is an SBOM used by a software consumer in a software risk
assessment.

 

In the risk assessment case it's imperative that the SBOM describe the
contents of a software package used for installation and execution in a
consumer's digital ecosystem. Data in this SBOM, i.e. component names and
versions, is more compatible with vulnerability databases when searching for
CVEs filed against component software; Log4j is a good example.

 

I can't speak to SBOMs used for other purposes.

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

 

Never trust software, always verify and report!
<https://reliableenergyanalytics.com/products>

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

 

From: [email protected] <[email protected]> On Behalf Of Steve Kilbane
Sent: Thursday, December 1, 2022 6:20 AM
To: [email protected]
Subject: [spdx] SPDX creation phase

 

Hi all,

 

One of the suggestions in today's call for the OpenChain Telco SIG, where
we're discussing proposals for an SBOM standard for the Telecommunications
industry, was:

 

> SBOMs conforming to the Telco SBOM Specification need to contain the
> information when the SBOM was created in the "Created" SPDX field and at
> what phase of the software build it was created ("pre-build", "build-time"
> or "post-build") in the CreatorComment SPDX field.

 

(See https://github.com/OpenChain-Project/Telco-WG/pull/15)

 

I raised a concern about ambiguity here, in that your application may be
built from libraries that are built at an earlier stage, so the SBOM
information may be created after some components are built, but before
others. A recipient of the SBOM might also interpret each of these three
phrases differently from the creator of the SBOM. I recall hearing that
there have been conversations about many different SBOMs according to phase
(source SBOM, build SBOM, deploy SBOM, cloud SBOM, etc.), so I wondered
whether there was advice that the Telco SIG could lean upon, rather than
trying to formulate a solution when it's already a solved problem.

 

Apologies if this isn't the right group.

 

steve
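Both points in this thread can be checked mechanically against an SPDX 2.x tag-value document: the proposed Telco SIG rule that the "Created" field and a build phase in "CreatorComment" be present, and the consumer-side need (Dick's point) for component names and versions to match against vulnerability records. The following is an added example, not code from the thread, the SPDX project or the OpenChain Telco WG; the SBOM text is constructed, and the phase-detection heuristic (exactly one of the three proposed phrases must appear in CreatorComment) is an assumption, chosen so that a comment mixing phases, the ambiguity Steve raises, fails the check rather than passing silently.

```python
import re
# Constructed SPDX 2.x tag-value excerpt (not taken from the thread).
SAMPLE_SBOM = """\
SPDXID: SPDXRef-DOCUMENT
Creator: Tool: example-sbom-tool-1.0
Created: 2022-12-01T06:20:00Z
CreatorComment: <text>Phase: build-time</text>
PackageName: log4j-core
PackageVersion: 2.17.1
PackageName: example-app
PackageVersion: 1.4.0
"""
# Constructed comment of the kind Steve worries about: it names two phases at once.
AMBIGUOUS_SBOM = SAMPLE_SBOM.replace("Phase: build-time", "post-build app, pre-build libraries")
PHASES = ("pre-build", "build-time", "post-build")  # phrases from the Telco SIG proposal
CREATED_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")  # form SPDX 2.x mandates

def parse_tag_value(text):
    """Return (tag, value) pairs, unwrapping single-line <text>...</text> values."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if m:
            value = re.sub(r"^<text>(.*)</text>$", r"\1", m.group(2).strip())
            pairs.append((m.group(1), value))
    return pairs

def check_creation_phase(text):
    """Apply the proposed rule; returns (created, phase, problems), phase None unless unambiguous."""
    pairs = parse_tag_value(text)
    created = next((v for t, v in pairs if t == "Created"), None)
    comment = next((v for t, v in pairs if t == "CreatorComment"), None)
    problems = []
    if not CREATED_RE.match(created or ""):
        problems.append("Created missing or not a YYYY-MM-DDThh:mm:ssZ timestamp")
    found = [p for p in PHASES if p in (comment or "").lower()]
    phase = found[0] if len(found) == 1 else None  # zero or several matches is a failure
    if phase is None:
        problems.append("CreatorComment must name exactly one of: " + ", ".join(PHASES))
    return created, phase, problems

def package_inventory(text):
    """Collect (PackageName, PackageVersion) pairs, the data matched against CVE records."""
    packages = []
    for tag, value in parse_tag_value(text):
        if tag == "PackageName":
            packages.append([value, None])
        elif tag == "PackageVersion" and packages:
            packages[-1][1] = value
    return [tuple(p) for p in packages]
```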

 

View/Reply Online (#1602): https://lists.spdx.org/g/spdx/message/1602