I don’t know.

L Philip Odence
GM Black Duck Audits
Synopsys

________________________________
From: [email protected] <[email protected]> on behalf of Dick Brooks <[email protected]>
Sent: Tuesday, January 9, 2024 4:50:21 PM
To: [email protected] <[email protected]>
Subject: Re: [spdx] Thursday SPDX General Meeting Reminder
Phil,

Do you know if the presenter plans to show example SBOM and VEX artifacts that Dell is currently producing and distributing to customers today?

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report!™ (https://reliableenergyanalytics.com/products)
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Phil Odence via lists.spdx.org
Sent: Tuesday, January 9, 2024 4:13 PM
To: SPDX-general <[email protected]>
Subject: [spdx] Thursday SPDX General Meeting Reminder

A reminder that the General Meeting was pushed to this Thursday, Jan 11, at the normal 11am EST time.

Note: I have not gotten the Dec minutes up on GH yet but have included them at the bottom of this email.

Announcement: The Feb meeting, normally scheduled for Feb 1, will be pushed to Feb 8th. As Rose pointed out, we will likely not be able to cancel the Feb 1 instance but will send out an invitation for Feb 8. Please save the date.
This Thursday’s special presentation:

* Software Bill of Materials (SBOM) and Vulnerability Exploitability Exchange (VEX)
* In this presentation, Aditi Sharma of Dell will delve into crucial touchpoints concerning Software Bill of Materials (SBOM), emphasizing foundational elements essential for the success of SBOM. Additionally, she will discuss the relevance of Vulnerability Exploitability Exchange and meeting customer needs.
* Aditi
* Aditi is a product security leader and Principal Technical Program Manager based in Austin, Texas, with a distinguished career spanning over 16 years. With a background in the automotive and telecom industries, she has garnered extensive experience in navigating complex technological landscapes. In her current role as Senior Advisor at Dell Technologies, Aditi specializes in Software Bill of Materials (SBOM) and Vulnerability Exploitability Exchange (VEX). She has played a critical role in meeting critical infrastructure requirements, ensuring compliance with the White House Executive Order (14028). Aditi excels in defining project scope, conducting threat modeling, and implementing best practices to fortify organizational security.
* Aditi holds a Bachelor of Engineering in Electrical and Electronics and is a Certified Scrum Product Owner. Her credentials include a GSLC certification from SANS and a Data Analytics & Visualization certification from UT Austin. Her technical expertise spans CRM and project management tools, programming languages, data analysis, and web development.
* Aditi enjoys travelling with her husband and 7-year-old son. In her free time, she loves dancing and spending time with family and friends.
Meeting Agenda:

Administrative Agenda
Attendance
Minutes Approval
Special Presentation - Aditi
Technical Team Report – Kate/Gary/Others
* Overview
* Specification and Profiles
* Core & Software
* Security
* Licensing
* Build
* Lite
* AI
* Dataset
* Functional Safety
* Canonicalization/Serialization
* Software as a Service
* Hardware
* Tooling + Implementers
Legal Team Report – Jilayne/Steve
Outreach/Website Team Report – Alexios/Bob
General Announcements

Meeting Time: First Thursday of every month, 8am PT / 10 am CT / 11am ET / 15:00 UTC.
http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Join the meeting: https://meet.jit.si/SPDXGeneralMeeting
To join by phone instead, tap this: +1.512.647.1431,,1310118349#
Looking for a different dial-in number?
See meeting dial-in numbers: https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting
If also dialing in through a room phone, join without connecting to audio: https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes

# SPDX General Meeting Minutes - December 7th, 2023

## Administrative

* Led by Rose Judge
* Minutes from last meeting to approve: https://github.com/spdx/meetings/pull/570

## Attendees (23)

* Aditi Sharma
* Alex Stewart
* Alexios Zavras
* Alfred L Strauch
* Brad Goldring
* Dick Brooks
* Jacob Wilson
* Jim Vitrano
* Joe Bussell
* Joshua Watt
* Karen Bennet
* Karsten Klein
* Mark Atwood (Amazon.com)
* Maximilian Huber
* Madhuri Padmanabhan
* Michael Herzog
* Mike McDonel
* Nicole Pappler
* Phil Odence
* Rita Farrell Schalnat
* Rose Judge
* Shalini Batra
* Steven Carbno

## Presentation: Enhancing Security, Transparency and Traceability in AI and Dataset Systems with SBOM

* Presenter: Karen Bennet
* https://docs.google.com/presentation/d/1n4ntGrRDoEDtk5kxjWSn0jbT8Fq9q4pXsu-a-oAOQYQ/edit#slide=id.g29fd1974863_0_0
* Working on the AI and Dataset profiles in SPDX
* Lots of AI regulations coming down the pipeline
* There aren't many rules around AI right now
* Over 300 standards on AI - too much to put together
* ISO/IEC 23894 - a new standard for risk management of AI
* IEEE, ISO, EU Act, NIST standards all requiring an SBOM document be put in place
* EU Act audit of LLMs available at the time
* Many issues exist even when comparing to one standard across most of the existing state-of-the-art AI models
* None available that would pass the EU Act
* Code is a combination of the model, software and data. Models need to be trained on a set of data
* An AI system SBOM will contain info about models (complex systems) and training data
* Why not use fact sheets or model cards? Neither is the full set that needs to be put in place based on where we need to get to.
* There's a divide in which companies are supporting fact sheets or model cards
* Little documentation
* Two profiles for SPDX: AI and Dataset
* AI Profile - combination of fields that describe the AI and the model and the software associated with it
* 15 fields added (can be found in the model repo: https://github.com/spdx/spdx-3-model/tree/main/model/AI)
* Dataset profile - information about a dataset used to test/train a model
* 13 fields added (can be found in the model repo: https://github.com/spdx/spdx-3-model/tree/main/model/Dataset)
* OpenDataology - over 37k data files that SBOMs have been created for
* Databases for AI-specific vulnerabilities that have started to materialize - AVID, OWASP 0.5, AIAAIC
* AI security threats
  * Data poisoning attacks, adversarial attacks, model stealing, privacy concerns, overfitting and generalization issues
  * Similar to software but more intense
* Working with open source models and datasets, trying to get them to use SBOMs (Kaggle, GitHub, Hugging Face, Open Data Registry, Pile - to name a few)
* Pile - over 200 documents that are all included in it being used in the training data for LLM models; no longer a 1:1 mapping of data and training. The Pile in some of these datasets has copyright infringement.
* Over 70% of datasets have no license data - licensing on data needs a lot of work
* Always looking for more feedback - join our meetings today: https://github.com/spdx/meetings#ai-and-data-profiles-group-meetings

## Tech Team Report - Kate/Gary/William

* Core & Software Profiles - Gary/Kate/William
  * Resolved several issues related to relationships
  * Generating website documentation [https://spdx3.licquia.org]
  * Working through remaining issues, targeting to get the -rc2 tag added
  * Forming a new team to work on "operations" related information as part of SPDX 3.1 - those interested in topics like export control, etc. are welcome to join by subscribing to the mailing list at: https://lists.spdx.org/g/spdx-operations. Formation discussions are ongoing, and more details will be announced in January
  * Help requests:
    * Look at draft website documentation, and submit PRs to fill in any TODOs spotted.
    * If you work on a tool - FOSDEM SBOM Devroom CFP is open - please submit talks about tooling, etc. by December 8.
* Security Profile - Jeff/Rose
  * Paused meetings until the new year
  * Topic for next meeting: brainstorm on upcoming topics for the security profile in future releases
* Licensing Profile - Steve
  * Focused on how to align this profile with the information in the SPDX license list
* Build Profile - Brandon/Nisha
  * No update
* Lite Profile - Ito/Ninjouji/Asaba/Kobota
  * Lite profile has been submitted for review
* AI Profile - Karen/Gopi
  * Licensing properties have been updated to relationships
  * Demonstration of automating use case generation; next target is BloomBot, working with an Indiana University PhD student
  * Meetings paused until the new year
* Dataset Profile - Karen/Gopi
  * Licensing properties have been updated to relationships in the spec.
  * Survey from the Data Provenance working group of 1,800 open data licenses audited - 70% are missing (see Data Provenance Collection)
* Functional Safety - Nicole/Kate
  * Demonstration of BASIL, a requirement traceability tool open sourced by Red Hat into ELISA, that provides requirement-to-code-to-test traceability and is able to export/import SPDX.
* Canonicalization / Serialization - Max/Gary
  * All issues for RC2 have been resolved
  * Experimenting with tooling to validate the serialization formats
  * After RC2, we will discuss additional "lighter" serializations
* Software as a Service – Gary
  * Initial use case focus has been agreed upon
  * Next step is to flesh out the use case steps and define the model changes
* Hardware - Kate
  * Working on virtual hardware extensions, beyond initial CISA work
* Implementers - Rose
  * Bringing awareness to SPDX tooling in the OpenSSF ecosystem

## Legal Team Update - Jilayne/Steve

* Trying to get caught up on issues by the end of the year - will send an email with an updated list to the legal mailing list soon, but help is always appreciated
* Will have an update on the data license change proposal soon

## Outreach Team Update - Alexios/Bob

* FOSDEM submissions deadline tomorrow
* Working on tool inclusion criteria

## General Announcements

* New "Operations" working group is kicking off soon. This working group is focused on the additional information that an organization may wish to associate with a package, for effective management of these artifacts within business operations. Operations information may be associated with proprietary as well as open source packages, and need not be released outside of an organization. This information is intended to aid management of internal policies for such topics as export control, etc.
  * Subscribe to the mailing list if interested - [email protected] - and visit https://lists.spdx.org/g/spdx-operations to learn more
* The January SPDX General call will happen on January 11th (instead of the regular first Thursday, January 4th) to accommodate the new year holiday.
