SlideShare a Scribd company logo

SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX

South Tyrol Free Software Conference
South Tyrol Free Software Conference

Software Bill of Materials (SBOMs) are rapidly becoming increasingly important in the software supply chain. Software Package Data Exchange (SPDX) is a freely available ISO standard that defines the way of communicating information about software components. It includes, but is not limited to, metadata such as name and version, but also licensing and security information. In this talk, we will present the latest updates from the ever-changing landscape of SBOMs and SPDX, focusing in real-world use cases. Familiarity with the concepts will not be assumed, as they will be briefly explained.

Technology
1 of 17
Download to read offline
SBOM and SPDXv3 Update November 2023 Alexios Zavras
Generate SBOMS when the data is known Source SBOM Build SBOM Deployed SBOM Runtime SBOM Design SBOM
Managing set of relevant items with SBOMs Design SBOM Functional Safety Management (Plans) and Safety Concept Source SBOM Requirements, Design, Safety Analysis, Source Code, Test Cases Build SBOM Build Framework, Build configuration and environment data, Test Framework, Executable, Test Reports Deploy SBOM Deployed configuration and environment data, Hardware architecture specific information and data, deployment tests and reports Runtime SBOM Runtime relevant data (configuration data), training data, error logging data
The road to SPDX 3.0 2010 2011 2012 2013 2015 2021 2022 2023 Standardized Single Package Information: Machine and human readable formats Compliance Use Cases: Additional Project and License Information Package Relationships: 30+ additional use cases supported for complex packaging and distribution scenarios Security use cases: External references for vulnerabilities and product identification ISO Standard Profiles: Support several new areas of use cases without increasing the complexity (e.g. Build, Defects, AI, Data) Format Interoperability
Why SPDX 3.0? ● Interest in SPDX for additional scenarios and use cases ○ Supporting security and safety critical application compliance requirements ○ AI/ML and datasets increasing need for transparency ○ Software Build provenance ● Simplify ○ Profiles ○ Remove confusing names ○ Reorganize and enable general SBOM use cases with minimum overhead ● Flexibility ○ Designed for online access ○ Can communicate a single element ○ Support optional inclusion properties for specific profiles ○ Enhanced relationship structure
SPDX 3.0 Specification Infrastructure ● Specification is being transformed into markdown describing ○ Classes, Properties, Enumerations ○ Metadata (type and cardinality) and description for each element ○ Automatically generate schema from this version (for JSON, RDF, XML, etc.) as well as web and print editions ● Profiles can add their own Classes and Properties and may also restrict other profiles (e.g. values, cardinalities, etc) ● See https://github.com/spdx/spdx-3-model
External Document Reference Changes SPDX 2.3 SPDX 3.0 SPDX Document ExternalDocumentRef SPDX Document SPDX Document Element Element Element Element SPDX Document ElementCollection Namespace Map Element Element Element
SPDX Profiles
Introducing SPDX Profiles Profile Conformance Is the SPDX creator asserting the data is there for my use case? Profile Name Space Where’s the spec I’m interested in? Profile Workgroup How can I contribute?
Core Profile Overview ● Defines foundational concepts which are the basis for all SPDX 3.0 profiles
Software Profile Overview ● Defines concepts related to software artifacts ● Introduces and supports CISA SBOM Types ○ Design/Source/Build/Deployed/Runtime/Analyzed https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf
Licensing Profile Overview ● Split into two separate profiles with different ways to represent license expressions: ○ SimpleLicensing: via SPDX License Expression syntax strings ○ ExpandedLicensing: via object model corresponding to each license component ● License model ○ includes those previously defined in SPDX 2.3, as well as SPDX License List fields ○ represents Licenses, License Exceptions, and the data model for license combinations (AND, OR, WITH, +) ○ now with License Additions (custom text for right side of WITH expressions) ● Relationships for Licensing-related metadata ○ conceptually similar to SPDX 2.3 ○ now structured as SPDX Relationships rather than properties ○ enables one SPDX data creator to define the software artifacts, and others to later specify their conclusions as to licenses by reference to the same artifacts
Captures security-related metadata specific to a piece of software Security Profile Overview ● Security profile v3.0 properties and relationships support vulnerability management. ○ discovery & disclosure: Communicate the vulnerabilities found by person (auditor/researcher), tool, or organization in a particular piece of software, e.g. CVE ○ severity: Communicate severity and rank vulnerabilities in a specific piece of software using industry standardized methods, e.g. CVSS ○ risk: Communicate how a vulnerability affects a specific piece of software, e.g., EPSS, VEX ○ remediation: Communicate how a vulnerability may be addressed or has already been addressed for a particular piece of software ● Security assurances for software integrity and other secure SDL activities are also supported in SPDX 3.0
AI & Data Profile Overview A profile that adds on top of the Core and Software profiles to describe AI-specific elements that will enable transparency and traceability of both components and processes. A profile that adds on top of the Core and Software profiles to describe the datasets that are used to train or test an AI software. Similar to AI profile, it captures both components and processes – also provenance and lineage.
More to come… Profiles Beyond SPDX 3.0 ● Software as a Service ○ Profile team has been active for about 3 months ○ Tracking the CISA workgroup ● Safety ○ We’re realizing that we already have in 3.0 most of what we need ● Hardware ○ Safety Standards expect to know “system” that software is running on ○ Potential participants include RISC-V & ARM core adopters, Chips Alliance Members and Board Manufacturers
Participate! ● Teams ● Technical ● Legal ● Outreach ● Profile groups ● Mailing lists ● Meetings ● GitHub
Thank you! Questions?

Recommended

OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0Shane Coughlan
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSahithi Naraparaju
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
Project Deliverable 5 Network Infrastructure and SecurityDu
Project Deliverable 5 Network Infrastructure and SecurityDuProject Deliverable 5 Network Infrastructure and SecurityDu
Project Deliverable 5 Network Infrastructure and SecurityDudavieec5f
 
Project Deliverable 5 Network Infrastructure and SecurityDue We.docx
Project Deliverable 5 Network Infrastructure and SecurityDue We.docxProject Deliverable 5 Network Infrastructure and SecurityDue We.docx
Project Deliverable 5 Network Infrastructure and SecurityDue We.docxdenneymargareta
 
Open Cybersecurity Alliance Briefing at RSAC 2020
Open Cybersecurity Alliance Briefing at RSAC 2020Open Cybersecurity Alliance Briefing at RSAC 2020
Open Cybersecurity Alliance Briefing at RSAC 2020Carol Geyer
 
System analysis and design
System analysis and designSystem analysis and design
System analysis and designRobinsonObura
 
Sector Cloudcom Tutorial
Sector Cloudcom TutorialSector Cloudcom Tutorial
Sector Cloudcom Tutoriallilyco
 

Recommended

OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0Shane Coughlan
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSahithi Naraparaju
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
Project Deliverable 5 Network Infrastructure and SecurityDu
Project Deliverable 5 Network Infrastructure and SecurityDuProject Deliverable 5 Network Infrastructure and SecurityDu
Project Deliverable 5 Network Infrastructure and SecurityDudavieec5f
 
Project Deliverable 5 Network Infrastructure and SecurityDue We.docx
Project Deliverable 5 Network Infrastructure and SecurityDue We.docxProject Deliverable 5 Network Infrastructure and SecurityDue We.docx
Project Deliverable 5 Network Infrastructure and SecurityDue We.docxdenneymargareta
 
Open Cybersecurity Alliance Briefing at RSAC 2020
Open Cybersecurity Alliance Briefing at RSAC 2020Open Cybersecurity Alliance Briefing at RSAC 2020
Open Cybersecurity Alliance Briefing at RSAC 2020Carol Geyer
 
System analysis and design
System analysis and designSystem analysis and design
System analysis and designRobinsonObura
 
Sector Cloudcom Tutorial
Sector Cloudcom TutorialSector Cloudcom Tutorial
Sector Cloudcom Tutoriallilyco
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)Thierry Gayet
 
Azure presentation nnug dec 2010
Azure presentation nnug dec 2010Azure presentation nnug dec 2010
Azure presentation nnug dec 2010Ethos Technologies
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Toolsn|u - The Open Security Community
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
Project Deliverable 5 Infrastructure and SecurityThis assignm.docx
Project Deliverable 5 Infrastructure and SecurityThis assignm.docxProject Deliverable 5 Infrastructure and SecurityThis assignm.docx
Project Deliverable 5 Infrastructure and SecurityThis assignm.docxwkyra78
 
Project department of defense (do d) ready purposethis cours
Project department of defense (do d) ready purposethis coursProject department of defense (do d) ready purposethis cours
Project department of defense (do d) ready purposethis coursSAHIL781034
 
Software requirement specification
Software requirement specificationSoftware requirement specification
Software requirement specificationshiprashakya2
 
Designing for Privacy in AWS cloud
Designing for Privacy in AWS cloudDesigning for Privacy in AWS cloud
Designing for Privacy in AWS cloudKrzysztof Kąkol
 
Cloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloadsCloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloadsAsaf Nakash
 
Cisco SecureX.pdf
Cisco SecureX.pdfCisco SecureX.pdf
Cisco SecureX.pdfWildhaniIhyaraRahman1
 
SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...
SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...
SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...South Tyrol Free Software Conference
 
SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...
SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...
SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...South Tyrol Free Software Conference
 
SFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data Hub
SFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data HubSFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data Hub
SFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data HubSouth Tyrol Free Software Conference
 
SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...
SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...
SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...South Tyrol Free Software Conference
 
SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...
SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...
SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...South Tyrol Free Software Conference
 
SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...
SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...
SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...South Tyrol Free Software Conference
 
SFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelines
SFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelinesSFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelines
SFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelinesSouth Tyrol Free Software Conference
 
SFSCON23 - Christian Busse - Free Software and Open Science
SFSCON23 - Christian Busse - Free Software and Open ScienceSFSCON23 - Christian Busse - Free Software and Open Science
SFSCON23 - Christian Busse - Free Software and Open ScienceSouth Tyrol Free Software Conference
 
SFSCON23 - Charles H. Schulz - Why open digital infrastructure matters
SFSCON23 - Charles H. Schulz - Why open digital infrastructure mattersSFSCON23 - Charles H. Schulz - Why open digital infrastructure matters
SFSCON23 - Charles H. Schulz - Why open digital infrastructure mattersSouth Tyrol Free Software Conference
 
SFSCON23 - Andrea Vianello - Achieving FAIRness with EDP-portal
SFSCON23 - Andrea Vianello - Achieving FAIRness with EDP-portalSFSCON23 - Andrea Vianello - Achieving FAIRness with EDP-portal
SFSCON23 - Andrea Vianello - Achieving FAIRness with EDP-portalSouth Tyrol Free Software Conference
 
SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...
SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...
SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...South Tyrol Free Software Conference
 

More Related Content

Similar to SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX

Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)Thierry Gayet
 
Azure presentation nnug dec 2010
Azure presentation nnug dec 2010Azure presentation nnug dec 2010
Azure presentation nnug dec 2010Ethos Technologies
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
Project Deliverable 5 Infrastructure and SecurityThis assignm.docx
Project Deliverable 5 Infrastructure and SecurityThis assignm.docxProject Deliverable 5 Infrastructure and SecurityThis assignm.docx
Project Deliverable 5 Infrastructure and SecurityThis assignm.docxwkyra78
 
Project department of defense (do d) ready purposethis cours
Project department of defense (do d) ready purposethis coursProject department of defense (do d) ready purposethis cours
Project department of defense (do d) ready purposethis coursSAHIL781034
 
Software requirement specification
Software requirement specificationSoftware requirement specification
Software requirement specificationshiprashakya2
 
Designing for Privacy in AWS cloud
Designing for Privacy in AWS cloudDesigning for Privacy in AWS cloud
Designing for Privacy in AWS cloudKrzysztof Kąkol
 
Cloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloadsCloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloadsAsaf Nakash
 

Similar to SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX (11)

Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development Lifecycle
 
Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)Generating SBOMS FROM FOSS (Detecting OSS licences)
Generating SBOMS FROM FOSS (Detecting OSS licences)
 
Azure presentation nnug dec 2010
Azure presentation nnug dec 2010Azure presentation nnug dec 2010
Azure presentation nnug dec 2010
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
Project Deliverable 5 Infrastructure and SecurityThis assignm.docx
Project Deliverable 5 Infrastructure and SecurityThis assignm.docxProject Deliverable 5 Infrastructure and SecurityThis assignm.docx
Project Deliverable 5 Infrastructure and SecurityThis assignm.docx
 
Project department of defense (do d) ready purposethis cours
Project department of defense (do d) ready purposethis coursProject department of defense (do d) ready purposethis cours
Project department of defense (do d) ready purposethis cours
 
Software requirement specification
Software requirement specificationSoftware requirement specification
Software requirement specification
 
Designing for Privacy in AWS cloud
Designing for Privacy in AWS cloudDesigning for Privacy in AWS cloud
Designing for Privacy in AWS cloud
 
Cloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloadsCloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloads
 
Cisco SecureX.pdf
Cisco SecureX.pdfCisco SecureX.pdf
Cisco SecureX.pdf
 

More from South Tyrol Free Software Conference

SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...
SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...
SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...South Tyrol Free Software Conference
 
SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...
SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...
SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...South Tyrol Free Software Conference
 
SFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data Hub
SFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data HubSFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data Hub
SFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data HubSouth Tyrol Free Software Conference
 
SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...
SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...
SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...South Tyrol Free Software Conference
 
SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...
SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...
SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...South Tyrol Free Software Conference
 
SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...
SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...
SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...South Tyrol Free Software Conference
 
SFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelines
SFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelinesSFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelines
SFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelinesSouth Tyrol Free Software Conference
 
SFSCON23 - Charles H. Schulz - Why open digital infrastructure matters
SFSCON23 - Charles H. Schulz - Why open digital infrastructure mattersSFSCON23 - Charles H. Schulz - Why open digital infrastructure matters
SFSCON23 - Charles H. Schulz - Why open digital infrastructure mattersSouth Tyrol Free Software Conference
 
SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...
SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...
SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...South Tyrol Free Software Conference
 
SFSCON23 - Mirko Boehm - European regulators cast their eyes on maturing OSS ...
SFSCON23 - Mirko Boehm - European regulators cast their eyes on maturing OSS ...SFSCON23 - Mirko Boehm - European regulators cast their eyes on maturing OSS ...
SFSCON23 - Mirko Boehm - European regulators cast their eyes on maturing OSS ...South Tyrol Free Software Conference
 
SFSCON23 - Marco Pavanelli - Monitoring the fleet of Sasa with free software
SFSCON23 - Marco Pavanelli - Monitoring the fleet of Sasa with free softwareSFSCON23 - Marco Pavanelli - Monitoring the fleet of Sasa with free software
SFSCON23 - Marco Pavanelli - Monitoring the fleet of Sasa with free softwareSouth Tyrol Free Software Conference
 
SFSCON23 - Marco Cortella - KNOWAGE and AICS for 2030 agenda SDG goals monito...
SFSCON23 - Marco Cortella - KNOWAGE and AICS for 2030 agenda SDG goals monito...SFSCON23 - Marco Cortella - KNOWAGE and AICS for 2030 agenda SDG goals monito...
SFSCON23 - Marco Cortella - KNOWAGE and AICS for 2030 agenda SDG goals monito...South Tyrol Free Software Conference
 
SFSCON23 - Lina Ceballos - Interoperable Europe Act - A real game changer
SFSCON23 - Lina Ceballos - Interoperable Europe Act - A real game changerSFSCON23 - Lina Ceballos - Interoperable Europe Act - A real game changer
SFSCON23 - Lina Ceballos - Interoperable Europe Act - A real game changerSouth Tyrol Free Software Conference
 
SFSCON23 - Johannes Näder Linus Sehn - Let’s monitor implementation of Free S...
SFSCON23 - Johannes Näder Linus Sehn - Let’s monitor implementation of Free S...SFSCON23 - Johannes Näder Linus Sehn - Let’s monitor implementation of Free S...
SFSCON23 - Johannes Näder Linus Sehn - Let’s monitor implementation of Free S...South Tyrol Free Software Conference
 
SFSCON23 - Gabriel Ku Wei Bin - Why Do We Need A Next Generation Internet
SFSCON23 - Gabriel Ku Wei Bin - Why Do We Need A Next Generation InternetSFSCON23 - Gabriel Ku Wei Bin - Why Do We Need A Next Generation Internet
SFSCON23 - Gabriel Ku Wei Bin - Why Do We Need A Next Generation InternetSouth Tyrol Free Software Conference
 
SFSCON23 - Davide Vernassa - Empowering Insights Unveiling the latest innova...
SFSCON23 - Davide Vernassa - Empowering Insights Unveiling the latest innova...SFSCON23 - Davide Vernassa - Empowering Insights Unveiling the latest innova...
SFSCON23 - Davide Vernassa - Empowering Insights Unveiling the latest innova...South Tyrol Free Software Conference
 

More from South Tyrol Free Software Conference (20)

SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...
SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...
SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...
 
SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...
SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...
SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...
 
SFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data Hub
SFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data HubSFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data Hub
SFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data Hub
 
SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...
SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...
SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...
 
SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...
SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...
SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...
 
SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...
SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...
SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...
 
SFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelines
SFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelinesSFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelines
SFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelines
 
SFSCON23 - Christian Busse - Free Software and Open Science
SFSCON23 - Christian Busse - Free Software and Open ScienceSFSCON23 - Christian Busse - Free Software and Open Science
SFSCON23 - Christian Busse - Free Software and Open Science
 
SFSCON23 - Charles H. Schulz - Why open digital infrastructure matters
SFSCON23 - Charles H. Schulz - Why open digital infrastructure mattersSFSCON23 - Charles H. Schulz - Why open digital infrastructure matters
SFSCON23 - Charles H. Schulz - Why open digital infrastructure matters
 
SFSCON23 - Andrea Vianello - Achieving FAIRness with EDP-portal
SFSCON23 - Andrea Vianello - Achieving FAIRness with EDP-portalSFSCON23 - Andrea Vianello - Achieving FAIRness with EDP-portal
SFSCON23 - Andrea Vianello - Achieving FAIRness with EDP-portal
 
SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...
SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...
SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...
 
SFSCON23 - Stefan Mutschlechner - Smart Werke Meran
SFSCON23 - Stefan Mutschlechner - Smart Werke MeranSFSCON23 - Stefan Mutschlechner - Smart Werke Meran
SFSCON23 - Stefan Mutschlechner - Smart Werke Meran
 
SFSCON23 - Mirko Boehm - European regulators cast their eyes on maturing OSS ...
SFSCON23 - Mirko Boehm - European regulators cast their eyes on maturing OSS ...SFSCON23 - Mirko Boehm - European regulators cast their eyes on maturing OSS ...
SFSCON23 - Mirko Boehm - European regulators cast their eyes on maturing OSS ...
 
SFSCON23 - Marco Pavanelli - Monitoring the fleet of Sasa with free software
SFSCON23 - Marco Pavanelli - Monitoring the fleet of Sasa with free softwareSFSCON23 - Marco Pavanelli - Monitoring the fleet of Sasa with free software
SFSCON23 - Marco Pavanelli - Monitoring the fleet of Sasa with free software
 
SFSCON23 - Marco Cortella - KNOWAGE and AICS for 2030 agenda SDG goals monito...
SFSCON23 - Marco Cortella - KNOWAGE and AICS for 2030 agenda SDG goals monito...SFSCON23 - Marco Cortella - KNOWAGE and AICS for 2030 agenda SDG goals monito...
SFSCON23 - Marco Cortella - KNOWAGE and AICS for 2030 agenda SDG goals monito...
 
SFSCON23 - Lina Ceballos - Interoperable Europe Act - A real game changer
SFSCON23 - Lina Ceballos - Interoperable Europe Act - A real game changerSFSCON23 - Lina Ceballos - Interoperable Europe Act - A real game changer
SFSCON23 - Lina Ceballos - Interoperable Europe Act - A real game changer
 
SFSCON23 - Johannes Näder Linus Sehn - Let’s monitor implementation of Free S...
SFSCON23 - Johannes Näder Linus Sehn - Let’s monitor implementation of Free S...SFSCON23 - Johannes Näder Linus Sehn - Let’s monitor implementation of Free S...
SFSCON23 - Johannes Näder Linus Sehn - Let’s monitor implementation of Free S...
 
SFSCON23 - Gabriel Ku Wei Bin - Why Do We Need A Next Generation Internet
SFSCON23 - Gabriel Ku Wei Bin - Why Do We Need A Next Generation InternetSFSCON23 - Gabriel Ku Wei Bin - Why Do We Need A Next Generation Internet
SFSCON23 - Gabriel Ku Wei Bin - Why Do We Need A Next Generation Internet
 
SFSCON23 - Edoardo Scepi - The Brand-New Version of IGis Maps
SFSCON23 - Edoardo Scepi - The Brand-New Version of IGis MapsSFSCON23 - Edoardo Scepi - The Brand-New Version of IGis Maps
SFSCON23 - Edoardo Scepi - The Brand-New Version of IGis Maps
 
SFSCON23 - Davide Vernassa - Empowering Insights Unveiling the latest innova...
SFSCON23 - Davide Vernassa - Empowering Insights Unveiling the latest innova...SFSCON23 - Davide Vernassa - Empowering Insights Unveiling the latest innova...
SFSCON23 - Davide Vernassa - Empowering Insights Unveiling the latest innova...
 

Recently uploaded

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX

  • 1. SBOM and SPDXv3 Update November 2023 Alexios Zavras
  • 2. Generate SBOMS when the data is known Source SBOM Build SBOM Deployed SBOM Runtime SBOM Design SBOM
  • 3. Managing set of relevant items with SBOMs Design SBOM Functional Safety Management (Plans) and Safety Concept Source SBOM Requirements, Design, Safety Analysis, Source Code, Test Cases Build SBOM Build Framework, Build configuration and environment data, Test Framework, Executable, Test Reports Deploy SBOM Deployed configuration and environment data, Hardware architecture specific information and data, deployment tests and reports Runtime SBOM Runtime relevant data (configuration data), training data, error logging data
  • 4. The road to SPDX 3.0 2010 2011 2012 2013 2015 2021 2022 2023 Standardized Single Package Information: Machine and human readable formats Compliance Use Cases: Additional Project and License Information Package Relationships: 30+ additional use cases supported for complex packaging and distribution scenarios Security use cases: External references for vulnerabilities and product identification ISO Standard Profiles: Support several new areas of use cases without increasing the complexity (e.g. Build, Defects, AI, Data) Format Interoperability
  • 5. Why SPDX 3.0? ● Interest in SPDX for additional scenarios and use cases ○ Supporting security and safety critical application compliance requirements ○ AI/ML and datasets increasing need for transparency ○ Software Build provenance ● Simplify ○ Profiles ○ Remove confusing names ○ Reorganize and enable general SBOM use cases with minimum overhead ● Flexibility ○ Designed for online access ○ Can communicate a single element ○ Support optional inclusion properties for specific profiles ○ Enhanced relationship structure
  • 6. SPDX 3.0 Specification Infrastructure ● Specification is being transformed into markdown describing ○ Classes, Properties, Enumerations ○ Metadata (type and cardinality) and description for each element ○ Automatically generate schema from this version (for JSON, RDF, XML, etc.) as well as web and print editions ● Profiles can add their own Classes and Properties and may also restrict other profiles (e.g. values, cardinalities, etc) ● See https://github.com/spdx/spdx-3-model
  • 7. External Document Reference Changes SPDX 2.3 SPDX 3.0 SPDX Document ExternalDocumentRef SPDX Document SPDX Document Element Element Element Element SPDX Document ElementCollection Namespace Map Element Element Element
  • 9. Introducing SPDX Profiles Profile Conformance Is the SPDX creator asserting the data is there for my use case? Profile Name Space Where’s the spec I’m interested in? Profile Workgroup How can I contribute?
  • 10. Core Profile Overview ● Defines foundational concepts which are the basis for all SPDX 3.0 profiles
  • 11. Software Profile Overview ● Defines concepts related to software artifacts ● Introduces and supports CISA SBOM Types ○ Design/Source/Build/Deployed/Runtime/Analyzed https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf
  • 12. Licensing Profile Overview ● Split into two separate profiles with different ways to represent license expressions: ○ SimpleLicensing: via SPDX License Expression syntax strings ○ ExpandedLicensing: via object model corresponding to each license component ● License model ○ includes those previously defined in SPDX 2.3, as well as SPDX License List fields ○ represents Licenses, License Exceptions, and the data model for license combinations (AND, OR, WITH, +) ○ now with License Additions (custom text for right side of WITH expressions) ● Relationships for Licensing-related metadata ○ conceptually similar to SPDX 2.3 ○ now structured as SPDX Relationships rather than properties ○ enables one SPDX data creator to define the software artifacts, and others to later specify their conclusions as to licenses by reference to the same artifacts
  • 13. Captures security-related metadata specific to a piece of software Security Profile Overview ● Security profile v3.0 properties and relationships support vulnerability management. ○ discovery & disclosure: Communicate the vulnerabilities found by person (auditor/researcher), tool, or organization in a particular piece of software, e.g. CVE ○ severity: Communicate severity and rank vulnerabilities in a specific piece of software using industry standardized methods, e.g. CVSS ○ risk: Communicate how a vulnerability affects a specific piece of software, e.g., EPSS, VEX ○ remediation: Communicate how a vulnerability may be addressed or has already been addressed for a particular piece of software ● Security assurances for software integrity and other secure SDL activities are also supported in SPDX 3.0
  • 14. AI & Data Profile Overview A profile that adds on top of the Core and Software profiles to describe AI-specific elements that will enable transparency and traceability of both components and processes. A profile that adds on top of the Core and Software profiles to describe the datasets that are used to train or test an AI software. Similar to AI profile, it captures both components and processes – also provenance and lineage.
  • 15. More to come… Profiles Beyond SPDX 3.0 ● Software as a Service ○ Profile team has been active for about 3 months ○ Tracking the CISA workgroup ● Safety ○ We’re realizing that we already have in 3.0 most of what we need ● Hardware ○ Safety Standards expect to know “system” that software is running on ○ Potential participants include RISC-V & ARM core adopters, Chips Alliance Members and Board Manufacturers
  • 16. Participate! ● Teams ● Technical ● Legal ● Outreach ● Profile groups ● Mailing lists ● Meetings ● GitHub