Shane Coughlan, profile picture
Uploaded byShane Coughlan
207 views

SBOM Document Quality Guide - OpenChain SBOM Study Group

SBOM Document Quality Guide - OpenChain SBOM Study Group

Embed presentation

Download to read offline
SBOM Document Quality Guide OpenChain SBOM Study Group
Why a New Guide? https://www.msit.go.kr/ bbs/view.do?sCode=user& mId=113&mPid=238&bbsSeq No=94&nttSeqNo=3184474 https://www.cert- in.org.in/PDF/Technica lGuidelines-on- SBOM,QBOM&CBOM,AIBOM_a nd_HBOM_ver2.0.pdf Many regulations, standards, and guidelines exist, each imposing slightly different requirements. SBOM Implementation Reality: https://sched.co/1jKD8 Lack of standardized detailed information causes inconsistencies and high production costs/effort in SBOM creation
Guide on Google Docs: https://docs.google.com/document/d/1iuXX8j10N70dfce1-CZFWhW6S2jEqc-- flcCgXMMdjg/edit?usp=sharing Meeting minutes etc. for SBOM Study Group: https://github.com/OpenChain-Project/SBOM-sg/ Meeting schedule: https://openchainproject.org/participate
Chapter 1 - Scope & SBOM Document Quality PUSH PULL Team X ・・・ Team A product Open Source Communities Other Companies RECEIVE A Company End User Customers Other Companies DISTRIBUTE SBOM Document SBOM Document SBOM Management
Key SBOM Requirements
Chapter 5.1 – Ensuring Accurate & Consistent “Value” Information
Chapter 5.7 - Clarifying the Scope of Descriptions and Defining Accountability
Chapter 5.8 - Unified Expression of Inter-Component Relationships Owada-san “Set Vendor” knows d-lib.so will be linked, but they can't determine a unique ID (the actual d-lib version etc. as well) for the SBOM element because it isn't part of their distribution. https://docs.google.com/presentation/d/1T0mifMjTbiOoxPMv- 04rHV42mcRw9SSQocAq1USgEZg/edit?slide=id.g36f74397063_0_5#slide=id.g36f74397063_0_5
https://github.com/OpenChain-Project/OpenChain- JWG/blob/master/subgroups/sbom-sg/outcomes/QualityGuide/SBOM- Document-Quality-Guide.ja.md#58- %E9%83%A8%E5%93%81%E9%96%93%E9%96%A2%E4%BF%82%E6%80%A7%E3%81%A E%E7%B5%B1%E4%B8%80%E7%9A%84%E8%A1%A8%E7%8F%BE Chapter 5.8 – cont.
SBOM Attributes Comparison (Overview) [WIP] SBOM element comparison https://docs.google.com/ spreadsheets/d/1SuGv1 L3H_- Iq6dmH7DnjDgAa90LC RnoHB3DTfuWh0Jg/edi t?gid=1936044844#gid= 1936044844 https://sched.co/1jKD8 Ninjyouji-san
SBOM JSON, JSON-LD examples and Schema https://github.com/OpenChain-Project/SBOM-sg-SEPIA
CISA Minimum Elements for a Software Bill of Materials - Updated https://www.cisa.gov/resources-tools/resources/2025-minimum- elements-software-bill-materials-sbom
Name and Version
7 Recommendations to Improve SBOM Quality https://www.sei.cmu.edu/blog/7-recommendations-to-improve- sbom-quality/
Join OpenChain SBOM study group! The regular meeting will be held on 4th Wednesday of every month. We would appreciate your participation! https://lists.openchainproject.org/ g/sbom https://github.com/OpenChain-Project/SBOM-sg
Questions?
SBOM Document Quality Guide - OpenChain SBOM Study Group
SBOM Document Quality Guide - OpenChain SBOM Study Group
SBOM Document Quality Guide - OpenChain SBOM Study Group
SBOM Document Quality Guide - OpenChain SBOM Study Group

More Related Content

PPTX
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
byShane Coughlan
 
PDF
OpenChain Telco SBOM Guide Overview - 2024-09-25
byShane Coughlan
 
PPTX
OpenChain presentation at LF Legal Summit 2025
byShane Coughlan
 
PDF
Software Bill of Materials (SBOM): what you as a developer need to know by Kr...
byDevClub_lv
 
PDF
How SBOMs Protect Google's Massive Software Supply Chain
byAnchore
 
PPTX
OpenChain Korea Work Group Meeting - 2025-06-16
byShane Coughlan
 
PPTX
In From the Cold: Open Source as Part of Mainstream Software Asset Management
byShane Coughlan
 
PPTX
Standardization of open-source software ISO/IEC 5230:2020 and ISO/IEC 18974:2...
byShane Coughlan
 
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
byShane Coughlan
 
OpenChain Telco SBOM Guide Overview - 2024-09-25
byShane Coughlan
 
OpenChain presentation at LF Legal Summit 2025
byShane Coughlan
 
Software Bill of Materials (SBOM): what you as a developer need to know by Kr...
byDevClub_lv
 
How SBOMs Protect Google's Massive Software Supply Chain
byAnchore
 
OpenChain Korea Work Group Meeting - 2025-06-16
byShane Coughlan
 
In From the Cold: Open Source as Part of Mainstream Software Asset Management
byShane Coughlan
 
Standardization of open-source software ISO/IEC 5230:2020 and ISO/IEC 18974:2...
byShane Coughlan
 

More from Shane Coughlan

PPTX
OpenChain at Okinawa Event on the 4th of December 2025
byShane Coughlan
 
PPTX
The OpenChain China Mini-Summit at COSCON 2025
byShane Coughlan
 
PPTX
A Panel on Containers and Compliance Hosted by Chris Wood, OpenChain Specifi...
byShane Coughlan
 
PDF
EU Regulation and the FOSS Ecosystem - Ciarán OʼRiordan
byShane Coughlan
 
PDF
OpenChain Global Update @ Open Source Tech Day 2025
byShane Coughlan
 
PDF
Introduction to the European Union Cyber Resilience Act (CRA)
byShane Coughlan
 
PPTX
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
byShane Coughlan
 
PPTX
Operations Profile SPDX_Update_20250711_Example_05_03.pptx
byShane Coughlan
 
PDF
The 3rd OSPO Summit - China (Beijing - 2025-06-12)
byShane Coughlan
 
PPTX
OpenChain Tooling Work Group - 2025-07-02
byShane Coughlan
 
PPTX
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
byShane Coughlan
 
PDF
Open Chain Q2 Steering Committee Meeting - 2025-06-25
byShane Coughlan
 
PDF
OpenChain Webinar - AboutCode - Practical Compliance in One Stack – Licensing...
byShane Coughlan
 
PPTX
OpenChain China Work Group – Regular Meeting 3 – 2024-11-29 @ 14:00 to 17:30
byShane Coughlan
 
PPTX
OpenChain @ InnerSource Summit 2024 - 2024-11-20
byShane Coughlan
 
PPTX
OpenChain Korea Work Group Meeting #24 - 2024-11-26
byShane Coughlan
 
PDF
Compliance and Integrity in the Software Supply Chain with Software Heritage:...
byShane Coughlan
 
PDF
Fujitsu’s OSS standards conformance and AI Management System Standardization ...
byShane Coughlan
 
PPTX
OpenChain China Work Group Presentation @ OSCAR 2024
byShane Coughlan
 
PPTX
OpenChain Japan Community Day - 2024-10-17
byShane Coughlan
 
OpenChain at Okinawa Event on the 4th of December 2025
byShane Coughlan
 
The OpenChain China Mini-Summit at COSCON 2025
byShane Coughlan
 
A Panel on Containers and Compliance Hosted by Chris Wood, OpenChain Specifi...
byShane Coughlan
 
EU Regulation and the FOSS Ecosystem - Ciarán OʼRiordan
byShane Coughlan
 
OpenChain Global Update @ Open Source Tech Day 2025
byShane Coughlan
 
Introduction to the European Union Cyber Resilience Act (CRA)
byShane Coughlan
 
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
byShane Coughlan
 
Operations Profile SPDX_Update_20250711_Example_05_03.pptx
byShane Coughlan
 
The 3rd OSPO Summit - China (Beijing - 2025-06-12)
byShane Coughlan
 
OpenChain Tooling Work Group - 2025-07-02
byShane Coughlan
 
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
byShane Coughlan
 
Open Chain Q2 Steering Committee Meeting - 2025-06-25
byShane Coughlan
 
OpenChain Webinar - AboutCode - Practical Compliance in One Stack – Licensing...
byShane Coughlan
 
OpenChain China Work Group – Regular Meeting 3 – 2024-11-29 @ 14:00 to 17:30
byShane Coughlan
 
OpenChain @ InnerSource Summit 2024 - 2024-11-20
byShane Coughlan
 
OpenChain Korea Work Group Meeting #24 - 2024-11-26
byShane Coughlan
 
Compliance and Integrity in the Software Supply Chain with Software Heritage:...
byShane Coughlan
 
Fujitsu’s OSS standards conformance and AI Management System Standardization ...
byShane Coughlan
 
OpenChain China Work Group Presentation @ OSCAR 2024
byShane Coughlan
 
OpenChain Japan Community Day - 2024-10-17
byShane Coughlan
 

Recently uploaded

PDF
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PDF
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PDF
GET /Ready How to master being a Master of Ceremonies (MC)
byImma Valls Bernaus
 
PDF
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
PDF
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
GET /Ready How to master being a Master of Ceremonies (MC)
byImma Valls Bernaus
 
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 

SBOM Document Quality Guide - OpenChain SBOM Study Group

  • 1.
    SBOM Document QualityGuide OpenChain SBOM Study Group
  • 2.
    Why a NewGuide? https://www.msit.go.kr/ bbs/view.do?sCode=user& mId=113&mPid=238&bbsSeq No=94&nttSeqNo=3184474 https://www.cert- in.org.in/PDF/Technica lGuidelines-on- SBOM,QBOM&CBOM,AIBOM_a nd_HBOM_ver2.0.pdf Many regulations, standards, and guidelines exist, each imposing slightly different requirements. SBOM Implementation Reality: https://sched.co/1jKD8 Lack of standardized detailed information causes inconsistencies and high production costs/effort in SBOM creation
  • 3.
    Guide on GoogleDocs: https://docs.google.com/document/d/1iuXX8j10N70dfce1-CZFWhW6S2jEqc-- flcCgXMMdjg/edit?usp=sharing Meeting minutes etc. for SBOM Study Group: https://github.com/OpenChain-Project/SBOM-sg/ Meeting schedule: https://openchainproject.org/participate
  • 4.
    Chapter 1 -Scope & SBOM Document Quality PUSH PULL Team X ・・・ Team A product Open Source Communities Other Companies RECEIVE A Company End User Customers Other Companies DISTRIBUTE SBOM Document SBOM Document SBOM Management
  • 5.
  • 6.
    Chapter 5.1 –Ensuring Accurate & Consistent “Value” Information
  • 7.
    Chapter 5.7 -Clarifying the Scope of Descriptions and Defining Accountability
  • 8.
    Chapter 5.8 -Unified Expression of Inter-Component Relationships Owada-san “Set Vendor” knows d-lib.so will be linked, but they can't determine a unique ID (the actual d-lib version etc. as well) for the SBOM element because it isn't part of their distribution. https://docs.google.com/presentation/d/1T0mifMjTbiOoxPMv- 04rHV42mcRw9SSQocAq1USgEZg/edit?slide=id.g36f74397063_0_5#slide=id.g36f74397063_0_5
  • 9.
  • 10.
    SBOM Attributes Comparison(Overview) [WIP] SBOM element comparison https://docs.google.com/ spreadsheets/d/1SuGv1 L3H_- Iq6dmH7DnjDgAa90LC RnoHB3DTfuWh0Jg/edi t?gid=1936044844#gid= 1936044844 https://sched.co/1jKD8 Ninjyouji-san
  • 11.
    SBOM JSON, JSON-LDexamples and Schema https://github.com/OpenChain-Project/SBOM-sg-SEPIA
  • 12.
    CISA Minimum Elementsfor a Software Bill of Materials - Updated https://www.cisa.gov/resources-tools/resources/2025-minimum- elements-software-bill-materials-sbom
  • 13.
  • 14.
    7 Recommendations toImprove SBOM Quality https://www.sei.cmu.edu/blog/7-recommendations-to-improve- sbom-quality/
  • 15.
    Join OpenChain SBOMstudy group! The regular meeting will be held on 4th Wednesday of every month. We would appreciate your participation! https://lists.openchainproject.org/ g/sbom https://github.com/OpenChain-Project/SBOM-sg
  • 16.