#ossummit
SBOM Implementation Reality
From Crawl to Walk, the SPDX Lite Profile for the First Step
Norio Kobota, Sony Group Corporation
Takashi Ninjouji, Toshiba Corporation
@nori0428 @takashininjouji 16 September 2024
Who We Are
Norio Kobota
• Senior Open Source Strategist, Sony Group Corporation
• OpenChain Project, SBOM-SG Lead
• SPDX Project
Takashi Ninjouji
• Chief Specialist, Toshiba Corporation
• OpenChain Project
• SPDX Project
Focus Areas of SPDX Lite
Solving the Challenges of Software Exchange between External Parties.
[Diagram: software is PUSHed or PULLed from Open Source Communities and Other Companies, RECEIVEd by Our Company (Team A ・・・ Team X, building the product), and DISTRIBUTEd to End Users, Customers and Other Companies.]
Focus Areas of SPDX Lite
Solving the Challenges of SBOM Exchange between External Parties.
[Diagram: the same flow as above with SBOMs in place of software: PUSHed or PULLed from Open Source Communities and Other Companies, RECEIVEd by Our Company (Team A ・・・ Team X, product), and DISTRIBUTEd to End Users, Customers and Other Companies.]
What Happens when software suppliers don’t understand?
SBOM Supply Chain Reality
Knowledgeable team analyzes the details and manages configuration
[Diagram: the PUSH/PULL, RECEIVE and DISTRIBUTE flow between Open Source Communities, Other Companies, Our Company (Team X ・・・ Team Z, w/ knowledge, product), End Users and Customers. Because the received information is insufficient, the team with knowledge must analyze the details with the source code.]
Focus Areas of SPDX Lite
Solving the Challenges of SBOM Exchange between External Parties.
[Diagram: SBOMs PUSHed or PULLed from Open Source Communities and Other Companies, RECEIVEd by Our Company (Team A ・・・ Team X, product), and DISTRIBUTEd to End Users, Customers and Other Companies.]
Who should know all the details of software?
[Diagram: the PUSH/PULL, RECEIVE and DISTRIBUTE flow between Open Source Communities, Other Companies, Our Company (Team A ・・・ Team X, product), End Users and Customers; the distributed Commercial Product (Software, Embedded Dev, etc.) reaches the Customers.]
It is OUR responsibility to verify and correct the software details if there is a problem, not the customers'.
SBOM enables us to exchange information with anyone in a common format
[Diagram: the PUSH/PULL, RECEIVE and DISTRIBUTE flow between Open Source Communities, Other Companies, Our Company (Team A ・・・ Team X, product), End Users and Customers, with the SBOM exchanged at every hand-off.]
Common Language and Format for the contract
ISO/IEC 5230 OpenChain Specification
• Open Source License Compliance
• SBOM Management: Identify, Review & Approval of Software Components
Requirements
1. Program foundation
   1.1 Policy
   1.2 Competence
   1.3 Awareness
   1.4 Program scope
   1.5 License obligations
2. Relevant tasks defined and supported
   2.1 Access
   2.2 Effectively resourced
3. Open Source content review and approval
   3.1 Bill of Materials
   3.2 License compliance
4. Compliance artifact creation and delivery
   4.1 Compliance artifacts
5. Understanding open source community engagements
   5.1 Contributions
6. Adherence to the specification requirements
   6.1 Conformance
   6.2 Duration
ISO/IEC 18974 OpenChain Security Assurance Specification
• Open Source Security Assurance (Vulnerability Management)
• Monitor and Manage Vulnerabilities across SDLC, with SBOM Management
Requirements
1. Program foundation
   1.1 Policy
   1.2 Competence
   1.3 Awareness
   1.4 Program Scope
   1.5 Standard Practice Implementation
2. Relevant tasks defined and supported
   2.1 Access
   2.2 Effectively resourced
3. Open Source content review and approval
   3.1 Software Bill of Materials (SBOM)
   3.2 Security Assurance
4. Adherence to the guideline requirements
   4.1 Completeness
   4.2 Duration
SBOM-VEX
SBOM
• Software Composition
• Provenance
• License Compliance
SBOM Document: Document Metadata, Component, Relationship, External Data
VEX
• Vulnerability Management
• Exploit
• Incident Response
VEX Document: Document Metadata, VEX Statement 1, VEX Statement 2, VEX Statement 3
VEX Statement: Statement Metadata, Status, Vulnerability Details, Product Details
SPDX Lite addressing License Compliance
https://spdx.github.io/spdx-spec/v2.3/package-information/
https://spdx.github.io/spdx-spec/v2.3/SPDX-Lite/
[Diagram: SPDX Lite covers the Document Metadata and the Component (Package Centric) part of an SBOM document.]
SPDX Lite (Lite profile) in SPDX v3.0
❑ SPDX Lite Design Principle
Because of its origins, SPDX Lite essentially considers the minimum information required for Open Source License compliance.
✔ Properties that are mandatory in the SPDX specification remain mandatory and are unchanged; SPDX Lite only adds recommendations on what to write. [MANDATORY]
✔ Specify additional properties that must be provided for license compliance. [MANDATORY]
✔ Specify recommended properties for reducing the burden on the recipient. [RECOMMENDED]
✔ Everything else is optional. [OPTIONAL]
Overview of SPDX Data structure for Lite profile
• Sbom [Mandatory]
• SPDXDocument [Mandatory]
• CreationInfo [Mandatory]
• Bom [Optional]: NOTE: Can contain other information such as VEX in Security profile. Ref: p.21
• Package [Mandatory]
• LicenseExpression [Mandatory] (Declared, Concluded License)
• Relationship [Mandatory]
• CreationInfo [Mandatory]
Difficult to understand only with the specifications.
https://github.com/NorioKobota/spdx-examples/tree/lite-profile/lite/example1
We are creating and evaluating samples that are as simple as possible and fit our use cases.
Verify if the Lite profile works well with VEX - Security profile
https://github.com/no-ta/spdx-examples/tree/merge-lite-example-1/lite/example1-with-VEX/spdx-3.0
Reviewed with SPDX community. Great thanks to Josh!
https://github.com/spdx/spdx-examples/pull/91
Laws, Regulations, Standards, Guidelines
[Diagram: laws, regulations, standards and guidelines arranged along two axes, Process Management vs. SBOM Data Format and Official Document vs. Industry Standard/Guide. Items shown: NTIA Minimum Elements for SBOM, E.O. 14028, CRA, BSI TR-03183-2, METI Guide v2.0*, CISA Framing Third Edition*, Medical Device (IMDRF), Medical Device (FDA), Credit (PCI-DSS, PCI-SSF), Automotive (ISO/SAE 21434), OpenChain Telco SBOM Guide, ISO/IEC 5230, ISO/IEC 18974, SPDX (ISO/IEC 5962, 3.0.1), CycloneDX 1.6 (ECMA-424).]
SBOM Elements Comparison
[WIP] SBOM element comparison
https://docs.google.com/spreadsheets/d/1SuGv1L3H_-Iq6dmH7DnjDgAa90LCRnoHB3DTfuWh0Jg/edit?gid=1936044844#gid=1936044844
SBOM Elements
CISA Baseline Attributes        | NTIA Minimum Elements
--------------------------------+--------------------------
SBOM Author Name                | Author of SBOM Data
SBOM Timestamp                  | Timestamp
SBOM Type                       |
Component Supplier Name         | Supplier Name
Component Name                  | Component Name
Component Version String        | Version of the Component
Component Unique Identifier     | Unique Identifiers
Component Cryptographic Hash    | Component Hash
Component License               | License Information
Component Copyright Holder      | Copyright Information
SBOM Primary Component          | Dependency Relationship
Component Relationships         | Dependency Relationship
External Data                   |
[Diagram: SBOM Document consisting of Document Metadata, Component, Relationship and External Data.]
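The Lite profile slide above lists which element kinds are mandatory (Sbom, SPDXDocument, CreationInfo, Package, LicenseExpression, Relationship, with declared and concluded licenses on each package), and the comparison table maps the CISA baseline attributes onto the NTIA minimum elements. The following checker, added here as an example and not code from the deck or from the SPDX project, walks a simplified SBOM dictionary and reports which of those mandatory elements and NTIA minimum elements are missing. The key names (`elements`, `type`, `spdxId`, `suppliedBy`, `declaredLicense`, `concludedLicense`, `from`, `to`, and the rest) are an assumed simplified shape that mirrors the element names on the slides; they are not the official SPDX 3.0 JSON-LD serialization, and the sample SBOM is constructed for the example.

```python
"""Checker for SPDX Lite mandatory elements and NTIA minimum elements (added example).

The dictionary shape used here is ASSUMED: it mirrors the element names on the slides,
not the official SPDX 3.0 JSON-LD serialization.
"""
from __future__ import annotations

# Element kinds marked [Mandatory] on the "Overview of SPDX Data structure for Lite profile" slide.
LITE_MANDATORY_TYPES = ("Sbom", "SpdxDocument", "CreationInfo",
                        "Package", "LicenseExpression", "Relationship")

# NTIA minimum elements (right-hand column of the comparison table) and the assumed key
# that carries each of them in this simplified shape.
NTIA_PACKAGE_FIELDS = {
    "Supplier Name": "suppliedBy",
    "Component Name": "name",
    "Version of the Component": "version",
    "Unique Identifiers": "spdxId",
}
NTIA_DOCUMENT_FIELDS = {
    "Author of SBOM Data": "createdBy",
    "Timestamp": "created",
}


def elements_of_type(doc: dict, type_name: str) -> list[dict]:
    """Return every element in doc["elements"] whose "type" equals type_name."""
    return [e for e in doc.get("elements", []) if e.get("type") == type_name]


def check_lite_profile(doc: dict) -> list[str]:
    """Report missing Lite mandatory element kinds, unresolved or absent license
    expressions on packages, and packages no Relationship refers to."""
    findings = []
    for type_name in LITE_MANDATORY_TYPES:
        if not elements_of_type(doc, type_name):
            findings.append(f"missing mandatory element: {type_name}")
    license_ids = {e.get("spdxId") for e in elements_of_type(doc, "LicenseExpression")}
    related: set = set()
    for rel in elements_of_type(doc, "Relationship"):
        related.add(rel.get("from"))
        related.update(rel.get("to", []))
    for pkg in elements_of_type(doc, "Package"):
        pkg_id = pkg.get("spdxId", "<no id>")
        # Lite requires both the declared and the concluded license on every package.
        for field in ("declaredLicense", "concludedLicense"):
            ref = pkg.get(field)
            if ref is None:
                findings.append(f"{pkg_id}: {field} not set")
            elif ref not in license_ids:
                findings.append(f"{pkg_id}: {field} -> {ref} is not a LicenseExpression in this document")
        if pkg_id not in related:
            findings.append(f"{pkg_id}: no Relationship refers to this package")
    return findings


def check_ntia_minimum(doc: dict) -> list[str]:
    """Report NTIA minimum elements absent from the creation info or from any package."""
    findings = []
    for info in elements_of_type(doc, "CreationInfo") or [{}]:
        for label, key in NTIA_DOCUMENT_FIELDS.items():
            if not info.get(key):
                findings.append(f"document: {label} ({key}) missing")
    for pkg in elements_of_type(doc, "Package"):
        pkg_id = pkg.get("spdxId", "<no id>")
        for label, key in NTIA_PACKAGE_FIELDS.items():
            if not pkg.get(key):
                findings.append(f"{pkg_id}: {label} ({key}) missing")
    return findings


# Constructed sample: one complete package and one (libfoo) that lacks a concluded
# license and a supplier, which is exactly what a recipient would bounce.
SAMPLE_SBOM = {
    "elements": [
        {"type": "CreationInfo", "spdxId": "urn:example:creation",
         "created": "2024-09-16T09:00:00Z", "createdBy": ["urn:example:agent/our-company"]},
        {"type": "SpdxDocument", "spdxId": "urn:example:doc", "creationInfo": "urn:example:creation"},
        {"type": "Sbom", "spdxId": "urn:example:sbom", "rootElement": ["urn:example:pkg/product"]},
        {"type": "Package", "spdxId": "urn:example:pkg/product", "name": "product-firmware",
         "version": "1.0.0", "suppliedBy": "urn:example:agent/our-company",
         "declaredLicense": "urn:example:lic/mit", "concludedLicense": "urn:example:lic/mit"},
        {"type": "Package", "spdxId": "urn:example:pkg/libfoo", "name": "libfoo",
         "version": "2.3.1", "declaredLicense": "urn:example:lic/mit"},
        {"type": "LicenseExpression", "spdxId": "urn:example:lic/mit", "licenseExpression": "MIT"},
        {"type": "Relationship", "spdxId": "urn:example:rel/1", "relationshipType": "contains",
         "from": "urn:example:pkg/product", "to": ["urn:example:pkg/libfoo"]},
    ]
}

if __name__ == "__main__":
    for line in check_lite_profile(SAMPLE_SBOM) + check_ntia_minimum(SAMPLE_SBOM):
        print(line)
```

Run against the constructed sample, the checker flags only libfoo: its concluded license is not set and its supplier is missing. The two checks are kept separate because they answer different questions a recipient asks: whether the document can be used for license compliance at all (Lite), and whether each component carries the minimum identification the NTIA elements call for.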
Baseline Attributes Comparison
[WIP] SBOM element comparison
https://docs.google.com/spreadsheets/d/1SuGv1L3H_-Iq6dmH7DnjDgAa90LCRnoHB3DTfuWh0Jg/edit?gid=1936044844#gid=1936044844
BSI TR-03183-2 (v1.1): Guideline preparing for CRA
IMDRF/FDA: Guidances addressed to Medical Device Manufacturers
PCI-DSS/PCI-SSF: Requirements from the Payment Card Industry Data Security Standard
Enhance SBOM & VEX Practices Across the Supply Chain
Can we explore Practical HOW-TOs?
“Delivery item SBOM” argued in: BSI. “Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products - Part 2: Software Bill of Materials (SBOM) Version 1.1”
CISA. “When to Issue VEX Information”. https://www.cisa.gov/resources-tools/resources/when-issue-vex-information
CISA. “Types of Software Bill of Materials (SBOM)”. https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom
Maturity Model
[Diagram: maturity levels Minimum Expected (Crawl), Recommended Practice (Walk) and Aspirational Goal (Run) for the Author, Distributor and Consumer roles, covering SBOM and VEX elements, SBOM & VEX operation, and the SDLC.]
Join OpenChain SBOM study group!
https://github.com/OpenChain-Project/SBOM-sg
The next meeting is scheduled after Open Source Summit Europe. We would appreciate your participation!
https://www.google.com/calendar/event?eid=MWFna2lnOWdkNjU4ZXQwNm1ydDh1OHMzY2QgY18wOHNlYjYwOTVvZmp0ZnI1ZmpiNXRhYmdsNEBn&ctz=UTC
Reference: Open Chain Telco SBOM Guide Version 1.0