Using SBOM Everywhere to amplify guidance through other public workstreams

[joshbressers]

During the meeting on 2024-03-12 a topic came up about how we could work together with other groups, especially government groups, to amplify what we are all doing. The notes from the meeting are below

---

Amplifying SBOM Everywhere Guidance through CISA SBOM Workstreams

• We should try to do this, yes
• How can we do this?
• The types document is an example of this cross-collaboration
• OpenSSF could incubate things that feeds into other groups?
• There is guidance from various governments already
  • We should look at what these say and identify overlap
• Allan will share links to the various government SBOM guidance
  • We should look for commonality and differences in these documents
  • Dutch SBOM https://www.ncsc.nl/documenten/publicaties/2023/juli/5/sbom-startersgids
  • Germany https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf?__blob=publicationFile&v=4
  • Japan https://www.meti.go.jp/english/press/2023/0728_001.html
• Mapping all the SBOM fields could also be a valuable task

---

This SIG has some unique opportunities other SBOM focused groups do not as we are a truly neutral venue. We should take advantage of this status to further some SBOM related efforts that will help the entire industry.

A few examples that came up during the discussion

1. There are currently some SBOM guidance documents from the Netherlands, Germany, and Japan that Allan was kind enough to link to. There is going to be differences and overlap in this guidance. We could parse such documents to identify what they have in common and where they differ. This would be a very valuable reference document.
2. We could maintain a map of the NTIA minim elements to the actual SPDX and CycloneDX fields. If such a mapping that covers both exists elsewhere we should link to it. If separate mappings exist we can combine those into one reference document.

There are certainly other things we could work on. Please add ideas or comments to this issue to track such efforts. We can split out specific work into issues as needed.

[Mariuxdeangelo]

This is an awesome idea. It seems like I missed the most interesting meeting in a year. I would love to take a closer look at these Documents from Allan.

I can already add some information to the second point. SPDX and CycloneDx have already published guidance on mapping the NTIA requirements to their schemas.

• SPDX (See Annex K.2)
• CycloneDx

The thing is, the mapping to the Schemas is done differently in CycloneDx and SPDX. CycloneDx is more strict with its mapping than SPDX. I gave this issue a closer look in my Master Thesis in chapter 7.3.1 see here. Maybe we could fix this, also with help from Allan, who recently mentioned updating the NTIA min elements to make them more straightforward.

[stevespringett]

If mapping is on the radar, I would suggest using https://scvs.owasp.org/bom-maturity-model/ as the taxonomy and map each spec to it. There’s an example profile that conveys NTIA minimum elements to the taxonomy. But in doing so, it is highly important to read each spec before mapping. Every conversion tool I’ve seen gets it wrong.

[anthonyharrison]

There are already differences between the various national guidelines. If I am creating a SBOM, I would not want to create a different SBOM to meet the different national guidelines; I would want to create a single SBOM which met ALL of the guidelines (a superset).

However, as we have already seen, even meeting the NTIA guidelines are difficult mainly due to interpretation of what the fields need to contain (in particular supplier). It would be really useful to ensure that the guidelines are harmonised to make it easier for software producers to conform with and also to provide guidance for the consumers of SBOMs to interpret the data within a SBOM.

And for SBOM consumers, I would want to easily assert the quality of the SBOM as the SBOM is likely to form part of a key decision making process within an organisation. Does the SBOM confirm with national guideline X might be a useful starting point before harmonizing of guidance is established.

Bear in mind that we need to be focusing on CONTENT and not FORMAT and the work which @stevespringett references would be a good vehicle to adopt.

[brianf]

+1