Skip to content

Commit

Permalink
Merge pull request #192 from SBOMit/main
Browse files Browse the repository at this point in the history
SBOMit Sandbox Project Application
  • Loading branch information
hythloda authored Oct 5, 2023
2 parents f11de8b + 5e5e215 commit c158f54
Show file tree
Hide file tree
Showing 4 changed files with 77 additions and 0 deletions.
14 changes: 14 additions & 0 deletions .github/actions/spelling/expect.txt
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,10 @@ CLA
CNCF
Coinbase
COPYLEFT
colek
Corail
CPython
CRob
crob
CSAF
curating
Expand All @@ -42,6 +44,7 @@ CVD
CVEs
CVRF
Cybeats
Datadog
Dcmiddle
dco
Debian
Expand All @@ -56,6 +59,7 @@ Fernick
Ferraioli
Foxboron
frenemy
FRSCA
fyi
gittuf
Gendreau
Expand All @@ -68,13 +72,15 @@ headcount
HUAWEI
Hyperledger
hyperlinks
idunbarh
impactfully
jburson
JFrog
jorydotcom
joshbressers
JPM
JPMC
justincappos
Kaczorowski
Kairo
kairoaraujo
Expand All @@ -85,6 +91,7 @@ Kimmich
Knative
Konstantinos
Kratzer
Kuppusamy
kusari
Lakkakula
lehors
Expand All @@ -101,6 +108,7 @@ lumjjb
maintainership
malware
mds
mnm
Montazery
Mozilla
mvrachev
Expand Down Expand Up @@ -143,11 +151,13 @@ Rezilion
RFPs
rhaning
rnjudge
Roadmap
roadmap
RPi
Rubygems
Rutkowski
Sandecki
SBO
SBOMs
Schaik
scim
Expand All @@ -159,6 +169,7 @@ semesterly
Shopify
Shortlist
sif
Sigstore
sigstore
Sirish
SKF
Expand All @@ -179,7 +190,10 @@ tac
TCs
timeframes
timezones
Trishank
trishankatdatadog
TSC
TUF
tuf
typosquatting
Unicode
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/spelling.yml
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,7 @@ jobs:
uses: check-spelling/check-spelling@main
with:
checkout: true
quit_without_error: 1
spell_check_this: check-spelling/spell-check-this@prerelease
only_check_changed_files: 1
task: ${{ needs.spelling.outputs.followup }}
Expand All @@ -147,6 +148,7 @@ jobs:
uses: check-spelling/check-spelling@main
with:
checkout: true
quit_without_error: 1
spell_check_this: check-spelling/spell-check-this@prerelease
only_check_changed_files: 1
task: ${{ needs.spelling.outputs.followup }}
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ Diagrams with an overview of the OpenSSF, including its projects and SIGs, are a
| Package Analysis | https://github.com/ossf/package-analysis | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Securing Critical Projects WG | TBD |
| Package Feeds | https://github.com/ossf/package-feeds | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Securing Critical Projects WG | TBD |
| Repository Service for TUF | https://github.com/vmware/repository-service-tuf | [Meeting Notes](https://docs.google.com/document/d/13a_AtFpPK9WO4PlAN6ciD-G1jiBU3gEDtRD1OUinUFY/edit) | Securing Software Repositories WG | Sandbox |
| SBOMit | https://github.com/sbomit | [Meeting Notes](https://docs.google.com/document/d/1-nHXMqvWNzgOxAq08O8Wu2BTHz0U60yBoAklrJAMaRc/edit?usp=sharing) | Security Tooling WG | Sandbox |
| Scorecard | https://github.com/ossf/scorecard | [Meeting Notes](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing) | Best Practices WG | TBD |
| Security Insights Spec | https://github.com/ossf/security-insights-spec | [Meeting Notes](https://docs.google.com/document/d/14_ILDhSK3ymKqUTQeQBRgJKgfiy_ePoGZIe8s7p3K5E/edit?usp=sharing) | Identifying Security Threats WG | TBD |
| Security Metrics | https://github.com/ossf/Project-Security-Metrics | [Meeting Notes](https://docs.google.com/document/d/14_ILDhSK3ymKqUTQeQBRgJKgfiy_ePoGZIe8s7p3K5E/edit#heading=h.apj7ueyomk4r) | Identifying Security Threats WG | TBD |
Expand Down
60 changes: 60 additions & 0 deletions process/project-lifecycle-documents/SBOMit_sandbox_stage.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
## Application for creating a new project at Sandbox stage

### List of project maintainers

* Justin Cappos, NYU, justincappos
* Ian Dunbar-Hall, Lockheed Martin, idunbarh
* Cole Kennedy, TestifySec, colek42
* Marina Moore, NYU, mnm678
* Trishank Kuppusamy, Datadog, trishankatdatadog

### Mission of the project

SBOMit's goal is to provide SBOMs to end users with minimal effort that provide cryptographic validation of the steps performed in the software
supply chain. This differs from other SBOM efforts in that the data in the SBOM is validated cryptographically using [in-toto](in-toto.io)
link metadata and layouts, which provides a strong threat model while providing a robust set of guarantees about the SBOM's accuracy.

Specific goals include:

* Maintain compatibility with existing SBOM formats (could generate existing SBOMs), and ideally operable with SPDX, CycloneDX, and similar efforts
* Define use cases and outcomes (end user ux) including machine readable
* Emphasize usability / on-boarding for users. Acknowledged as critical by many stakeholders.
* Cryptographic verification that exactly the steps in the verifiable SBOM were performed
* Threat model of an attacker that can compromise any part of the software supply chain (e.g., Section 2.2 of https://www.usenix.org/system/files/sec19-torres-arias.pdf )
* Define which pieces of the Verifiable SBOM are cryptographically verifiable
* Be applicable anywhere (not just cloud native)!
* Utilize in-toto delivered bundle for distribution of a single file
* Optionally enabling the capture of reasonable information about the runtime environment of the supply chain steps including pre-build, post-build, and all other portions
* Optionally enabling the capture of the output of scanning tools, etc. that may make inferences. Note that these may be based upon incomplete and / or incorrect information, but surfacing this information may be useful.
* Provide a clear specification that other groups can implement for Verifiable SBOMs
* Provide exemplars of the tooling needed to generate and process Verifiable SBOMs
* Enable users of Verifiable SBOMs to be able to understand clearly what steps were performed, possibly via plug-ins through things like Testify, SLSA, FRSCA, etc.
* Multi-language tooling

Non-Goals:
* Picking a winning SBOM format (SPDX, CycloneDX, etc.)
* Recursing into components like the packages inside of a container image when the build process does not otherwise do so.
* Knowing that an individual action is actually a good security practice
* Assertions about the quality of the implementation of the tool / security processes describing how the SBOM or artifact came to exist




### IP policy and licensing due diligence

When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).

* See [#191](https://github.com/ossf/tac/issues/191) for LF IP Review
* Our reference implementations will use the Apache 2.0 license
* Our specification uses [Community Specification License 1.0](https://github.com/SBOMit/specification/blob/main/LICENSE.md)
* Our website uses [Creative Commons Attribution 4.0 International](https://github.com/SBOMit/website/blob/main/LICENSE.md)

### Project References

| Reference | URL |
|--------------------|------|
| Repo | https://github.com/SBOMit |
| Website | https://sbomit.dev/ |
| Contributing guide | TODO |
| Roadmap | TODO |
| Demos | N/A |

0 comments on commit c158f54

Please sign in to comment.