From 031150c0c972b0b38063c053e21a442f7027e3ea Mon Sep 17 00:00:00 2001 From: Ian Dunbar-Hall Date: Wed, 4 Oct 2023 09:12:38 -0700 Subject: [PATCH 1/4] SBOMit Application Added to TAC project Signed-off-by: Ian Dunbar-Hall --- README.md | 1 + .../SBOMit_sandbox_stage.md | 60 +++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 process/project-lifecycle-documents/SBOMit_sandbox_stage.md diff --git a/README.md b/README.md index b43e744d..f90cbf12 100644 --- a/README.md +++ b/README.md 
@@ -73,6 +73,7 @@ Diagrams with an overview of the OpenSSF, including its projects and SIGs, are a | Package Analysis | https://github.com/ossf/package-analysis | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Securing Critical Projects WG | TBD | | Package Feeds | https://github.com/ossf/package-feeds | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Securing Critical Projects WG | TBD | | Repository Service for TUF | https://github.com/vmware/repository-service-tuf | [Meeting Notes](https://docs.google.com/document/d/13a_AtFpPK9WO4PlAN6ciD-G1jiBU3gEDtRD1OUinUFY/edit) | Securing Software Repositories WG | Sandbox | +| SBOMit | https://github.com/sbomit | [Meeting Notes](https://docs.google.com/document/d/1-nHXMqvWNzgOxAq08O8Wu2BTHz0U60yBoAklrJAMaRc/edit?usp=sharing) | Security Tooling WG | Sandbox | | Scorecard | https://github.com/ossf/scorecard | [Meeting Notes](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing) | Best Practices WG | TBD | | Security Insights Spec | https://github.com/ossf/security-insights-spec | [Meeting Notes](https://docs.google.com/document/d/14_ILDhSK3ymKqUTQeQBRgJKgfiy_ePoGZIe8s7p3K5E/edit?usp=sharing) | Identifying Security Threats WG | TBD | | Security Metrics | https://github.com/ossf/Project-Security-Metrics | [Meeting Notes](https://docs.google.com/document/d/14_ILDhSK3ymKqUTQeQBRgJKgfiy_ePoGZIe8s7p3K5E/edit#heading=h.apj7ueyomk4r) | Identifying Security Threats WG | TBD | diff --git a/process/project-lifecycle-documents/SBOMit_sandbox_stage.md b/process/project-lifecycle-documents/SBOMit_sandbox_stage.md new file mode 100644 index 00000000..3da056b7 --- /dev/null +++ b/process/project-lifecycle-documents/SBOMit_sandbox_stage.md 
@@ -0,0 +1,60 @@ +## Application for creating a new project at Sandbox stage + +### List of project maintainers + + * Justin Cappos, NYU, justincappos + * Ian Dunbar-Hall, Lockheed Martin, idunbarh + * Cole Kennedy, TestifySec, colek42 + * Marina Moore, NYU, mnm678 + * Trishank Kuppusamy, Datadog, trishankatdatadog + +### Mission of the project + +SBOMit's goal is to provide SBOMs to end users with minimal effort that provide cryptographic validation of the steps performed in the software +supply chain. This differs from other SBOM efforts in that the data in the SBOM is validated cryptographically using [in-toto](in-toto.io) +link metadata and layouts, which provides a strong threat model while providing a robust set of guarantees about the SBOM's accuracy. + +Specific goals include: + + * Maintain compatibility with existing SBOM formats (could generate existing SBOMs), and ideally operable with SPDX, CycloneDX, and similar efforts + * Define use cases and outcomes (end user ux) including machine readable + * Emphasize usability / on-boarding for users. Acknowledged as critical by many stakeholders. + * Cryptographic verification that exactly the steps in the verifiable SBOM were performed + * Threat model of an attacker that can compromise any part of the software supply chain (e.g., Section 2.2 of https://www.usenix.org/system/files/sec19-torres-arias.pdf ) + * Define which pieces of the Verifiable SBOM are cryptographically verifiable + * Be applicable anywhere (not just cloud native)! + * Utilize in-toto delivered bundle for distribution of a single file + * Optionally enabling the capture of reasonable information about the runtime environment of the supply chain steps including pre-build, post-build, and all other portions + * Optionally enabling the capture of the output of scanning tools, etc. that may make inferences. Note that these may be based upon incomplete and / or incorrect information, but surfacing this information may be useful. 
+ * Provide a clear specification that other groups can implement for Verifiable SBOMs + * Provide exemplars of the tooling needed to generate and process Verifiable SBOMs + * Enable users of Verifiable SBOMs to be able to understand clearly what steps were performed, possibly via plug-ins through things like Testify, SLSA, FRSCA, etc. + * Multi-language tooling + +Non-Goals: + * Picking a winning SBOM format (SPDX, CycloneDX, etc.) + * Recursing into components like the packages inside of a container image when the build process does not otherwise do so. + * Knowing that an individual action is actually a good security practice + * Assertions about the quality of the implementation of the tool / security processes describing how the SBOM or artifact came to exist + + + + +### IP policy and licensing due dilligence + +When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). + + * See [#191](https://github.com/ossf/tac/issues/191) for LF IP Review + * Our reference implementations will use the Apache 2.0 license + * Our specification uses [Community Specification License 1.0](https://github.com/SBOMit/specification/blob/main/LICENSE.md) + * Our website uses [Creative Commons Attribution 4.0 International](https://github.com/SBOMit/website/blob/main/LICENSE.md) + +### Project References + +| Reference | URL | +|--------------------|------| +| Repo | https://github.com/SBOMit | +| Website | https://sbomit.dev/ | +| Contributing guide | TODO | +| Roadmap | TODO | +| Demos | N/A | From 869d3bd15bd952f60b9a6b2852d201f4d563543e Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Mon, 18 Sep 2023 00:30:27 -0400 Subject: [PATCH 2/4] Update process/project-lifecycle-documents/SBOMit_sandbox_stage.md Co-authored-by: Josh Soref <2119212+jsoref@users.noreply.github.com> 
Signed-off-by: Justin Cappos --- process/project-lifecycle-documents/SBOMit_sandbox_stage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/project-lifecycle-documents/SBOMit_sandbox_stage.md b/process/project-lifecycle-documents/SBOMit_sandbox_stage.md index 3da056b7..c365ee64 100644 --- a/process/project-lifecycle-documents/SBOMit_sandbox_stage.md +++ b/process/project-lifecycle-documents/SBOMit_sandbox_stage.md @@ -40,7 +40,7 @@ Non-Goals: -### IP policy and licensing due dilligence +### IP policy and licensing due diligence When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). From aa5f07083f5133e6faf45475ca058e5d851b9414 Mon Sep 17 00:00:00 2001 From: Ian Dunbar-Hall Date: Wed, 4 Oct 2023 09:15:45 -0700 Subject: [PATCH 3/4] Include SBOMit application words to wordlist Signed-off-by: Ian Dunbar-Hall --- .github/actions/spelling/expect.txt | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index 2efa6d4a..de9db88f 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -32,6 +32,7 @@ CLA CNCF Coinbase COPYLEFT +colek Corail CPython crob @@ -42,6 +43,7 @@ CVD CVEs CVRF Cybeats +Datadog Dcmiddle dco Debian @@ -56,6 +58,7 @@ Fernick Ferraioli Foxboron frenemy +FRSCA fyi gittuf Gendreau @@ -68,6 +71,7 @@ headcount HUAWEI Hyperledger hyperlinks +idunbarh impactfully jburson JFrog @@ -75,6 +79,7 @@ jorydotcom joshbressers JPM JPMC +justincappos Kaczorowski Kairo kairoaraujo @@ -85,6 +90,7 @@ Kimmich Knative Konstantinos Kratzer +Kuppusamy kusari Lakkakula lehors @@ -101,6 +107,7 @@ lumjjb maintainership malware mds +mnm Montazery Mozilla mvrachev @@ -148,6 +155,7 @@ RPi Rubygems Rutkowski Sandecki +SBO SBOMs Schaik scim @@ -179,6 +187,8 @@ tac TCs timeframes timezones +Trishank +trishankatdatadog TSC tuf typosquatting 
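Review bot: In the README.md hunk (the `+| SBOMit | https://github.com/sbomit | ...` row), the repo URL is written as `https://github.com/sbomit` while the new application file's Project References table uses `https://github.com/SBOMit`; GitHub will redirect either, but the two documents should agree on the org's canonical casing so a later link check or grep does not treat them as different projects.

Review bot: In the new `SBOMit_sandbox_stage.md` hunk, the Markdown link `[in-toto](in-toto.io)` has no scheme, so GitHub renders it as a relative link to `process/project-lifecycle-documents/in-toto.io`; write it as `[in-toto](https://in-toto.io)`. Two smaller points in the same hunk: the "Threat model of an attacker that can compromise any part of the software supply chain" goal reads as if nothing is trusted, yet the mission text says accuracy rests on in-toto link metadata and layouts, which only hold if some signer or layout key is assumed uncompromised, so the application would be clearer if it said which keys or roles are out of the attacker's reach (Section 2.2 of the cited paper spells this out); and "verifiable SBOM" / "Verifiable SBOM" is capitalised inconsistently across the goals list, which the spell-check job will also see as two words. The `Contributing guide | TODO` and `Roadmap | TODO` rows are fine for a sandbox application but should be tracked as follow-ups.

Review bot: In the `.github/actions/spelling/expect.txt` hunk that adds `+SBO`, the entry is not a word but the prefix check-spelling split off from `SBOMit`; the same applies to `+colek` (from the handle `colek42`) and `+mnm` (from `mnm678`) in the two earlier hunks of this file. Accepting fragments like these lets any future typo containing them through; consider instead adding the full handles and the project name to `allow.txt` or a pattern in `patterns.txt` next to `expect.txt` (both are standard check-spelling dictionaries), and keep `expect.txt` to whole words that actually appear in the text.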
From 5e5e215503c08248b884449d279d2f5df76d3f9d Mon Sep 17 00:00:00 2001 From: Ian Dunbar-Hall <100151740+idunbarh@users.noreply.github.com> Date: Thu, 5 Oct 2023 14:35:10 -0700 Subject: [PATCH 4/4] fix: fixing spelling workflow issues discussed by @jsoref @ https://github.com/ossf/tac/pull/192\#issuecomment-1749657593 (#6) Signed-off-by: Ian Dunbar-Hall --- .github/actions/spelling/expect.txt | 4 ++++ .github/workflows/spelling.yml | 2 ++ 2 files changed, 6 insertions(+) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index de9db88f..9be42eca 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -35,6 +35,7 @@ COPYLEFT colek Corail CPython +CRob crob CSAF curating @@ -150,6 +151,7 @@ Rezilion RFPs rhaning rnjudge +Roadmap roadmap RPi Rubygems @@ -167,6 +169,7 @@ semesterly Shopify Shortlist sif +Sigstore sigstore Sirish SKF @@ -190,6 +193,7 @@ timezones Trishank trishankatdatadog TSC +TUF tuf typosquatting Unicode diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index 9f0c8136..ace97c02 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -130,6 +130,7 @@ jobs: uses: check-spelling/check-spelling@main with: checkout: true + quit_without_error: 1 spell_check_this: check-spelling/spell-check-this@prerelease only_check_changed_files: 1 task: ${{ needs.spelling.outputs.followup }} @@ -147,6 +148,7 @@ jobs: uses: check-spelling/check-spelling@main with: checkout: true + quit_without_error: 1 spell_check_this: check-spelling/spell-check-this@prerelease only_check_changed_files: 1 task: ${{ needs.spelling.outputs.followup }}
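Review bot: In the four `expect.txt` hunks of this commit (`+CRob` above `crob`, `+Roadmap` above `roadmap`, `+Sigstore` above `sigstore`, `+TUF` above `tuf`), each addition sits directly beside an existing entry that differs only in case, so the next contributor will read them as duplicates and may delete one; the only rationale is the link in the commit subject, which also carries a stray backslash (`pull/192\#issuecomment-1749657593`) that breaks the URL when copied from `git log`. Put a sentence in the PR description on why both casings are required by the checker, and fix the subject line so the link resolves.

Review bot: In the two `.github/workflows/spelling.yml` hunks, `+      quit_without_error: 1` is added to both check-spelling steps with no comment, although it changes whether those jobs can fail; add a YAML comment above each occurrence stating what condition it suppresses and linking the discussion referenced in the subject, and confirm on a test PR containing a deliberate misspelling that the check still reports it (these steps are the ones driven by `task: ${{ needs.spelling.outputs.followup }}`, so the main spelling job should be unaffected, but that is worth verifying rather than assuming).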