Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Convert NTIA tool list into a more GitHub friendly format #2

Open
joshbressers opened this issue Aug 4, 2022 · 18 comments
Open

Convert NTIA tool list into a more GitHub friendly format #2

joshbressers opened this issue Aug 4, 2022 · 18 comments
Labels

Comments

@joshbressers
Copy link
Contributor

Work done with NTIA - crowdsourced from NTIA (maybe should merge, because many tools support multiple formats)

Tooling Ecosystem working with SPDX

Tooling Ecosystem working with CycloneDX

Tooling Ecosystem working with SWID

TODO: Turn these into a machine readable format [Kate, Vicky, David, Bunny, Georg]

@stevespringett
Copy link

The CycloneDX community created the Tool Center from the original NTIA doc and largely abandoned the doc while NTIA was still referencing it. The current data is located at https://github.com/CycloneDX/cyclonedx.org/blob/master/_data/tools.yml

It uses a similar, but not identical taxonomy.

@joshbressers
Copy link
Contributor Author

@anoncam
Copy link
Contributor

anoncam commented Aug 13, 2022

@joshbressers if you'd like to assign i'm happy to take a stab

@anoncam
Copy link
Contributor

anoncam commented Aug 13, 2022

@joshbressers @stevespringett

fair to state that the two formats of viable futures are SPDX and CycloneDX. Bringing this up in the public forum to address alternate formats, which have far less adoption to warrant inclusion at the standardization level of SBOM(s) everywhere.

@stevespringett
Copy link

The NTIA effort identified three formats which could be used as SBOM formats. SWID clearly isn't one. OWASP does not recognize SWID as an SBOM format. And CycloneDX natively supports SWID for the identification of commercial software, which is what SWID was designed for.

@gkunz
Copy link

gkunz commented Aug 15, 2022

Hi @anoncam. Just for clarification: the landscape we are envisioning to create here focuses primarily on providing an overview of available tooling for managing SBOMs. Obviously, the supported SBOM formats is a key property of the tools listed here, but the intention of this work is not really to dive into alternate SBOM formats themselves.

@anoncam
Copy link
Contributor

anoncam commented Aug 15, 2022

Agreed. I don't think explicitly stating formatting standards changes that.

Arguably it offloads the focus of formatting to the project level where it is well-documented and supported.

@gkunz

@vmbrasseur
Copy link

As I skim the document my first impression is that this is likely far too academic and in the weeds for a first pass at collecting this information. Starting at categorisation—and in such detail—doesn't feel especially actionable/useful at this point.

Wouldn't it be better if we were first to gather a list of tools and then categorise them? That would provide a list for end users/developers to reference in some form while also allowing a better view for comparisons in the categorisation stage.

@joshbressers
Copy link
Contributor Author

I think @vmbrasseur is on to something. Just having a list of tools would go a long way. Every list I've seen to date is VERY hard to navigate

joshbressers pushed a commit that referenced this issue Aug 17, 2022
@kestewart
Copy link

@vmbrasseur - did you have a chance to look at the NTIA tool summary individual pages at the start of this thread? The categorization work has already been done based on crowd sourcing. Key is to get an interface so people can find the tools they are interested in "easily".

@joshbressers - I think we need to decide do we want to organize by tools or organize by which format they support? Lots of tools nowaday support multiple formats.

@joshbressers
Copy link
Contributor Author

@kestewart I'm a fan of organizing by use case and format. Nobody is going to come to us looking for a tool, they will have a specific problem to solve with an expected outcome. We should help them find the best tool for that job

@gkunz
Copy link

gkunz commented Aug 25, 2022

Given the discussions we had on the last call, which revolved around how this work fits into the larger picture of the SIG, I'd like to give it a try to detail the scope of this work item (according to my understanding). This may be considered input for #12 :

"The purpose of this work item is to create a landscape, i.e., a human-friendly navigatable list of SBOM tools, which allows users to identify relevant tools based on filters (e.g., use cases, capabilities, formats supported etc.). The data for this landscape should be sourced from the NTIA documents listed above. The value of this is to help users in identifying the right SBOM tool for their problem, thereby supporting the adoption of SBOMs across the industry."

This can be considered complementary to the idea of promoting a short list of specific tools, this SIG recommends for adoption by open source projects.

@joshbressers joshbressers changed the title Convert NTIA documents into a more GitHub friendly format Convert NTIA tool list into a more GitHub friendly format Aug 30, 2022
@david-a-wheeler
Copy link

david-a-wheeler commented Aug 30, 2022

I think the idea here is to create a landscape like https://landscape.cncf.io/ - that can be implemented an easily-edited YAML file, using Dan Kohn's library, but someone needs to figure out what's important to record.

@mrutkows
Copy link

mrutkows commented Aug 30, 2022

One of the missing "tools" is a that which can create an independent dependency graph (across artifact types, language/package deps., base images, etc.) as every SBOM tool tends to create its own graph based upon its own assumptions. In terms of language-specific SBOM tools, they are often coded to only a partial graph for files (package lists) they look for and can interpret. Effectively, we need a graphing tool that can be used for traversal for any language as almost all applications (and products) are composed of a plurality of languages.

Opened a separate issue: #21

@AevaOnline
Copy link

One of the missing "tools" is a that which can create an independent dependency graph (across artifact types, language/package deps., base images, etc.

May I point you towards https://gitbom.dev/ ? :)

@gkunz
Copy link

gkunz commented Aug 30, 2022

@david-a-wheeler: yes, this would be the outcome - if the group agrees that this is useful. @kestewart pointed me to an existing yet still empty landscape, based on the LF landscape tooling, at https://landscape.spdx.dev

It would be important to provide filtering and search capabilities. The landscape tool already supports this. It remains to be investigated - again if deemed useful by the group - if our use case requires significant changes to the existing tool.

@joshbressers
Copy link
Contributor Author

We should consider creating a proposal to to have someone fund creating the initial landscape rather than trying to have volunteers create the first landscape

@joshbressers
Copy link
Contributor Author

Here is the current landscape proposal we are working on https://docs.google.com/document/d/1gLSMHJ-l09r73aBDAIG4ld4pbC85D5UgTaICKqmKXKg/edit#

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

9 participants