Add SLSA + SBOM blogpost

[lumjjb]

SLSA + SBOM blogpost

Signed-off-by: Brandon Lum lumjjb@gmail.com

[netlify]

✅ Deploy Preview for slsa ready!

Name	Link
🔨 Latest commit	8f69a7f
🔍 Latest deploy log	https://app.netlify.com/sites/slsa/deploys/626fe48dd63bb80007f06758
😎 Deploy Preview	https://deploy-preview-376--slsa.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[dlorenc]

Great post!

[mlieberman85]

I would cite it as the minimum elements for an SBOM don't require this information thus meaning you can't rely on it to include build information https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf

I state this because different SBOM tools and specifications CAN include build information but don't need to leading to you not being able to rely on it to contain that information

[lumjjb]

Yup - I see where you're coming from. Yea I think from the current functional standpoint as well, most tooling doesn't do this, or at least most people are not thinking about it. Maybe, we can phrase it as:

"Today, SBOMs, don't include ..."

I am a bit hesitant to quote the minimum elements. I am afraid of going down the road of discussion of sbom minimum standards is going to be what's implemented, because today, for the most part we are doing much better than it. My view on the minimum elements is more for vendors of proprietary software that are very reluctant to put out information, that this is the absolute minimum to meet compliance.

[mlieberman85]

I would word it a bit less concretely. It provides evidence allowing an end user to trust. I worry that it gives the wrong impression. I wouldn't say SLSA itself secures the step.

I like the wording below that the guidelines help providence confidence that you are protected against certain kinds of attacks.

[lumjjb]

I would word it a bit less concretely. It provides evidence allowing an end user to trust. I worry that it gives the wrong impression. I wouldn't say SLSA itself secures the step.

Hmm, I'm trying to tease this apart between SLSA as the provenance document and as the framework. I think we were trying to encompass some of the broader goals of the SLSA framework around securing the build system, etc. - slsa4 hardening, etc. (i.e. the SSDF stuff).

Wondering how this can be worded to be clearer.

[lumjjb]

How about "The SLSA framework provides this trust by providing guidelines and evidence for securing each step of the software production process..."

[mlieberman85]

SGTM

[mlieberman85]

I would word it slightly differently to make sure that SLSA provides evidence of protections against certain attacks.

[lumjjb]

Hmm, what do you think about taking the phrasing from https://slsa.dev/spec/v0.1/threats

to say "These guidelines mitigate against the risk"

[mlieberman85]

Good point. I think we might just want to highlight that it is both. That SLSA compared to alternatives provides attestations that you are performing those practices.

[mlieberman85]

One thing I've done that I think is complementary and might prove to be valuable is I use SLSA attestations to provide provenance metadata for how my SBOM was built in the first place. So I would have SLSA attestation for my actual software and another one for how I generated my SBOM. I think it's valuable because it helps provide additional evidence as to what tool generated the SBOM as well as what the SBOM used as its "materials" for generation, e.g. did it build the SBOM from a container image, from a go mod file, from a binary analysis of the compiled software, etc.

[stevespringett]

One thing to note, SBOMS, as defined by consensus through NTIA, are incompatible with reproducible builds. This should be addressed.

[lumjjb]

Hmm, can you elaborate a bit more on this - it does sound like a much broader discussion. Think this is a good idea to bring up during the next SLSA call if there's room in the agenda.

I think from a content delivery perspective, the discussion around reproducible builds + SBOM deserves its own story and perhaps a different audience.

[stevespringett]

From the NTIA minimum elements:

Timestamp records when the data is assembled -- the point of the SBOM creation.

For every build, even if most artifacts are reproducible, the SBOM created during a build must have a different timestamp. There are many audit and assurance reasons for this requirement.

The data about software components can be collected at different stages in the software lifecycle, including from the software source, at build time, or after build through a binary analysis tool. Due to unique features of each of these stages, the SBOM may have some differences depending on when and where the data was created.

Timestamps are obviously tied to "when", however, a component's point-of-origin may vary depending on build tool configuration, DNS, or repository proxying and mirroring.

---

The consensus among NTIA participants is that SBOM must be a non-reproducible artifact. It can be repeatable. It can be predictable, but it will not conform to reproducable builds.

[mlieberman85]

LGTM