SBOMit Application Added to TAC
Signed-off-by: Ian Dunbar-Hall <ian.dunbar-hall@lmco.com>
idunbarh committed Sep 8, 2023
1 parent d8e3bb8 commit 573b169
Showing 1 changed file with 60 additions and 0 deletions.
60 changes: 60 additions & 0 deletions process/project-lifecycle-documents/SBOMit_sandbox_stage.md
@@ -0,0 +1,60 @@
## Application for creating a new project at Sandbox stage

### List of project maintainers

* Justin Cappos, NYU, justincappos
* Ian Dunbar-Hall, Lockheed Martin, idunbarh
* Cole Kennedy, TestifySec, colek42
* Marina Moore, NYU, mnm678
* Trishank Kuppusamy, Datadog, trishankatdatadog

### Mission of the project

SBOMit's goal is to provide SBOMs to end users with minimal effort that provide cryptographic validation of the steps performed in the software
supply chain. This differs from other SBOM efforts in that the data in the SBOM is validated cryptographically using [in-toto](in-toto.io)
link metadata and layouts, which provides a strong threat model while providing a robust set of guarantees about the SBOM's accuracy.

Specific goals include:

* Maintain compatibility with existing SBOM formats (could generate existing SBOMs), and ideally operable with SPDX, CycloneDX, and similar efforts
* Define use cases and outcomes (end user ux) including machine readable
* Emphasize usability / on-boarding for users. Acknowledged as critical by many stakeholders.
* Cryptographic verification that exactly the steps in the verifiable SBOM were performed
* Threat model of an attacker that can compromise any part of the software supply chain (e.g., Section 2.2 of https://www.usenix.org/system/files/sec19-torres-arias.pdf )
* Define which pieces of the Verifiable SBOM are cryptographically verifiable
* Be applicable anywhere (not just cloud native)!
* Utilize in-toto delivered bundle for distribution of a single file
* Optionally enabling the capture of reasonable information about the runtime environment of the supply chain steps including pre-build, post-build, and all other portions
* Optionally enabling the capture of the output of scanning tools, etc. that may make inferences. Note that these may be based upon incomplete and / or incorrect information, but surfacing this information may be useful.
* Provide a clear specification that other groups can implement for Verifiable SBOMs
* Provide exemplars of the tooling needed to generate and process Verifiable SBOMs
* Enable users of Verifiable SBOMs to be able to understand clearly what steps were performed, possibly via plug-ins through things like Testify, SLSA, FRSCA, etc.
* Multi-language tooling

Non-Goals:
* Picking a winning SBOM format (SPDX, CycloneDX, etc.)
* Recursing into components like the packages inside of a container image when the build process does not otherwise do so.
* Knowing that an individual action is actually a good security practice
* Assertions about the quality of the implementation of the tool / security processes describing how the SBOM or artifact came to exist




### IP policy and licensing due dilligence

When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).

* See [#191](https://github.com/ossf/tac/issues/191) for LF IP Review
* Our reference implementations will use the Apache 2.0 license
* Our specification uses [Community Specification License 1.0](https://github.com/SBOMit/specification/blob/main/LICENSE.md)
* Our website uses [Creative Commons Attribution 4.0 International](https://github.com/SBOMit/website/blob/main/LICENSE.md)

### Project References

| Reference | URL |
|--------------------|------|
| Repo | https://github.com/SBOMit |
| Website | https://sbomit.dev/ |
| Contributing guide | TODO |
| Roadmap | TODO |
| Demos | N/A |
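Review bot: the section heading "IP policy and licensing due dilligence" misspells "diligence" (the check-spelling annotation on this commit flags it too), and the in-toto link in the mission paragraph, `[in-toto](in-toto.io)`, has no URL scheme, so Markdown will render it as a relative path inside the repository; suggest `[in-toto](https://in-toto.io)`. The remaining check-spelling failures are all maintainer names and handles (Cappos, justincappos, idunbarh, colek, mnm, trishankatdatadog, Datadog, FRSCA), which belong in the repository's spelling allowlist rather than being edited out, so the check can go green without changing the application text. The Project References table still lists `Contributing guide | TODO` and `Roadmap | TODO`; either link the SBOMit repositories where those will live or state that they are pending, since a bare TODO in a submitted application reads as missing documentation.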

0 comments on commit 573b169