Software Bill of Materials

[bvhme]

Dear colleagues,

A Software Bill of Materials is an important instrument for cybersecurity and for public administrations to understand what open source the software they use (closed or open) is based on.

It would be valuable for European Public administrations to include requirements for Software Bills of Material into their procurement as a requirement.

Would it be interesting to make this a part of the publiccode.yml standard, or otherwise make this a part of something that is facilitated by the standard? Or should this be a new and separate standard?

I'm curious to hear what you think.

[ruphy]

hello @bvhme,

it sounds great and has been something we've tried to implement with the dependencies key, although with mixed luck.

I would be happy to see a better way to represent the dependencies, either directly or through facilitation, as cybersecurity is an important use case for us. Do you have any examples of how this could look like in practice?

[libremente]

I guess that in the dependencies world @bzg is the one with the most experience. WDYT about this SBOM proposal?

[marcvanandel]

I'm interested in a collection and overview of standards for SBOMs. Maybe the Standard for Public Code should be extended with a Standard for SBOM?

[ruphy]

@marcvanandel do you have any proposal on how that could be integrated?

[marcvanandel]

Well ... I haven't done any research on the existence of standards for SBoMs ... but I expect some sort of dependencies list or tree. This could be generated out of any build script like e.g. build.gradle.kts, pom.xml or package.json and put into a programming language agnostic standard? These days that would be a YAML file? Or added to the publiccode.yml? Or a more LinkedData appraoch might be adding a link to a transformation script / template which produces the language agnostic output directly from the build script? Something like this?

[bzg]

Hi Boris, Boris van Hoytema ***@***.***> writes:

A Software Bill of Materials is an important instrument for cybersecurity and for public administrations to understand what open source the software they use (closed or open) is based on.

Agreed.

It would be valuable for European Public administrations to include requirements for Software Bills of Material into their procurement as a requirement.

Yes. We recently held a workshop ([PDF](https://box.bzg.io/cloud/index.php/s/FPbnaPiR5B4iefK) and french [replay](https://dai.ly/x866ogt) of the conference, both in French, sorry) on intellectual property in procurement for public software, explaining how to ensure that public agencies can publish the code they develop or pay for. There is room for more practical advice, e.g. by providing procurement templates, ones that could require a more formal approach to SBOM. The goals would be for agencies (1) to ensure license compliance via the SBOM (2) to let them know upfront what source code they can publish under a free license.

Would it be interesting to make this a part of the publiccode.yml standard, or otherwise make this a part of something that is facilitated by the standard? Or should this be a new and separate standard?

I'm not sure what value this would provide. I very much see a SBOM being useful *at the procurement level*, but not at the source code level. For repos with a publiccode.yml file, reusers can assume that the code is free software and that they can reuse it, either as a standalone software (in which case the SBOM is not useful), or as part of a larger project (in which case they will have to build a SBOM anyway, a process that cannot really be automated by tracking down all the dependencies and their dependencies.) Perhaps I'm wrong of course - I'd love to see how SBOM-related declarations in publiccode.yml could ease the process of write a SBOM for reusers.

I'm curious to hear what you think.

I think it's worth exploring :)

[bzg]

libremente ***@***.***> writes:

I guess that in the dependencies world @bzg is the one with the most experience. WDYT about this SBOM proposal?

We are only tracking 1st level dependencie of code.gouv.fr repos. E.g., here are the repos using [log4j](https://code.gouv.fr/#/deps?q=log4j&platform=all). If this kind of information helps writing a SBOM, good, but I doubt so, because "materials" in the SBOM I've seen reads much more like "We are relying on an ElasticSearch DB" than "Repo X will depend on log4j v2.4". They are more high level functional "dependencies", rather than low level ones. But maybe SBOM requirements vary a lot.

[bzg]

Marc van Andel ***@***.***> writes:

I'm interested in a collection and overview of standards for SBOMs.

I would be interested too!