bomctl - OpenSSF Sandbox Application
The bomctl project was developed as an experiment within the Security Tooling WG as a response to a 2023 Secure Open Source Software Summit item. We are seeking admission to the OpenSSF sandbox and continued alignment to the Security Tooling WG.
Overview
bomctl is format-agnostic Software Bill of Materials (SBOM) tooling, which is intended to bridge the gap between SBOM generation and SBOM analysis tools. It focuses on supporting more complex SBOM operations by being opinionated on only supporting the NTIA minimum fields or other fields supported by protobom.
It is intended to help developers who need to manipulate SBOMs at the CLI or within a workflow. An example operation is merging in project-specific SBOM data that an SBOM generation tool would not detect on its own.
List of project maintainers
The project must have a minimum of three maintainers with a minimum of two different organizational affiliations.
- "Jonathan Howard", "Lockheed Martin", @jhoward-lm
- "Eddie Zaneski", "Defense Unicorns", @eddiezane
- "Allen Shearin", "Lockheed Martin", @ashearin
- "Ian Dunbar-Hall", "Lockheed Martin", @idunbarh
Sponsor
Most projects will report to an existing OpenSSF Working Group, although in some cases a project may report directly to the TAC. The project commits to providing quarterly updates on progress to the group they report to.
- Security Tooling WG - This project was initially developed as an experiment under the Security Tooling WG.
Mission of the project
The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be initial code needed for OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.
- "bomctl is format-agnostic Software Bill of Materials (SBOM) tooling, which is intended to bridge the gap between SBOM generation and SBOM analysis tools. It focuses on supporting more complex SBOM operations by being opinionated on only supporting the NTIA minimum fields or other fields supported by protobom."
- "bomctl started as an action from the Secure Open Source Summit 2023 in DC. The action item was to merge existing SBOM tooling into a single source for SBOM-format-agnostic tooling to manage relationships between SBOM files. No existing tooling beyond the protobom work was format agnostic. This led to bomctl being developed by the Security Tooling WG."
- "bomctl heavily builds on protobom."
- "Protobom is a Go library for manipulating SBOM data in a format-agnostic manner."
- "bomctl is a CLI that handles movement, operations, and caching of SBOM files and will allow linkages between SBOM files."
Specific Goals Include:
- Simplify the process of manipulating SBOM files while remaining SBOM format agnostic
- Simplify linking SBOM files to allow "trees" of SBOM files that capture systems of systems
- Manage reading SBOM files from a variety of sources
- Manage writing SBOM files to a variety of destinations
- Create a CLI to wrap protobom Go library functionality
Non-Goals Include:
- Enriching SBOMs from external data sources
- Providing Software Supply Chain Insights (please use GUAC for this)
- Managing SBOMs "at scale"
IP policy and licensing due diligence
When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).
- "TBD" - https://github.com/ossf/tac/issues/368
Project References
The project should provide a list of existing resources with links to the repository, and if available, website, a roadmap, contributing guide, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the project.
| Reference | URL |
|---|---|
| Repo | https://github.com/bomctl/bomctl |
| Website | https://github.com/bomctl/bomctl |
| Contributing guide | https://github.com/bomctl/bomctl/blob/main/CONTRIBUTING.md |
| Security.md | https://github.com/bomctl/bomctl/blob/main/SECURITY.md |
| Scorecard Report | https://securityscorecards.dev/viewer/?uri=github.com/bomctl/bomctl |
I also agree with this and will approve once legal review is complete.
The legal review has significant backlog and might take a few weeks to complete. Because the announcement is desired at the beginning of September can we shift this to getting a vote from all TAC members for the following options:
- [ ] Approve pending no concerns from license review
- [ ] Waiting until license review for my vote
- [ ] Needs improvements (comments)
- [ ] Denied
An "approved review" we will take as the first option :)
Approved pending no concerns from license review
Approve pending no concerns from license review
Approve pending no concerns from license review
Approve pending no concerns from license review
Approve pending no concerns from license review
The IP and license review concluded with no issues. We can close this out as approved 🎉
Wooh! Very excited for bomctl to gain sandbox status.
@SecurityCRob Any remaining steps for this PR to be merged?
The majority of the TAC has approved, so this is complete! Congrats & welcome to OpenSSF!
@SecurityCRob - as TAC chair, do you want to officially push the merge button?
TAC approval on call recorded in the 2024-08-20 TAC minutes