Re: [OPSAWG] 2nd try: how many SBOMs do we need to locate and discover?

Patrick Dwyer <patrick.dwyer@owasp.org> Wed, 14 April 2021 21:44 UTC

From: Patrick Dwyer <patrick.dwyer@owasp.org>
Date: Thu, 15 Apr 2021 07:44:27 +1000
Message-ID: <CACjy5ZfF_16ZmmjYtRqKp+whQbLPvDhYizpz01ZWN0jzqNogiw@mail.gmail.com>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
Cc: opsawg <opsawg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/0dM-_NxbS9BNY9MKaitaSYVoc3Y>

Comparing the SBOM you've been given to upstream SBOMs is one that springs
to mind. Especially if any sort of analysis/audit has been done to augment
the SBOM. But in that case they would be referenced inside the SBOM you're
looking at.

On Thu, Apr 15, 2021 at 1:41 AM Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
wrote:

> It seems that my mail system ate my first attempt at this.
>
> One of the questions I raised in the opsawg meeting was how many SBOMs we
> would need to be able to retrieve.  I am looking for use cases where there
> would be more than one.  To me, I think the place to look is around VMs and
> containers, where the SBOM might be internalized.  But that’s just one
> model. Another model would be that the container SBOM is hierarchically
> incorporated into the overall device SBOM.  If that is done by reference,
> then I guess we get more than one.  And every time we try to define what a
> device is at the IETF we seem to get burned if the model is not flexible.
>
> Thoughts?
>
> Eliot
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>
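As an added illustration (not code from this thread and not tied to any particular SBOM standard), a small Python resolver over a constructed, format-neutral SBOM shape: it walks by-reference inclusions to count how many SBOMs a device actually requires (the "more than one" case above, with cycle handling) and then diffs the aggregated component set against a constructed upstream SBOM, the comparison the reply suggests. All URLs and component names are made up.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample store: SBOM URL -> document. A document lists its own
# components and may incorporate further SBOMs by reference (e.g. a container
# SBOM referenced from the device SBOM). Shape is illustrative only.
SBOM_STORE: Dict[str, dict] = {
    "https://example.test/sbom/device-1.0": {
        "components": ["firmware@1.0", "busybox@1.33"],
        "references": ["https://example.test/sbom/container-a"],
    },
    "https://example.test/sbom/container-a": {
        "components": ["nginx@1.19", "openssl@1.1.1k"],
        # self-reference, constructed to show that cycles do not loop forever
        "references": ["https://example.test/sbom/container-a"],
    },
}

# Constructed "upstream" SBOM for the same device as published by the vendor.
UPSTREAM_DEVICE_SBOM = {"components": ["firmware@1.0", "busybox@1.33", "openssl@1.1.1k"]}


def sboms_to_retrieve(root: str, store: Dict[str, dict]) -> List[str]:
    """Every SBOM URL reachable from root via by-reference inclusion, in
    discovery order. A visited set keeps cycles and shared references from
    being fetched twice. Unresolvable references still appear in the list so
    the caller can flag them rather than silently trusting a partial view."""
    seen: Set[str] = set()
    order: List[str] = []
    stack = [root]
    while stack:
        url = stack.pop()
        if url in seen:
            continue
        seen.add(url)
        order.append(url)
        doc = store.get(url)
        if doc is not None:
            stack.extend(doc.get("references", []))
    return order


def all_components(root: str, store: Dict[str, dict]) -> Set[str]:
    """Union of components across the device SBOM and every referenced SBOM."""
    comps: Set[str] = set()
    for url in sboms_to_retrieve(root, store):
        comps.update(store.get(url, {}).get("components", []))
    return comps


def compare_with_upstream(given: Set[str], upstream: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (only_in_given, only_in_upstream): the divergences to investigate."""
    return given - upstream, upstream - given
```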