Adding the SBOM everywhere wiki project to the SBOM-everywhere OpenSSF repository #60

Merged
merged 2 commits into from
Jul 2, 2024
Changes from 1 commit
23 changes: 20 additions & 3 deletions .github/workflows/build-and-publish-page.yml
Expand Up @@ -18,20 +18,35 @@ jobs:
with:
node-version: 'lts/*'

# Build main page for the wiki
- name: Install dependencies
run: cd SBOM-wiki && npm install

- name: Run build
run: cd SBOM-wiki && npm run build

# Build the SBOM Catalog and copy the artifact to the wiki
- name: Install dependencies
run: cd SBOM-Catalog && npm install

- name: Run lint
run: cd SBOM-Catalog && npm run lint

- name: Run build
run: cd SBOM-Catalog && npm run build

- name: copy Catalog to build artifact
run: rm -rf SBOM-wiki/.vitepress/dist/catalog/* && mv SBOM-Catalog/dist/* SBOM-wiki/.vitepress/dist/catalog

# Publish all aritifacts
- name: Upload pages artifact to action workflow
uses: actions/upload-artifact@v4
with:
name: pages-build-artifact
path: SBOM-Catalog/dist
path: SBOM-wiki/.vitepress/dist/

- name: Create zip for release file
run: zip -r sbom-catalog-${{github.ref_name}}.zip SBOM-Catalog/dist
run: zip -r sbom-catalog-${{github.ref_name}}.zip SBOM-wiki/.vitepress/dist

- name: Upload pages release asset
uses: softprops/action-gh-release@v2
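Review bot: the release asset is still named `sbom-catalog-${{github.ref_name}}.zip` although it now packages `SBOM-wiki/.vitepress/dist`, i.e. the whole wiki with the catalog mounted under `catalog/`; rename it (for example `sbom-everywhere-${{github.ref_name}}.zip`) so the asset name matches its contents. Two smaller points in the same hunk: the job now contains two steps each called `Install dependencies` and two called `Run build`, which makes the run log hard to read, so qualify the names (`Install wiki dependencies`, `Build catalog`); and `# Publish all aritifacts` has a typo. Since `package-lock.json` is tracked (it is touched in this very PR), `npm ci` instead of `npm install` would install exactly the locked dependency tree and fail on drift, which is the safer choice for a step that feeds a published release.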
Expand All @@ -41,9 +56,10 @@ jobs:
- name: Deploy
uses: JamesIves/github-pages-deploy-action@v4
with:
folder: SBOM-Catalog/dist
folder: SBOM-wiki/.vitepress/dist
branch: gh-pages

# Create a SBOM with Syft for SPDX
create_spdx_sbom:
runs-on: ubuntu-latest

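Review bot: `folder: SBOM-wiki/.vitepress/dist` is consistent with the new upload path above, but `JamesIves/github-pages-deploy-action@v4` (like `actions/upload-artifact@v4` and `softprops/action-gh-release@v2` earlier in this file) is referenced by a floating major tag; for a workflow that publishes the site and release assets, pinning third-party actions to a full commit SHA with the tag kept in a trailing comment narrows the supply-chain exposure. Minor: the new comment should read `Create an SBOM`.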
Expand All @@ -61,6 +77,7 @@ jobs:
artifact-name: sbom-catalog-${{github.ref_name}}.spdx.json
format: spdx-json

# Create a SBOM with Syft for CycloneDX
create_cdx_sbom:
runs-on: ubuntu-latest

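Review bot: the generated SBOM is still published as `sbom-catalog-${{github.ref_name}}.spdx.json` while the release now ships the wiki plus the catalog; align this artifact name with the zip so the SBOM is recognisably attached to the artifact it describes. Same `a SBOM` -> `an SBOM` wording as in the comment above.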
27 changes: 25 additions & 2 deletions .github/workflows/build-pull-request.yml
Expand Up @@ -3,8 +3,10 @@ name: CI
on:
pull_request:

workflow_dispatch:

jobs:
build:
build-catalog:
runs-on: ubuntu-latest

steps:
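Review bot: renaming the job from `build` to `build-catalog` changes the name of the status check reported on pull requests; if branch protection lists `build` as a required check, it can never be satisfied after this merge, so update the rule (and add `build-wiki`) as part of merging. Adding `workflow_dispatch:` to a CI workflow is fine; it only enables manual runs.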
Expand All @@ -18,5 +20,26 @@ jobs:
- name: Install dependencies
run: cd SBOM-Catalog && npm install

- name: Run lint
run: cd SBOM-Catalog && npm run lint

- name: Run build
run: cd SBOM-Catalog && npm run build


build-wiki:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: 'lts/*'

- name: Install dependencies
run: cd SBOM-wiki && npm install

- name: Run build
run: cd SBOM-Catalog && npm run build
run: cd SBOM-wiki && npm run build
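Review bot: both jobs use `npm install`; with `SBOM-Catalog/package-lock.json` tracked (it is modified in this PR), `npm ci` would install the locked tree and fail the PR if the lockfile and `package.json` diverge, which is exactly what a PR check should catch. `build-wiki` repeats the checkout and Node setup of `build-catalog` and every step starts with `cd <dir> &&`; setting `defaults: run: working-directory:` per job would drop the `cd` prefixes and keep the two jobs from drifting. There is also a stray double blank line before `build-wiki:`.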
30 changes: 15 additions & 15 deletions SBOM-Catalog/package-lock.json


3 changes: 2 additions & 1 deletion SBOM-Catalog/vite.config.ts
Expand Up @@ -4,6 +4,7 @@ import vue from '@vitejs/plugin-vue'
// https://vitejs.dev/config/
export default defineConfig({
assetsInclude: ['**/*.yaml'],
base: '/',
base: '/catalog/',
// base: '/sbom-everywhere/catalog/',
plugins: [vue()],
})
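Review bot: `base: '/catalog/'` has to stay in step with the copy target `SBOM-wiki/.vitepress/dist/catalog` in `build-and-publish-page.yml`; neither file references the other, so a comment pointing at the workflow step (or a build-time check) would prevent the two from drifting and producing a site whose asset URLs 404. The commented-out `base: '/sbom-everywhere/catalog/'` is dead config and mirrors the commented-out `base` in the VitePress config: decide on one deployment path and drop the other.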
24 changes: 24 additions & 0 deletions SBOM-wiki/.gitignore
@@ -0,0 +1,24 @@
# Logs
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
pnpm-debug.log*
lerna-debug.log*

node_modules
dist
dist-ssr
*.local

# Editor directories and files
.vscode/*
!.vscode/extensions.json
.idea
.DS_Store
*.suo
*.ntvs*
*.njsproj
*.sln
*.sw?
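Review bot: `*.local` covers Vite's `.env.local` and `.env.*.local` files but not a plain `.env`; if the wiki or the catalog ever reads tokens from env files, add `.env` and `.env.*` so they cannot be committed by accident. Otherwise this is the standard Vite template ignore list.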
52 changes: 52 additions & 0 deletions SBOM-wiki/.vitepress/config.mts
@@ -0,0 +1,52 @@
import { defineConfig } from 'vitepress'

// https://vitepress.dev/reference/site-config
export default defineConfig({
// base: "/sbom-everywhere/",
title: "SBOM-Everywhere Wiki",
description: "Information and advice about using SBOM in open source projects.",
themeConfig: {
search: {
provider: "local"
},

// https://vitepress.dev/reference/default-theme-config
nav: [
{ text: 'Home', link: '/' },
{ text: 'Basics', link: '/basics' },
{ text: 'About us', link: '/about-us'}
],

sidebar: [
{
text: 'Essentials',
items: [
{ text: 'Basics', link: '/basics' },
{ text: 'Getting Started', link: '/getting-started' },
{ text: 'Glossary', link: '/glossery' },
{ text: 'FAQ', link: '/faq' }
]
},
{
text: 'Cataloges',
items: [
{ text: 'SBOM Tools', link: 'https://sbom-catalog.openssf.org/catalog/' },
{ text: 'SBOM Compliance', link: '/sbom-compliance' },
{ text: 'SBOM working groups', link: '/sbom-working-groups'},
{ text: 'SBOM Example Integrations', link: '/example-integrations' }
]
},
{
text: 'Guidance',
items: [
{ text: 'SBOM Types', link: '/sbom-types' },
{ text: 'SBOM Naming', link: '/sbom-naming' },
{ text: 'About us', link: '/about-us'}
]
}
],
socialLinks: [
{ icon: 'github', link: 'https://github.com/ossf/sbom-everywhere' }
]
}
})
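Review bot: the sidebar link `'/glossery'` looks like a typo for `/glossary`, and none of the pages this sidebar points to besides `basics`, `about-us` and `example-integrations` (`getting-started`, `faq`, `sbom-compliance`, `sbom-working-groups`, `sbom-types`, `sbom-naming`) is among the files added in this diff, so the sidebar renders dead links until those pages exist; either add stubs like `basics.md` or trim the config to the pages that exist. `text: 'Cataloges'` should be `Catalogs`. The `SBOM Tools` entry points at the external `https://sbom-catalog.openssf.org/catalog/`, while the publish workflow copies the catalog into this site's own `/catalog/` path; pick one canonical location so the two deployments cannot diverge.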
9 changes: 9 additions & 0 deletions SBOM-wiki/.vitepress/theme/index.js
@@ -0,0 +1,9 @@
import DefaultTheme from 'vitepress/theme'

/** @type {import('vitepress').Theme} */
export default {
extends: DefaultTheme,
enhanceApp({ app }) {
// register your custom global components
}
}
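Review bot: `enhanceApp` is empty apart from a placeholder comment; VitePress uses `DefaultTheme` without this file, so either register a component here or drop the file rather than carry a no-op theme override.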
120 changes: 120 additions & 0 deletions SBOM-wiki/about-us.md
@@ -0,0 +1,120 @@
# SBOM Everywhere SIG (About us)

# OSSF SBOM Everywhere SIG

Home of the OpenSSF SBOM Everywhere SIG. We're glad you're here!

## Get Involved

* Official communications occur on the [openssf-sig-sbom](https://lists.openssf.org/g/openssf-sig-sbom) mailing list
* [Manage your subscriptions to Open SSF mailing lists](https://lists.openssf.org/g/main/subgroups)
* We have a [Slack Channel](https://openssf.slack.com/archives/C03GKSYFRC0) for discussion various SBOM related activities

### Meeting times

* Every other Tuesday @ 11:05am EST. The invite is available on the [OpenSSF Community Calendar](https://calendar.google.com/calendar/u/0/r?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ).
* [Meeting Minutes](https://docs.google.com/document/d/193ODRga1F49WKPYYR79SNi9b27mChBqpOf5iiWJcMso/edit#heading=h.xqitfd6hs1gc) can be found in this Google Document. Feel free to add agenda items, please put your name next to items you add.

## Motivation

- The initial motivation for the formation of the OSSF SBOM Everywhere SIG is born from OpenSSF's [The Open Source Software Security Mobilization Plan](reference/mobilization_plan.pdf). SBOM standardization and consensus from within the open source community is integral to adoption of universal constructs that reveal themselves via the exploration of use cases beyond a compliance check box.

## Objective

### The 3 overarching goals from the White House meeting
- Securing OSS Production: focus on preventing security defects and
vulnerabilities in code and open source packages in the first place
- Improving Vulnerability Discovery & Remediation: improving the process
for finding defects and fixing them
- Shorten Ecosystem Patching Response Time: Shorten the response time for
distributing and implementing fixes.

### The goals for this group as defined in the mobilization plan
- The requirements needed to build use cases using SBOMs are clearly
understood, documented and implemented in current SBOM specifications
- There are “friction free” open source tools that generate SBOMs that meet
these requirements
- There is readily accessible education, awareness and implementation
guidance and 3rd party support




## Scope

The mobilization plan defines scope as
_By focusing on tools and advocacy, we can remove the barriers to
generation, consumption, and overall adoption of SBOMs everywhere, we can
improve the security posture of the entire open source ecosystem:
producers, consumers, and maintainers._



### Formatting Specifications

For the purposes of establishing ubiquity to ensure sustainability for SBOM related tooling, and future solutions for consumption, “supported” formats must be defined. At this time there are two supported formats that will be in scope for the purposes of this group: [CycloneDX](https://cyclonedx.org) and [SPDX](https://spdx.dev).

Utilization of these specifications would likely be discretionary and interchangeable depending on the use case and SBOM type and the requirements of individual organizations and internal tooling.

This group's interpretation is
- [Use cases](https://docs.google.com/document/d/15X0TspuxUg19YScqNK1tl5kYpJV2xOrcuSx6CwanYZ0/edit#)
- Defining types of SBOMs
- Source
- Binary analysis
- Build
- Deploy Runtime
- Generation
- Formats - clearly define expectations
- Consumption
- How do we track and encourage the consumption of the artifacts
- something about tools
- Adoption (how do we encourage others to create and use SBOMs)
- Something about producers, consumers, and maintainers
- Where does the burden lie on accountability and enforcement?
- something about tools
- Tools are everywhere, what do we do with this?
- something about advocacy
- Attestation?
- Not part of tooling, this needs to be a policy decision in these
conversations, don't worry about the technical details (yet)
- Where does this fit in? Producers, consumers, ???
- https://github.com/in-toto/attestation
- Compliance (regulated industry)

The Federal Government exists at every point of the Software Delivery Lifecycle, hence their minimum requirements are good guides to establish a baseline scope.
- Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations [NIST SP 800-161 Rev. 1](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final)
- [Executive Order 14028](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains)
- ![](https://www.nist.gov/sites/default/files/styles/2800_x_2800_limit/public/images/2021/07/09/software-verification-timeline.png)
- [Minimum Standards for Federal Government End Users](https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/recommended-minimum-standard-vendor-or-developer)


## SBOM Catalog
To provide a better overview of the available tooling and their capabilities, this group maintains an SBOM Catalog which can be found under the following link:

[https://ossf.github.io/sbom-everywhere/](https://ossf.github.io/sbom-everywhere/)

If you want to get involved, please see the document [here](https://github.com/ossf/sbom-everywhere/SBOM-Catalog/contribute.md)


## Prior Work
### NTIA
- [NTIA SBOM Resources](https://ntia.gov/SBOM)
- [Software Bill of Materials Elements and Considerations](https://www.regulations.gov/docket/NTIA-2021-0001/document)
- [Plan to Congress on Declassification and Clearances related to The Communications Supply Chain Risk Information Partnership](https://ntia.gov/files/ntia/publications/ntia_plan_on_declassification_and_clearances_re_c-scrip.pdf)

NTIA's legwork has been a guiding source having done the most comprehensive research to date.

### CISA
- [CISA SBOM Resources](https://www.cisa.gov/sbom)

### OWASP SCVS
- [OWASP SCVS Resources](https://owasp.org/scvs)

#### Tickets related to BOM Maturity model:
- [OWASP/Software-Component-Verification-Standard#34](https://github.com/OWASP/Software-Component-Verification-Standard/issues/34)
- [OWASP/Software-Component-Verification-Standard#35](https://github.com/OWASP/Software-Component-Verification-Standard/issues/35)
- [OWASP/Software-Component-Verification-Standard#36](https://github.com/OWASP/Software-Component-Verification-Standard/issues/36)

## Governance

The [CHARTER.md](https://github.com/ossf/sbom-everywhere/CHARTER.md) outlines the scope and governance of our group activities.
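Review bot: two links will 404 on GitHub: `https://github.com/ossf/sbom-everywhere/SBOM-Catalog/contribute.md` and `https://github.com/ossf/sbom-everywhere/CHARTER.md` both lack the `/blob/<branch>/` segment that GitHub file URLs require. The relative link `reference/mobilization_plan.pdf` resolves only if that PDF is also placed under `SBOM-wiki/`, which this diff does not show. The page also opens with two top-level `#` headings; keep one. The scope list still carries drafting notes (`something about tools`, `something about advocacy`, `???`) that read as unfinished on a public wiki, and `for discussion various SBOM related activities` is missing "of".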
5 changes: 5 additions & 0 deletions SBOM-wiki/basics.md
@@ -0,0 +1,5 @@
# Basics

::: warning Work in Progress
This site is Work in progress and just a concept.
:::
3 changes: 3 additions & 0 deletions SBOM-wiki/catalog/index.md
@@ -0,0 +1,3 @@
::: warning
THIS IS A PLACEHOLDER FOR THE SBOM CATALOG THAT GETS DEPLOYED HERE. DONT USE THIS PATH FOR OTHER RESOURCES!
:::
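Review bot: this placeholder is what makes `.vitepress/dist/catalog/` exist in the wiki build, and the publish workflow's `rm -rf SBOM-wiki/.vitepress/dist/catalog/* && mv SBOM-Catalog/dist/* SBOM-wiki/.vitepress/dist/catalog` step relies on that: moving several files into a missing directory fails. Say so in the warning text so nobody removes the file as dead weight. `DONT` -> `DON'T`.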
5 changes: 5 additions & 0 deletions SBOM-wiki/example-integrations.md
@@ -0,0 +1,5 @@
# Example integrations

::: warning Work in Progress
This site is Work in progress and just a concept.
:::