From 2b31db09c77b82c201e48d64194f046aeb584038 Mon Sep 17 00:00:00 2001 From: Rob Craig Date: Tue, 10 Oct 2023 15:40:06 -0400 Subject: [PATCH] Create SPDX FuSa Group Meeting - June 16, 2023.md Adds meeting minutes and agenda from SPDX FuSa Group Meeting - 2023.06.16 --- ...SPDX FuSa Group Meeting - June 16, 2023.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 safety/SPDX FuSa Group Meeting - June 16, 2023.md diff --git a/safety/SPDX FuSa Group Meeting - June 16, 2023.md b/safety/SPDX FuSa Group Meeting - June 16, 2023.md new file mode 100644 index 00000000..6faa39be --- /dev/null +++ b/safety/SPDX FuSa Group Meeting - June 16, 2023.md @@ -0,0 +1,26 @@ +## SPDX FuSa Group Meeting - June 16, 2023 + +## Attendees +* Nicole Pappler +* Maximillian Huber +* Kate Stewart + +## Notes + +* SBOM types - Kate wants to do a formal mapping of the safety documents and determine which "Type" to classify each artifact in. Will use the Zephyr documents as a starting point + +* TODO: System BOM diagram for OpenAPS (note, without safety), but lining up with STPA components. + * Source --> Build , then grouping of Builds into "System". How to show when different devices are in use. + * System --> set of hardware devices, each of which have a set of software on them. + * Deploy App "A" on Android Devices + * Android Deployed SBOM - contains how it was configured, and what runtimes should be available + * App A - Deployed SBOM - how configured when put on Android Device --> Depends runtime from Android Deployed SBOM + * App A - Deployed SBOM --> Depends on App A Build SBOM --> App A Source SBOM + * Vulnerabilities --> understand Deployed (component level), Build --> part assembled inside Source --> vuln present. ***Sucessive Filtering*** emerging + + +* Strictdoc - may make sense to work with them on the relationships for linkage + * https://www.youtube.com/watch?v=k2MCFWvCs7E + * https://github.com/strictdoc-project/strictdoc-templates + * https://strictdoc.readthedocs.io/en/stable/strictdoc_01_user_guide.html + * Strictdoc will enforce mandatory fields. It's YAML based.