SBOM Study Group Kick-Off 2024-07-30-SPDX-Lite

Uploaded by ShaneCoughlan3, 20 slides, Jul 30, 2024
OpenChain SBOM Study Group
Kickoff meeting
- Case Study: SPDX-Lite
Norio Kobota, OpenChain Japan Working Group

licensed under CC0-1.0, OpenChain Japan Working Group
Focus Areas of SPDX Lite
Solving the Challenges of Software Exchange between External Parties.
[Diagram: PUSH/PULL arrows from Open Source Communities and Other Companies, RECEIVE into Our Company (Team A ... Team X, product), DISTRIBUTE to End User, Customers and Other Companies.]

Focus Areas of SPDX Lite
Solving the Challenges of SBOM Exchange between External Parties.
[Diagram: the same PUSH/PULL, RECEIVE and DISTRIBUTE flow as the previous slide.]

What happens when software suppliers don't understand?

SBOM Supply Chain Reality
Knowledgeable team analyzes the details and manages configuration
[Diagram: the same RECEIVE/DISTRIBUTE flow, with Team Z "w/ knowledge" inside Our Company and the labels "Analyze details w/ Source Code" and "Insufficient Information".]

Who should know all the details of software?
[Diagram: the same RECEIVE/DISTRIBUTE flow, with the Customers side labelled "Commercial Product (Software, Embedded Device, etc.)".]
It is OUR responsibility to verify and correct the software details if there is a problem, not the customers'.

SBOM enables us to exchange information with anyone in a common format
[Diagram: the same RECEIVE/DISTRIBUTE flow, labelled "Common Language".]

Minimum clues needed for experts to investigate in detail.
https://spdx.github.io/spdx-spec/v2.3/package-information/
https://spdx.github.io/spdx-spec/v2.3/SPDX-Lite/
(Comparison of the full package information in SPDX v2.3 with the SPDX Lite package information.)

SPDX Lite (Lite profile) in SPDX v3.0
❑ SPDX Lite Design Principle
Because of its origins, SPDX Lite essentially considers the minimum information required for open source license compliance.
✓ Properties that are mandatory in the SPDX specification remain mandatory and are unchanged, but recommendations are added on what to write. [MANDATORY]
✓ Specify additional properties that must be provided for license compliance. [MANDATORY]
✓ Specify recommended properties for reducing the burden on the recipient. [RECOMMENDED]
✓ Everything else is optional. [OPTIONAL]

Overview of SPDX Data structure from Lite profile
[Diagram of the element types in the Lite profile:]
- Sbom [Mandatory]
- SPDXDocument [Mandatory]
- CreationInfo [Mandatory] (attached to the document and to each element)
- Bom [Optional] (NOTE: can contain other information such as VEX in the Security profile; ref. slide 17)
- Package [Mandatory]
- LicenseExpression [Mandatory]: Declared, Concluded License
- Relationship [Mandatory]

Deep dive into Lite profile in SPDX v3.0
We need to know who created this document and what it contains.
https://github.com/spdx/spdx-spec/blob/development/v3.0.1/docs/annexes/SPDX-Lite.md

Deep dive into Lite profile in SPDX v3.0
Similarly, it's essential to know who created this SBOM and what it contains.

Deep dive into Lite profile in SPDX v3.0
It is essential to know who created it and when.
It is also recommended to write an email address etc. for the creator. [recommended]

Deep dive into Lite profile in SPDX v3.0
It's essential to have the package name and version, who created it, who provided it, and where it came from in the Package information.
For license compliance, it is mandatory to describe the copyright text and to associate the package with its license information by using a Relationship object.
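The Lite-profile checklist from slides 10, 11, 14 and 15, as an added recipient-side check (my code, not the OpenChain or SPDX project's): it walks an SPDX 3.0-style JSON-LD graph and reports which mandatory package properties, creation information and license relationships are missing. The type and property names follow the SPDX 3.0 JSON-LD serialization as I read it (an assumption to verify against the spec), and the sample graph is constructed.

```python
"""Recipient-side check of the SPDX Lite minimum information (slides 10, 11, 14, 15).
Type/property names follow the SPDX 3.0 JSON-LD serialization as I read it
(assumption: verify against the spec); SAMPLE_GRAPH is a constructed example."""
from collections import defaultdict

# Slide 15: name, version, who created/supplied it, where it came from, copyright text.
MANDATORY = ("name", "software_packageVersion", "suppliedBy", "originatedBy",
             "software_downloadLocation", "software_copyrightText")
# Slide 11: LicenseExpression [Mandatory], reached via Declared / Concluded relationships.
LICENSE_RELS = ("hasDeclaredLicense", "hasConcludedLicense")

SAMPLE_GRAPH = [  # constructed; deliberately lacks originatedBy, copyright text, concluded license
    {"type": "CreationInfo", "@id": "_:ci", "specVersion": "3.0.1",
     "created": "2024-07-30T00:00:00Z", "createdBy": ["urn:example:author"]},
    {"type": "Person", "spdxId": "urn:example:author", "name": "Example Author",
     "creationInfo": "_:ci"},
    {"type": "software_Package", "spdxId": "urn:example:pkg", "name": "libexample",
     "software_packageVersion": "1.2.3", "suppliedBy": "urn:example:author",
     "software_downloadLocation": "https://example.invalid/libexample-1.2.3.tar.gz",
     "creationInfo": "_:ci"},
    {"type": "simplelicensing_LicenseExpression", "spdxId": "urn:example:lic",
     "simplelicensing_licenseExpression": "MIT", "creationInfo": "_:ci"},
    {"type": "Relationship", "spdxId": "urn:example:rel", "creationInfo": "_:ci",
     "relationshipType": "hasDeclaredLicense", "from": "urn:example:pkg", "to": ["urn:example:lic"]},
]


def lite_findings(graph):
    """Return {package spdxId: [problems]}; an empty list means the Lite minimum is met."""
    by_id = {e.get("spdxId", e.get("@id")): e for e in graph}
    rels = defaultdict(set)  # package id -> license relationship types pointing from it
    for e in graph:
        if e.get("type") == "Relationship" and e.get("relationshipType") in LICENSE_RELS:
            rels[e.get("from")].add(e["relationshipType"])
    findings = {}
    for pkg in (e for e in graph if e.get("type") == "software_Package"):
        problems = [f"missing mandatory {p}" for p in MANDATORY if not pkg.get(p)]
        ci = by_id.get(pkg.get("creationInfo"), {})  # slide 14: who created it and when
        if not (ci.get("created") and ci.get("createdBy")):
            problems.append("creationInfo lacks created/createdBy")
        problems += [f"no {r} relationship" for r in LICENSE_RELS if r not in rels[pkg["spdxId"]]]
        findings[pkg["spdxId"]] = problems
    return findings


if __name__ == "__main__":
    for pkg_id, problems in lite_findings(SAMPLE_GRAPH).items():
        print(pkg_id, "OK" if not problems else "\n  " + "\n  ".join(problems))
```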

Difficult to understand only with the specifications.
https://github.com/NorioKobota/spdx-examples/tree/lite-profile/lite/example1
We are creating and evaluating samples that are as simple as possible and fit our use cases.

Verify if the Lite profile works well with VEX (Security profile)
https://github.com/no-ta/spdx-examples/tree/merge-lite-example-1/lite/example1-with-VEX/spdx-3.0
Reviewed with SPDX community engineers. Great thanks to Josh!
https://github.com/spdx/spdx-examples/pull/91

SPDX Lite - Actually Used in Japan
OpenChain and AGL Collaborate to Facilitate Open Source Compliance in Automotive Production
https://openchainproject.org/news/2019/12/05/openchain-and-agl-collaborate-to-facilitate-open-source-compliance-in-automotive-production
SPDX Lite (v2.x): since its properties can be managed in a spreadsheet, I heard that it is popular among legal and intellectual property professionals other than engineers in Japan.

Thanks to the SPDX project
The SPDX team set up an Asia Call once a month because it's hard to attend regular spdx-tech meetings due to time zones.

Thanks, Any Questions?