
  • https://kramdown.gettalong.org/quickref.html
  • https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax

H1

{::warning} don’t break it! {:/warning}

!!! note this is a note

!!! danger do not try this danger sign

Note: more notes

Note

test note

H2

A citation

H3

; term
; definition

H3

We make a link with Foo*bar in it

H4

Foo*bar
definition with Foo*baz in it

H3

Click me

### Heading

1. Foo
2. Bar
   * Baz
   * Qux

### Some Javascript

```js
function logSomething(something) {
  console.log('Something', something);
}
```

Click me

| Header 1 | Header 2 |
| -------- | -------- |
| Row 1    | Row 1    |
| Row 2    | Row 2    |

H2

Here is a simple footnote1. No mention of SBOM.

H2

A named footnote2.

H3

This is an HTML example.

GitHub variables

Found on https://jekyll.github.io/github-metadata/site.github/

public_repositories

Edit this

Edit this page

Debug

    site: null
    page: {"layout":"single","author_profile":true,"read_time":true,"comments":false,"share":false,"related":false,"show_date":true,"toc":true,"toc_sticky":true,"type":"page","title":"Test page","mastodon":{"username":"sjn","instance":"chaos.social"},"content":"* https://kramdown.gettalong.org/quickref.html\n* https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax\n\n\n# H1\n\n<!-- Does not work -->\n{::warning}\ndon't break it!\n{:/warning}\n\n\n!!! note this is a note\n\n!!! danger do not try this danger sign\n\n> **Note:** more notes\n\n<div class='markdown-alert markdown-alert-note'><p class='markdown-alert-title'><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><p>test note</p>\n</div>\n\n\n## H2\n\n> A citation\n\n\n### H3\n\n; term\n; definition\n\n\n### H3\n\n[Foo*bar]:../docs/glossary.md#author 'title (with parens)'\n[Foo*baz]:../docs/glossary.md#maintainer 'Someone who maintains a project'\n\nWe make a link with [Foo*bar] in it\n\n\n#### H4\n\n[Foo*bar]{: #foo-id}\n: definition with [Foo*baz] in it\n\n### H3\n\n<details>\n\n<summary>Click me</summary>\n  \n### Heading\n\n1. Foo\n2. Bar\n   * Baz\n   * Qux\n\n### Some Javascript\n\n```js\n  function logSomething(something) {\n    console.log('Something', something);\n  }\n```\n\n</details>\n\n<details>\n\n<summary>Click me</summary>\n\n| Header 1 | Header 2 |\n| -------- | -------- |\n| Row 1    | Row 1    |\n| Row 2    | Row 2    |\n  \n</details>\n\n\n## H2\n\nHere is a simple footnote[^1]. 
No mention of SBOM.\n\n[^1]: My ref.\n\n\n## H2\n\nA named footnote[^foo].\n\n[^foo]: New ref with foo, but no HTML.\n\n\n### H3\n\nThis is an HTML\nexample.\n\n----\n\n*[HTML]: Hyper Text Markup Language\n*[SBOM]: Software Bill of Materials – a common machine-readable set of standards for storing and communicating metadata\n\n----\n\n## GitHub variables\n\nFound on https://jekyll.github.io/github-metadata/site.github/\n\n### public_repositories\n\n{% for repository in site.github.public_repositories %}\n* [{{ repository.name }}]({{ repository.html_url }})\n{% endfor %}\n\n### Edit this\n\n[Edit this page]({{ site.github.repository_url }}/{{ page.path }})\n\n\n### Debug\n\n<pre>\n    site: {{ site.google | jsonify | escape }}\n    page: {{ page | jsonify | escape }}\n    layout: {{ layout | jsonify | escape }}\n    content: {{ content | jsonify | escape }}\n    paginator: {{ paginator | jsonify | escape }}\n</pre>\n","dir":"/notes/","name":"test.md","path":"notes/test.md","url":"/notes/test.html"}
    layout: {"layout":"default"}
    content: "\n\n\n\n\n\n<div id=\"main\" role=\"main\">\n  \n  <div class=\"sidebar sticky\">\n  \n\n\n<h3>Author</h3>\n<hr>\n<div itemscope itemtype=\"https://schema.org/Person\" class=\"h-card\">\n\n  \n    <div class=\"author__avatar\">\n      <a href=\"https://security.metacpan.org/\">\n        <img src=\"/media/authors/sjn.png\" alt=\"Salve J. Nilsen\" itemprop=\"image\" class=\"u-photo\">\n      </a>\n    </div>\n  \n\n  <div class=\"author__content\">\n    <h5 class=\"author__name p-name\" itemprop=\"name\">\n      <a class=\"u-url\" rel=\"me\" href=\"https://security.metacpan.org/\" itemprop=\"url\">Salve J. Nilsen</a>\n    </h5>\n    \n      <div class=\"author__bio p-note\" itemprop=\"description\">\n        <p>Policy, metadata and OSS sustainability guy in CPANSec. Based in Oslo, Norway.</p>\n\n      </div>\n    \n  </div>\n\n  <div class=\"author__urls-wrapper\">\n    <button class=\"btn btn--inverse\">Connect</button>\n    <ul class=\"author__urls social-icons\">\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n        <li>\n          <a href=\"https://github.com/sjn\" itemprop=\"sameAs\" rel=\"nofollow noopener noreferrer me\">\n            <i class=\"fab fa-fw fa-github\" aria-hidden=\"true\"></i><span class=\"label\">GitHub</span>\n          </a>\n        </li>\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      \n\n      <!--\n  <li>\n    <a href=\"http://link-to-whatever-social-network.com/user/\" itemprop=\"sameAs\" rel=\"nofollow noopener noreferrer me\">\n      <i class=\"fas fa-fw\" aria-hidden=\"true\"></i> Custom Social Profile Link\n    </a>\n  </li>\n-->\n    </ul>\n  </div></div>\n\n  \n  </div>\n\n\n\n  <article class=\"page\" itemscope itemtype=\"https://schema.org/CreativeWork\">\n    <meta itemprop=\"headline\" content=\"Roles and metadata in Open Source 
supply-chains\">\n    \n    \n    \n\n    <div class=\"page__inner-wrap\">\n      \n        <header>\n          <h1 id=\"page-title\" class=\"page__title\" itemprop=\"headline\">\n            <a href=\"https://security.metacpan.org/docs/supplychain-sbom.html\" itemprop=\"url\">Roles and metadata in Open Source supply-chains\n</a>\n          </h1>\n          \n\n\n\n  <p class=\"page__meta\">\n    \n\n    \n\n    \n      \n      \n\n      <span class=\"page__meta-readtime\">\n        <i class=\"far fa-clock\" aria-hidden=\"true\"></i>\n        \n          49 minute read\n        \n      </span>\n    \n\n    \n      \n        <span class=\"page__meta-sep\"></span>\n        <span itemprop=\"author\" itemscope itemtype=\"http://schema.org/Person\"><span class=\"p-author h-card\" itemprop=\"name\">Salve J. Nilsen</span></span></p>\n\n\n        </header>\n      \n\n      <section class=\"page__content\" itemprop=\"text\">\n        \n          <aside class=\"sidebar__right sticky\">\n            <nav class=\"toc\">\n              <header><h4 class=\"nav__title\"><i class=\"fas fa-file-alt\"></i> On this page</h4></header>\n              <ul class=\"toc__menu\"><li><a href=\"#document-status\">Document status: ⚠️  DRAFT</a></li><li><a href=\"#about\">About this document (TL;DR)</a><ul><li><a href=\"#a-typical-open-source-supply-chain-simplified\">A Typical Open Source supply-chain (Simplified)</a></li><li><a href=\"#intention\">Intention</a></li><li><a href=\"#motivation\">Motivation</a></li></ul></li><li><a href=\"#supply-chain-ecosystems-environments--roles-and-attributes\">Supply-chain Ecosystems, Environments &amp; Roles and Attributes</a><ul><li><a href=\"#a-post-cra-open-source-supply-chain-simplified\">A Post-CRA Open Source supply-chain (Simplified)</a></li><li><a href=\"#legend-of-metadata-operations\">Legend of Metadata Operations</a></li></ul></li><li><a href=\"#open-source-supply-chain\">Graph: Open Source supply-chain</a></li><li><a 
href=\"#supply-chain-ecosystems-their-roles-and-metadata\">Supply-chain Ecosystems, their Roles and Metadata</a><ul><li><a href=\"#environment-independent-baseline-attributes\">Environment-independent Baseline Attributes</a></li><li><a href=\"#oss-project-environment\">OSS Project Environment</a><ul><li><a href=\"#author\">Author (Project Role)</a></li><li><a href=\"#maintainer\">Maintainer (Project Role)</a></li><li><a href=\"#custodian\">Custodian</a></li><li><a href=\"#packager-maintainer\">Packager (Maintainer)</a></li></ul></li><li><a href=\"#collaboration-forge-ecosystem\">Collaboration Forge (Ecosystem)</a><ul><li><a href=\"#depositary\">Depositary</a></li><li><a href=\"#contributor\">Contributor</a></li></ul></li><li><a href=\"#language-ecosystem\">Language Ecosystem</a><ul><li><a href=\"#ingester\">Ingester (Language, Package, Container ecosystem)</a></li><li><a href=\"#open-source-software-steward\">Open Source Software Steward</a></li></ul></li><li><a href=\"#package-ecosystem\">Package Ecosystem</a><ul><li><a href=\"#patcher\">Patcher (Package ecosystem)</a></li><li><a href=\"#builder\">Builder (Package ecosystem)</a></li><li><a href=\"#packager\">Packager (Package ecosystem)</a></li><li><a href=\"#curator\">Curator (Package ecosystem)</a></li><li><a href=\"#provider\">Provider</a></li><li><a href=\"#assembler\">Assembler (Container ecosystem)</a></li></ul></li><li><a href=\"#integrator-environment\">Integrator Environment</a><ul><li><a href=\"#manufacturer\">Manufacturer</a></li><li><a href=\"#integrator\">Integrator</a></li><li><a href=\"#developer\">Developer</a></li><li><a href=\"#publisher\">Publisher</a></li><li><a href=\"#analyst\">Analyst</a></li></ul></li><li><a href=\"#production-environment\">Production Environment</a><ul><li><a href=\"#deployer\">Deployer</a></li><li><a href=\"#installer\">Installer</a></li></ul></li><li><a href=\"#non-ecosystem-roles\">Non-Ecosystem Roles</a><ul><li><a href=\"#auditor\">Auditor</a></li><li><a 
href=\"#distributor\">Distributor</a></li><li><a href=\"#importer\">Importer</a></li><li><a href=\"#end-user\">End-user</a></li></ul></li><li><a href=\"#other-common-terms-for-ecosystems-and-roles\">Other common terms for Ecosystems and Roles</a><ul><li><a href=\"#repository-ecosystem\">Repository Ecosystem</a></li><li><a href=\"#author-environment\">Author Environment</a></li><li><a href=\"#manufacturer-environment\">Manufacturer Environment</a></li><li><a href=\"#customer-environment\">Customer Environment</a></li><li><a href=\"#supplier\">Supplier</a></li><li><a href=\"#compliance\">Compliance</a></li><li><a href=\"#consumer\">Consumer</a></li><li><a href=\"#user\">User</a></li><li><a href=\"#steward\">Steward</a></li><li><a href=\"#secops\">SecOps</a></li><li><a href=\"#pentester\">Pentester</a></li><li><a href=\"#janitor\">Janitor</a></li><li><a href=\"#owner\">Owner</a></li></ul></li></ul></li><li><a href=\"#references\">References</a></li><li><a href=\"#commentary-and-fixmes\">Commentary and FIXMEs</a></li><li><a href=\"#license-and-use-of-this-document\">License and use of this document</a><ul><li><a href=\"#acknowledgements\">Acknowledgements</a></li></ul></li><li><a href=\"#appendix\">Appendix</a><ul><li><a href=\"#sbom-metadata-attributes-and-obligation-sources\">SBOM Metadata Attributes and obligation sources</a></li><li><a href=\"#sbom-json-paths-and-data-types\">SBOM JSON Paths and data types</a></li></ul></li></ul>\n            </nav>\n          </aside>\n        \n        <h2 id=\"document-status\">Document status: ⚠️  DRAFT</h2>\n\n<div class=\"markdown-alert markdown-alert-caution\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-stop\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M4.47.22A.749.749 0 0 1 5 0h6c.199 0 .389.079.53.22l4.25 4.25c.141.14.22.331.22.53v6a.749.749 0 0 1-.22.53l-4.25 4.25A.749.749 0 0 1 11 16H5a.749.749 0 0 1-.53-.22L.22 11.53A.749.749 0 0 1 0 
11V5c0-.199.079-.389.22-.53Zm.84 1.28L1.5 5.31v5.38l3.81 3.81h5.38l3.81-3.81V5.31L10.69 1.5ZM8 4a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 4Zm0 8a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Caution</p><p>What you see here is a DRAFT of the supply-chain SBOM roles &amp; responsibilities overview, by the CPAN Security Group (CPANSec).\nAs long as this document is in DRAFT, all of the points and ideas below are <em>suggestions</em>, and open to revision, deletion or amending – by you!</p>\n<ul>\n  <li>Contribute on Github: <a href=\"https://github.com/CPAN-Security/security.metacpan.org/tree/supplychain-sbom/docs/supplychain-sbom.md\">https://github.com/CPAN-Security/security.metacpan.org/tree/supplychain-sbom/docs/supplychain-sbom.md</a></li>\n  <li>Discuss on IRC: <a href=\"ircs://ssl.irc.perl.org:7063/#cpan-security\">ircs://ssl.irc.perl.org:7063/#cpan-security</a></li>\n  <li>Discuss on Matrix: <a href=\"https://matrix.to/#/#cpansec:matrix.org\">https://matrix.to/#/#cpansec:matrix.org</a></li>\n</ul>\n</div>\n\n<div class=\"markdown-alert markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><p>This document has two companion documents:</p>\n<ul>\n  <li>The CPANSec <a href=\"glossary.md\">Glossary</a></li>\n  <li>The CPANSec <a href=\"readinglist.md\">Reading List</a></li>\n  <li>A proposed overview of <a href=\"foss-project-lifecycle.md\">Open Source project life-cycle states and indicators</a>\nPlease refer to them as needed.</li>\n</ul>\n</div>\n\n<h2 id=\"about\">About this document (TL;DR)</h2>\n\n<p>This document offers <strong>an 
overview of <a href=\"/docs/glossary.html#open-source-software\">Open Source Software</a> supply-chains</strong>.</p>\n\n<ul>\n  <li>Taking into account the following perspectives:\n    <ol>\n      <li>Environments and Ecosystems,</li>\n      <li>Roles,</li>\n      <li>Metadata, and</li>\n      <li>Industry <a href=\"/docs/glossary.html\">Terms and Concepts</a></li>\n    </ol>\n  </li>\n  <li>…Enumerating and describing the Metadata Attributes these Roles typically care about.</li>\n  <li>…Noting the ways each Role may operate on any given Metadata Attribute,\n    <ul>\n      <li>🟥 Create (authoritative),</li>\n      <li>🟨 Assemble or Update (contributing),</li>\n      <li>🟩 Distribute,</li>\n      <li>🟦 Verify, or</li>\n      <li>🟪 Censor</li>\n    </ul>\n  </li>\n  <li>…Acknowledging that some ecosystems and environments may have interesting features\n    <ul>\n      <li>🔃 Is upstream or downstream of own ecosystem type</li>\n      <li>🆕 Is a new participant in OSS supply chains</li>\n    </ul>\n  </li>\n  <li>…Showing any relevant regulation or other requirements that impose expectations of the presence of specific Metadata Attributes.</li>\n  <li>…So that people having a Role within the supply-chain can:\n    <ol>\n      <li>Draw an overarching map of what other Roles may operate within their supply-chain</li>\n      <li>Form a idea of what purpose each Role may have, and find out where they fit</li>\n      <li>Get an idea where an Attribute is likely to come from, and which Roles care about these</li>\n      <li>Become aware of both upstream and downstream Communities, Ecosystems and Environments are involved in their supply-chain, in order to interact with them in effective and sustainable ways</li>\n      <li>Use this information to both live up to their new Regulatory Obligations and to help improve their Security Posture in general</li>\n    </ol>\n  </li>\n</ul>\n\n<h3 id=\"a-typical-open-source-supply-chain-simplified\">A Typical Open Source supply-chain 
(Simplified)</h3>\n\n<div class=\"markdown-alert markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><p>The graphs in this document do <em>not</em> include <em>Content Delivery Networks</em>, <em>Model Ecosystems</em> or <em>Plugin Ecosystems</em>.\nIf you know of other parts of an Open Source supply-chain that involves the managing of metadata somehow, then please <a href=\"#document-status\">reach out</a>!\nWe’d love to add them – or at least to be aware of them.</p>\n</div>\n\n<p>This is a simplified “TL;DR” overview of a typical Open Source supply chain.</p>\n\n<pre><code class=\"language-mermaid\">stateDiagram-v2\n    direction TB\n\n    state \"🟥&amp;zwj;🟨&amp;zwj;🟦&amp;nbsp;OSS&amp;nbsp;Project&amp;nbsp;Environment&amp;nbsp;🔃\" as environment_project\n    state \"🟨 Contributor\" as environment_contributor\n    state \"🟩&amp;nbsp;Collaboration&amp;nbsp;Ecosystem\" as ecosystem_forge\n    state \"🟨&amp;zwj;🟩&amp;nbsp;Language&amp;nbsp;Ecosystem&amp;nbsp;🔃\" as ecosystem_lang\n    state \"🟨&amp;zwj;🟩&amp;nbsp;Package&amp;nbsp;Ecosystem&amp;nbsp;🔃\" as ecosystem_package\n    state \"🟩 Container Ecosystem\" as ecosystem_container\n    state \"🟥🟨 Integrator\" as environment_integrator\n    state \"🟦 Production\" as environment_prod\n\n    [*]                      --&gt; environment_project\n    ecosystem_forge          --&gt; environment_project\n    ecosystem_forge          --&gt; environment_contributor\n    ecosystem_forge          --&gt; ecosystem_lang\n    environment_project      --&gt; ecosystem_forge\n    environment_project      --&gt; ecosystem_lang\n    
environment_contributor  --&gt; ecosystem_forge\n    ecosystem_lang           --&gt; ecosystem_package\n    ecosystem_forge          --&gt; ecosystem_package\n    %%ecosystem_package        --&gt; ecosystem_package\n    %%ecosystem_lang           --&gt; ecosystem_lang\n    ecosystem_package        --&gt; ecosystem_container\n    %%ecosystem_container      --&gt; ecosystem_container\n    ecosystem_forge          --&gt; environment_integrator\n    ecosystem_lang           --&gt; environment_integrator\n    ecosystem_lang           --&gt; ecosystem_container\n    ecosystem_package        --&gt; environment_integrator\n    ecosystem_container      --&gt; environment_integrator\n    environment_integrator   --&gt; environment_prod\n    environment_prod         --&gt; [*]\n\n    %% Copyright © 2024 Salve J. Nilsen &lt;sjn@oslo.pm&gt;\n    %% Some rights reserved. Licensed CC-BY-SA-4.0\n</code></pre>\n\n<h3 id=\"intention\">Intention</h3>\n\n<p>This document is intended for presenting an opinionated overview that includes aspects that are <strong>visionary</strong> and <strong>proposed</strong> – especially topics related to the role of Open Source Stewards and the role of OSS Attestations.</p>\n\n<h3 id=\"motivation\">Motivation</h3>\n\n<p>Originally, this document stems from the main author’s frustration with the lack of a clear Open Source perspective in current SBOM documentation (as of 2023). 
This brought him to the SBOM devroom at FOSDEM 2024 to offer <a href=\"https://fosdem.org/2024/schedule/event/fosdem-2024-3358-can-sboms-become-first-class-citizens-in-open-source-ecosystems-/\">a rant</a> about what he perceived as a less-than-ideal state of affairs.</p>\n\n<p>Furthermore, this document is also an attempt to explore and map out the consequences that the EU Cyber Resilience Act (CRA) is likely have for Open Source Ecosystems.\nThe CRA is the first regulation that has language that explicitly affects Open Source ecosystems.\nThis law introduces a new entity – the Open Source Software Steward – with obligations to them (and other Roles) to improve the state of Cybersecurity throughout Open Source supply-chains.\nThis shown us that there’s a need to map out what Open Source supply-chains actually look like, and spell out what Roles can be found throughout it, and more.\nThis document therefore also represents the author’s exploration of this topic, and could be considered as “public notes” on the matter.\nStill, the author hopes this document also can be useful for others than himself and the CPAN Security Group.</p>\n\n<p>Please take this document as it is – a public set of notes, intended as a source for illumination and as an ongoing conversation – taking incremental steps toward more transparent and accountable Open Source supply-chains.</p>\n\n<p>For license information and acknowledgements, see the <a href=\"#license-and-use-of-this-document\">end of this document</a>.</p>\n\n<h2 id=\"supply-chain-ecosystems-environments--roles-and-attributes\">Supply-chain Ecosystems, Environments &amp; Roles and Attributes</h2>\n\n<p>In this section, we map out the different parts of typical Open Source supply-chains – the Environments and Ecosystems we use, the Roles that are operating within these, what Metadata Attributes they care about, and which Operations they are expected to execute when caring.\nAdditionally, you should get some indications of what 
regulations, standards or other requirements that call for the presence of a given Attribute.\nAnd all this, with the goal of allowing downstream users to both live up to their regulatory obligations and to improve their security posture in general.\nTo improve by ensuring that the metadata they need is available, updated and authoritative, and can be helpful in both mitigating vulnerabilities and interacting with the maintainers of any Open Source projects that may be involved.</p>\n\n<h3 id=\"a-post-cra-open-source-supply-chain-simplified\">A Post-CRA Open Source supply-chain (Simplified)</h3>\n\n<p>This diagram is equivalent to the simplified one above, but showing the new Roles implied and introduced by the EU Cyber Resilience Act (CRA).</p>\n\n<pre><code class=\"language-mermaid\">stateDiagram-v2\n    direction TB\n\n    state \"🟥&amp;zwj;🟨&amp;zwj;🟦&amp;nbsp;OSS&amp;nbsp;Project&amp;nbsp;Environment&amp;nbsp;🔃\" as environment_project\n    state \"🟨 Contributor\" as environment_contributor\n    state \"🟩&amp;nbsp;Collaboration&amp;nbsp;Ecosystem\" as ecosystem_forge\n    state \"🟨&amp;zwj;🟩&amp;nbsp;Language&amp;nbsp;Ecosystem&amp;nbsp;🔃\" as ecosystem_lang\n    state \"🟥&amp;zwj;🟨&amp;zwj;🟩&amp;nbsp;Package&amp;nbsp;Ecosystem&amp;nbsp;🔃\" as ecosystem_package\n    state \"🟨&amp;zwj;🟩&amp;nbsp;Container&amp;nbsp;Ecosystem&amp;nbsp;🔃\" as ecosystem_container\n    state \"🟥🟩🟦 OSS Steward 🆕🔃\" as ecosystem_steward\n    state \"🟨🟦 Integrator&lt;br&gt;🟥&amp;zwj;🟨&amp;zwj;🟦&amp;zwj;🟪&amp;nbsp;Manufacturer&amp;nbsp;🆕\" as environment_integrator\n    state \"🟦 Auditor&lt;br&gt;🟦 Market Authority 🆕\" as authority_auditor\n    state \"🟦 Importer 🆕&lt;br&gt;🟦 Distributor 🆕\" as environment_market\n    state \"🟦 Customer\" as environment_customer\n\n    [*]                      --&gt; environment_project\n    ecosystem_forge          --&gt; environment_project\n    ecosystem_forge          --&gt; environment_contributor\n    ecosystem_forge          --&gt; 
ecosystem_lang\n    environment_project      --&gt; ecosystem_forge\n    environment_project      --&gt; ecosystem_lang\n    environment_contributor  --&gt; ecosystem_forge\n    ecosystem_lang           --&gt; ecosystem_package\n    ecosystem_forge          --&gt; ecosystem_package\n    ecosystem_package        --&gt; ecosystem_container\n    ecosystem_forge          --&gt; environment_integrator\n    ecosystem_lang           --&gt; environment_integrator\n    ecosystem_lang           --&gt; ecosystem_container\n    ecosystem_forge          --&gt; ecosystem_container\n    ecosystem_package        --&gt; environment_integrator\n    ecosystem_package        --&gt; ecosystem_steward\n    ecosystem_lang           --&gt; ecosystem_steward\n    ecosystem_container      --&gt; ecosystem_steward\n    ecosystem_steward        --&gt; environment_integrator\n    ecosystem_container      --&gt; environment_integrator\n    environment_integrator   --&gt; authority_auditor\n    environment_integrator   --&gt; environment_market\n    environment_market       --&gt; environment_customer\n    environment_integrator   --&gt; environment_customer\n    environment_customer     --&gt; [*]\n\n    %% Copyright © 2025 Salve J. Nilsen &lt;sjn@oslo.pm&gt;\n    %% Some rights reserved. 
Licensed CC-BY-SA-4.0\n</code></pre>\n\n<h3 id=\"legend-of-metadata-operations\">Legend of Metadata Operations</h3>\n\n<p>In the graphs presented above and below, we color-code the different <em>metadata operations</em> in order to quickly show what activities a supply-chain Role may be involved in.</p>\n\n<p>We’re also assuming that Metadata is stored in SBOMs, but this need not be the case.\nTo distinguish between Metadata roles and supply-chain roles, we have decided to refer to the former as “SBOM Roles”.\nThis convention is also commonly used (or implied) in the referenced material.\nThis may change in later revisions of this document.</p>\n\n<p>Some of the information here is based on CISA’s “SBOM Sharing Roles and Considerations” recommendations (<a href=\"#references\">CISA-2024</a>) and other public documents, <a href=\"#references\">referenced</a> below.</p>\n\n<p>We also distinguish between SBOM Authors that are <em>Authoritative</em> sources for Attributes (“<a href=\"#sbom-author-role\">SBOM Author</a>”) and <em>Non-authoritative</em> sources (“<a href=\"#sbom-contributor-role\">SBOM Contributor</a>”), in addition SBOM Distributors and Consumers.\nThe Authoritative/Non-authoritative distinction is important so everyone is clear about where a given Metadata Attribute originally comes from.\nThis distinction is <em>not commonly used</em> in the referenced material.</p>\n\n<p>And finally, we acknowledge that some situations may call for an SBOM Censor, which is the time of writing is <em>not a commonly used term</em> in the referenced material.</p>\n\n<ul>\n  <li>🟥 SBOM Author (Authoritative metadata provider) – <strong>Creates</strong>, defines, signs Metadata — <em><strong>Authoritative</strong> roles make sure the metadata and related artifacts they are the author of, <strong>Exist</strong></em>.</li>\n  <li>🟨 SBOM Contributor (Non-authoritative metadata provider) – <strong>Assembles</strong>, <strong>updates</strong>, merges, enriches, augments, 
refines, consolidates, maintains, attests, annotates Metadata — <em><strong>Non-authoritative</strong> roles make sure the metadata and related artifacts they process, are <strong>Updated</strong> and <strong>Corrected</strong></em>.</li>\n  <li>🟩 SBOM Distributor – <strong>Distributes</strong>, transports, curates, indexes Metadata — <em><strong>Distributing</strong> roles make sure the metadata and related artifacts they have, are made <strong>Available</strong> to others</em>.</li>\n  <li>🟦 SBOM Consumer – <strong>Verifies</strong>, consumes, aggregates, validates, surveys, analyzes or reports Metadata — <em><strong>Consuming</strong> roles makes sure the metadata and related artifacts they consume, are <strong>Complete</strong>, <strong>Compliant</strong> and <strong>Used</strong></em>.</li>\n  <li>🟪 SBOM Censor – <strong>Censors</strong>, redacts, deletes, anonymizes or filters Metadata — <em><strong>Censoring</strong> roles make sure that certain metadata about related artifacts are <strong>Prevented</strong> from being shared with others</em>.</li>\n</ul>\n\n<h2 id=\"open-source-supply-chain\">Graph: Open Source supply-chain</h2>\n\n<p>This is an attempt at a somewhat complete overview of the different Ecosystems, Roles and flow of metadata one can expect to see in an Open Source supply-chain.</p>\n\n<pre><code class=\"language-mermaid\">stateDiagram-v2\n    direction TB\n    accTitle: An Idealized Open Source supply-chain Graph\n    %%accDescr: This graph illustrates how different types of development environments and ecosystems interconnect, what kind of roles you may find in these, and what type of metadata operations they may care to do\n\n    %% Role activities\n    classDef createsSBOM stroke:red,stroke-width:3px;\n    classDef updatesSBOM stroke:yellow,stroke-width:3px,stroke-dasharray:15 5;\n    classDef assemblesSBOM stroke:yellow,stroke-width:3px;\n    classDef distributesSBOM stroke:green,stroke-width:3px;\n    classDef verifiesSBOM 
stroke:#07f,stroke-width:3px;\n    classDef censorsSBOM stroke:#07f,stroke-width:3px;\n    classDef ignoresSBOM stroke:#777,stroke-width:3px;\n\n    %% Open Source Project Environment\n    state \"🟥 Owner&lt;br&gt;🟥 Author\" as project_author\n    state \"🟥🟨 Maintainer&lt;br&gt;🟨 Custodian\" as project_maintainer\n    state \"🟨🟦 Packager (Artificer)\" as project_packager\n    %%\n    class project_author createsSBOM\n    class project_maintainer createsSBOM\n    class project_packager updatesSBOM\n\n    %%\n    %%state \"🟥 Attestation Authority 🆕\" as authority_attester\n\n    %% Language Ecosystem\n    state \"🟦 Ingester\" as language_ingester\n    %%state \"🟥🟨🟦 Open Source Software Steward 🆕\" as language_steward\n    state \"🟨 Curator\" as language_curator\n    state \"🟩 Distributor\" as language_distributor\n    %% \"🟩 Reservoir\"\n    %%\n    class language_ingester verifiesSBOM\n    class language_packager assemblesSBOM\n    class language_steward createsSBOM\n    class language_curator updatesSBOM\n    class language_distributor distributesSBOM\n\n    %% Collaboration Forge (Ecosystem)\n    state \"🟩 Distributor (Depositary)\" as repository_distributor\n    state \"🟨 Contributor\" as external_contributor\n    %%\n    class repository_distributor distributesSBOM\n    class external_contributor updatesSBOM\n\n    %% Package Ecosystem\n    state \"🟦 Ingester\" as package_ingester\n    state \"🟨🟦 Patcher\" as package_patcher\n    state \"🟥🟨🟦 Builder&lt;br&gt;🟥🟨🟦 Packager\" as package_packager\n    %% FIXME: package_steward not useful/necessary?\n    state \"🟨🟦 Attester 🆕\" as package_steward\n    state \"🟨 Curator\" as package_curator\n    state \"🟩 Distributor (Repository)\" as package_distributor\n    %%\n    class package_ingester verifiesSBOM\n    class package_patcher updatesSBOM\n    class package_packager assemblesSBOM\n    class package_steward createsSBOM\n    class package_curator updatesSBOM\n    class package_distributor distributesSBOM\n\n    %% 
Container Ecosystem\n    state \"🟦 Ingester\" as container_ingester\n    state \"🟨🟦 Assembler\" as container_packager\n    state \"🟨🟦 Attester 🆕\" as container_steward\n    state \"🟨 Curator\" as container_curator\n    state \"🟩 Registry&lt;br&gt;🟩 Distributor\" as container_distributor\n    %%\n    class container_ingester verifiesSBOM\n    class container_packager assemblesSBOM\n    class container_steward createsSBOM\n    class container_curator updatesSBOM\n    class container_distributor distributesSBOM\n\n    %% OSS Steward Environment\n    state \"🟥🟨🟦 Attester 🆕\" as steward_attester\n    %%\n    class steward_attester createsSBOM\n\n    %% Integrator Environment\n    state \"🟥 Owner&lt;br&gt;🟥 Manufacturer 🆕\" as integrator_owner\n    state \"🟦 Procurer\" as integrator_procurer\n    state \"🟥🟨🟦 Integrator\" as integrator_developer\n    state \"🟨🟦 Builder&lt;br&gt;🟨🟦 Packager&lt;br&gt;🟨🟦 Assembler\" as integrator_builder\n    state \"🟩🟪 Censor\" as integrator_censor\n    state \"🟩 Publisher&lt;br&gt;🟩 Distributor\" as integrator_publisher\n    state \"🟦 Analyst&lt;br&gt;🟦 Auditor\" as integrator_analyst\n    %%\n    class integrator_owner createsSBOM\n    class integrator_procurer verifiesSBOM\n    class integrator_developer assemblesSBOM\n    class integrator_censor updatesSBOM\n    class integrator_publisher distributesSBOM\n    class integrator_builder assemblesSBOM\n    class integrator_analyst verifiesSBOM\n\n    %% Production Environment\n    state \"🟨 Deployer\" as prod_deployer\n    state \"🟦 End-user&lt;br&gt;Consumer\" as external_consumer\n    state \"🟦 Importer 🆕&lt;br&gt;🟦 Distributor 🆕\" as prod_distributor\n    %%\n    class prod_deployer assemblesSBOM\n    class external_consumer ignoresSBOM\n    %%class authority_attester createsSBOM\n\n    %% Market Surveillance Environment\n    state \"🟦 Auditor&lt;br&gt;🟦 Market Authority 🆕\" as authority_auditor\n    %%\n    class authority_auditor verifiesSBOM\n\n    %%\n    state \"OSS Project 
Environment 🔃\" as environment_project {\n        [*] --&gt; project_author\n        [*] --&gt; project_maintainer\n        project_author     --&gt; project_maintainer\n        project_maintainer --&gt; project_packager\n        project_maintainer --&gt; [*]\n        project_packager   --&gt; [*]\n    }\n\n    [*] --&gt; environment_project\n\n    %%\n    state \"Language Ecosystem 🔃\" as ecosystem_lang {\n        [*]                    --&gt; language_ingester\n        language_ingester      --&gt; language_distributor\n        %%language_ingester      --&gt; language_steward\n        language_ingester      --&gt; language_curator\n        language_curator       --&gt; language_distributor\n        %%language_steward       --&gt; language_distributor\n        %%language_steward       --&gt; language_curator\n        language_distributor   --&gt; [*]\n    }\n\n    %%language_packager --&gt; ecosystem_lang\n    environment_project --&gt; ecosystem_lang\n\n    %%\n    state \"Collaboration Ecosystem (Forge)\" as ecosystem_forge {\n        [*] --&gt; repository_distributor\n        external_contributor   --&gt; repository_distributor\n        repository_distributor --&gt; external_contributor\n        repository_distributor --&gt; [*]\n    }\n\n    %%ecosystem_forge     --&gt; maintainer_author\n    %%maintainer_author   --&gt; ecosystem_forge\n    environment_project --&gt; environment_steward\n    environment_project --&gt; ecosystem_forge\n    ecosystem_forge     --&gt; environment_project\n\n    %%external_contributor   --&gt; repository_distributor\n\n    %%\n    state \"Package Ecosystem (Repository) 🔃\" as ecosystem_package {\n        [*] --&gt; package_ingester\n        package_ingester      --&gt; package_patcher\n        package_ingester      --&gt; package_packager\n        package_patcher       --&gt; package_packager\n        package_packager      --&gt; package_curator\n        package_steward       --&gt; package_curator\n        package_packager      
--&gt; package_distributor\n        package_curator       --&gt; package_distributor\n        package_steward       --&gt; package_distributor\n        package_packager      --&gt; package_steward\n        package_distributor   --&gt; [*]\n    }\n\n    %%\n    state \"Container Ecosystem (Registry) 🔃\" as ecosystem_container {\n        [*] --&gt; container_ingester\n        container_ingester      --&gt; container_packager\n        container_packager      --&gt; container_curator\n        container_steward       --&gt; container_curator\n        container_packager      --&gt; container_distributor\n        container_curator       --&gt; container_distributor\n        container_steward       --&gt; container_distributor\n        container_packager      --&gt; container_steward\n        container_distributor   --&gt; [*]\n    }\n\n    ecosystem_package        --&gt; ecosystem_container\n    ecosystem_container      --&gt; environment_integrator\n\n    ecosystem_package        --&gt; environment_integrator\n    %%ecosystem_package        --&gt; ecosystem_package\n\n    %%repository_distributor   --&gt; ecosystem_package\n    %%language_distributor     --&gt; ecosystem_package\n    %%ecosystem_lang           --&gt; ecosystem_lang\n    ecosystem_lang           --&gt; environment_integrator\n    ecosystem_lang           --&gt; ecosystem_package\n    ecosystem_forge          --&gt; ecosystem_package\n\n    %%authority_attester --&gt; language_steward\n    %%authority_attester --&gt; package_steward\n    %%authority_attester --&gt; environment_steward\n\n    state \"OSS Steward Environment 🆕🔃\" as environment_steward {\n      [*] --&gt; steward_attester\n      steward_attester    --&gt; [*]\n    }\n    ecosystem_lang      --&gt; environment_steward\n    environment_steward --&gt; environment_integrator\n    environment_steward --&gt; ecosystem_package\n\n    %%\n    state \"Integrator Environment\" as environment_integrator {\n        [*]                  --&gt; 
integrator_procurer\n        [*]                  --&gt; integrator_owner\n        [*]                  --&gt; integrator_developer\n        integrator_procurer  --&gt; integrator_developer\n        integrator_procurer  --&gt; integrator_owner\n        integrator_owner     --&gt; integrator_developer\n        integrator_builder   --&gt; integrator_publisher\n        integrator_builder   --&gt; integrator_censor\n        integrator_builder   --&gt; integrator_analyst\n        integrator_analyst   --&gt; integrator_developer\n        integrator_censor    --&gt; integrator_publisher\n        integrator_developer --&gt; integrator_builder\n        integrator_analyst   --&gt; [*]\n        integrator_censor    --&gt; [*]\n        integrator_publisher --&gt; [*]\n    }\n\n    %%repository_distributor   --&gt; environment_integrator\n    ecosystem_forge          --&gt; environment_integrator\n    %%language_distributor     --&gt; environment_integrator\n\n    %%\n    state \"Production Environment\" as environment_prod {\n        [*]              --&gt; prod_deployer\n        [*]              --&gt; prod_distributor\n        prod_distributor --&gt; [*]\n        prod_deployer    --&gt; [*]\n    }\n\n    %%\n    state \"Market Surveillance 🆕\" as environment_surveillance {\n        [*]               --&gt; authority_auditor\n        authority_auditor --&gt; [*]\n    }\n\n    environment_prod         --&gt; environment_surveillance\n    %%integrator_builder       --&gt; environment_prod\n    %%integrator_developer     --&gt; environment_prod\n    %%integrator_publisher     --&gt; environment_prod\n    environment_integrator   --&gt; environment_surveillance\n    environment_integrator   --&gt; environment_prod\n    environment_integrator   --&gt; external_consumer\n    environment_integrator   --&gt; [*]\n    environment_surveillance --&gt; [*]\n\n    %%\n    environment_prod  --&gt; external_consumer\n    external_consumer --&gt; [*]\n\n    %% Copyright © 2024 Salve J. 
Nilsen &lt;sjn@oslo.pm&gt;\n    %% Some rights reserved. Licensed CC-BY-SA-4.0\n</code></pre>\n\n<h2 id=\"supply-chain-ecosystems-their-roles-and-metadata\">Supply-chain Ecosystems, their Roles and Metadata</h2>\n\n<p>Which environments and Ecosystems are found throughout a supply-chain? Here’s an overview.</p>\n\n<p>Throughout Open Source supply-chains, we find different Roles that care about certain metadata, or are in possession of some authoritative information, or need to verify these.\nHere, you’ll get an overview of the most important ones, which attributes they care about and how they care, and some information about why they do so (e.g. due to legal requirements).</p>\n\n<ul>\n  <li>Ops: The type of operation that someone with a given Role is most likely to do on a given metadata attribute.\n    <ul>\n      <li>See the <a href=\"#typical-metadata-operations\">Typical Metadata Operations</a> section describing what the colors represent.</li>\n    </ul>\n  </li>\n  <li>Attribute name: The name of the metadata field in question.\n    <ul>\n      <li>These attributes may differ across relevant sources and regulations.</li>\n      <li>Equivalent to terms like “field name” or “metadata field”.</li>\n    </ul>\n  </li>\n  <li>Required: CPANSec interpretation on whether or not the attribute is required.</li>\n  <li>Required by: Reference to relevant regulation, guides or standards where the attribute is mentioned.\n    <ul>\n      <li>See the <a href=\"#references\">References</a> section for links to the documents mentioned.</li>\n    </ul>\n  </li>\n  <li>Comment: CPANSec commentary on an attribute.</li>\n  <li>FIXME: Remaining CPANSec work related to this attribute.</li>\n</ul>\n\n<h3 id=\"environment-independent-baseline-attributes\">Environment-independent Baseline Attributes</h3>\n\n<p>These are common across all roles, and considered to be <em>baseline</em> because they are required independently of the Roles’ needs.</p>\n\n<table>\n  <thead>\n    <tr>\n      
<th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">SBOM Author</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>NTIA-SBOM, CISA-2024-10, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">SBOM Creation Time-stamp</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>NTIA-SBOM, CISA-2024-10, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">SBOM Format</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CycloneDX 1.6, SPDX 2.3</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">SBOM Generation Tool</td>\n      <td style=\"text-align: center\">No</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm req/spec</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">SBOM Location</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(9), TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">SBOM Primary Component</td>\n      <td 
style=\"text-align: center\">Yes</td>\n      <td>CycloneDX 1.6, SPDX 3.0</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">SBOM Release</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CycloneDX 1.6, SPDX 2.3</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">SBOM Serial Number</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CycloneDX 1.6, SPDX 2.3</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">SBOM Type</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CISA-2023-4, CISA-2024-10</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<hr />\n\n<h3 id=\"oss-project-environment\">OSS Project Environment</h3>\n\n<pre><code class=\"language-mermaid\">stateDiagram-v2\n    direction TB\n    accTitle: An Idealized Open Source supply-chain Graph, OSS Project perspective\n    %%accDescr: This graph illustrates how different types of development environments and ecosystems interconnect, what kind of roles you may find in these, and what type of metadata operations they may care to do\n\n    %%\n    classDef createsSBOM stroke:red,stroke-width:3px;\n    classDef assemblesSBOM stroke:yellow,stroke-width:3px,stroke-dasharray:15 5;\n    classDef updatesSBOM stroke:yellow,stroke-width:3px;\n    classDef distributesSBOM stroke:green,stroke-width:3px;\n    classDef verifiesSBOM stroke:#07f,stroke-width:3px;\n    classDef censorsSBOM stroke:#07f,stroke-width:3px;\n    classDef ignoresSBOM 
stroke:#777,stroke-width:3px;\n\n    %% OSS Project Environment\n    state \"🟥 Owner&lt;br&gt;🟥 Author\" as project_author\n    state \"🟥🟨 Maintainer&lt;br&gt;🟨 Custodian\" as project_maintainer\n    state \"🟨🟦 Packager (Artificer)\" as language_packager\n    %%\n    state \"OSS Project Environment\" as environment_project {\n        [*]                --&gt; project_author\n        [*]                --&gt; project_maintainer\n        project_author     --&gt; project_maintainer\n        project_maintainer --&gt; language_packager\n        project_author     --&gt; language_packager\n        project_maintainer --&gt; [*]\n        language_packager  --&gt; [*]\n        project_author     --&gt; [*]\n    }\n    %%\n    class project_author createsSBOM\n    class project_maintainer createsSBOM\n    class ecosystem_forge distributesSBOM\n    class ecosystem_lang updatesSBOM\n    class environment_steward createsSBOM\n\n    [*] --&gt; environment_project\n\n    %% Language Ecosystem\n    state \"🟦🟨🟩 Language Ecosystem\" as ecosystem_lang\n    environment_project --&gt; ecosystem_lang\n\n    %% Collaboration Ecosystem\n    state \"🟨🟩 Collaboration Ecosystem\" as ecosystem_forge\n    environment_project --&gt; ecosystem_forge\n    environment_project --&gt; environment_steward\n    ecosystem_forge     --&gt; environment_project\n\n    %% OSS Steward Environment\n    state \"🟥🟨🟦 OSS Steward Environment\" as environment_steward\n\n    %% Copyright © 2024 Salve J. Nilsen &lt;sjn@oslo.pm&gt;\n    %% Some rights reserved. 
Licensed CC-BY-SA-4.0\n</code></pre>\n\n<p>This environment represents one or more developers that publish an Open Source component.</p>\n\n<ul>\n  <li>Publishes <a href=\"/docs/glossary.html#open-source-software\">Open Source Software</a></li>\n  <li>May have a project development life-cycle</li>\n  <li>May use a <a href=\"#collaboration-ecosystem\">Collaboration Ecosystem</a> to interact with <a href=\"#contributor\">Contributors</a></li>\n  <li>May publish their project through a <a href=\"#language-ecosystem\">Language Ecosystem</a></li>\n  <li>May have their project published through a <a href=\"#package-ecosystem\">Package Ecosystem</a></li>\n  <li>May be intended for commercial use</li>\n</ul>\n\n<h4 id=\"author\">Author (Project Role)</h4>\n\n<p>The initial creator and main developer of an Open Source project or a product.</p>\n\n<ul>\n  <li>Operates in an <a href=\"#oss-project-environment\">OSS Project Environment</a>.</li>\n  <li>Has the legal ownership rights and liabilities for the component.\n    <ul>\n      <li>May be equivalent to the <a href=\"/docs/glossary.html#copyright-holder\">Copyright Holder</a> metadata attribute.</li>\n    </ul>\n  </li>\n  <li>Is usually also considered a <a href=\"#maintainer\">Maintainer</a></li>\n  <li>May also be considered a <a href=\"#manufacturer\">Manufacturer</a>, if they are somehow monetizing the component with the intention of earning a profit.</li>\n  <li>May decide the name of the project and other project parameters for (or on behalf of) the <a href=\"#maintainer\">Maintainer</a> or <a href=\"#integrator\">Integrator</a>.</li>\n  <li>Not to be confused with the <a href=\"#sbom-author-role\">SBOM Author</a> role.</li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th style=\"text-align: left\">Required by</th>\n      <th style=\"text-align: 
left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Supplier Name (Author)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: left\">CRA-AII(1), NTIA-SBOM, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Copyright Holder (Author)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: left\">CISA-2024-10</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">License(s) (Primary)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: left\">CISA-2024-10</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"glossary#author\">Author</a> in the Glossary</li>\n      <li><a href=\"#manufacturer\">Manufacturer</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"maintainer\">Maintainer (Project Role)</h4>\n\n<p>A leading developer of an Open Source <a href=\"glossary#project\">Project</a>, though not necessarily the original <a href=\"#author\">Author</a>.</p>\n\n<ul>\n  <li>Operates within an <a href=\"#oss-project-environment\">OSS Project Environment</a>.</li>\n  <li>Is often the initial and/or main creator (<a href=\"#author\">Author</a>) of the component in question.</li>\n  <li>Typically works on all aspects of the code, including planning, design, features, bug fixes, tests and security issues.</li>\n  <li>Has the final say on the original contents of the package, and its name-spaces.</li>\n  <li>The 
Maintainer <em>can</em> be a group of people (having co-maintainers), though a single point of responsibility is common.</li>\n  <li>If a Maintainer has upstream (reverse) dependencies, the Maintainer is also considered to be a <a href=\"#developer\">Developer</a> (as seen from the upstream Maintainer’s perspective).</li>\n  <li>Other common names for this role include Author, Developer, <a href=\"#owner\">Owner</a>.</li>\n  <li>Maintainers may be\n    <ul>\n      <li>Independent (Author or Maintainer is <a href=\"#owner\">Owner</a>)</li>\n      <li>Managed by a public sector <a href=\"#owner\">Owner</a></li>\n      <li>Managed by a commercial sector <a href=\"#owner\">Owner</a></li>\n      <li>Managed by an academic sector <a href=\"#owner\">Owner</a></li>\n      <li>Managed by an ideal/non-profit/NGO sector <a href=\"#owner\">Owner</a></li>\n    </ul>\n  </li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Primary Component Name</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>NTIA-SBOM, TR-03183, CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Version</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>NTIA-SBOM, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Security contact (Primary)</td>\n      <td 
style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(2)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Unique Product Identifier</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(3), NTIA-SBOM, CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Purpose, Intended Use</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(4)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Code Repository</td>\n      <td style=\"text-align: center\">No</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Consider recommendation</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Contribution Instructions</td>\n      <td style=\"text-align: center\">No</td>\n      <td> </td>\n      <td style=\"text-align: left\">CycloneDX 1.7 proposed</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Code Commit Revision</td>\n      <td style=\"text-align: center\">No</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Consider recommendation</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Intended for Commercial Use</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-Rec-15, CRA-Rec-19</td>\n      <td style=\"text-align: left\"> </td>\n      <td 
style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Open Source Software Steward</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-Rec-19</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Security Attestation</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-Rec-21</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Supplier Name (Maintainer)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(1), NTIA-SBOM, TR-03183, CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Dependencies (Included)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(5), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Security contact (Included)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(2)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">License(s) (Included)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CISA-2024-10</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a 
href=\"#owner\">Owner</a></li>\n      <li><a href=\"#integrator\">Integrator</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"custodian\">Custodian</h4>\n\n<p>A role that operates as a temporary replacement for a <a href=\"#maintainer\">Maintainer</a> or <a href=\"#owner\">Owner</a>, or works on their behalf when they are not available or the project does not have any.</p>\n\n<ul>\n  <li>Operates on behalf of a <a href=\"#maintainer\">Maintainer</a> in a <a href=\"#language-ecosystem\">Language Ecosystem</a> or <a href=\"#package-ecosystem\">Package Ecosystem</a>.</li>\n  <li>A type of low-effort <a href=\"#maintainer\">Maintainer</a> with reduced responsibilities, working as a stand-in for the actual Maintainer.\n    <ul>\n      <li>Cares about the continued security posture of the project.</li>\n      <li>Concerned mostly with updating dependencies or applying security fixes.</li>\n    </ul>\n  </li>\n  <li>May step in for the Maintainer on behalf of the <a href=\"#language-ecosystem\">Language Ecosystem</a> or <a href=\"#package-ecosystem\">Package Ecosystem</a> where the component is published.</li>\n  <li>May step in on behalf of the Maintainer if they are unavailable or unresponsive.</li>\n  <li>May have repository commit privileges for the <a href=\"#maintainer\">Maintainer</a>’s project.</li>\n  <li>May publish updates on behalf of the <a href=\"#maintainer\">Maintainer</a>.</li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Version</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>NTIA-SBOM, TR-03183</td>\n      <td 
style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Dependencies (Included)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(5), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Unique Product Identifier</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(3), NTIA-SBOM, CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Supplier Name (Custodian)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(1), NTIA-SBOM, TR-03183, CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Contribution Instructions</td>\n      <td style=\"text-align: center\">No</td>\n      <td> </td>\n      <td style=\"text-align: left\">CycloneDX 1.7 proposed</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<h4 id=\"packager-maintainer\">Packager (Maintainer)</h4>\n\n<p>Prepares a Language ecosystem package for upload.\nCan sometimes be called a “Release manager”.</p>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#packager\">Packager</a></li>\n    </ul>\n  </li>\n</ul>\n\n<hr />\n\n<h3 id=\"collaboration-forge-ecosystem\">Collaboration Forge (Ecosystem)</h3>\n\n<p>A website or tool (“Forge”) that offers a public collaboration repository to Authors, so they may cooperate and share ongoing work in public.</p>\n\n<ul>\n  <li>Examples: Github, Codeberg, Bitbucket, Gitlab, Gitea and 
others.</li>\n  <li>May be open for public use, or project-specific use only</li>\n</ul>\n\n<h4 id=\"depositary\">Depositary</h4>\n\n<div class=\"markdown-alert markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><ul>\n  <li>(CPANSec-2024) Proposed role name.</li>\n</ul>\n</div>\n\n<p>Takes care of the hosting of a project’s public source code repository on behalf of its <a href=\"#maintainer\">Maintainer</a>.\nCommon responsibilities include ensuring availability, non-tampering and hosting supporting services like continuous integration (CI) pipelines.</p>\n\n<ul>\n  <li>Operates within a <a href=\"#collaboration-ecosystem\">Collaboration Ecosystem</a>.</li>\n  <li>Ensures the integrity and availability of the public source code repository.</li>\n  <li>Facilitates collaboration through the hosting of the server components used by git, bzr or similar tooling.</li>\n  <li>May assist in updating some SBOM metadata attributes.</li>\n  <li>\n    <p>May function as a distribution point for releases of a Maintainer’s project.</p>\n  </li>\n  <li>See also\n    <ul>\n      <li><a href=\"/docs/glossary.html#distributor\">Distributor</a> in the Glossary</li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"contributor\">Contributor</h4>\n\n<ul>\n  <li>Operates independently, but through a <a href=\"#collaboration-ecosystem\">Collaboration Ecosystem</a>.</li>\n  <li>Interacts with a project by offering bug reports, feedback, documentation, quality assurance, testing, patches, pull requests or any number of other ways to assist.</li>\n  <li>May or may not have repository commit 
privileges.</li>\n  <li>May also have additional roles, including being a downstream <a href=\"#integrator\">Integrator</a>, <a href=\"#patcher\">Patcher</a> or <a href=\"#maintainer\">Maintainer</a>.</li>\n</ul>\n\n<hr />\n\n<h3 id=\"language-ecosystem\">Language Ecosystem</h3>\n\n<p>A language ecosystem hosts, indexes and distributes components specific to a programming language.\nUsed for publishing Open Source components for use when writing software in the given programming language.\nTypically, the Ecosystem has dedicated services and tooling for interacting with it.</p>\n\n<ul>\n  <li>Examples: CPAN (Perl), PyPI (Python), NPM (Node/JS)</li>\n  <li>May have upstream language ecosystems</li>\n  <li>May have downstream language ecosystems</li>\n  <li>May have an automated Patcher</li>\n  <li>May be Public</li>\n  <li>May be Private</li>\n</ul>\n\n<h4 id=\"ingester\">Ingester (Language, Package, Container ecosystem)</h4>\n\n<div class=\"markdown-alert markdown-alert-caution\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-stop\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M4.47.22A.749.749 0 0 1 5 0h6c.199 0 .389.079.53.22l4.25 4.25c.141.14.22.331.22.53v6a.749.749 0 0 1-.22.53l-4.25 4.25A.749.749 0 0 1 11 16H5a.749.749 0 0 1-.53-.22L.22 11.53A.749.749 0 0 1 0 11V5c0-.199.079-.389.22-.53Zm.84 1.28L1.5 5.31v5.38l3.81 3.81h5.38l3.81-3.81V5.31L10.69 1.5ZM8 4a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 4Zm0 8a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Caution</p><ul>\n  <li>FIXME – Not done</li>\n  <li>FIXME – Find a better name</li>\n</ul>\n</div>\n\n<p>Ingesters ensure that only authorized Maintainers are allowed to publish their components to a <a href=\"#language-ecosystem\">Language Ecosystem</a>, <a href=\"#package-ecosystem\">Package Ecosystem</a> or <a href=\"#container-ecosystem\">Container ecosystem</a>.\nThey usually decide who gets access to which resources.</p>\n\n<ul>\n  
<li>Examples\n    <ul>\n      <li>(CPAN) Upload to the PAUSE web interface at <code class=\"language-plaintext highlighter-rouge\">https://pause.perl.org</code></li>\n      <li>(Debian) Upload using the <code class=\"language-plaintext highlighter-rouge\">dput</code> tool, or manually to <code class=\"language-plaintext highlighter-rouge\">sftp://ftp.eu.upload.debian.org/pub/UPLOAD</code> for regular packages\n        <ul>\n          <li>For security updates, upload a patch to the stable-proposed-updates and an accompanying explanation to the <code class=\"language-plaintext highlighter-rouge\">stable-release-managers</code> list</li>\n        </ul>\n      </li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"open-source-software-steward\">Open Source Software Steward</h4>\n\n<div class=\"markdown-alert markdown-alert-caution\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-stop\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M4.47.22A.749.749 0 0 1 5 0h6c.199 0 .389.079.53.22l4.25 4.25c.141.14.22.331.22.53v6a.749.749 0 0 1-.22.53l-4.25 4.25A.749.749 0 0 1 11 16H5a.749.749 0 0 1-.53-.22L.22 11.53A.749.749 0 0 1 0 11V5c0-.199.079-.389.22-.53Zm.84 1.28L1.5 5.31v5.38l3.81 3.81h5.38l3.81-3.81V5.31L10.69 1.5ZM8 4a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 4Zm0 8a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Caution</p><ul>\n  <li>FIXME – Not done</li>\n</ul>\n</div>\n\n<p>Within, or on behalf of a <a href=\"#language-ecosystem\">Language Ecosystem</a>, a <a href=\"#package-ecosystem\">Package Ecosystem</a> or [Container Ecosystem], the OSS Steward has the task to ensure that their obligations in the EU Cyber Resilience Act are met.</p>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: 
left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Open Source Software Steward</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-Rec-19</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Intended for Commercial Use</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-Rec-15, CRA-Rec-19</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Security Attestation</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-Rec-21</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm with standardization body</td>\n    </tr>\n  </tbody>\n</table>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#maintainer\">Maintainer</a>, and</li>\n      <li><a href=\"/docs/glossary.html#open-source-software-steward\">Open Source Software Steward</a> in the Glossary</li>\n    </ul>\n  </li>\n</ul>\n\n<hr />\n\n<h3 id=\"package-ecosystem\">Package Ecosystem</h3>\n\n<p>A package ecosystem <a href=\"#patcher\">patches</a>, <a href=\"#packager\">repackages</a>, <a href=\"#curator\">curates</a>, <a href=\"#distributor\">indexes and hosts</a> either components for a specific OS distribution, or <a href=\"#assembler\">collections</a> of components for use in container registries, made available (published) for easy download and use.\nPackage Ecosystems typically have their own tooling and services that are expected to be used when interacting with them.</p>\n\n<ul>\n  <li>Examples of package systems: APT (Debian, Ubuntu), RPM (AlmaLinux, SuSE), Ports 
(FreeBSD)</li>\n  <li>Examples of container systems: Docker Hub</li>\n  <li>May have upstream package ecosystems</li>\n  <li>May have downstream package ecosystems</li>\n  <li>May be Public</li>\n  <li>May be Private</li>\n</ul>\n\n<h4 id=\"patcher\">Patcher (Package ecosystem)</h4>\n\n<div class=\"markdown-alert markdown-alert-caution\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-stop\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M4.47.22A.749.749 0 0 1 5 0h6c.199 0 .389.079.53.22l4.25 4.25c.141.14.22.331.22.53v6a.749.749 0 0 1-.22.53l-4.25 4.25A.749.749 0 0 1 11 16H5a.749.749 0 0 1-.53-.22L.22 11.53A.749.749 0 0 1 0 11V5c0-.199.079-.389.22-.53Zm.84 1.28L1.5 5.31v5.38l3.81 3.81h5.38l3.81-3.81V5.31L10.69 1.5ZM8 4a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 4Zm0 8a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Caution</p><ul>\n  <li>FIXME – Not done</li>\n</ul>\n</div>\n\n<p>Patchers may select and apply updates to a component before building and/or packaging.</p>\n\n<ul>\n  <li>Operates like a <a href=\"#developer\">Developer</a> within a <a href=\"#package-ecosystem\">Package Ecosystem</a>.</li>\n  <li>Vets and applies changes to a component, including…\n    <ul>\n      <li>Back-ports of features,</li>\n      <li>Security fixes,</li>\n      <li>Other accommodations necessary for distributing multiple parallel releases of the same upstream project,</li>\n      <li>Adaptations of a component to make it conform to build and execution environment demands.</li>\n    </ul>\n  </li>\n  <li>May work within publishing constraints decided by a <a href=\"#curator\">Curator</a> of the Ecosystem (e.g. 
LTS releases, support contracts, etc.).</li>\n  <li>May work both with a downstream or their own Ecosystem <a href=\"#packager\">Packager</a>.</li>\n  <li>May have a <a href=\"#maintainer\">Maintainer</a>’s downstream ecosystems as their upstream.</li>\n  <li>Is a role that often is held by the same person as the <a href=\"#packager\">Packager</a> or <a href=\"#builder\">Builder</a>.</li>\n  <li>May also be found in-house (e.g. a business or <a href=\"#manufacturer\">Manufacturer</a> who uses a company-internal package mirror)</li>\n  <li>May work on preparing patches for a Package Ecosystem provider (e.g. applying back-ports of fixes in Debian packages), or a Language Ecosystem provider (e.g. a company-internal CPAN mirror that distributes patched packages).</li>\n  <li>Some patches may contain substantial modifications and be based on the Packager’s judgement and opinions.</li>\n</ul>\n\n<p>This role is necessary when…</p>\n\n<ul>\n  <li>Upstream Maintainer roles are not responsive or available, and thereby security fixes aren’t applied there.</li>\n  <li>When downstream constraints and requirements call for it – e.g. 
when back-porting of fixes are needed due to downstream LTS requirements.</li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th style=\"text-align: left\">Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Security contact (Upstream)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: left\">CRA-AII(2)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm Role need</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Unique Product Identifier (Upstream)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: left\">CRA-AII(3), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm Role need</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Version (Upstream)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: left\">NTIA-SBOM, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm Role need</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Download location (Upstream)</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm Role need, req/spec</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">SBOM Location 
(Upstream)</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: left\">CRA-AII(9)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">License(s)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Dependencies (Upstream)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: left\">CRA-AII(5), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm if necessary</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Dependencies (Included)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: left\">CRA-AII(5), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm if necessary</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Version (Patched)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: left\">NTIA-SBOM, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Unique Product Identifier (Patched)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: left\">CRA-AII(3), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Check if attribute is replaced or added</td>\n    </tr>\n    <tr>\n      <td 
style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Contribution Instructions</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">CycloneDX 1.7 proposed</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<ul>\n  <li>Examples\n    <ul>\n      <li>In Debian, there is a concept of “Non-Maintainer Uploads”, where contributors are allowed to do one-time uploads to fix bugs under certain conditions and following some guidelines. (Source: <a href=\"https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#non-maintainer-uploads-nmus\">Debian developers reference</a>, <a href=\"https://www.nntp.perl.org/group/perl.perl5.porters/2024/08/msg268757.html\">perl5-porters message on NMUs</a>)</li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"builder\">Builder (Package ecosystem)</h4>\n\n<div class=\"markdown-alert markdown-alert-important\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-report\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 1.75C0 .784.784 0 1.75 0h12.5C15.216 0 16 .784 16 1.75v9.5A1.75 1.75 0 0 1 14.25 13H8.06l-2.573 2.573A1.458 1.458 0 0 1 3 14.543V13H1.75A1.75 1.75 0 0 1 0 11.25Zm1.75-.25a.25.25 0 0 0-.25.25v9.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h6.5a.25.25 0 0 0 .25-.25v-9.5a.25.25 0 0 0-.25-.25Zm7 2.25v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 9a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z\"></path></svg> Important</p><p>Builders should add build environment metadata (including resolved build dependencies) in an accompanying SBOM file.</p>\n</div>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: 
left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Cryptographic Hash</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CISA-2024-10, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#packager\">Packager</a></li>\n      <li><a href=\"#assembler\">Assembler</a></li>\n      <li><a href=\"#deployer\">Deployer</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"packager\">Packager (Package ecosystem)</h4>\n\n<div class=\"markdown-alert markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><ul>\n  <li>Packagers take upstream components from an upstream source and build and install them into a custom environment for producing system packages for their native packaging ecosystem (e.g. APT).</li>\n  <li>Upstream sources may be…</li>\n  <li>Author’s repository, or a Custodian’s if a project is dormant (e.g. a repository on Codeberg).</li>\n  <li>Language-specific packages distributed by a Language Ecosystem (e.g. CPAN).</li>\n  <li>E.g. 
someone in the #debian-perl group downloads, builds, tests and installs something from CPAN, but instead of doing a regular install, they use tooling like <code class=\"language-plaintext highlighter-rouge\">dh-make-perl</code> to produce a custom installation directory that can be incorporated into a .deb archive.</li>\n  <li>A Packager can be found in-house (e.g. a business that uses a company-internal package mirror), at a Package Ecosystem Provider (e.g. Debian), or at a Language Ecosystem Provider (e.g. a company-internal CPAN mirror that distributes patched packages).</li>\n</ul>\n</div>\n\n<ul>\n  <li>Operates within a <a href=\"#package-ecosystem\">Package Ecosystem</a> or an <a href=\"#oss-project-environment\">OSS Project Environment</a>.</li>\n  <li>Within a package ecosystem, builds and creates packages from components received from an upstream source, optionally with patches applied from the <a href=\"#patcher\">Patcher</a>.</li>\n  <li>Within an author environment, creates packages from their own project in preparation for publication in a downstream <a href=\"#language-ecosystem\">Language Ecosystem</a> (e.g. 
create a CPAN package for uploading to CPAN using the PAUSE interface).</li>\n  <li>Concerns themselves with correct package format and structure, and that package metadata is preserved and updated.</li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Security contact (Redistributed)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(2)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm Role need</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Unique Product Identifier (Redistributed)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(3), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm Role need</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Version (Redistributed)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>NTIA-SBOM, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm Role need</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Dependencies (Resolved)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(5), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<h4 id=\"curator\">Curator (Package ecosystem)</h4>\n\n<div class=\"markdown-alert 
markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><ul>\n  <li>Curators may decide both whether and where the output of a Packager is distributed.</li>\n  <li>Curators may operate both in-house, in order to keep an eye on what is being automatically installed there, or they may make the decisions that happen on the Package or Language Ecosystem Provider side.</li>\n  <li>Typically, a curator may consider LTS status, support contract terms or other reasons for distributing a package.</li>\n</ul>\n</div>\n\n<div class=\"markdown-alert markdown-alert-caution\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-stop\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M4.47.22A.749.749 0 0 1 5 0h6c.199 0 .389.079.53.22l4.25 4.25c.141.14.22.331.22.53v6a.749.749 0 0 1-.22.53l-4.25 4.25A.749.749 0 0 1 11 16H5a.749.749 0 0 1-.53-.22L.22 11.53A.749.749 0 0 1 0 11V5c0-.199.079-.389.22-.53Zm.84 1.28L1.5 5.31v5.38l3.81 3.81h5.38l3.81-3.81V5.31L10.69 1.5ZM8 4a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 4Zm0 8a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Caution</p><ul>\n  <li>FIXME – Not done</li>\n</ul>\n</div>\n\n<ul>\n  <li>Operates within a <a href=\"#package-ecosystem\">Package Ecosystem</a> or a <a href=\"#language-ecosystem\">Language Ecosystem</a>.</li>\n  <li>Selects or pins which components are suitable for use downstream of the package ecosystem.</li>\n  <li>Works mainly with the <a href=\"/docs/glossary.html#distributor\">Distributor</a> role (as defined in the Glossary).</li>\n  
<li>Concerns themselves with both the stability and predictability of components, and how this is prioritized against the need for features, bug fixes and security updates.</li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Download location (Repackaged)</td>\n      <td style=\"text-align: center\">No</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">SBOM Location (Repackaged)</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-AII(9)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<h4 id=\"provider\">Provider</h4>\n\n<div class=\"markdown-alert markdown-alert-caution\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-stop\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M4.47.22A.749.749 0 0 1 5 0h6c.199 0 .389.079.53.22l4.25 4.25c.141.14.22.331.22.53v6a.749.749 0 0 1-.22.53l-4.25 4.25A.749.749 0 0 1 11 16H5a.749.749 0 0 1-.53-.22L.22 11.53A.749.749 0 0 1 0 11V5c0-.199.079-.389.22-.53Zm.84 1.28L1.5 5.31v5.38l3.81 3.81h5.38l3.81-3.81V5.31L10.69 1.5ZM8 4a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 4Zm0 8a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Caution</p><ul>\n  <li>FIXME – Not done</li>\n</ul>\n</div>\n\n<p>Operates within a <a href=\"#package-ecosystem\">Package Ecosystem</a> or a <a 
href=\"#language-ecosystem\">Language Ecosystem</a>.\nEnsures the availability of packages or containers, that they are indexed correctly, and that any related metadata is up-to-date, correct and available.</p>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"/docs/glossary.html#provider\">Provider</a> in the Glossary</li>\n      <li><a href=\"/docs/glossary.html#distributor\">Distributor</a> in the Glossary</li>\n      <li><a href=\"#references\">CISA SBOM Sharing Roles and Considerations</a> (CISA-2024)</li>\n      <li><a href=\"#references\">CRA Article 20</a> (CRA-Art-20)</li>\n    </ul>\n  </li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟩</td>\n      <td style=\"text-align: left\">Download location (Repackaged)</td>\n      <td style=\"text-align: center\">No</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟩</td>\n      <td style=\"text-align: left\">SBOM Location (Repackaged)</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-AII(9)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<h4 id=\"assembler\">Assembler (Container ecosystem)</h4>\n\n<div class=\"markdown-alert markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 
0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><ul>\n  <li>FIXME – “Assembler” probably isn’t the best name for the role that creates container images. If you have suggestions for a better single-word name for this role, that isn’t ambiguous or obscure, then please reach out!</li>\n  <li>FIXME – Flesh out details</li>\n</ul>\n</div>\n\n<ul>\n  <li>Operates within a <a href=\"#package-ecosystem\">Package Ecosystem</a>, creating containers.</li>\n  <li>Builds, installs package dependencies and creates container images from base images.</li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Dependencies (Resolved)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(5), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Cryptographic Hash</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CISA-2024-10, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<hr />\n\n<h3 id=\"integrator-environment\">Integrator Environment</h3>\n\n<pre><code class=\"language-mermaid\">stateDiagram-v2\n    direction TB\n    accTitle: An Idealized Open Source supply-chain Graph\n    %%accDescr: This graph illustrates how different types of development environments and ecosystems interconnect, what kind of 
roles you may find in these, and what type of metadata operations they may care to do\n\n    %% Role activities\n    classDef createsSBOM stroke:red,stroke-width:3px;\n    classDef assemblesSBOM stroke:yellow,stroke-width:3px,stroke-dasharray:15 5;\n    classDef updatesSBOM stroke:yellow,stroke-width:3px;\n    classDef distributesSBOM stroke:green,stroke-width:3px;\n    classDef verifiesSBOM stroke:#07f,stroke-width:3px;\n    classDef censorsSBOM stroke:green,stroke-width:3px;\n    classDef ignoresSBOM stroke:#777,stroke-width:3px;\n\n    %%\n    state \"🟥🟨🟦 OSS Steward 🆕\" as language_steward\n    %%\n    class language_steward createsSBOM\n\n    %% Language Ecosystem\n    state \"Language Ecosystem\" as ecosystem_lang\n    %%\n    class ecosystem_lang updatesSBOM\n\n\n    %% Collaboration Ecosystem\n    state \"Collaboration Ecosystem\" as ecosystem_forge\n    %%\n    class ecosystem_forge distributesSBOM\n\n    %% Package Ecosystem\n    state \"Package Ecosystem\" as ecosystem_package\n    %%\n    class ecosystem_package assemblesSBOM\n\n    %% Container Ecosystem\n    state \"Container Ecosystem\" as ecosystem_container\n    %%\n    class ecosystem_container assemblesSBOM\n\n\n    %% Integrator Environment\n    state \"🟥 Manufacturer 🆕\" as integrator_owner\n    state \"🟥🟨🟦 Integrator (Developer)\" as integrator_developer\n    state \"🟨🟦 Builder&lt;br&gt;🟨🟦 Packager&lt;br&gt;🟨🟦 Assembler\" as integrator_builder\n    state \"🟩🟪 SBOM Censor\" as integrator_censor\n    state \"🟩 Publisher\" as integrator_publisher\n    state \"🟦 Analyst&lt;br&gt;🟦 Auditor\" as integrator_analyst\n    state \"Integrator Environment\" as environment_integrator {\n        [*] --&gt; integrator_developer\n        integrator_owner     --&gt; integrator_developer\n        integrator_builder   --&gt; integrator_censor\n        integrator_builder   --&gt; integrator_publisher\n        integrator_developer --&gt; integrator_builder\n        integrator_analyst   --&gt; 
integrator_developer\n        integrator_builder   --&gt; integrator_analyst\n    }\n    %%\n    class integrator_owner createsSBOM\n    class integrator_developer updatesSBOM\n    class integrator_censor censorsSBOM\n    class integrator_publisher distributesSBOM\n    class integrator_builder assemblesSBOM\n    class integrator_analyst verifiesSBOM\n\n    %%\n    state \"🟦 End-user&lt;br&gt;Consumer\" as external_consumer\n    class external_consumer ignoresSBOM\n\n    %% Market Authorities\n    state \"🟦 Market Authority 🆕&lt;br&gt;🟦 Importer 🆕&lt;br&gt;🟦 Distributor 🆕\" as authority_auditor\n    %%\n    class authority_attester createsSBOM\n    class authority_auditor verifiesSBOM\n\n    %% Production Environment\n    state \"Production Environment\" as environment_prod\n    %%\n    class prod_deployer assemblesSBOM\n\n    %%\n    language_steward     --&gt; environment_integrator\n    ecosystem_forge      --&gt; environment_integrator\n    ecosystem_lang       --&gt; environment_integrator\n    ecosystem_package    --&gt; environment_integrator\n    ecosystem_container  --&gt; environment_integrator\n    %%\n    integrator_builder   --&gt; environment_prod\n    integrator_developer --&gt; environment_prod\n    integrator_publisher --&gt; authority_auditor\n    integrator_publisher --&gt; environment_prod\n    integrator_censor    --&gt; external_consumer\n\n    %% Copyright © 2024 Salve J. Nilsen &lt;sjn@oslo.pm&gt;\n    %% Some rights reserved. 
Licensed CC-BY-SA-4.0\n</code></pre>\n\n<p>A business or institution that is responsible for developing and building the application that is required to have an accompanying SBOM document.</p>\n\n<ul>\n  <li>Operates commercially</li>\n  <li>May publish <a href=\"/docs/glossary.html#open-source-software\">Open Source Software</a></li>\n  <li>\n    <p>Has a project development life-cycle</p>\n  </li>\n  <li>See also:\n    <ul>\n      <li><a href=\"#manufacturer-environment\">Manufacturer Environment</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"manufacturer\">Manufacturer</h4>\n\n<div class=\"markdown-alert markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><p>Manufacturer has a specific defined meaning in the EU Cyber Resilience Act (CRA), so until this definition is established, be careful when using the term.\nThese attributes are in addition to the attributes listed under <a href=\"#owner\">Owner</a>.\nSPDX 2.3 doesn’t support the CE attributes. 
SPDX 3.0 should be used at a future date.</p>\n</div>\n\n<ul>\n  <li>A role within an <a href=\"#integrator-environment\">Integrator Environment</a>.</li>\n  <li>When doing business within the European Economic Area (EEA), has the duty to ensure that the conformity obligations in the EU Cyber Resilience Act (CRA) are met.</li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Supplier Name (Manufacturer)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(1), NTIA-SBOM, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">CE Declaration of Conformity</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(6), CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">CE Support End Date</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(7)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">CE Technical Documentation</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(8), CRA-AVII</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: 
center\">🟥</td>\n      <td style=\"text-align: left\">CE Conformity Assessment Body</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA Article 47.1, CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#owner\">Owner</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"integrator\">Integrator</h4>\n\n<div class=\"markdown-alert markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><ul>\n  <li>Used in the EU Cyber Resilience Act Annex II to denote someone who integrates <em>a product with digital elements intended for integration</em> into other products with digital elements.</li>\n</ul>\n</div>\n\n<ul>\n  <li>Operates within an <a href=\"#integrator-environment\">Integrator Environment</a>.</li>\n  <li>Uses packages and components as dependencies in their own project, product or component.</li>\n  <li>A Developer is in many ways identical to a <a href=\"#maintainer\">Maintainer</a> from the upstream Maintainer’s perspective, with the main difference being that a Developer doesn’t publish their work as <a href=\"/docs/glossary.html#open-source-software\">Open Source Software</a>.</li>\n  <li>\n    <p>A Developer that publishes their software as <a href=\"/docs/glossary.html#open-source-software\">Open Source Software</a> is called a <a href=\"#maintainer\">Maintainer</a>.</p>\n  </li>\n  <li>See also\n    <ul>\n      <li><a href=\"#maintainer\">Maintainer</a></li>\n      <li><a 
href=\"#developer\">Developer</a></li>\n    </ul>\n  </li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Contribution Instructions (Upstream)</td>\n      <td style=\"text-align: center\">No</td>\n      <td> </td>\n      <td style=\"text-align: left\">CycloneDX 1.7 proposed</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">License(s)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Primary Component Name</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>NTIA-SBOM, TR-03183, CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Version</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>NTIA-SBOM, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Dependencies</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(5), NTIA-SBOM, CISA-2024-10, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td 
style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Dependency Relationships</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CISA-2024-10</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Security contact</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(2)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Confirm attribute variations</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Unique Product ID</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(3), NTIA-SBOM, CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Purpose, Intended Use</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(4)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Code Repository</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Contribution Instructions</td>\n      <td style=\"text-align: center\">No</td>\n      <td> </td>\n      <td style=\"text-align: left\">CycloneDX 1.7 proposed</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Code Commit Revision</td>\n      <td style=\"text-align: center\">No</td>\n      <td> 
</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\">Consider recommendation</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Cryptographic Hash</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CISA-2024-10, TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Primary Component Filename</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>TR-03183</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">License (Primary)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CISA-2024-10</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">Supplier Name (Integrator)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(1), NTIA-SBOM, TR-03183, CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟨</td>\n      <td style=\"text-align: left\">License(s) (Included, Dependency)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CISA-2024-10</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<h4 id=\"developer\">Developer</h4>\n\n<div class=\"markdown-alert markdown-alert-caution\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-stop\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M4.47.22A.749.749 0 0 1 5 0h6c.199 
0 .389.079.53.22l4.25 4.25c.141.14.22.331.22.53v6a.749.749 0 0 1-.22.53l-4.25 4.25A.749.749 0 0 1 11 16H5a.749.749 0 0 1-.53-.22L.22 11.53A.749.749 0 0 1 0 11V5c0-.199.079-.389.22-.53Zm.84 1.28L1.5 5.31v5.38l3.81 3.81h5.38l3.81-3.81V5.31L10.69 1.5ZM8 4a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 4Zm0 8a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Caution</p><ul>\n  <li>FIXME – Not done</li>\n</ul>\n</div>\n\n<ul>\n  <li>Equivalent to an <a href=\"#integrator\">Integrator</a>\n    <ul>\n      <li>(CPANSec) Avoid using this term, since it doesn’t distinguish between developers who publish their work as Open Source (<a href=\"#maintainer\">Maintainer</a>), Developers who work on behalf of a <a href=\"#manufacturer\">Manufacturer</a>, <a href=\"#integrator\">Integrating</a> components into some product, service or application, or a <a href=\"#patcher\">Patcher</a> working on behalf of a Package Ecosystem figuring out how to backport a fix.</li>\n    </ul>\n  </li>\n  <li>See also\n    <ul>\n      <li><a href=\"#integrator\">Integrator</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"publisher\">Publisher</h4>\n\n<ul>\n  <li>Operates within an <a href=\"#integrator-environment\">Integrator Environment</a> or a <a href=\"#manufacturer-environment\">Manufacturer Environment</a>.</li>\n  <li>Makes available a component or product on a market on behalf of the Integrator or Manufacturer.</li>\n  <li>With regard to the EU Cyber Resilience Act, a Publisher is the same as a <a href=\"#distributor\">Distributor</a>.</li>\n</ul>\n\n<h4 id=\"analyst\">Analyst</h4>\n\n<div class=\"markdown-alert markdown-alert-caution\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-stop\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M4.47.22A.749.749 0 0 1 5 0h6c.199 0 .389.079.53.22l4.25 4.25c.141.14.22.331.22.53v6a.749.749 0 0 1-.22.53l-4.25 4.25A.749.749 0 0 1 11 16H5a.749.749 0 0 1-.53-.22L.22 11.53A.749.749 0 
0 1 0 11V5c0-.199.079-.389.22-.53Zm.84 1.28L1.5 5.31v5.38l3.81 3.81h5.38l3.81-3.81V5.31L10.69 1.5ZM8 4a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 4Zm0 8a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Caution</p><ul>\n  <li>FIXME – Check refs for CRA-Rec-34 and others</li>\n  <li>FIXME – Consider need for a Maintainer’s list of known/addressed vulnerabilities, to check against public vulnerability databases.</li>\n</ul>\n</div>\n\n<ul>\n  <li>Security analyst, or vulnerability checker.</li>\n  <li>Also known as “SecOps” or “Pentester”.</li>\n  <li>May operate within a <a href=\"#production-environment\">Production Environment</a> or an <a href=\"#integrator-environment\">Integrator Environment</a>.</li>\n  <li>Responsible for security checks, including runtime, dynamic and static checks, vulnerability monitoring, etc.</li>\n  <li>Communicates any issues or findings to any number of upstream roles, including the component <a href=\"#deployer\">Deployer</a>, <a href=\"#developer\">Developer</a> or <a href=\"#maintainer\">Maintainer</a>.</li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Security contact</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(2)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Unique Product ID</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(3), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td 
style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Security Attestation</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-Rec-21</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Contribution Instructions</td>\n      <td style=\"text-align: center\">No</td>\n      <td> </td>\n      <td style=\"text-align: left\">CycloneDX 1.7 proposed</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<hr />\n\n<h3 id=\"production-environment\">Production Environment</h3>\n\n<div class=\"markdown-alert markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><ul>\n  <li>FIXME – Add examples of physical products, services that apply</li>\n</ul>\n</div>\n\n<p>The environment and systems where a product or service is executed on behalf of a customer, and thereby made available to their users.</p>\n\n<h4 id=\"deployer\">Deployer</h4>\n\n<div class=\"markdown-alert markdown-alert-caution\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-stop\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M4.47.22A.749.749 0 0 1 5 0h6c.199 0 .389.079.53.22l4.25 4.25c.141.14.22.331.22.53v6a.749.749 0 0 1-.22.53l-4.25 4.25A.749.749 0 0 1 11 16H5a.749.749 0 0 1-.53-.22L.22 11.53A.749.749 0 0 1 0 11V5c0-.199.079-.389.22-.53Zm.84 1.28L1.5 5.31v5.38l3.81 
3.81h5.38l3.81-3.81V5.31L10.69 1.5ZM8 4a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 4Zm0 8a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Caution</p><ul>\n  <li>FIXME – Not done</li>\n</ul>\n</div>\n\n<ul>\n  <li>Operates within a <a href=\"#production-environment\">Production Environment</a>.</li>\n  <li>Performs the final preparation and installation of the software, through CI/CD or another deployment method, into an <a href=\"#integrator-environment\">Integrator</a> or <a href=\"#production-environment\">Production Environment</a>.</li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟥</td>\n      <td style=\"text-align: left\">Dependencies (Deployed)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(5), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<h4 id=\"installer\">Installer</h4>\n\n<div class=\"markdown-alert markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><p>Mentioned once in the EU Cyber Resilience Act.</p>\n</div>\n\n<ul>\n  <li>See\n    <ul>\n      <li><a href=\"#deployer\">Deployer</a></li>\n    </ul>\n  </li>\n</ul>\n\n<hr />\n\n<h3 id=\"non-ecosystem-roles\">Non-Ecosystem 
Roles</h3>\n\n<h4 id=\"auditor\">Auditor</h4>\n\n<p>Verifies that all necessary metadata is available, up-to-date and made use of.\nThis role is required by the EU Cyber Resilience Act. FIXME – find specific article.</p>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Security contact</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(2)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Unique Product ID</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(3), NTIA-SBOM</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Purpose, Intended Use</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(4)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Security Attestation</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-Rec-21</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">License(s)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n   
   <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">SBOM Location</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-AII(9)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">CE Declaration of Conformity</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-AII(6), CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">CE Support End Date</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-AII(7)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">CE Technical Documentation</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-AII(8)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">CE Conformity Assessment Body</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-Art-47(1), CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Download location</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Contribution Instructions</td>\n      <td 
style=\"text-align: center\">No</td>\n      <td> </td>\n      <td style=\"text-align: left\">CycloneDX 1.7 proposed</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<h4 id=\"distributor\">Distributor</h4>\n\n<div class=\"markdown-alert markdown-alert-caution\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-stop\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M4.47.22A.749.749 0 0 1 5 0h6c.199 0 .389.079.53.22l4.25 4.25c.141.14.22.331.22.53v6a.749.749 0 0 1-.22.53l-4.25 4.25A.749.749 0 0 1 11 16H5a.749.749 0 0 1-.53-.22L.22 11.53A.749.749 0 0 1 0 11V5c0-.199.079-.389.22-.53Zm.84 1.28L1.5 5.31v5.38l3.81 3.81h5.38l3.81-3.81V5.31L10.69 1.5ZM8 4a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 4Zm0 8a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Caution</p><ul>\n  <li>Confusion between the EU CRA’s idea of a Distributor and an OSS Package Distributor.</li>\n</ul>\n</div>\n\n<ul>\n  <li>Distributor is a term commonly used throughout Open Source Ecosystems, but\n    <ul>\n      <li>(CISA-2024) Distributors have additional requirements and considerations laid out in CISA-2024.</li>\n      <li>(CRA-Art-20) Distributors have additional requirements around compliance, laid out in the EU Cyber Resilience Act Article 20.</li>\n    </ul>\n  </li>\n  <li>(CPANSec-2024) Use the term <a href=\"#provider\">Provider</a> for roles who make package artifacts available for downstream users.</li>\n</ul>\n\n<blockquote>\n  <p>(Ref: <a href=\"#references\">CISA-2024</a>, <a href=\"#references\">CRA-Art-20</a>, <a href=\"#references\">CPANSec-2024</a>)</p>\n</blockquote>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#provider\">Provider</a></li>\n      <li><a href=\"/docs/glossary.html#distributor\">Distributor</a> in the Glossary</li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"importer\">Importer</h4>\n\n<div class=\"markdown-alert markdown-alert-caution\"><p 
class=\"markdown-alert-title\"><svg class=\"octicon octicon-stop\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M4.47.22A.749.749 0 0 1 5 0h6c.199 0 .389.079.53.22l4.25 4.25c.141.14.22.331.22.53v6a.749.749 0 0 1-.22.53l-4.25 4.25A.749.749 0 0 1 11 16H5a.749.749 0 0 1-.53-.22L.22 11.53A.749.749 0 0 1 0 11V5c0-.199.079-.389.22-.53Zm.84 1.28L1.5 5.31v5.38l3.81 3.81h5.38l3.81-3.81V5.31L10.69 1.5ZM8 4a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 4Zm0 8a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Caution</p><ul>\n  <li>Not directly part of an Open Source supply-chain, but can be found downstream of Manufacturers that use these.</li>\n  <li>FIXME – Not done</li>\n</ul>\n</div>\n\n<ul>\n  <li>A role specific to the EU Cyber Resilience Act.</li>\n  <li>Operates downstream of Manufacturers.</li>\n  <li>A role used specifically when an entity established in the EU places on the EU market software that bears the name or trademark of a Manufacturer established outside the EU.</li>\n  <li>Is required to verify that the imported software is compliant with the EU Cyber Resilience Act, according to its Article 19.</li>\n</ul>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: center\">Ops</th>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th>Required by</th>\n      <th style=\"text-align: left\">Comment</th>\n      <th style=\"text-align: left\">FIXME</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Security contact</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(2)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Unique Product ID</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(3), NTIA-SBOM</td>\n      <td style=\"text-align: 
left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Purpose, Intended Use</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td>CRA-AII(4)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">SBOM Location</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-AII(9)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">CE Declaration of Conformity</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-AII(6), CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">CE Support End Date</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-AII(7)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">CE Instructions (Documentation)</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-AII(8)</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">CE Conformity Assessment Body</td>\n      <td style=\"text-align: center\">No</td>\n      <td>CRA-Art-47(1), CRA-AV</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: center\">🟦</td>\n      <td style=\"text-align: left\">Download 
location</td>\n      <td style=\"text-align: center\">FIXME</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"/docs/glossary.html#importer\">Importer</a> in the Glossary</li>\n      <li><a href=\"/docs/glossary.html#distributor\">Distributor</a> in the Glossary</li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"end-user\">End-user</h4>\n\n<ol>\n  <li>(CPANSec-2024) The user or customer who uses the software as deployed in a <a href=\"#production-environment\">Production Environment</a>.</li>\n</ol>\n\n<p>(Ref: <a href=\"#references\">CPANSec-2024</a>)</p>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"/docs/glossary.html#end-user\">End-user</a> in the Glossary</li>\n    </ul>\n  </li>\n</ul>\n\n<hr />\n\n<h3 id=\"other-common-terms-for-ecosystems-and-roles\">Other common terms for Ecosystems and Roles</h3>\n\n<h4 id=\"repository-ecosystem\">Repository Ecosystem</h4>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#collaboration-ecosystem\">Collaboration Ecosystem</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"author-environment\">Author Environment</h4>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#oss-project-environment\">OSS Project Environment</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"manufacturer-environment\">Manufacturer Environment</h4>\n\n<div class=\"markdown-alert markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><ul>\n  <li>FIXME – Much more to add!</li>\n  <li>e.g. 
from https://blog.nlnetlabs.nl/what-i-learned-in-brussels-the-cyber-resilience-act/</li>\n  <li>Also check out the work coming out of the Eclipse ORC Working Group</li>\n  <li>Cover the CE mark requirements, and the roles of downstream Importers and Distributors in verifying these</li>\n  <li>Cover the roles of upstream Roles in attesting the security of the components they use</li>\n</ul>\n</div>\n\n<ul>\n  <li>Used specifically in the context of the EU Cyber Resilience Act, to mean a commercial entity that places a product with digital elements on the EU market.</li>\n  <li>\n    <p>Is expected to produce a complete SBOM document describing their application, including all dependencies.</p>\n  </li>\n  <li>See also\n    <ul>\n      <li><a href=\"#integrator-environment\">Integrator Environment</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"customer-environment\">Customer Environment</h4>\n\n<p>The environment and systems where a product or service is executed by a customer and thereby made available to their users.</p>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#production-environment\">Production Environment</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"supplier\">Supplier</h4>\n\n<p>Supplier is a term used throughout the supply-chain, but most often represents a Role within a <a href=\"#maintainer-environment\">Maintainer</a> or an <a href=\"#integrator-environment\">Integrator</a> Environment.</p>\n\n<ul>\n  <li>This term is used within the NTIA “SBOM Minimum Elements” document as the legal source of a component.</li>\n  <li>(CPANSec) This term is confusing, as it doesn’t distinguish between the different types of “Suppliers” that may be involved in the creation of a product.\n    <ul>\n      <li>Please use a more precise term, like <a href=\"#owner\">Owner</a>, <a href=\"#author\">Author</a>, <a href=\"#maintainer\">Maintainer</a> or <a href=\"#manufacturer\">Manufacturer</a>.</li>\n    </ul>\n  </li>\n  <li>See also\n    <ul>\n      <li><a 
href=\"/docs/glossary.html#supplier\">Supplier</a> in the Glossary</li>\n      <li><a href=\"#author\">Author</a></li>\n      <li><a href=\"#owner\">Owner</a></li>\n      <li><a href=\"#maintainer\">Maintainer</a></li>\n      <li><a href=\"#custodian\">Custodian</a></li>\n      <li><a href=\"#manufacturer\">Manufacturer</a></li>\n      <li><a href=\"#oss-project-environment\">OSS Project Environment</a></li>\n      <li><a href=\"#integrator-environment\">Integrator Environment</a></li>\n      <li><a href=\"#open-source-software-steward\">Open Source Software Steward</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"compliance\">Compliance</h4>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#auditor\">Auditor</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"consumer\">Consumer</h4>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#end-user\">End-user</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"user\">User</h4>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#end-user\">End-user</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"steward\">Steward</h4>\n\n<div class=\"markdown-alert markdown-alert-note\"><p class=\"markdown-alert-title\"><svg class=\"octicon octicon-info\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg> Note</p><ul>\n  <li>Possible synonym for <a href=\"#custodian\">Custodian</a>.</li>\n  <li>“Steward” has a specific defined meaning in the EU Cyber Resilience Act, so it’s better to avoid using the term as a synonym for “Custodian”.</li>\n</ul>\n</div>\n\n<ul>\n  <li>See also\n    <ul>\n      <li><a href=\"#custodian\">Custodian</a></li>\n      <li><a href=\"#open-source-software-steward\">Open Source Software 
Steward</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"secops\">SecOps</h4>\n\n<ul>\n  <li>See\n    <ul>\n      <li><a href=\"#analyst\">Analyst</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"pentester\">Pentester</h4>\n\n<ul>\n  <li>See\n    <ul>\n      <li><a href=\"#analyst\">Analyst</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"janitor\">Janitor</h4>\n\n<ul>\n  <li>See\n    <ul>\n      <li><a href=\"#custodian\">Custodian</a></li>\n    </ul>\n  </li>\n</ul>\n\n<h4 id=\"owner\">Owner</h4>\n\n<p>The legal owner of the component or project.</p>\n\n<ul>\n  <li>May be a business or other entity, distinct from the component <a href=\"#author\">Author</a>.</li>\n  <li>An Owner may be\n    <ul>\n      <li>Independent (<a href=\"#author\">Author</a> or <a href=\"#maintainer\">Maintainer</a> is Owner)</li>\n      <li>Public sector entity (e.g. a city administration)</li>\n      <li>Commercial sector entity (e.g. a shareholder-owned business)</li>\n      <li>Academic sector (e.g. a university)</li>\n      <li>Non-profit/NGO sector</li>\n    </ul>\n  </li>\n  <li>\n    <p>Project needs, risks, predictability, sustainability and strategy may depend greatly on the Owner entity.</p>\n  </li>\n  <li>See also\n    <ul>\n      <li><a href=\"#author\">Author</a></li>\n      <li><a href=\"/docs/glossary.html#copyright-holder\">Copyright Holder</a></li>\n    </ul>\n  </li>\n</ul>\n\n<hr />\n\n<h2 id=\"references\">References</h2>\n\n<ul>\n  <li>(CISA-2023-4) <a href=\"https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom\">CISA Types of Software Bill of Materials (SBOM)</a>, dated 2023-04-21</li>\n  <li>(CISA-2024-10) <a href=\"https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf\">CISA Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)</a>, Third edition, sections 2.2.1.4, 2.2.2 and Appendix B; dated 2024-10-15</li>\n  <li>(CPANSec-2024) 
CPAN Security Group commentary by Author. If you (dis)agree or have improvements, <a href=\"#document-status-%EF%B8%8F--draft\">share it with us</a>!</li>\n  <li>(CRA-Art-3)  <a href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_3\">Cyber Resilience Act, Article 3</a> Definitions, dated 2024-11-20</li>\n  <li>(CRA-Art-18) <a href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_18\">Cyber Resilience Act, Article 18</a> Obligations of Authorized Representatives, dated 2024-11-20</li>\n  <li>(CRA-Art-20) <a href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_20\">Cyber Resilience Act, Article 20</a> Obligations of distributors, dated 2024-11-20</li>\n  <li>(CRA-Art-47) <a href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_47\">Cyber Resilience Act, Article 47</a> Operational obligations of notified bodies, dated 2024-11-20</li>\n  <li>(CRA-AII)    <a href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II\">Cyber Resilience Act, Annex II</a> Information and Instructions to the User, dated 2024-11-20</li>\n  <li>(CRA-AV)     <a href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_V\">Cyber Resilience Act, Annex V</a> EU Declaration of Conformity, dated 2024-11-20</li>\n  <li>(CRA-AVII)   <a href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_VII\">Cyber Resilience Act, Annex VII</a> Contents of the Technical Documentation, dated 2024-11-20</li>\n  <li>(CRA-Rec-15) <a href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_15\">Cyber Resilience Act, Recital 15</a> Economic operators, dated 2024-11-20</li>\n  <li>(CRA-Rec-18) <a href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_18\">Cyber Resilience Act, Recital 18</a> Open Source Software Contributors, dated 2024-11-20</li>\n  <li>(CRA-Rec-19) <a 
href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_19\">Cyber Resilience Act, Recital 19</a> Open Source Software Intended for Commercial Use, dated 2024-11-20</li>\n  <li>(CRA-Rec-21) <a href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_21\">Cyber Resilience Act, Recital 21</a> Open Source Security Attestation, dated 2024-11-20</li>\n  <li>(CSCRF) <a href=\"https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html\">Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)</a>, (GV.SC.S5, page 89), Securities and Exchange Board of India, Published 2024-08-20</li>\n  <li>(EUBG-2022) <a href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022XC0629(04)\">The ‘Blue Guide’ on the implementation of EU product rules</a></li>\n  <li>(IMDRF) <a href=\"https://www.imdrf.org/documents/principles-and-practices-software-bill-materials-medical-device-cybersecurity\">Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity</a>, International Medical Device Regulators Forum, dated 2023-04-13</li>\n  <li>(METI-2023) <a href=\"https://www.meti.go.jp/policy/netsecurity/wg1/sbom_tebiki_en.pdf\">Guidance on Introduction of Software Bill of Materials (SBOM) for Software Management, version 1.0</a>; Ministry of Economy, Trade and Industry Commerce (Japan); Published 2023-07-28</li>\n  <li>(NTIA-2021-3) <a href=\"https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf\">SBOM Tool Classification Taxonomy</a>, dated 2021-03-30.</li>\n  <li>(NTIA-SBOM) <a href=\"https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf#page=9\">NTIA Minimum Elements for a Software Bill of Materials (SBOM)</a>, dated 2021-07-12</li>\n  <li>(PCI-SSF) <a 
href=\"https://docs-prv.pcisecuritystandards.org/Software%20Security/Standard/PCI-Secure-Software-Standard-v1_2_1.pdf\">Payment Card Industry Secure Software Framework v1.2.1</a>, Control Objective C.1, Published May 2023</li>\n  <li>(TR-03183  ) German Technical Requirement <a href=\"https://www.bsi.bund.de/dok/TR-03183-en\">TR-03183 Cyber Resilience Requirements for Manufacturers and Products</a>, Part 2 “Software Bill of Materials (SBOM)”, Section 5; Version 2.0.0 dated 2024-09-20</li>\n</ul>\n\n<h2 id=\"commentary-and-fixmes\">Commentary and FIXMEs</h2>\n\n<ol>\n  <li>Open Source in CRA… Maintainer -&gt; Provider -&gt; Supplier -&gt; Steward -&gt; Manufacturer -&gt; Distributor</li>\n  <li>Open Source in CRA (simplified)… Hobbyist -&gt; Maintainer -&gt; Maintainer w/Steward -&gt; Manufacturer</li>\n  <li>Add graph/description on build steps, to illustrate how different SBOM files may be found, sourced, generated, assembled, installed and shared for later verification or analysis.</li>\n  <li>Enumerate what distinguishes the different environments\n    <ul>\n      <li>Language: Not built, not deployed, Is source code, No execution environment</li>\n      <li>Distro/package: Built, Deployed, Is object code, No execution environment</li>\n      <li>Model/plugin: Built, Not deployed, Is data, No execution environment (FIXME – unsure)</li>\n      <li>Image/container: Built, Deployed, Is object code, Has execution environment</li>\n    </ul>\n  </li>\n  <li>Enumerate the different dependencies\n    <ul>\n      <li>Stages; Author/develop, configure, build, test, install/deploy, packaging, container assembly, post-deploy (plugin/dynamic), runtime.</li>\n      <li>States; resolved, required/unresolved, embedded/included</li>\n      <li>Types; component, patch, system resource, environment, ecosystem, service</li>\n      <li>Descriptions; cross-ecosystem vs. in-ecosystem, up-river vs. down-river (within language ecosystem), upstream vs. 
downstream (outside language ecosystem), reverse, assumed/implied vs. stated/explicit, static vs. dynamic</li>\n    </ul>\n  </li>\n  <li>Clearer distinction between Builder, Deployer, Packager, Assembler, Integrator</li>\n  <li>Add example of a chain of edits to an SBOM document, as it is passed down the supply-chain</li>\n  <li>Distinguish between Dependencies (as resolved by the Builder, Packager, Assembler or Integrator roles) and Requirements (unresolved, but as defined by the Author or Integrator roles).</li>\n  <li>Distinguish in which SBOM Types (or stages) different attributes are expected to be set, in order to help SBOM Authors produce and verify attributes as expected.</li>\n  <li>PCI-SSF v1.2.1 requires not only that component dependencies are listed, but also service dependencies (<a href=\"https://docs-prv.pcisecuritystandards.org/Software%20Security/Standard/PCI-Secure-Software-Standard-v1_2_1.pdf\">download link</a>)</li>\n  <li>Use “Metadata” as the primary term, instead of “SBOM”</li>\n  <li>Add columns for attributes, describing downstream consumers and upstream producers</li>\n  <li>Add some text regarding an “Vulnerability report SBOM”, since this is required in the Cyber Resilience Act Annex I, part II(1)</li>\n  <li>Make colors/boxes more colorblind-friendly</li>\n  <li>Describe the Supply Chain Roles section (intention, use, how to read, etc.), including why it has been split up into different roles</li>\n  <li>Add some words for each Role/section on what it can be used for</li>\n  <li>Add a Rosetta stone</li>\n  <li>Integrate better with the Glossary</li>\n</ol>\n\n<h2 id=\"license-and-use-of-this-document\">License and use of this document</h2>\n\n<ul>\n  <li>Version: 0.8.7</li>\n  <li>License: <a href=\"https://creativecommons.org/licenses/by-sa/4.0/deed\">CC-BY-SA-4.0</a></li>\n  <li>Copyright: © Salve J. 
Nilsen <a href=\"mailto:sjn@oslo.pm\">sjn@oslo.pm</a>, Some rights reserved.</li>\n</ul>\n\n<p>You may use, modify and share this file under the terms of the <a href=\"https://creativecommons.org/licenses/by-sa/4.0/deed\">CC-BY-SA-4.0</a> license.</p>\n\n<h3 id=\"acknowledgements\">Acknowledgements</h3>\n\n<p>Several people have been involved in the development of this document</p>\n\n<ul>\n  <li>Salve J. Nilsen (main author)</li>\n  <li>Stian Kristoffersen</li>\n  <li>Josh Bressers</li>\n  <li>Stig Palmquist</li>\n  <li>Florian von Samson</li>\n</ul>\n\n<h2 id=\"appendix\">Appendix</h2>\n\n<h3 id=\"sbom-metadata-attributes-and-obligation-sources\">SBOM Metadata Attributes and obligation sources</h3>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Required</th>\n      <th style=\"text-align: right\">Obligation References</th>\n      <th style=\"text-align: left\">Upstream Attribute Source</th>\n      <th style=\"text-align: left\">Comment</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: left\">Primary Component Name</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">NTIA-SBOM, CISA-2024-10, CRA-AV, TR-03183, PCI-SSF, METI-2023</td>\n      <td style=\"text-align: left\">🟥 Author, 🟨 Packager</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\"><strong>Unique Product Identifier</strong></td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CRA-AII(3), CRA-AV, NTIA-SBOM, CISA-2024-10, METI-2023</td>\n      <td style=\"text-align: left\">🟥 Maintainer, 🟨 Packager</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Version</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CISA-2024-10, CRA-AV, TR-03183, PCI-SSF</td>\n      <td 
style=\"text-align: left\">🟥 Maintainer, 🟨 Packager</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Purpose, Intended Use</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CRA-AII(4)</td>\n      <td style=\"text-align: left\">🟥 Maintainer</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Supplier Name</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CRA-AII(1), CRA-AV, NTIA-SBOM, CISA-2024-10, CSCRF, TR-03183, PCI-SSF, METI-2024</td>\n      <td style=\"text-align: left\">🟥 Author, 🟨 Maintainer, 🟨 Custodian, 🟨 Builder</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\"><strong>Security contact</strong></td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CRA-AII(2)</td>\n      <td style=\"text-align: left\">🟥 Author, 🟨 Maintainer, 🟨 Custodian, 🟨 Builder</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\"><strong>Cryptographic Hash</strong></td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CISA-2024-10, CSCRF</td>\n      <td style=\"text-align: left\">🟥 Maintainer, 🟨 Curator, 🟨 Builder, 🟨 Packager</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Copyright Notice</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CISA-2024-10</td>\n      <td style=\"text-align: left\">🟥 Author</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">License(s)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CISA-2024-10, CSCRF</td>\n      <td style=\"text-align: left\">🟥 Author</td>\n      <td 
style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Dependencies</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CRA-AII(5), NTIA-SBOM, CISA-2024-10, CSCRF, PCI-SSF, METI-2023</td>\n      <td style=\"text-align: left\">🟥 Maintainer, 🟨 Packager</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Dependencies (Known unknowns)</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CSCRF</td>\n      <td style=\"text-align: left\">🟨 Packager, 🟨 Manufacturer</td>\n      <td style=\"text-align: left\">🙄 Write a bug report!</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Dependency Relationships</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CISA-2024-10, PCI-SSF</td>\n      <td style=\"text-align: left\">🟥 Maintainer, 🟨 Packager</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Encryption used</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CSCRF</td>\n      <td style=\"text-align: left\">🟥 Maintainer, 🟨 Builder</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Frequency of updates</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CSCRF</td>\n      <td style=\"text-align: left\">🟥 Author, 🟨 Maintainer, 🟨 Custodian, 🟨 Builder</td>\n      <td style=\"text-align: left\">😬 Start funding OSS!</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Access control</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CSCRF</td>\n      <td style=\"text-align: left\">🟥 Manufacturer</td>\n      <td style=\"text-align: left\">😑</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: 
left\">Methods for accommodating errors</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CSCRF</td>\n      <td style=\"text-align: left\">🟥 Manufacturer</td>\n      <td style=\"text-align: left\">🤨 Write a bug report!</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Executable Property</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">TR-03183</td>\n      <td style=\"text-align: left\">🟥 Manufacturer</td>\n      <td style=\"text-align: left\">😑</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Archive Property</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">TR-03183</td>\n      <td style=\"text-align: left\">🟥 Manufacturer</td>\n      <td style=\"text-align: left\">😑</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Structured Property</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">TR-03183</td>\n      <td style=\"text-align: left\">🟥 Manufacturer</td>\n      <td style=\"text-align: left\">😑</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Download location</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\"> </td>\n      <td style=\"text-align: left\">🟥 Maintainer, 🟨 Curator</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\"><strong>Code Commit Revision</strong></td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\"> </td>\n      <td style=\"text-align: left\">🟥 Maintainer</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Code Repository</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\"> </td>\n      <td style=\"text-align: left\">🟥 Maintainer</td>\n      <td style=\"text-align: left\"> </td>\n    
</tr>\n    <tr>\n      <td style=\"text-align: left\"><strong>Intended for Commercial Use</strong></td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\">CRA-Rec-15, CRA-Rec-19</td>\n      <td style=\"text-align: left\">🟥 Author</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\"><strong>Open Source Software Steward</strong></td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\">CRA-Rec-19</td>\n      <td style=\"text-align: left\">🟥 Author</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\"><strong>Security Attestation</strong></td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\">CRA-Rec-21</td>\n      <td style=\"text-align: left\">🟥 Open Source Software Steward</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">CE Conformity Assessment Body</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\">CRA-Art-47(1), CRA-AV</td>\n      <td style=\"text-align: left\">🟥 Manufacturer</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">CE Declaration of Conformity</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\">CRA-AII(6), CRA-AV</td>\n      <td style=\"text-align: left\">🟥 Manufacturer</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">CE Support End Date</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\">CRA-AII(7)</td>\n      <td style=\"text-align: left\">🟥 Manufacturer</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">CE Technical Documentation</td>\n      <td style=\"text-align: center\">No</td>\n  
    <td style=\"text-align: right\">CRA-AII(8)</td>\n      <td style=\"text-align: left\">🟥 Manufacturer</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">CE Authorised Representative</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\">CRA-Art-18</td>\n      <td style=\"text-align: left\">🟥 Manufacturer</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Author</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">NTIA-SBOM, CISA-2024-10, TR-03183, METI-2023</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Creation Time-stamp</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">NTIA-SBOM, CISA-2024-10, TR-03183, METI-2023</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Format</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CycloneDX 1.6, SPDX 2.3</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Generation Tool</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\"><strong>SBOM Location</strong></td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CRA-AII(9), TR-03183</td>\n      <td style=\"text-align: left\">🟨 Curator</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM 
Primary Component</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\">CycloneDX 1.6, SPDX 3.0</td>\n      <td style=\"text-align: left\">🟥 Author, 🟨 Packager</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Release</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CycloneDX 1.6, SPDX 2.3</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Serial Number</td>\n      <td style=\"text-align: center\">Yes</td>\n      <td style=\"text-align: right\">CycloneDX 1.6  SPDX 2.3</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Type</td>\n      <td style=\"text-align: center\">No</td>\n      <td style=\"text-align: right\">CISA-2023, CISA-2024-10</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n  </tbody>\n</table>\n\n<h3 id=\"sbom-json-paths-and-data-types\">SBOM JSON Paths and data types</h3>\n\n<table>\n  <thead>\n    <tr>\n      <th style=\"text-align: left\">Attribute name</th>\n      <th style=\"text-align: center\">Data type</th>\n      <th style=\"text-align: left\">CycloneDX 1.6 (ECMA-424)</th>\n      <th style=\"text-align: left\">SPDX 2.3</th>\n      <th>SPDX 3.0</th>\n      <th style=\"text-align: left\">Comment</th>\n    </tr>\n  </thead>\n  <tbody>\n    <tr>\n      <td style=\"text-align: left\">Primary Component Name</td>\n      <td style=\"text-align: center\">Text</td>\n      <td style=\"text-align: left\">bom.components[].name</td>\n      <td style=\"text-align: left\">packages[].name</td>\n      <td>Software.Package.name</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Security contact 
(Integrator)</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\">bom.components[].externalReferences[].security-contact</td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Security contact (Manufacturer)</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\">bom.metadata[manufacturer].contact.email, bom.externalReferences[].security-contact</td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Security contact (Maintainer)</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\">bom.metadata[supplier].contact.email, bom.externalReferences[].security-contact</td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Supplier Name (Author)</td>\n      <td style=\"text-align: center\">Text, URL</td>\n      <td style=\"text-align: left\">bom.metadata[supplier], bom.components[].authors[]</td>\n      <td style=\"text-align: left\">creationInfo.creators[]</td>\n      <td>Software.Package.suppliedBy</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Supplier Name (Manufacturer)</td>\n      <td style=\"text-align: center\">Text, URL</td>\n      <td style=\"text-align: left\">bom.metadata[manufacturer], bom.components[].manufacturer</td>\n      <td style=\"text-align: left\">creationInfo.creators[], packages[].originator, packages[].supplier</td>\n      <td>Software.Package.suppliedBy</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Unique Product Identifier</td>\n      <td style=\"text-align: 
center\">PURL</td>\n      <td style=\"text-align: left\">bom.components[].purl</td>\n      <td style=\"text-align: left\">packages[].externalRefs.referenceCategory = “PACKAGE-MANAGER”, packages[].externalRefs.referenceType = “purl”, packages[].externalRefs.referenceLocator</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Version</td>\n      <td style=\"text-align: center\">Text</td>\n      <td style=\"text-align: left\">bom.components[].version</td>\n      <td style=\"text-align: left\">packages[].versionInfo</td>\n      <td>Software.Package.packageVersion</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Version (Redistributed)</td>\n      <td style=\"text-align: center\">Text</td>\n      <td style=\"text-align: left\">bom.metadata.version</td>\n      <td style=\"text-align: left\">packages[].versionInfo</td>\n      <td>Software.Package.packageVersion</td>\n      <td style=\"text-align: left\">FIXME – confirm</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Code Commit Revision</td>\n      <td style=\"text-align: center\">SHA1</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Code Repository</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\">bom.metadata.component.externalReferences[].vcs</td>\n      <td style=\"text-align: left\">packages[].externalRefs.referenceCategory = “PERSISTENT_ID”, packages[].externalRefs.referenceType = “gitoid”, packages[].externalRefs.referenceLocator</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Dependencies</td>\n      <td style=\"text-align: center\">List</td>\n      <td style=\"text-align: 
left\">bom.components[], bom.dependencies[]</td>\n      <td style=\"text-align: left\">relationships[].[spdxElementId,relatedSpdxElement]</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Download location</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\">URL/pURL of where the component artifact was downloaded from</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Cryptographic Hash</td>\n      <td style=\"text-align: center\">SHA256</td>\n      <td style=\"text-align: left\">components[].hashes[]</td>\n      <td style=\"text-align: left\"> </td>\n      <td>Software.Package.verifiedUsing</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">License(s)</td>\n      <td style=\"text-align: center\">SPDX License</td>\n      <td style=\"text-align: left\">bom.metadata.licenses[], bom.components[].licenses[], components[].licenses[].acknowledgement[declared], components[].licenses[].acknowledgement[concluded], components[].licenses[].licensing (proprietary)</td>\n      <td style=\"text-align: left\">packages[].licenseConcluded, packages[].licenseDeclared</td>\n      <td>Core.Relationship hasConcludedLicense hasDeclaredLicense</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Copyright Holder</td>\n      <td style=\"text-align: center\">Text</td>\n      <td style=\"text-align: left\">bom.components[].copyright, bom.components[].evidence.copyright</td>\n      <td style=\"text-align: left\"> </td>\n      <td>Software.SoftwareArtifact.copyrightText</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Purpose, Intended Use</td>\n      <td style=\"text-align: 
center\">Text</td>\n      <td style=\"text-align: left\">bom.components[].description</td>\n      <td style=\"text-align: left\">packages[].comment</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Open Source Software Steward</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Security Attestation</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Intended for Commercial Use</td>\n      <td style=\"text-align: center\">Boolean</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Author</td>\n      <td style=\"text-align: center\">Text</td>\n      <td style=\"text-align: left\">bom.metadata.authors</td>\n      <td style=\"text-align: left\">creationInfo.creators[]</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Creation Time-stamp</td>\n      <td style=\"text-align: center\">DateTime</td>\n      <td style=\"text-align: left\">bom.metadata.timestamp</td>\n      <td style=\"text-align: left\">creationInfo.created</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Format</td>\n      <td style=\"text-align: center\">Enum</td>\n      <td style=\"text-align: left\">bom.properties.bomFormat</td>\n      <td style=\"text-align: 
left\">SPDXVersion</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Generation Tool</td>\n      <td style=\"text-align: center\">List</td>\n      <td style=\"text-align: left\">bom.metadata.tools[]</td>\n      <td style=\"text-align: left\">creationInfo.creators[]</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Location</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\">bom.externalReferences[].bom, bom.components.externalReferences[].bom</td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Primary Component</td>\n      <td style=\"text-align: center\">Text</td>\n      <td style=\"text-align: left\">bom.metadata.component</td>\n      <td style=\"text-align: left\"> </td>\n      <td>Software.Sbom.rootElement</td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Release</td>\n      <td style=\"text-align: center\">Int</td>\n      <td style=\"text-align: left\">bom.properties.specVersion</td>\n      <td style=\"text-align: left\">SPDXVersion</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Serial Number</td>\n      <td style=\"text-align: center\">UUID</td>\n      <td style=\"text-align: left\">bom.metadata.serialNumber</td>\n      <td style=\"text-align: left\">SPDXID</td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Type (Maintainer)</td>\n      <td style=\"text-align: center\">Text</td>\n      <td style=\"text-align: left\">bom.metadata.lifecycles[pre-build]</td>\n      <td style=\"text-align: left\"> </td>\n      <td> 
</td>\n      <td style=\"text-align: left\">Produces a CISA ‘Source’ Type SBOM; FIXME – confirm</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Type (Builder)</td>\n      <td style=\"text-align: center\">Text</td>\n      <td style=\"text-align: left\">bom.metadata.lifecycles[build]</td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\">Produces a CISA ‘Build’ Type SBOM; FIXME – confirm</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Type (Packager)</td>\n      <td style=\"text-align: center\">Text</td>\n      <td style=\"text-align: left\">bom.metadata.lifecycles[post-build]</td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\">Produces a CISA ‘Deployed’ Type SBOM; FIXME – confirm</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">SBOM Type (Deployer)</td>\n      <td style=\"text-align: center\">Text</td>\n      <td style=\"text-align: left\">bom.metadata.lifecycles[operations]</td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\">Produces a CISA ‘Runtime’ Type SBOM; FIXME – confirm</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">CE Conformity Assessment Body</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\">bom.externalReferences[?(@.conformity-body)]</td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">CE Declaration of Conformity</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\">bom.externalReferences[?(@.conformity-declaration)]</td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">CE Support End Date</td>\n      <td 
style=\"text-align: center\">DateTime</td>\n      <td style=\"text-align: left\">bom.externalReferences[?(@.support-horizon)]</td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">CE Technical Documentation</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\">bom.externalReferences[?(@.documentation)]</td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">CE Authorised Representative</td>\n      <td style=\"text-align: center\">URL</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\"> </td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Executable Property</td>\n      <td style=\"text-align: center\">Bool</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\">TR-03183</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Archive Property</td>\n      <td style=\"text-align: center\">Bool</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\">TR-03183</td>\n    </tr>\n    <tr>\n      <td style=\"text-align: left\">Structured Property</td>\n      <td style=\"text-align: center\">Bool</td>\n      <td style=\"text-align: left\"> </td>\n      <td style=\"text-align: left\"> </td>\n      <td> </td>\n      <td style=\"text-align: left\">TR-03183</td>\n    </tr>\n  </tbody>\n</table>\n\n        \n      </section>\n\n      <footer class=\"page__meta\">\n        \n        \n\n\n        \n\n      </footer>\n\n      \n\n      \n\n    </div>\n\n    \n  </article>\n\n  \n  \n</div>\n"
    paginator: null
  1. My ref.

  2. New ref with foo, but no HTML