[comment]: # (Compile this presentation with the command below)
[comment]: # (mdslides pts2024-sbom-intro.md --include ../media)
[comment]: # (...or by running the Makefile with "make")
[comment]: # (mdslides can be installed from https://github.com/dadoomer/markdown-slides/)

## Where in the OSS Supply Chain
do SBOM attributes come from?

FOSDEM 2025

Salve J. Nilsen

Mastodon — @sjn\@chaos.social

Note:
## Where in the OSS Supply Chain
does SBOM
_metadata_
come from?

FOSDEM 2025

Salve J. Nilsen

Mastodon — @sjn\@chaos.social

Note:
## Why even ask this question?
"Where does the metadata come from?"

Note:
[Annex II]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II 'Information and Instructions to the User'
[Article 13(18)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.018 'Manufacturers shall ensure products are accompanied by documentation listed in Annex II, and available for at least 10 years'
[Article 64(4)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#064.004 'Supplying incorrect, incomplete or misleading information may be fined up to 5M EUR or 1% of global turnover'

## Why even ask this question?
"Where does the metadata come from?"
> Supplying incorrect, incomplete or misleading information may be fined up to 5M EUR or 1% of global turnover
> — Cyber Resilience Act, [Article 64(4)],
e.g. w.r.t. metadata described in [Annex II],
as required in [Article 13(18)]
[Annex II]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II 'Information and Instructions to the User'
[Article 13(18)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.018 'Manufacturers shall ensure products are accompanied by documentation listed in Annex II, and available for at least 10 years'
[Article 64(4)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#064.004 'Supplying incorrect, incomplete or misleading information may be fined up to 5M EUR or 1% of global turnover'

## Why even ask this question?
"Where does the metadata come from?"
> Supplying **incorrect**, **incomplete** or **misleading** information may be fined up to 5M EUR or 1% of global turnover
> — Cyber Resilience Act, [Article 64(4)],
w.r.t. metadata described in [Annex II],
as required in [Article 13(18)]
## (I am not a lawyer)
## (I am not a ~lawyer~)
* (Also, I am not an "authority")
## (I am not a ~lawyer~)
* (Also, I am not an ~"authority"~)
* I'm a _volunteer_
## ⚠️ DRAFT ⚠️
This is a __work in progress__
## ⚠️ DRAFT ⚠️
This is a __work in progress__

Contributions appreciated!

## Supply-chain Metadata
### «Ecosystem perspective»
* Actions
* Actors
* Attributes
* Metadata

## Supply-chain Metadata
### «Ecosystem perspective»
* Actions
* Actors
* Attributes
* Metadata
* … More?

## Metadata Actions
* 🟥 Create
* 🟨 Contribute
* 🟩 Distribute
* 🟦 Verify
* 🟪 Censor

## Metadata Actors
* 🟦 Analyst
* 🟨🟦 Assembler
* 🟦 Auditor
* 🟦 Authenticator
* 🟥 Author
* 🟨🟦 Builder
* 🟨 Contributor
* 🟨 Curator
* 🟨 Custodian
* 🟨🟩 Deployer
* 🟩 Depositary
* 🟦 Distributor
* 🟦 End-user
* 🟦 Importer
* 🟥🟨🟦 Integrator
* 🟥🟨 Maintainer
* 🟥 Manufacturer
* 🟥🟨🟩🟦 OSS Steward
* 🟥 Owner
* 🟨🟦 Packager
* 🟨 Patcher
* 🟩 Publisher
* 🟩🟪 Censor
* …

## Metadata Actors
* 🟥 Author
* 🟥🟨 Maintainer
* 🟨 Custodian
* 🟨 Contributor
* 🟨🟦 Builder
* 🟨 Curator
* 🟥🟨🟦 OSS Steward
* 🟨 Patcher
* 🟨🟦 Packager
* 🟨🟦 Assembler
* 🟥🟨🟦 Integrator
* 🟨🟩 Deployer
* 🟩🟪 Censor

## Metadata Actors
* 🟥 Author
* 🟥🟨 Maintainer
* 🟨 Custodian
* 🟨 Contributor
* 🟨🟦 Builder
* 🟨 Curator
* 🟥🟨🟦 OSS Steward
* 🟨 Patcher
* 🟨🟦 Packager
* 🟨🟦 Assembler
* 🟥🟨🟦 Integrator
* 🟨🟩 Deployer
* 🟩🟪 Censor
**These are the sources of the Required Metadata**

## Metadata Attributes

## Metadata Attributes
### SBOM Metadata
* **SBOM Author**
* **SBOM Creation Time-stamp**
* **SBOM Format**
* **SBOM Generation Tool**
* **SBOM Location**
* **SBOM Primary Component**
* **SBOM Release**
* **SBOM Serial Number**
* **SBOM Type**

## Metadata Attributes
### NTIA Minimum Elements
* **Dependencies**
* **Primary Component Name**
* SBOM Author
* SBOM Creation Time-stamp
* SBOM Format
* SBOM Generation Tool
* SBOM Location
* SBOM Primary Component
* SBOM Release
* SBOM Serial Number
* SBOM Type
* **Supplier Name**
* **Unique Product Identifier**

## Metadata Attributes
### CISA Framing
* **Copyright Notice**
* **Cryptographic Hash**
* Dependencies
* **Dependency Relationships**
* **License(s)**
* Primary Component Name
* **SBOM Author**
* **SBOM Creation Time-stamp**
* SBOM Format
* SBOM Generation Tool
* SBOM Location
* SBOM Primary Component
* SBOM Release
* SBOM Serial Number
* **SBOM Type**
* Supplier Name
* Unique Product Identifier
* **Version**

## Metadata Attributes
### EU CRA
* **CE Authorised Representative**
* **CE Conformity Assessment Body**
* **CE Declaration of Conformity**
* **CE Support End Date**
* **CE Technical Documentation**
* Copyright Notice
* Cryptographic Hash
* Dependencies
* Dependency Relationships
* **Intended for Commercial Use**
* License(s)
* **Open Source Software Steward**
* Primary Component Name
* **Purpose, Intended Use**
* SBOM Author
* SBOM Creation Time-stamp
* SBOM Format
* SBOM Generation Tool
* SBOM Location
* SBOM Primary Component
* SBOM Release
* SBOM Serial Number
* SBOM Type
* **Security Attestation**
* **Security contact**
* Supplier Name
* Unique Product Identifier
* Version

[TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resilience Requirements for Manufacturers and Products, Part 2'

## Metadata Attributes
### BSI [TR-03183] 2.0
* **Archive Property**
* CE Authorised Representative
* CE Conformity Assessment Body
* CE Declaration of Conformity
* CE Support End Date
* CE Technical Documentation
* Copyright Notice
* Cryptographic Hash
* Dependencies
* Dependency Relationships
* **Executable Property**
* Intended for Commercial Use
* License(s)
* Open Source Software Steward
* Primary Component Name
* Purpose, Intended Use
* SBOM Author
* SBOM Creation Time-stamp
* SBOM Format
* SBOM Generation Tool
* SBOM Location
* SBOM Primary Component
* SBOM Release
* SBOM Serial Number
* SBOM Type
* Security Attestation
* Security contact
* **Structured Property**
* Supplier Name
* Unique Product Identifier
* Version
Note:
* Bundesamt für Sicherheit in der Informationstechnik
* Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products

[CSCRF]:https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html 'Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs), (GV.SC.S5, page 89), Securities and Exchange Board of India'

## Metadata Attributes
### SEBI [CSCRF]
* **Access control**
* Archive Property
* CE Authorised Representative
* CE Conformity Assessment Body
* CE Declaration of Conformity
* CE Support End Date
* CE Technical Documentation
* Copyright Notice
* Cryptographic Hash
* **Dependencies (Known unknowns)**
* Dependencies
* Dependency Relationships
* **Encryption used**
* Executable Property
* **Frequency of updates**
* Intended for Commercial Use
* License(s)
* **Methods for accommodating errors**
* Open Source Software Steward
* Primary Component Name
* Purpose, Intended Use
* SBOM Author
* SBOM Creation Time-stamp
* SBOM Format
* SBOM Generation Tool
* SBOM Location
* SBOM Primary Component
* SBOM Release
* SBOM Serial Number
* SBOM Type
* Security Attestation
* Security contact
* Structured Property
* Supplier Name
* Unique Product Identifier
* Version
Note:
* Securities and Exchange Board of India
* Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)

## (Ecosystem response)
* Ecosystems **are Open Source**
  * Tooling
  * Services
  * Specs
* Open Source Constraints
  * Break nothing
  * Preserve compatibility
  * No-fuzz upgrades
* Information & outreach
  * As volunteers!
* **Contribution = life-blood**
### _Well volunteered!_

## (Ecosystem response)
### _Well volunteered!_
* Access control
* Archive Property
* CE Authorised Representative
* CE Conformity Assessment Body
* CE Declaration of Conformity
* CE Support End Date
* CE Technical Documentation
* Copyright Notice
* Cryptographic Hash
* Dependencies (Known unknowns)
* **Dependencies**
* **Dependency Relationships**
* Encryption used
* Executable Property
* Frequency of updates
* Intended for Commercial Use
* **License(s)**
* Methods for accommodating errors
* Open Source Software Steward
* **Primary Component Name**
* **Purpose, Intended Use**
* SBOM Author
* SBOM Creation Time-stamp
* SBOM Format
* SBOM Generation Tool
* SBOM Location
* SBOM Primary Component
* SBOM Release
* SBOM Serial Number
* SBOM Type
* Security Attestation
* Security contact
* Structured Property
* **Supplier Name**
* Unique Product Identifier
* **Version**

## (Ecosystem response)
### _Well volunteered!_
Who?
* Ecosystem people
* Standards people
* Regulators

## (Ecosystem response)
### _Well volunteered!_
Who?
* Ecosystem people
* Standards people
* Regulators
**"Where do SBOM attributes come from?"**
## A quick Attribute Poll
[TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resilience Requirements for Manufacturers and Products, Part 2'

### Component Attributes
[TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resilience Requirements for Manufacturers and Products, Part 2'
[NTIA-SBOM]:https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf#page=9 'NTIA Minimum Elements for a Software Bill of Materials (SBOM)'
[CISA-2023-4]:https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom 'CISA Types of Software Bill of Materials (SBOM)'
[CISA-2024-10]:https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf 'CISA Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)'
[CRA-AII]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II 'Information and Instructions to the User'
[CRA-AV]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_V 'EU Declaration of Conformity'
[CSCRF]:https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html 'Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs), (GV.SC.S5, page 89), Securities and Exchange Board of India'

| Attribute name | Required | References |
| :--- | :---: | ---: |
| Primary Component Name | Yes | [NTIA-SBOM], [CISA-2024-10], [CRA-AV], [TR-03183] |
| Version | Yes | CISA-2024-10, CRA-AV, TR-03183 |
| Purpose, Intended Use | Yes | [CRA-AII]\(4) |
| Supplier Name | Yes | CRA-AII(1), CRA-AV, NTIA-SBOM, CISA-2024-10, TR-03183 |
| Security contact | Yes | CRA-AII(2) |
| Copyright Notice | Yes | CISA-2024-10 |
| License(s) | Yes | CISA-2024-10, TR-03183, [CSCRF] |
Note:
### Dependency Attributes
[TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resilience Requirements for Manufacturers and Products, Part 2'
[NTIA-SBOM]:https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf#page=9 'NTIA Minimum Elements for a Software Bill of Materials (SBOM)'
[CISA-2023-4]:https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom 'CISA Types of Software Bill of Materials (SBOM)'
[CISA-2024-10]:https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf 'CISA Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)'
[CRA-AII]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II 'Information and Instructions to the User'
[CRA-AV]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_V 'EU Declaration of Conformity'
[CSCRF]:https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html 'Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs), (GV.SC.S5, page 89), Securities and Exchange Board of India'

| Attribute name | Required | References |
| :--- | :---: | ---: |
| Unique Product ID | Yes | [CRA-AII]\(3), [CRA-AV], [NTIA-SBOM], [CISA-2024-10] |
| Cryptographic Hash | Yes | CISA-2024-10, [TR-03183], [CSCRF] |
| Primary Component Filename | Yes | TR-03183 |
| Dependencies | Yes | CRA-AII(5), NTIA-SBOM, CISA-2024-10, TR-03183, CSCRF |
| Dependency Relationships | Yes | CISA-2024-10 |
Note:
### SBOM Attributes
[TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resilience Requirements for Manufacturers and Products, Part 2'
[NTIA-SBOM]:https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf#page=9 'NTIA Minimum Elements for a Software Bill of Materials (SBOM)'
[CISA-2023-4]:https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom 'CISA Types of Software Bill of Materials (SBOM)'
[CISA-2024-10]:https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf 'CISA Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)'
[CRA-AII]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II 'Information and Instructions to the User'

| Attribute name | Required | References |
| :--- | :---: | ---: |
| SBOM Author | Yes | [NTIA-SBOM], [CISA-2024-10], [TR-03183] |
| SBOM Creation Time-stamp | Yes | NTIA-SBOM, CISA-2024-10, TR-03183 |
| SBOM Format | Yes | CycloneDX 1.6, SPDX 2.3 |
| SBOM Generation Tool | No | |
| SBOM Location | Yes | [CRA-AII]\(9), TR-03183 |
| SBOM Primary Component | No | CycloneDX 1.6, SPDX 3.0 |
| SBOM Release | Yes | CycloneDX 1.6, SPDX 2.3 |
| SBOM Serial Number | Yes | CycloneDX 1.6, SPDX 2.3 |
| SBOM Type | No | [CISA-2023-4], CISA-2024-10 |
Note:
### Open Source Steward Attributes
[CRA-Rec-15]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_15 'CRA applies to economic operators that have an intention to monetise a product'
[CRA-Rec-18]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_18 'Open Source Software Contributors'
[CRA-Rec-19]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_19 'Open Source Software Stewards, light-touch regulatory regime, and CE mark implications'
[CRA-Rec-21]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_21 'Voluntary security attestation programs for Open Source projects'

| Attribute name | Required | References |
| :--- | :---: | ---: |
| Intended for Commercial Use | No | [CRA-Rec-15], [CRA-Rec-18] |
| Open Source Software Steward | No | [CRA-Rec-19] |
| Security Attestation | No | [CRA-Rec-21] |
Note:
### Manufacturer Attributes
[CRA-Art-18]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_18 'Authorised representatives'
[CRA-Art-47]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_47 'Operational obligations of notified bodies'
[CRA-AII]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II 'Information and Instructions to the User'
[CRA-AV]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_V 'EU Declaration of Conformity'

| Attribute name | Required | References |
| :--- | :---: | ---: |
| CE Conformity Assessment Body | No | [CRA-Art-47]\(1), [CRA-AV] |
| CE Declaration of Conformity | No | [CRA-AII]\(6), CRA-AV |
| CE Support End Date | No | CRA-AII(7) |
| CE Technical Documentation | No | CRA-AII(8) |
| CE Authorised Representative | No | [CRA-Art-18] |
Note:
* What's needed for components that are monetized?
* Maintainer becomes a Manufacturer
* Does the Manufacturer have an Authorised representative?
* This also needs to be supported
### Special Attributes for Integrators in Germany
[TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resilience Requirements for Manufacturers and Products, Part 2'

| Attribute name | Required | References |
| :--- | :---: | ---: |
| Executable Property | Yes | [TR-03183] |
| Archive Property | Yes | TR-03183 |
| Structured Property | Yes | TR-03183 |
### Special Attributes for Integrators in the Indian Financial Sector
[CSCRF]:https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html 'Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs), (GV.SC.S5, page 89), Securities and Exchange Board of India'

| Attribute name | Required | References |
| :--- | :---: | ---: |
| Dependencies (Known unknowns) | Yes | [CSCRF] |
| Encryption used | Yes | CSCRF |
| Frequency of updates | Yes | CSCRF |
| Access control | Yes | CSCRF |
| Methods for accommodating errors | Yes | CSCRF |
### (Optional Attributes)
| Attribute name | Required | References |
| :--- | :---: | ---: |
| Download location | No | |
| Code Commit Revision | No | |
| Code Repository | No | |
Note:

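A check to go with the attribute tables above, added here as an example that is not part of the deck: a small Python script that reports which of the polled attributes a CycloneDX 1.6 JSON SBOM actually carries, at document level and per listed dependency. The attribute-to-field mapping is my own reading of the CycloneDX 1.6 schema, and the SBOM it audits is a constructed sample, not a real product.

```python
# Added example, not from the deck: report which "Attribute Poll" attributes a
# CycloneDX 1.6 JSON SBOM actually carries. The attribute-to-field mapping is my
# own reading of the CycloneDX 1.6 schema; the SBOM below is a constructed sample.
HASH = "0" * 64  # constructed placeholder, not a real SHA-256 digest

SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "metadata": {
        "timestamp": "2025-02-01T10:00:00Z",
        "authors": [{"name": "Example Release Team"}],   # no metadata.tools given
        "component": {"type": "application", "bom-ref": "app", "name": "example-app",
                      "version": "1.4.0", "supplier": {"name": "Example GmbH"},
                      "purl": "pkg:generic/example-app@1.4.0",
                      "hashes": [{"alg": "SHA-256", "content": HASH}],
                      "licenses": [{"license": {"id": "MIT"}}]},   # no copyright field
    },
    "components": [
        {"type": "library", "bom-ref": "req", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3", "hashes": [{"alg": "SHA-256", "content": HASH}]},
        # no purl and no hash: a "known unknown" the report has to surface
        {"type": "library", "bom-ref": "url", "name": "urllib3", "version": "2.2.3"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["req"]}, {"ref": "req", "dependsOn": ["url"]}],
}

# Deck attribute name -> (where, JSON path); "bom" = document root, "primary" = metadata.component.
ATTRIBUTES = {
    "SBOM Serial Number": ("bom", ["serialNumber"]),
    "SBOM Creation Time-stamp": ("bom", ["metadata", "timestamp"]),
    "SBOM Author": ("bom", ["metadata", "authors"]),
    "SBOM Generation Tool": ("bom", ["metadata", "tools"]),
    "Primary Component Name": ("primary", ["name"]),
    "Version": ("primary", ["version"]),
    "Supplier Name": ("primary", ["supplier", "name"]),
    "Unique Product ID": ("primary", ["purl"]),
    "Cryptographic Hash": ("primary", ["hashes"]),
    "License(s)": ("primary", ["licenses"]),
    "Copyright Notice": ("primary", ["copyright"]),
    "Dependency Relationships": ("bom", ["dependencies"]),
}
# Per-dependency fields the CISA / TR-03183 rows of the deck ask for.
COMPONENT_FIELDS = ("name", "version", "purl", "hashes")

def lookup(obj, path):
    # Walk a JSON path; absent keys and empty values both count as "not supplied".
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return None if obj in ("", [], {}) else obj

def audit_document(bom):
    # Return (present, missing) deck attribute names for the SBOM and its primary component.
    primary = bom.get("metadata", {}).get("component", {})
    present, missing = [], []
    for name, (where, path) in ATTRIBUTES.items():
        found = lookup(primary if where == "primary" else bom, path)
        (present if found is not None else missing).append(name)
    return present, missing

def audit_components(bom):
    # Map each listed dependency (by bom-ref) to the per-dependency fields it lacks.
    return {c.get("bom-ref", "?"): [f for f in COMPONENT_FIELDS if lookup(c, [f]) is None]
            for c in bom.get("components", [])}
```

Run `audit_document(SAMPLE_BOM)` and `audit_components(SAMPLE_BOM)` against the sample: the document lacks a generation tool and a copyright notice, and the `urllib3` entry lacks both a purl and a hash.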
## Dear Regulators
Note:
* Not just BSI or the Securities and Exchange Board of India

## Dear Regulators
### Welcome to the Open Source Communities!
* We're many
* We're _everywhere_
* We support _everyone_
* We don't _work for free_
* We _volunteer_

Note:

## Dear Regulators
### Your contributions _are welcome_
* But not all of them
  * → Only the useful ones!
* Do like NIST and CISA
  * → Only require the minimum!

## Dear Regulators
### Your contributions _are welcome_
* But not all of them
  * → Only the useful ones!
* Do like NIST and CISA
  * → Only require the minimum!
### Well volunteered!
## Questions & Comments
## References
* (CISA-2023-4) [CISA Types of Software Bill of Materials (SBOM)](https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom), published 2023-04-21
* (CISA-2024-10) [CISA Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)](https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf), Third edition, sections 2.2.1.4, 2.2.2 and Appendix B; published 2024-10-15
* (CRA-AII) [Cyber Resilience Act, Annex II](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II), Information and Instructions to the User
* (CRA-AV) [Cyber Resilience Act, Annex V](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_V), EU Declaration of Conformity
* (CRA-AVII) [Cyber Resilience Act, Annex VII](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_VII), Contents of the Technical Documentation
* (CRA-Art-18) [Cyber Resilience Act, Article 18](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_18), Obligations of Authorised Representatives
* (CRA-Art-47) [Cyber Resilience Act, Article 47](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_47), Operational obligations of notified bodies
* (CRA-Rec-15) [Cyber Resilience Act, Recital 15](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_15), Economic operators
* (CRA-Rec-18) [Cyber Resilience Act, Recital 18](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_18), Open Source Software Contributors
* (CRA-Rec-19) [Cyber Resilience Act, Recital 19](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_19), Open Source Software Stewards
* (CRA-Rec-21) [Cyber Resilience Act, Recital 21](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_21), Open Source Security Attestation
* (CSCRF) [Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)](https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html), (GV.SC.S5, page 89), Securities and Exchange Board of India, published 2024-08-20
* (TR-03183) German Technical Requirement [TR-03183 Cyber Resilience Requirements for Manufacturers and Products](https://bsi.bund.de/dok/TR-03183), Part 2: Software Bill of Materials (SBOM), Version 2.0.0, published 2024-09-20
* (NTIA-SBOM) [NTIA Minimum Elements for a Software Bill of Materials (SBOM)](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf#page=9), published 2021-07-12
# Thanks!
Salve J. Nilsen

Mastodon — @sjn\@chaos.social