CPAN Security Group

A forum for coordinating and help resolving security issues on CPAN. CVE Numbering Authority (CNA) for Perl and CPAN. Subscribe, contribute or join!

19 minute read

comment: # (…or by running the Makefile with “make”) comment: # (mdslides can be installed from https://github.com/dadoomer/markdown-slides/)

comment: # (width: “1440”) comment: # (height: “810”) comment: # (help: true) comment: # (progress: true) comment: # (controlsBackArrows: “true”)

[Recital (15)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_15 ‘CRA applies to economic operators tha t have an intention to monetise a product’ [Recital (18)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_18 ‘Open Source Software Contributors’ [Recital (19)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_19 ‘Open Source Software Stewards, light- touch regulatory regime, and CE mark implications’ [Recital (20)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_20 ‘Open Source package managers consider ations as “distributors”’ [Recital (21)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_21 ‘Voluntary security attestation progra ms for Open Source projects’ [Recital (22)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_22 ‘Submission of SBOMs for Open Source p rojects’ [Recital (24)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_24 ‘CRA relevance for the NIS2 directive’ [Recital (31)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_31 “Manufacturer’s liability due to lack of security updates” [Recital (34)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_34 ‘Exercise due diligence when integrati ng third-party components’ [Recital (37)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_37 ‘Software for testing purposes, alphas , betas’ [Recital (39)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_39 ‘Continued security updates’ [Recital (41)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_41 ‘Substantial modifications requires a new conformity assessment to be done’ [Recital (43)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_43 ‘Important products with digital eleme nts’ [Recital (44)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_44 ‘Class I and Class II products’ [Recital (45)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_45 ‘Class II products are subject to mandatory third-party conformity assessment’ [Recital (56)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_56 ‘On the download and installation of security updates, and notification of end of support’ [Recital (57)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_57 ‘On the requirement to be able to get security updates separately from functionality updates’ [Recital (60)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_60 ‘Support period’ [Recital (61)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_61 ‘Support period’ [Recital (62)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_62 ‘Support period’ [Recital (63)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_63 ‘Point of contact’ [Recital (64)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_64 ‘Secure by default’ [Recital (77)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_77 ‘Manufacturers should facilitate vulnerability analysis by drawing up an SBOM, though they are not obliged to make it public’ [Recital (117)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_117 ‘[…] establish voluntary security attestation programmes for assessing the conformity of products with digital elements qualifying as free and open-source software […]’

What is an Open Source Steward?

PTS 2025

Salve J. Nilsen

🐘 Mastodon — @sjn\@chaos.social

Note:

What is an Open Source Steward?

  • […] legal persons who provide support on a sustained basis (Article 3 (14)) for the development […] of products which are intended for commercial activities, and who play a main role in ensuring the viability of those products […] ([Recital (19)])
    • […] include certain
      • foundations […]
      • entities that develop and publish free and open-source software in a business context,
        • including not-for-profit entities.
    • […] should be subject to a light-touch and tailor-made regulatory regime.
    • [and…] only cover […] free and open-source software that are ultimately intended for commercial activities.

Note:

comment: # (     data-auto-animate)

Why even ask this question?

“Where does the metadata come from?”

> Supplying incorrect, incomplete or misleading information may be fined up to 5M EUR or 1% of global turnover
> — Cyber Resilience Act, [Article 64(4)],
e.g. w.r.t. metadata described in [Annex II],
as required in [Article 13(18)]
comment: # (     data-auto-animate)

Why even ask this question?

“Where does the metadata come from?”

> Supplying **incorrect**, **incomplete** or **misleading** information may be fined up to 5M EUR or 1% of global turnover
> — Cyber Resilience Act, [Article 64(4)],
w.r.t. metadata described in [Annex II],
as required in [Article 13(18)]
comment: # (     data-auto-animate)

(I am not a lawyer)

comment: # (     data-auto-animate)

(I am not a ~lawyer~)

  • (Also, I am not an “authority”)
comment: # (     data-auto-animate)

(I am not a ~lawyer~)

  • (Also, I am not an ~”authority”~)
  • I’m a volunteer
comment: # (     data-auto-animate)

(I am not a ~lawyer~)

  • (Also, I am not an ~”authority”~)
  • I’m a volunteer

⚠️ DRAFT ⚠️

This is a work in progress

comment: # (     data-auto-animate)

⚠️ DRAFT ⚠️

This is a work in progress

Contributions appreciated!

![Supply chain](media/metadata-sources.png)

Supply-chain Metadata

«Ecosystem perspective»

  • Actions
  • Actors
  • Attributes
  • Metadata
comment: # (     data-auto-animate)
![Supply chain](media/metadata-sources.png)

Supply-chain Metadata

«Ecosystem perspective»

  • Actions
  • Actors
  • Attributes
  • Metadata
  • … More?
comment: # (     data-auto-animate)
![Supply chain](media/metadata-sources.png)

Metadata Actions

  • 🟥 Create
  • 🟨 Contribute
  • 🟩 Distribute
  • 🟦 Verify
  • 🟪 Censor
![Supply chain](media/metadata-sources.png)

Metadata Actors

* 🟦 Analyst * 🟨🟦 Assembler * 🟦 Auditor * 🟦 Authenticator * 🟥 Author * 🟨🟦 Builder * 🟨 Contributor * 🟨 Curator * 🟨 Custodian * 🟨🟩 Deployer * 🟩 Depositary * 🟦 Distributor * 🟦 End-user * 🟦 Importer * 🟥🟨🟦 Integrator * 🟥🟨 Maintainer * 🟥 Manufacturer * 🟦 Distributor * 🟦 Importer * 🟥🟨🟩🟦 OSS Steward * 🟥 Owner * 🟨🟦 Packager * 🟨 Patcher * 🟩 Publisher * 🟩🟪 Censor * …
comment: # (     data-auto-animate)
![Supply chain](media/metadata-sources.png)

Metadata Actors

* 🟥 Author * 🟥🟨 Maintainer * 🟨 Custodian * 🟨 Contributor * 🟨🟦 Builder * 🟨 Curator * 🟥🟨🟦 OSS Steward * 🟨 Patcher * 🟨🟦 Packager * 🟨🟦 Assembler * 🟥🟨🟦 Integrator * 🟨🟩 Deployer * 🟩🟪 Censor
comment: # (     data-auto-animate)
![Supply chain](media/metadata-sources.png)

Metadata Actors

* 🟥 Author * 🟥🟨 Maintainer * 🟨 Custodian * 🟨 Contributor * 🟨🟦 Builder * 🟨 Curator * 🟥🟨🟦 OSS Steward * 🟨 Patcher * 🟨🟦 Packager * 🟨🟦 Assembler * 🟥🟨🟦 Integrator * 🟨🟩 Deployer * 🟩🟪 Censor

These are the sources of the Required Metadata

![Supply chain](media/metadata-sources.png)

Metadata Attributes

comment: # (     data-auto-animate)
![Supply chain](media/metadata-sources.png)

Metadata Attributes

SBOM Metadata

* **SBOM Author** * **SBOM Creation Time-stamp** * **SBOM Format** * **SBOM Generation Tool** * **SBOM Location** * **SBOM Primary Component** * **SBOM Release** * **SBOM Serial Number** * **SBOM Type**
comment: # (     data-auto-animate)
![Supply chain](media/metadata-sources.png)

Metadata Attributes

NTIA Minimum Elements

* **Dependencies** * **Primary Component Name** * SBOM Author * SBOM Creation Time-stamp * SBOM Format * SBOM Generation Tool * SBOM Location * SBOM Primary Component * SBOM Release * SBOM Serial Number * SBOM Type * **Supplier Name** * **Unique Product Identifier**
comment: # (     data-auto-animate)
![Supply chain](media/metadata-sources.png)

Metadata Attributes

CISA Framing

* **Copyright Notice** * **Cryptographic Hash** * Dependencies * **Dependency Relationships** * **License(s)** * Primary Component Name * **SBOM Author** * **SBOM Creation Time-stamp** * SBOM Format * SBOM Generation Tool * SBOM Location * SBOM Primary Component * SBOM Release * SBOM Serial Number * **SBOM Type** * Supplier Name * Unique Product Identifier * **Version** [comment]: # (||| data-auto-animate)
![Supply chain](media/metadata-sources.png)
## Metadata Attributes ### EU CRA
* **CE Authorised Representative** * **CE Conformity Assessment Body** * **CE Declaration of Conformity** * **CE Support End Date** * **CE Technical Documentation** * Copyright Notice * Cryptographic Hash * Dependencies * Dependency Relationships * **Intended for Commercial Use** * License(s) * **Open Source Software Steward** * Primary Component Name * **Purpose, Intended Use** * SBOM Author * SBOM Creation Time-stamp * SBOM Format * SBOM Generation Tool * SBOM Location * SBOM Primary Component * SBOM Release * SBOM Serial Number * SBOM Type * **Security Attestation** * **Security contact** * Supplier Name * Unique Product Identifier * Version
[comment]: # (||| data-auto-animate)
![Supply chain](media/metadata-sources.png)
[TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resilience Requirements for Manufacturers and Products, Part 2' ## Metadata Attributes ### BSI [TR-03183] 2.0
* **Archive Property** * CE Authorised Representative * CE Conformity Assessment Body * CE Declaration of Conformity * CE Support End Date * CE Technical Documentation * Copyright Notice * Cryptographic Hash * Dependencies * Dependency Relationships * **Executable Property** * Intended for Commercial Use * License(s) * Open Source Software Steward * Primary Component Name * Purpose, Intended Use * SBOM Author * SBOM Creation Time-stamp * SBOM Format * SBOM Generation Tool * SBOM Location * SBOM Primary Component * SBOM Release * SBOM Serial Number * SBOM Type * Security Attestation * Security contact * **Structured Property** * Supplier Name * Unique Product Identifier * Version
Note: * Bundesamt für Sicherheit in der Informationstechnik * Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products [comment]: # (||| data-auto-animate)
![Supply chain](media/metadata-sources.png)
[CSCRF]:https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html 'Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs), (GV.SC.S5, page 89), Securities and Exchange Board of India' ## Metadata Attributes ### SEBI [CSCRF]
* **Access control** * Archive Property * CE Authorised Representative * CE Conformity Assessment Body * CE Declaration of Conformity * CE Support End Date * CE Technical Documentation * Copyright Notice * Cryptographic Hash * **Dependencies (Known unknowns)** * Dependencies * Dependency Relationships * **Encryption used** * Executable Property * **Frequency of updates** * Intended for Commercial Use * License(s) * **Methods for accommodating errors** * Open Source Software Steward * Primary Component Name * Purpose, Intended Use * SBOM Author * SBOM Creation Time-stamp * SBOM Format * SBOM Generation Tool * SBOM Location * SBOM Primary Component * SBOM Release * SBOM Serial Number * SBOM Type * Security Attestation * Security contact * Structured Property * Supplier Name * Unique Product Identifier * Version
notes: * Securities and Exchange Board of India * Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) [comment]: # (!!! data-auto-animate)
![Supply chain](media/metadata-sources.png)
## (Ecosystem response)
* Ecosystems **are Open Source** * Tooling * Services * Specs * Open Source Constraints * Break nothing * Preserve compatibility * No-fuzz upgrades * Information & outreach * As volunteers! * **Contribution = life-blood**

### _Well volunteered!_ [comment]: # (||| data-auto-animate)
![Supply chain](media/metadata-sources.png)
## (Ecosystem response) ### _Well volunteered!_
* Access control * Archive Property * CE Authorised Representative * CE Conformity Assessment Body * CE Declaration of Conformity * CE Support End Date * CE Technical Documentation * Copyright Notice * Cryptographic Hash * Dependencies (Known unknowns) * **Dependencies** * **Dependency Relationships** * Encryption used * Executable Property * Frequency of updates * Intended for Commercial Use * **License(s)** * Methods for accommodating errors * Open Source Software Steward * **Primary Component Name** * **Purpose, Intended Use** * SBOM Author * SBOM Creation Time-stamp * SBOM Format * SBOM Generation Tool * SBOM Location * SBOM Primary Component * SBOM Release * SBOM Serial Number * SBOM Type * Security Attestation * Security contact * Structured Property * **Supplier Name** * Unique Product Identifier * **Version**
[comment]: # (||| data-auto-animate)
![Supply chain](media/metadata-sources.png)
## (Ecosystem response) ### _Well volunteered!_ Who? * Ecosystem people * Standards people * Regulators 🆕 [comment]: # (||| data-auto-animate)
![Supply chain](media/metadata-sources.png)
## (Ecosystem response) ### _Well volunteered!_ Who? * Ecosystem people * Standards people * Regulators 🆕

**"Where do SBOM attributes come from?"** [comment]: # (!!! data-auto-animate) ## A quick Attribute Poll [comment]: # (||| data-auto-animate) [TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resilience Requirements for Manufacturers and Products, Part 2' ### Component Attributes
[TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resilience Requirements for Manufacturers and Products, Part 2' [NTIA-SBOM]:https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf#page=9 'NTIA Minimum Elements for a Software Bill of Materials (SBOM)' [CISA-2023-4]:https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom 'CISA Types of Software Bill of Materials (SBOM)' [CISA-2024-10]:https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf 'CISA Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)' [CRA-II]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II 'Information and Instructions to the User' [CRA-AV]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_V 'EU Declaration of Conformity' [CSCRF]:https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html 'Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs), (GV.SC.S5, page 89), Securities and Exchange Board of India' | Attribute name | Required | References | | :---------------------------------- | :------: | ----------------------------------------------------: | | Primary Component Name | Yes | [NTIA-SBOM], [CISA-2024-10], [CRA-AV], [TR-03183] | | Version | Yes | CISA-2024-10, CRA-AV, TR-03183 | | Purpose, Intended Use | Yes | [CRA-AII]\(4) | | Supplier Name | Yes | CRA-AII(1), CRA-AV, NTIA-SBOM, CISA-2024-10, TR-03183 | | Security contact | Yes | CRA-AII(2) | | Copyright Notice | Yes | CISA-2024-10 | | License(s) | Yes | CISA-2024-10, TR-03183, [CSCRF] |
Note: [comment]: # (|||) ### Dependency Attributes
[TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resiliencee Requirements for Manufacturers and Products, Part 2' [NTIA-SBOM]:https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf#page=9 'NTIA Minimum Elements for a Software Bill of Materials (SBOM)' [CISA-2023-4]:https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom 'CISA Types of Software Bill of Materials (SBOM)' [CISA-2024-10]:https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf 'CISA Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)' [CRA-AII]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II 'Information and Instructions to the User' [CRA-AV]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_V 'EU Declaration of Conformity' [CSCRF]:https://www.sebi.gov.in/legal/cireculars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html 'Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs), (GV.SC.S5, page 89), Securities and Exchange Board of India' | Attribute name | Required | References | | :---------------------------------- | :------: | -----------------------------------------------------: | | Unique Product ID | Yes | [CRA-AII]\(3), [CRA-AV], [NTIA-SBOM], [CISA-2024-10] | | Cryptographic Hash | Yes | CISA-2024-10, [TR-03183], [CSCRF] | | Primary Component Filename | Yes | TR-03183 | | Dependencies | Yes | CRA-AII(5), NTIA-SBOM, CISA-2024-10, TR-03183, CSCRF | | Dependency Relationships | Yes | CISA-2024-10 |
Note: [comment]: # (|||) ### SBOM Attributes
[TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resilience Requirements for Manufacturers and Products, Part 2' [NTIA-SBOM]:https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf#page=9 'NTIA Minimum Elements for a Software Bill of Materials (SBOM)' [CISA-2023-4]:https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom 'CISA Types of Software Bill of Materials (SBOM)' [CISA-2024-10]:https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf 'CISA Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)' [CRA-AII]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II 'Information and Instructions to the User' | Attribute name | Required | References | | :---------------------------------- | :------: | -----------------------------------------: | | SBOM Author | Yes | [NTIA-SBOM], [CISA-2024-10], [TR-03183] | | SBOM Creation Time-stamp | Yes | NTIA-SBOM, CISA-2024-10, TR-03183 | | SBOM Format | Yes | CycloneDX 1.6, SPDX 2.3 | | SBOM Generation Tool | No | | | SBOM Location | Yes | [CRA-AII]\(9), TR-03183 | | SBOM Primary Component | No | CycloneDX 1.6, SPDX 3.0 | | SBOM Release | Yes | CycloneDX 1.6, SPDX 2.3 | | SBOM Serial Number | Yes | CycloneDX 1.6 SPDX 2.3 | | SBOM Type | No | [CISA-2023-4], CISA-2024-10 |
Note: [comment]: # (|||) ### Open Source Steward Attributes
[CRA-Rec-15]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_15 'CRA applies to economic operators that have an intention to monetise a product' [CRA-Rec-18]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_18 'Open Source Software Contributors' [CRA-Rec-19]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_19 'Open Source Software Stewards, light-touch regulatory regime, and CE mark implications' [CRA-Rec-21]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_21 'Voluntary security attestation programs for Open Source projects' | Attribute name | Required | References | | :---------------------------------- | :------: | -----------------------------------------: | | Intended for Commercial Use | No | [CRA-Rec-15], [CRA-Rec-18] | | Open Source Software Steward | No | [CRA-Rec-19] | | Security Attestation | No | [CRA-Rec-21] |
Note: [comment]: # (|||) ### Manufacturer Attributes
[CRA-Art-18]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_18 'Authorised representatives' [CRA-Art-47]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_47 'Operational obligations of notified bodies' [CRA-AII]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II 'Information and Instructions to the User' [CRA-AV]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_V 'EU Declaration of Conformity' | Attribute name | Required | References | | :---------------------------------- | :------: | -----------------------------------------: | | CE Conformity Assessment Body | No | [CRA-Art-47]\(1), [CRA-AV] | | CE Declaration of Conformity | No | [CRA-AII]\(6), CRA-AV | | CE Support End Date | No | CRA-AII(7) | | CE Technical Documentation | No | CRA-AII(8) | | CE Authorized Representative | No | [CRA-Art-18] |
Note: * What's needed for components that are monetized? * Maintainer becomes a Manufacturer * Does the Manufacturer have a Authorised representative? * This needs also to be supported [comment]: # (|||) ### Special Attributes for Integrators in Germany
[TR-03183]:https://bsi.bund.de/dok/TR-03183 'TR-03183 Cyber Resilience Requirements for Manufacturers and Products, Part 2' | Attribute name | Required | References | | :---------------------------------- | :------: | -----------------------------------------: | | Executable Property | Yes | [TR-03183] | | Archive Property | Yes | TR-03183 | | Structured Property | Yes | TR-03183 |
[comment]: # (|||) ### Special Attributes for Integrators in the Indian Financial Sector
[CSCRF]:https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html 'Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs), (GV.SC.S5, page 89), Securities and Exchange Board of India' | Attribute name | Required | References | | :---------------------------------- | :------: | -----------------------------------------: | | Dependencies (Known unknowns) | Yes | [CSCRF] | | Encryption used | Yes | CSCRF | | Frequency of updates | Yes | CSCRF | | Access control | Yes | CSCRF | | Methods for accommodating errors | Yes | CSCRF |
[comment]: # (|||) ### (Optional Attributes)
| Attribute name | Required | References | | :---------------------------------- | :------: | -----------------------------------------: | | Download location | No | | | Code Commit Revision | No | | | Code Repository | No | |
Note: [comment]: # (!!! data-auto-animate)
![Supply chain](media/metadata-sources.png)
## Dear Regulators
Note: * Not just BSI or the Securities and Exchange Board of India [comment]: # (||| data-auto-animate)
![Supply chain](media/metadata-sources.png)
## Dear Regulators
### Welcome to the Open Source Communities! * We're many * We're _everywhere_ * We support _everyone_ * We don't _work for free_ * We _volunteer_ note: [comment]: # (||| data-auto-animate)
![Supply chain](media/metadata-sources.png)
## Dear Regulators ### Your contributions _are welcome_ * But not all of them * — Only the useful ones! * Do like NIST and CISA * — Only require the minimum! [comment]: # (||| data-auto-animate)
![Supply chain](media/metadata-sources.png)
## Dear Regulators ### Your contributions _are welcome_ * But not all of them * — Only the useful ones! * Do like NIST and CISA * — Only require the minimum!

### Well volunteered! [comment]: # (!!! data-auto-animate) ## Questions & Comments [comment]: # (!!!) ## References
* (CISA-2023-4) [CISA Types of Software Bill of Materials (SBOM)](https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom), published 2023-04-21 * (CISA-2024-10) [CISA Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)](https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf), Third edition, sections 2.2.1.4, 2.2.2 and Appendix B; Published 2024-10-15 * (CRA-AII) [Cyber Resilience Act, Annex II](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II) Information and Instructions to the User * (CRA-AV) [Cyber Resilience Act, Annex V](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_V) EU Declaration of Conformity * (CRA-AVII) [Cyber Resilience Act, Annex VII](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_VII) Contents of the Technical Documentation * (CRA-Art-18) [Cyber Resilience Act, Article 18](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_18) Obligations of Authorized Representatives * (CRA-Art-47) [Cyber Resilience Act, Article 47](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_47) Operational obligations of notified bodies * (CRA-Rec-15) [Cyber Resilience Act, Recital 15](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_15) Economic operators * (CRA-Rec-18) [Cyber Resilience Act, Recital 18](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_18) Open Source Software Contributors * (CRA-Rec-19) [Cyber Resilience Act, Recital 19](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_19) Open Source Software Stewards * (CRA-Rec-21) [Cyber Resilience Act, Recital 21](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_21) Open Source Security Attestation * (CSCRF) [Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)](https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html), (GV.SC.S5, page 89), Securities and Exchange Board of India, Published 2024-08-20 * (TR-03183) German Technical Requirement [TR-03183 Cyber Resilience Requirements for Manufacturers and Products](https://bsi.bund.de/dok/TR-03183), Part 2: Software Bill of Materials (SBOM), Version 2.0.0, published 2024-09-20 * (NTIA-SBOM) [NTIA Minimum Elements for a Software Bill of Materials (SBOM)](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf#page=9), Published 2021-07-12
[comment]: # (!!!) # Thanks! Salve J. Nilsen 🐘 Mastodon — @sjn\@chaos.social 🦆🦆