[Chaoss-Board] [CHAOSS][WG-RISK] All the SBOM are a circle? Or a Tree? Where to start. Where to Prune?

Sean Goggins s at goggins.com
Tue Aug 27 21:50:43 UTC 2019


Hi Everyone: 

For those who would benefit from auto-generated SBoM’s, this thread is for you!

We had a hearty discussion of “Software Bills of Material” during this week’s Risk call (Mondays at 1pm CDT). To summarize, we discussed three strategies: 

1. We can build SBoM’s at the repository level. 
2. We can build many SBoM’s at the repository level, using either user specified or pattern matching “rules” implemented in software
3. Many firms build SBoM’s for each binary developed in a tree. There are, of course, different language patterns that exist. 

Below is a sample SBoM from the https://www.github.com/chaoss/augur-sbom.git project (The artist formerly known as DoSOCS). 

This is the HIGHEST level SOFTWARE (.git) REPOSITORY representation. We are also able to produce detailed, file by file reports for each Repository. 

SPDXVersion: SPDX-2.0
DataLicense: CC0-1.0
DocumentNamespace: sqlite:////home/sean/.config/dosocs2/dosocs2.sqlite3/zephyr-2ba91afb-01c8-4d6b-b173-ce533fb187aa
DocumentName: zephyr
SPDXID: SPDXRef-DOCUMENT
DocumentComment: 

## External Document References


## Creation Information
Creator: Tool: dosocs2-0.16.1
Created: 2019-08-26T18:15:01Z
CreatorComment: 
LicenseListVersion: 2.2


## Document Annotations

## Package Information

PackageName: zephyr
SPDXID: SPDXRef-package-zephyr-ec4c-e1a5ceca
PackageFileName: zephyr
PackageSupplier: NOASSERTION
PackageOriginator: NOASSERTION
PackageDownloadLocation: /home/sean/zephyr/zephyr
PackageVerificationCode: ec4c5a30814599f663e64ec77222e50bc7114789
PackageHomePage: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageLicenseComments: 
PackageCopyrightText: NOASSERTION
PackageSummary: 
PackageDescription: 
PackageComment: 


## License Information

LicenseID: LicenseRef-UnclassifiedLicense
LicenseName: UnclassifiedLicense
ExtractedText: \x4c6963656e73652041677265656d656e74
LicenseCrossReference: 
LicenseComment: found by nomos

LicenseID: LicenseRef-GPL
LicenseName: GPL
ExtractedText: \x2047504c
LicenseCrossReference: 
LicenseComment: found by nomos

LicenseID: LicenseRef-Dual-license
LicenseName: Dual-license
ExtractedText: \x535044582d4c6963656e73652d4964656e7469666965723a204170616368652d322e300a0a2320412073637269707420746f2067656e65726174652061206c697374206f6620626f6172647320746861742068617665206368616e676564206f7220
LicenseCrossReference: 
LicenseComment: found by nomos

LicenseID: LicenseRef-Public-domain
LicenseName: Public-domain
ExtractedText: \x746f207468697320736f66747761726520746f20746865207075626c696320646f6d61696e
LicenseCrossReference: 
LicenseComment: found by nomos

LicenseID: LicenseRef-See-file
LicenseName: See-file
ExtractedText: \x5365650a3a7a65706879725f66696c653a60696e636c7564652f6e65742f6e65745f6d676d742e686020666f722064657461696c732e
LicenseCrossReference: 
LicenseComment: found by nomos

LicenseID: LicenseRef-See-URL
LicenseName: See-URL
ExtractedText: \x53656520687474703a2f2f6a6f726973726f6f766572732e6769746875622e696f2f6769746c696e742f757365725f646566696e65645f72756c657320666f722064657461696c73
LicenseCrossReference: 
LicenseComment: found by nomos

LicenseID: LicenseRef-BSD
LicenseName: BSD
ExtractedText: \x4265726b656c657920736f667477617265204c6963656e73652041677265656d656e740a202a2073706563696669657320746865207465726d7320616e6420636f6e646974696f6e7320666f72207265646973747269627574696f6e2e
LicenseCrossReference: 
LicenseComment: found by nomos

LicenseID: LicenseRef-NoWarranty
LicenseName: NoWarranty
ExtractedText: \x4142534f4c5554454c59204e4f2057415252414e54
LicenseCrossReference: 
LicenseComment: found by nomos

LicenseID: LicenseRef-See-doc.OTHER
LicenseName: See-doc.OTHER
ExtractedText: \x73656520746865205c6d736366696c650a2320636f6d6d616e64292e0a0a4d534346494c455f4449525320202020202020202020203d0a0a23205468652044494146494c455f44495253207461672063616e206265207573656420746f2073706563696679206f6e65206f72206d6f726520646972
LicenseCrossReference: 
LicenseComment: found by nomos

LicenseID: LicenseRef-GCC-exception-3.1
LicenseName: GCC-exception-3.1
ExtractedText: \x796f7520617265206772616e746564206164646974696f6e616c0a2020207065726d697373696f6e732064657363726962656420696e20746865204743432052756e74696d65204c69627261727920457863657074696f6e2c2076657273696f6e0a202020332e31
LicenseCrossReference: 
LicenseComment: found by nomos

TotalFiles: 9718
DeclaredLicenseFiles: 7166
PercentTotalLicenseCoverage: 73.74%
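As an added example (not part of Sean’s message or of the augur-sbom/dosocs2 project), here is a small Python reader for the SPDX 2.0 tag-value layout shown above. Its input is a constructed, trimmed copy of the report, not the full output. The reader groups tags into document, package and extracted-license blocks, decodes the ExtractedText values on the assumption that a leading `\x` followed by hex digits is a hex-encoded byte string (which is what the sample’s values decode to), lists which package fields are still NOASSERTION, and recomputes the coverage percentage from TotalFiles and DeclaredLicenseFiles so the trailer can be cross-checked.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not the post's full report): the same SPDX 2.0 tag-value
# layout as the dosocs2 output above, trimmed to three extracted-license blocks.
SAMPLE = r"""SPDXVersion: SPDX-2.0
DataLicense: CC0-1.0
DocumentName: zephyr
SPDXID: SPDXRef-DOCUMENT

## Creation Information
Creator: Tool: dosocs2-0.16.1
Created: 2019-08-26T18:15:01Z

## Package Information

PackageName: zephyr
SPDXID: SPDXRef-package-zephyr-ec4c-e1a5ceca
PackageSupplier: NOASSERTION
PackageDownloadLocation: /home/sean/zephyr/zephyr
PackageVerificationCode: ec4c5a30814599f663e64ec77222e50bc7114789
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION

## License Information

LicenseID: LicenseRef-UnclassifiedLicense
LicenseName: UnclassifiedLicense
ExtractedText: \x4c6963656e73652041677265656d656e74
LicenseComment: found by nomos

LicenseID: LicenseRef-GPL
LicenseName: GPL
ExtractedText: \x2047504c
LicenseComment: found by nomos

LicenseID: LicenseRef-NoWarranty
LicenseName: NoWarranty
ExtractedText: \x4142534f4c5554454c59204e4f2057415252414e54
LicenseComment: found by nomos

TotalFiles: 9718
DeclaredLicenseFiles: 7166
PercentTotalLicenseCoverage: 73.74%
"""

# "Tag: value" -- split on the first colon only, since values may contain colons
# (e.g. "Creator: Tool: dosocs2-0.16.1").
TAG_RE = re.compile(r"^([A-Za-z]+):\s?(.*)$")
SUMMARY_TAGS = ("TotalFiles", "DeclaredLicenseFiles", "PercentTotalLicenseCoverage")


@dataclass
class SpdxDoc:
    header: dict = field(default_factory=dict)    # document-level tags
    packages: list = field(default_factory=list)  # one dict per PackageName block
    licenses: list = field(default_factory=list)  # one dict per LicenseID block
    summary: dict = field(default_factory=dict)   # dosocs2's trailing coverage figures


def decode_extracted_text(value: str) -> str:
    """Assumption: a leading backslash-x plus hex digits is a hex-encoded byte string."""
    if value.startswith(r"\x"):
        return bytes.fromhex(value[2:]).decode("utf-8", errors="replace")
    return value


def parse_tag_value(text: str) -> SpdxDoc:
    """Minimal SPDX 2.x tag-value reader; a block starts at its opening tag."""
    doc = SpdxDoc()
    target = doc.header  # dict currently receiving tags
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and "## Section" comments
            continue
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"not a tag-value line: {raw!r}")
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":          # new package block
            target = {}
            doc.packages.append(target)
        elif tag == "LicenseID":          # new extracted-license block
            target = {}
            doc.licenses.append(target)
        elif tag in SUMMARY_TAGS:         # trailer after the last license block
            target = doc.summary
        if tag == "ExtractedText":
            value = decode_extracted_text(value)
        target[tag] = value
    return doc


def unresolved_fields(pkg: dict) -> list:
    """Tags a reviewer still has to settle: NOASSERTION means the tool made no claim."""
    return sorted(tag for tag, val in pkg.items() if val == "NOASSERTION")


def coverage_matches(doc: SpdxDoc, tolerance: float = 0.005) -> bool:
    """Recompute DeclaredLicenseFiles / TotalFiles and compare with the reported percent."""
    total = int(doc.summary["TotalFiles"])
    declared = int(doc.summary["DeclaredLicenseFiles"])
    reported = float(doc.summary["PercentTotalLicenseCoverage"].rstrip("%"))
    return abs(100.0 * declared / total - reported) <= tolerance


if __name__ == "__main__":
    d = parse_tag_value(SAMPLE)
    for lic in d.licenses:
        print(lic["LicenseID"], "->", repr(lic["ExtractedText"]))
    print("unresolved package fields:", unresolved_fields(d.packages[0]))
    print("coverage figure consistent:", coverage_matches(d))
```

The reader treats the report as a flat stream of tags and relies only on the opening tag of each block (PackageName, LicenseID) to decide where a new record starts, which is how SPDX tag-value documents are structured; the coverage recomputation and the NOASSERTION listing are the two checks worth running before an auto-generated SBoM is handed to anyone downstream.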