From 417f1ad1a9715c287d5742c830710205c728cbe8 Mon Sep 17 00:00:00 2001 From: Ryan Ware Date: Fri, 25 Oct 2024 10:31:20 -0400 Subject: [PATCH 1/3] This is the Security Tooling WG update for the TAC meeting Oct 29. Signed-off-by: Ryan Ware --- TI-reports/2024/2024-Q4-ST-WG.md | 67 ++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 TI-reports/2024/2024-Q4-ST-WG.md diff --git a/TI-reports/2024/2024-Q4-ST-WG.md b/TI-reports/2024/2024-Q4-ST-WG.md new file mode 100644 index 00000000..efd07a28 --- /dev/null +++ b/TI-reports/2024/2024-Q4-ST-WG.md @@ -0,0 +1,67 @@ +# 2024 Q4 Security Tooling WG + +## Overview +The [Security Tooling WG](https://github.com/ossf/wg-security-tooling) continues to focus on the tools that open source maintainers and developers need to create secure software. In recent years, much of this has focused on Software Bill of Materials (SBOM) work but the group is expanding to other areas that touch on the groups core objectives to: +- Identify available security tools +- Evaluate the efficacy of those tools +- Help improve those tools +- Develop new tools where needed +- Ease deployment of security tools for open source developers + +The group continues to be active and is currently in the process of expanding the number of projects it has. + +## SBOM Everywhere SIG +Chair: Josh Bressers Co-chair: Kate Stewart + +The [SBOM Everywhere SIG](https://github.com/ossf/sbom-everywhere) continues to be very active with 6-12 individuals attending weekly. There is great collaboration taking place across a wide variety of organizations including private companies, standards bodies and CISA. + +- Keeping up to date on changes in [SPDX](https://spdx.dev), [CycloneDX](https://cyclonedx.org), and [CISA workgroups](https://www.cisa.gov/sbom) through participation from and collaboration with key representatives of those organiztions +- Listening sessions with open source projects to understand how they are utilizing SBOMs +- Participation and reprepresentation of OpenSSF in [SBOM-A-Rama](https://www.cisa.gov/news-events/events/sbom-rama-fall-2024) in close collaboration with bombctl and Yocto. +- Conveying input into the updated [SBOM minimum elements Framing document](https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024) +- The creation of the [SBOM Tooling Catalog](https://sbom-catalog.openssf.org/)! + +## SBOMit +Lead: Justin Cappos + +The [SBOMit specification](https://github.com/SBOMit/specification) defines how [in-toto](https://in-toto.io) attestations can be incorporated into SBOMs. This is important because in-toto attestations are a key building block for identifying building blocks in software supply chains. + +The SBOMit team continues to work towards an evolution of the current specification. The group has 5 core attendees from multiple organizations with participation from other groups as well. Some of the key issues being examined: + +- What does complete attestation of a final SBOM look like and why should it be trusted? +- Collaboration with Protobom to support properties and annotations +- Evaluation of how SBOMit and Bomctl's technologies can work more closely together + +NOTE: Making a request for SBOMit to update their [roadmap](https://github.com/SBOMit/specification/wiki/SBOMit-Roadmap). + +## Protobom +[Protobom](https://github.com/protobom/protobom), the protocol buffers representation of SBOM data, continues to be a highly active project. Many of the other SBOM related projects at OpenSSF continue to use Protobom technology as the basis of their efforts. Protobom 0.4.4 was released in October adding: + +- Ability to store Protobom wire format messages as raw bytes in a SQL database (Bomctl request) +- Support for the CycloneDX 1.6 specification + +Protobom continues to actively collaborate with other OpenSSF SBOM projects. + +## Bomctl +The [Bomctl](https://github.com/bomctl/bomctl) project is a format-agnostic SBOM tool intended to bridge the gap bewteen SBOM generation and SBOM analysis tools focusing on supporting complex SBOM operations on multiple SBOM files. New sandbox project with high participation. + +- Very successful rollout at CISA's [SBOM-a-Rama 2024](https://www.cisa.gov/news-events/events/sbom-rama-fall-2024) +- Collaborating with Protobom to enable back-end storage +- Defining proposal around [SBOM document linking scenarios](https://docs.google.com/document/d/1Dj-OAycyAH3d6A9vPJWldNoLRArRVB607to_0s5Fk8w/edit?tab=t.0#heading=h.qflhf8nb1xeo) +- Enabled Minder for entire bomctl GitHub org + +## Minder +Co-Chair: Evan Anderson +Co-Chair: Juan Antonio Osorio + +[Minder](https://github.com/mindersec/minder) is an open source platform allowing project owners to proactively manage the security posture several aspects of their SDLC, including their repos, by providing pluggable and customizable checks and policies to minimize risk along their software supply chain and to attest their security practices to downstream consumers. + +- Has been approved by both the TAC and LF legal +- Repo has been moved to a separate GitHub organization +- Currently using Minder to [enforce branch and CODEOWNER review rules](https://github.com/mindersec/community/tree/main/policies) on the `mindersec` repo +- Commitment from team to work with Scorecard and Allstar on areas of overlap + +## Fuzzing Collaboration +Chair: Jonathan Metzman + +The OSS Fuzzing SIG (Fuzzing Collaboration) continues it's work of supporting open source developers with their fuzzing needs. There's been no significant changes in this group but they continue to help open source developers to onboard solutions such as OSS-Fuzz into their environments. From d75ae12baf7a4d65d9094cf68a70d605e1f14709 Mon Sep 17 00:00:00 2001 From: Ryan Ware Date: Tue, 29 Oct 2024 10:46:04 -0400 Subject: [PATCH 2/3] Update TI-reports/2024/2024-Q4-ST-WG.md Co-authored-by: Arnaud J Le Hors Signed-off-by: Ryan Ware --- TI-reports/2024/2024-Q4-ST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-ST-WG.md b/TI-reports/2024/2024-Q4-ST-WG.md index efd07a28..4e5c75c3 100644 --- a/TI-reports/2024/2024-Q4-ST-WG.md +++ b/TI-reports/2024/2024-Q4-ST-WG.md @@ -54,7 +54,7 @@ The [Bomctl](https://github.com/bomctl/bomctl) project is a format-agnostic SBOM Co-Chair: Evan Anderson Co-Chair: Juan Antonio Osorio -[Minder](https://github.com/mindersec/minder) is an open source platform allowing project owners to proactively manage the security posture several aspects of their SDLC, including their repos, by providing pluggable and customizable checks and policies to minimize risk along their software supply chain and to attest their security practices to downstream consumers. +[Minder](https://github.com/mindersec/minder) is an open source platform allowing project owners to proactively manage the security posture of several aspects of their SDLC, including their repos, by providing pluggable and customizable checks and policies to minimize risk along their software supply chain and to attest their security practices to downstream consumers. - Has been approved by both the TAC and LF legal - Repo has been moved to a separate GitHub organization From 8ab15861d6dc9bfa8aad0882ba95557b04f0a048 Mon Sep 17 00:00:00 2001 From: Ryan Ware Date: Tue, 29 Oct 2024 10:46:12 -0400 Subject: [PATCH 3/3] Update TI-reports/2024/2024-Q4-ST-WG.md Co-authored-by: Arnaud J Le Hors Signed-off-by: Ryan Ware --- TI-reports/2024/2024-Q4-ST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-ST-WG.md b/TI-reports/2024/2024-Q4-ST-WG.md index 4e5c75c3..8a7d7c34 100644 --- a/TI-reports/2024/2024-Q4-ST-WG.md +++ b/TI-reports/2024/2024-Q4-ST-WG.md @@ -64,4 +64,4 @@ Co-Chair: Juan Antonio Osorio ## Fuzzing Collaboration Chair: Jonathan Metzman -The OSS Fuzzing SIG (Fuzzing Collaboration) continues it's work of supporting open source developers with their fuzzing needs. There's been no significant changes in this group but they continue to help open source developers to onboard solutions such as OSS-Fuzz into their environments. +The OSS Fuzzing SIG (Fuzzing Collaboration) continues its work of supporting open source developers with their fuzzing needs. There's been no significant changes in this group but they continue to help open source developers to onboard solutions such as OSS-Fuzz into their environments.