Update to new edition of minimum elements (2024) #214

Open
bact opened this issue Nov 3, 2024 · 22 comments · May be fixed by #224

@bact
Contributor

bact commented Nov 3, 2024

jspeed-meyers added the "enhancement" and "question" labels Nov 4, 2024
@jspeed-meyers
Collaborator

Thank you for pointing this out, @bact! I defer to @goneall and @kestewart. Do you want this tool to reflect the revised criteria in the new document cited above?

If so, that could be a good project for a Google Summer of Code intern.

@bact
Contributor Author

bact commented Nov 4, 2024

Yes, I think that will be useful and help adoption of SPDX.
Although I'm not certain about the scope of SPDX versions we would like to support.

Currently, ntia-conformance-checker supports SPDX 2.3.
To have the support for the Third edition of minimum elements in SPDX 2.3 is one thing.
To have the support for the Third edition of minimum elements also in SPDX 3.0 is another thing.

Considering the experimental support of SPDX 3.0 in spdx-tools dependency, an SPDX 2.3 is probably more feasible in the near term. Although the additional SPDX 3.0 support will do more favour for 3.0 adoption.

--

There is also a similar document from the German Federal Office for Information Security (BSI) that we could consider together:

(and the Summer of Code is interesting)

@jspeed-meyers
Collaborator

jspeed-meyers commented Nov 4, 2024

To be clear, I support updating the ntia-conformance-checker to implement the new edition of the minimum elements:

  • if (A) Gary and Kate support it
  • if (B) there is someone or some group of people that can make the necessary changes to the code while ensuring the test suite is also updated properly.

I can't currently justify B personally (at least as a volunteer maintainer), though I would be glad to supervise a GSOC intern or outside contributor to do it, reviewing PRs as necessary and providing advice.

@bact
Contributor Author

bact commented Nov 4, 2024

Thank you. Having played around a bit with tools-python SPDX model, I'm happy to look into this.

Let's see what Gary and Kate think about this.

@goneall
Member

goneall commented Nov 4, 2024

I personally support updating the minimum elements. For compatibility, I would suggest that we have a command line option to select which version of the minimum elements is used - the original NTIA or the 3rd edition of the framing document.

@jspeed-meyers
Collaborator

jspeed-meyers commented Nov 4, 2024

@bact or others: I'm glad to advise on how to implement this change. I suggest creating a design document first (perhaps a comment-only Google document or something similar) since there is potentially a lot to unpack and then arriving at a rough consensus before sending any PRs in.

@bact
Contributor Author

bact commented Nov 5, 2024

Thanks. I will try to come up with the design doc, maybe next week.

@jspeed-meyers
Collaborator

Sounds good, @bact. And LMK if you want to brainstorm or if I can help in any way.

@bact
Contributor Author

bact commented Nov 12, 2024

@jspeed-meyers I have put some notes here: https://docs.google.com/document/d/1pueRxlxoM9n1eG9g6AihjLvybEBTd77m22mRYBQltpg/edit?usp=sharing

Note that sbomqs already supports FSCT v3 on SPDX 2.x, so may need to see what is still missing.

@jspeed-meyers
Collaborator

@bact: Nice document.

IIUC, you are proposing to expand this tool's mandate from checking the conformance of an SPDX SBOM with the NTIA minimum elements to checking SPDX SBOM conformance with a range of frameworks. Do I understand your intention correctly?

In general, I want this tool to be broadly useful. So I support this motion in the abstract.

I do have two concerns. First, would any users besides yourself find this useful? I worry about expanding the mandate of the tool without clear and strong evidence that MANY users would find this helpful. Second, who will do the creation and maintenance of such a tool? I have become a co-maintainer of this tool (and the company where I work USED to use this tool internally), but there are no longer clear incentives for me to do anything other than basic maintenance. I worry about adding lots of functionality, which will inevitably have bugs, and there being no set of maintainers able to debug and propose fixes.

Anyways, nice document! I support the idea in general.

For me, the most important opinions are those of @goneall and @kestewart. I defer to them.

@bact
Contributor Author

bact commented Nov 12, 2024

Thank you. Very useful comments.

  1. On the demand side

Frankly I don't know. I believe there will be an increasing demand due to regulations and business needs, counting on the existence of a tool like sbomqs.

But of course, as currently sbomqs supports more standards and formats (SPDX 2 and CycloneDX), there's no good reason to switch to the tool in this repo.

Unless there's a feature that other tools don't have yet (and that feature is essential enough, which I don't know what it is).

Personally, I want to use this tool to check the conformance of an SBOM against requirements in EU AI Act. This will link to the supply side, the creation and maintenance in the next point.

  2. On the supply side

I am willing to create some of these features.

My idea is to start somewhere with less moving parts, to understand how things work, so standard documents like NTIA and FSCTv3 came to my mind. They are quite established and I don't have to worry much about interpretation.

After I understand how to technically check SBOM conformance, I will then continue to apply it with EU AI Act requirements.

I have an incentive for the creation because it will help with my study at university. But of course, one can question the maintenance in the long run after I leave university (which personally I hope happens soon).

Maybe to ease the concern, each addition of standard support should be developed in a way that is detached from the main program. A feature should be removed easily when required (the feature is no longer maintained and has bugs/dependencies that will affect the main program, or the standard document is deprecated/revoked).

@jspeed-meyers
Collaborator

> But of course, as currently sbomqs supports more standards and formats (SPDX 2 and CycloneDX), there's no good reason to switch to the tool in this repo.

Yeah, I think sbomqs is a perfectly good tool. The advantage, IMO, of this tool, ntia-conformance-checker, is not technical but organizational: it is housed within the spdx GitHub organization as an officially-supported implementation of NTIA conformance checking for SPDX SBOM documents. But if a user prefers sbomqs, then go for it!

> Maybe to ease the concern, each addition of standard support should be developed in a way that is detached from the main program.

I do think this would ease my concerns.

And, again, I'm glad to review PRs.

I still have the broader question though of: should this tool include SBOM quality standards beyond the NTIA minimum elements? I'm open to it. But I really do see this as a Gary and Kate question.

Also, I too originally got interested in this tool because of research (see here), so I understand your situation :)

@goneall
Member

goneall commented Nov 12, 2024

I have a couple of opinions on this topic:

  • This tool is quite valuable in that it is available through the online tools making it quite easy for those in the SPDX community to check conformance.
  • I foresee a lot of demand for the 3rd edition framing document conformance checking at the minimum level - the other standards suggested would be nice to have as well, but I have a feeling most people will just be checking for the minimum.
  • To keep the scope reasonable, I would focus on only well-specified published standards (which the proposal seems to do). Implementing a more general "quality" analysis would be quite a bit of work and seems to be well covered by the sbomqs work.

@jspeed-meyers
Collaborator

@bact: Given @goneall's support, I would suggest, at least in the short term, a PR that focuses on the 3rd edition framing document conformance checking at the minimum level, implemented via a new option like the design document above. If you aren't totally opposed to more design document work, I would suggest sketching out what new functions need to be added to implement the 3rd edition framing document conformance checking. Once you and I have a rough consensus there, you can send in a PR.

And everything else can wait until a later day.

Does that satisfy your immediate research needs?

@bact
Contributor Author

bact commented Nov 13, 2024

@goneall @jspeed-meyers Thank you. Yes, I think it is sound to start from the "Minimum Expected" level of the FSCT v3.

Will sketch what needs to be added first as John suggested.

@bact
Contributor Author

bact commented Nov 19, 2024

@jspeed-meyers I have updated the sketch. Please look at the "Current design" and "New design proposals" sections. Thanks.

@jspeed-meyers
Collaborator

I appreciate the sketch. I'm starting to understand the architecture. I asked some questions. I can tell you've thought about this more than I have. I admire your ability to create architectural options and describe them. Please review my questions at your convenience. Once you've answered them--and I suspect we're close to consensus--then I welcome a PR. Nice job.

@bact
Contributor Author

bact commented Nov 21, 2024

@jspeed-meyers Thanks a lot. Those questions made me think more. I have answered all (I think) in the Google Docs, some as comments, some as the "Example of Approach" sections. Please see if there's anything we can have more details on.

@jspeed-meyers
Collaborator

@bact: I think this design document answers all of my questions and explains your intent. Please proceed!

One note: I will be on paternity leave from the Wednesday of this week until January 6, 2025. I am afraid I will hardly be at my computer. @goneall can, of course, review PRs too, as his time allows. Anyways, I wanted you to know so that you didn't think I was avoiding any PRs. But when I return, I'm glad to help with PR reviews too.

@bact
Contributor Author

bact commented Nov 25, 2024

Oh. Don't worry. Spend the most out of your important break. Take care + congrats 🎉

bact linked a pull request Nov 25, 2024 that will close this issue
@bact
Contributor Author

bact commented Nov 25, 2024

#224 is ready for initial (re)structural review before I proceed into the compliance check implementation in more detail.

@jspeed-meyers
Collaborator

Looking good to me so far! Nice!

jspeed-meyers removed the "question" label Nov 26, 2024