
openc2-actuator message



Subject: New Actuator Profile for SBoM


Background:

During the plugfest preparations, the DoD has advocated for a "comply to connect" use case calling for a software inventory. sFractal has advocated for a "comply to connect" use case calling for a software bill of materials (SBoM). At the language SC today we discussed at length and I was chartered with coming up with some black ink - which I did and it is in https://github.com/oasis-tcs/openc2-usecases/blob/master/Cybercom-Plugfest/sbom-github.md. The LSC is debating the changes needed to the language spec to accommodate SBoM queries.

 

Proposed AP-SC Agenda Item:

I would like to propose an actuator profile (one destined to become a specification, not just a CAP) for SBoM functionality. It will be similar to the query feature for actuator profile but it will be an optional capability - therefore I think it rates its own AP specification so that those that can do it reply with sbom in their AP list. We could conceivably just add it as an option to the query feature profile section of the Language Specification but I advocate it have its own AP. Recall I am from the "many smaller profile" camp as opposed to the "fewer, larger profiles with options".

 

Shameless plug for the good of mankind:

Please read the documents at ntia.gov/sbom. I think they are very important for our industry independent of OpenC2. However, I also think SBoM is a killer app for OpenC2 and if we get this right, it should introduce OpenC2 into lots of places. I plan to bring the results of the plugfest back to the NTIA SBoM multistakeholder group as they are right now debating the "transport protocol" for requesting SBoMs.

 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 


