Question about SLSA


Vincent Zhen

Apr 14, 2022, 2:10:28 PM
to slsa-discussion
Hi,

My name is Vincent and I work in MongoDB's information security engineering team. Our CISO recently talked about SLSA as a possible avenue for looking at SBOMs. I had a couple questions that didn't seem to be answered easily from your website.

1. What is the difference between SLSA and SPDX? Are they completely different schemas for SBOMs?

2. Do you currently have or plan to have a SLSA SBOM generator where you can have an input repository and the result is an SLSA SBOM?

Thank you in advance for any assistance!

Regards,
Vincent

Tom Hennen

Apr 14, 2022, 2:12:12 PM
to Vincent Zhen, Brandon Lum, slsa-discussion
+Brandon Lum has been thinking about this and is working on a blog post about it!


Brandon Lum

Apr 15, 2022, 10:06:29 AM
to Tom Hennen, Vincent Zhen, slsa-discussion
Blog post is in the works! Hope to get it released in the next week or so! But here's a few short answers for now:

>1. What is the difference between SLSA and SPDX? Are they completely different schemas for SBOMs?

SPDX is an SBOM schema but SLSA is not. A part of SLSA is the SLSA provenance document, which is a build attestation. These 2 documents hold an overlapping set of fields. However, it is not a 1:1 mapping. They have varied use cases but are functionally overlapping quite a bit.

>2. Do you currently have or plan to have a SLSA SBOM generator where you can have an input repository and the result is an SLSA SBOM?

Not right now, but in the blogpost, I suggest that SLSA documents can potentially generate SBOM documents (or perhaps be used by). This is something that needs to be explored further. Currently the SPDX Build Profile working group is discussing the ideation and data model of this.

Cheers
Brandon

Mark Lodato

Apr 26, 2022, 11:46:34 AM
to Vincent Zhen, slsa-discussion, Brandon Lum
Hi Vincent!

On Thu, Apr 14, 2022 at 2:10 PM 'Vincent Zhen' via slsa-discussion <slsa-di...@googlegroups.com> wrote:
> 1. What is the difference between SLSA and SPDX? Are they completely different schemas for SBOMs?

Right now this difference is confusing, and we hope to address it in the coming months (issue #276 +Brandon Lum). I'll give it a shot, though I expect further revision to make the answer more clear. Also, I'm not an expert on SBOM or SPDX so I may be partially incorrect.

First, SLSA is a larger framework for ensuring supply chain integrity, meaning protection against tampering. Among other things, it requires "provenance" metadata.

SBOM and Provenance are both standards for software metadata that overlap heavily:
- Both SBOM and Provenance describe what sources and dependencies went into a piece of software.
- Provenance is primarily intended as evidence of integrity. Unlike SBOM, provenance describes how the software was built and who/what system built it, as well as requiring authenticity (signing) of the provenance itself.
- SBOM is primarily intended to enable licensing and vulnerability management. Unlike provenance, SBOM requires identification of the software (name and version ID) and the author/supplier (not necessarily what system built it).

In terms of concrete formats to express provenance and SBOM:
- slsa.dev/provenance is the recommended format for expressing SLSA provenance.
- SPDX, CycloneDX, and SWID are the recommended formats for satisfying SBOM.

> 2. Do you currently have or plan to have a SLSA SBOM generator where you can have an input repository and the result is an SLSA SBOM?

Not exactly, but we have been discussing having build tools that generate both SLSA provenance and SBOM at the same time. There have also been discussions of generating an SBOM from provenance, though right now provenance is not quite a superset of SBOM.
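
An added illustration of the gap described in the message above (not part of the thread, and not code from the SLSA or SPDX projects): it maps the materials of a constructed SLSA provenance v0.2 statement to simplified SPDX-style package entries and reports the identification fields that provenance cannot supply. The URLs, digests and function names are assumptions made for the example.

```python
# Constructed sample: an in-toto statement carrying a SLSA provenance v0.2 predicate.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "aa" * 32}}],
    "predicate": {
        "builder": {"id": "https://builder.example/ci"},
        "buildType": "https://builder.example/build-type/v1",
        "materials": [
            {"uri": "git+https://git.example/org/app", "digest": {"sha1": "bb" * 20}},
            {"uri": "https://pkgs.example/libfoo-1.2.3.tar.gz", "digest": {"sha256": "cc" * 32}},
        ],
    },
}

# Identification fields the thread says an SBOM needs and provenance does not carry.
SBOM_ONLY_FIELDS = ("name", "versionInfo", "supplier")


def sbom_packages_from_provenance(statement):
    """Map each provenance material to a simplified SPDX-style package entry."""
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        raise ValueError("not a SLSA provenance v0.2 statement")
    packages = []
    for index, material in enumerate(statement["predicate"].get("materials", [])):
        package = {
            "SPDXID": f"SPDXRef-Material-{index}",
            "downloadLocation": material["uri"],
            "checksums": [
                {"algorithm": alg.upper(), "checksumValue": value}
                for alg, value in sorted(material.get("digest", {}).items())
            ],
        }
        # Provenance has no structured name/version/supplier, so leave explicit gaps.
        package.update({field: None for field in SBOM_ONLY_FIELDS})
        packages.append(package)
    return packages


def provenance_only_facts(statement):
    """Build facts recorded in provenance: which system built it and how."""
    predicate = statement["predicate"]
    return {"builder": predicate["builder"]["id"], "buildType": predicate["buildType"]}


def unresolved_fields(packages):
    """Return {SPDXID: [fields still None]} so a generator knows what to source elsewhere."""
    return {p["SPDXID"]: [f for f in SBOM_ONLY_FIELDS if p[f] is None] for p in packages}
```

The `None` entries are the part a generator would have to fill from another source such as a package manifest; the digests and locations carry over directly.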

Brandon Lum

May 3, 2022, 11:53:50 AM
to Mark Lodato, Vincent Zhen, slsa-discussion
We just launched a blogpost about SBOM + SLSA: https://slsa.dev/blog/2022/05/slsa-sbom