TranslateProject/sources/talk/20200730 Role Of SPDX In Open Source Software Supply Chain.md

85 lines
13 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Role Of SPDX In Open Source Software Supply Chain)
[#]: via: (https://www.linux.com/audience/developers/role-of-spdx-in-open-source-software-supply-chain/)
[#]: author: (Swapnil Bhartiya https://www.linux.com/author/swapnil/)
Role Of SPDX In Open Source Software Supply Chain
======
Kate Stewart is a Senior Director of Strategic Programs, responsible for the Open Compliance program at the Linux Foundation encompassing SPDX, OpenChain, Automating Compliance Tooling related projects. In this interview, we talk about the latest release and the role its playing in the open source software supply chain.
*Here is a transcript of our interview. *
Swapnil Bhartiya: Hi, this is Swapnil Bhartiya, and today we have with us, once again, Kate Stewart, Senior Director of Strategic Programs at Linux Foundation. So lets start with SPDX. Tell us, whats new going on in there in this specification?
Kate Stewart: Well, the SPDX specification just a month ago released auto 2.2 and what weve been doing with that is adding in a lot more features that people have been wanting for their use cases, more relationships, and then weve been working with the Japanese automotive-made people whove been wanting to have a light version. So theres lots of really new technology sitting in the SPDX 2.2 spec. And I think were at a stage right now where its good enough that theres enough people using it, we want to probably take it to ISO. So weve been re-formatting the document and well be starting to submit it into ISO so it can become an international specification. And thats happening.
Swapnil Bhartiya: Can you talk a bit about if there is anything additional that was added to the 2.2 specification. Also, I would like to talk about some of the use cases since you mentioned the automaker. But before that, I just want to talk about anything new in the specification itself.
Kate Stewart: So in the 2.2 specifications, weve got a lot more relationships. People wanted to be able to handle some of the use cases that have come up from containers now. And so they wanted to be able to start to be able to express that and specify it. Weve also been working with the NTIA. Basically they have a software bill of materials or SBoM working groups, and SPDX is one of the formats thats been adopted. And their framing group has wanted to see certain features so that we can specify known unknowns. So thats been added into the specification as well.
And then there are, how you can actually capture notices since thats something that people want to use. The license has called for it and we didnt have a clean way of doing it and so some of our tool vendors basically asked for this. Not the vendors, I guess there are partners, there are open source projects that wanted to be able to capture this stuff. And so we needed to give them a way to help.
Were very much focused right now on making sure that SPDX can be useful in tools and that we can get the automation happening in the whole ecosystem. You know, be it when you build a binary to ship to someone or to test, you want to have your SBoM. When youve downloaded something from the internet, you want to have your SBoM. When you ship it out to your customer, you want to be able to be very explicit and clear about whats there because you need to have that level of detail so that you can track any vulnerabilities.
Because right now about, I guess, 19… I think there was a stat from earlier in the year from one of the surveys. And I can dig it up for you if youd like, but I think 99% of all the code that was scanned by Synopsys last year had open source in it. And of which it was 70% of that whole build materials was open source. Open source is everywhere. And what we need to do is, be able to work with it and be able to adhere to the licenses, and transparency on the licenses is important as is being able to actually know what you have, so you can remediate any vulnerabilities.
Swapnil Bhartiya: You mentioned a couple of things there. One was, you mentioned tooling. So Im kind of curious, what sort of tooling that is already there? Whether its open source or open source be it basically commercialization that worked with the SPDX documents.
Kate Stewart: Actually, Ive got a document that basically lists all of these tools that weve been able to find and more are popping up as the day goes by. Weve got common tools. Like, some of the Linux Foundation projects are certainly working with it. Like FOSSology, for instance, is able to both consume and generate SPDX. So if youve got an SPDX document and you want to pull it in and cross check it against your sources to make sure its matching and no ones tampered with it, the FOSSology tool can let you do that pretty easily and codes out there that can generate FOSSology.
Free Software Foundation Europe has a Lindt tool in their REUSE project that will basically generate an SPDX document if youre using the IDs. I guess theres actually a whole bunch more. So like I say, Ive got a document with a list of about 30 to 40, and obviously the SPDX tools are there. Weve got a free online, a validator. So if someone gives you an SPDX document, you can paste it into this validator, and itll tell you if its a valid SPDX document or not. And were looking to it.
Im finding also some tools that are emerging, one of which is decodering, which well be bringing into the Act umbrella soon, which is looking at transforming between SPDX and SWID tags, which is another format thats commonly in use. And so we have tooling emerging and making sure that what weve got with SPDX is usable for tool developers and that weve got libraries right now for SPDX to help them in Java, Python and Go. So hopefully well see more tools come in and theyll be generating SPDX documents and people will be able to share this stuff and make it automatic, which is what we need.
Another good tool, I cant forget this one, is Tern. And actually Tern, and so what Tern does is, its another tool that basically will sit there and it will decompose a container and it will let you know the bill of materials inside that container. So you can do there. And another one thats emerging that well hopefully see more soon is something called OSS Review Toolkit that goes into your bill flow. And so it goes in when you work with it in your system. And then as youre doing bills, youre generating your SBoMs and youre having accurate information recorded as you go.
As I said, all of this sort of thing should be in the background, it should not be a manual time-intensive effort. When we started this project 10 years ago, it was, and we wanted to get it automated. And I think were finally getting to the stage where its going to be… Theres enough tooling out there and theres enough of an ecosystem building that well get this automation to happen.
This is why getting it to ISO and getting the specification to ISO means itll make it easier for people in procurement to specify that they want to see the input as an SPDX document to compliment the product that theyre being given so that they can ingest it, manage it and so forth. But by it being able to say its an ISO standard, it makes the things a lot easier in the procurement departments.
OpenChain recognized that we needed to do this and so they went through and… OpenChain is actually the first specification were taking through to ISO. But for SPDX, were taking it through as well, because once they say you need to follow the process, you also need some for a format. And so its very logical to make it easy for people to work with this information.
Swapnil Bhartiya: And as youve worked with different players, different of the ecosystem, what are some of the pressing needs? Like improve automation is one of those. What are some of the other pressing needs that you think that the community has to work on?
Kate Stewart: So some of the other pressing needs that we need to be working on is more playbooks, more instructions, showing people how they can do things. You know, we figured it out, okay, heres how we can model it, heres how you can represent all these cases. This is all sort of known in certain peoples heads, but we have not done a good job of expressing to people so that its approachable for them and they can do it.
One of the things thats kind of exciting right now is the NTIA is having this working group on these software bill of materials. Its coming from the security side, but theres various proof of concepts that are going on with it. One of which is a healthcare proof of concept. And so theres a group of about five to six device manufacturers, medical device manufacturers that are generating SBoMs in SPDX and then there are handing them into hospitals to go and be able to make sure they can ingest them in.
And this level of bringing people up to this level where they feel like they can do these things, its been really eye-opening to me. You know, how much we need to improve our handholding and improve the infrastructure to make it approachable. And this obviously motivates more people to be getting involved. From the vendors and commercial side, as well as the open source, but it wouldnt have happened, I think, to a large extent for SPDX without this open source and without the projects that have adopted it already.
Swapnil Bhartiya: Now, just from the educational awareness point of view, like if theres an open source project, how can they easily create SBoM documents that uses the SPDX specification with their releases and keep it synced?
Kate Stewart: Thats exactly what wed love to see. Wed love to see the upstream projects basically generate SPDX documents as theyre going forward. So the first step is to use the SPDX license identifiers to make sure you understand what the licensing should be in each file, and ideally you can document with eTags. But then theres three or four tools out there that actually scan them and will generate an SPDX document for you.
If youre working at the command line, the REUSE Lindt tool that I was mentioning from Free Software Foundation Europe will work very fast and quickly with what youve got. And itll also help you make sure youve got all your files tagged properly.
If you havent done all the tagging exercising and you wonder [inaudible 00:09:40] what you got, a scan code works at the command line, and itll give you that information as well. And then if you want to start working in a larger system and you want to store results and looking things over time, and have some state behind it all so like therell different versions of things over time, FOSSology will remember from one version to another and will help you create these [inaudible 00:10:01] off of bill materials.
Swapnil Bhartiya: Can you talk about some of the new use cases that youre seeing now, which maybe you did not expect earlier and which also shows how the whole community is actually growing?
Kate Stewart: Oh yeah. Well, when we started the project 10 years ago, we didnt understand containers. They werent even not on the raw mindset of people. And theres a lot of information sitting in containers. Weve had some really good talks over the last couple of years that illustrate the problems. There was a report that was put out from the Linux Foundation by Armijn Hemel, that goes into the details of whats going on in containers and some of the concerns.
So being able to get on top of automating, whats going on with concern inside a container and what youre shipping and knowing youre not shipping more than you need to, figuring out how we can improve these sorts of things is certainly an area that was not initially thought about.
Weve also seen a tremendous interest in whats going on in IOT space. And so that you need to really understand whats going on in your devices when theyre being deployed in the field and to know whether or not, effectively is vulnerability going to break it, or can you recover? Things like that. The last 10 years weve seen tremendous spectrum of things we just didnt anticipate. And the nice thing about SPDX is, youve got a use case that were not able to represent. If we cant tell you how to do it, just open an issue, and well start trying to figure it out and start to figure if we need to add fields in for you or things like that.
Swapnil Bhartiya:  Kate, thank you so much for taking your time out and talking to me today about this project.
--------------------------------------------------------------------------------
via: https://www.linux.com/audience/developers/role-of-spdx-in-open-source-software-supply-chain/
作者:[Swapnil Bhartiya][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.linux.com/author/swapnil/
[b]: https://github.com/lujun9972