Is your feature request related to a problem? Please describe.
With the new experimental REST interfaces being proposed, and based on some discussion around being able to get value out of GUAC while waiting for ingestion to complete (due to a lack of data from users, or because ingesting large amounts of data takes a while), we want to enable some use cases that provide instant value upon setup of GUAC and iteratively get better as more and more data gets ingested.
We discussed several options including:
- Do I have an SBOM? If so, where does that SBOM live?
- What is my most widely used dependency?
- Top-level package "Scorecard" (for OSSF Scorecards, licenses, etc.)
This issue describes the first option.
Describe the solution you'd like
Do I have an SBOM? If so, where does that SBOM live?
In the case of the White House Executive Order (EO) 14028, organizations are required to be able to provide SBOMs to federal agencies upon request. The feature would provide a convenient UX for responding to this, and similarly the ability to make SBOMs available via self-service request.
A user should be able to:
- Identify if a piece of software has an SBOM
- Identify if a certain class of software has an SBOM
- Retrieve an identified piece of software's SBOM by downloading it
Through lessons of implementing the SBOM response to the EO:
- Sometimes it is difficult to find SBOMs: people refer to software by product names, or other names, which often do not match the name used in the software. In some cases it is uncertain what the PURL to query is, and some sort of search functionality is required.
- Another concept that is useful is a labeling functionality. If it is possible to link an SBOM to a product
- Sometimes an SBOM may not be attached to the top-level package, i.e. a JAR is packaged into a container or VM image; we need to include the associated binary SBOMs as well.
- Being able to note which SBOMs are available for public access or ready for federal access may be required (i.e. privacy requirements, or artifacts that may be dev or staging)
Some ideas:
- Could use things like the findSoftware GraphQL interface to search for SBOMs
- Could add labels in annotations in SBOMs that may then be attached as HasMetadata, and allow filtering based on those labels
- Add annotations of whether things are BINARY or APPLICATION within an SBOM to make more sense when traversing dependencies transitively (i.e. to prevent issues such as "Dependency false positives from deps.dev collector" #1357)
Describe alternatives you've considered
Other alternatives to have issues opened up for:
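To make the "do I have an SBOM, and where does it live?" flow and the labeling idea concrete, here is an added example that is not part of the issue and not GUAC code. It indexes constructed SPDX 2.3 JSON documents in memory instead of querying the GUAC graph, and it assumes two hypothetical conventions: access labels are carried as document-level SPDX annotations whose comment reads `guac:label=<name>`, and the BINARY/APPLICATION distinction is an annotation reading `guac:kind=<KIND>`. The product-name alias table stands in for the search step the issue asks for; the SBOM locations, product names and purls are made up.

```python
import json
import re
from dataclasses import dataclass

# Hypothetical annotation comment conventions (neither GUAC's nor SPDX's):
LABEL_RE = re.compile(r"^guac:label=([A-Za-z0-9_.:-]+)$")  # access label
KIND_RE = re.compile(r"^guac:kind=(BINARY|APPLICATION)$")    # artifact kind

@dataclass
class SbomRecord:
    location: str       # where the SBOM document lives (URL, path, bucket key)
    document_name: str  # SPDX "name"
    top_level: set      # purls of the packages listed in documentDescribes
    purls: set          # every purl carried by a package in the document
    labels: set         # values of guac:label= annotations
    kind: str           # BINARY / APPLICATION / UNKNOWN from guac:kind=

def parse_spdx(location, doc):
    # Index one SPDX 2.3 JSON document (already parsed into a dict).
    purl_by_id = {}
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl_by_id[pkg["SPDXID"]] = ref["referenceLocator"]
    described = set(doc.get("documentDescribes", []))
    labels, kind = set(), "UNKNOWN"
    for ann in doc.get("annotations", []):
        comment = ann.get("comment", "")
        if m := LABEL_RE.match(comment):
            labels.add(m.group(1))
        elif m := KIND_RE.match(comment):
            kind = m.group(1)
    return SbomRecord(location, doc.get("name", ""),
                      {p for s, p in purl_by_id.items() if s in described},
                      set(purl_by_id.values()), labels, kind)

class SbomIndex:
    """Answers 'do I have an SBOM for X, and where does it live?' in memory."""

    def __init__(self, aliases):
        # product name -> purl; stands in for the search step the issue asks for
        self.aliases = {k.lower(): v for k, v in aliases.items()}
        self.records = []

    def add(self, location, doc_json):
        self.records.append(parse_spdx(location, json.loads(doc_json)))

    def find(self, query, required_label=None):
        """Return [(location, scope, kind)] for every SBOM covering `query`.
        scope is "contained" when the package only appears inside the described
        artifact (a JAR inside an image), so associated binary SBOMs surface too;
        required_label keeps only SBOMs carrying that access label."""
        purl = query if query.startswith("pkg:") else self.aliases.get(query.lower())
        hits = []
        for rec in self.records:
            by_purl = purl is not None and purl in rec.purls
            by_name = query.lower() in rec.document_name.lower()
            if not (by_purl or by_name):
                continue
            if required_label is not None and required_label not in rec.labels:
                continue
            scope = "contained" if by_purl and purl not in rec.top_level else "top-level"
            hits.append((rec.location, scope, rec.kind))
        return hits

def spdx_doc(name, describes, packages, annotations):
    # Build a minimal SPDX 2.3 JSON string (constructed sample data).
    return json.dumps({
        "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": name,
        "documentDescribes": describes,
        "packages": [{"SPDXID": sid, "name": pname, "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": purl}]} for sid, pname, purl in packages],
        "annotations": [{"annotationType": "OTHER", "annotator": "Tool: labeler",
                         "annotationDate": "2024-01-01T00:00:00Z", "comment": c}
                        for c in annotations],
    })

IMAGE_PURL = "pkg:docker/acme/acme-service@1.4.0"
JAR_PURL = "pkg:maven/com.acme/billing@2.1.0"

def build_demo_index():
    # Three constructed SBOMs: a production image that contains a JAR, the
    # JAR's own binary SBOM, and a staging image that must not be handed out.
    idx = SbomIndex({"Acme Billing Service": IMAGE_PURL, "billing jar": JAR_PURL})
    idx.add("s3://sboms/acme-service-1.4.0.spdx.json", spdx_doc(
        "acme-service-image", ["SPDXRef-Image"],
        [("SPDXRef-Image", "acme-service", IMAGE_PURL),
         ("SPDXRef-Jar", "billing", JAR_PURL)],
        ["guac:label=federal-ready", "guac:kind=APPLICATION"]))
    idx.add("https://artifacts.example/billing-2.1.0.spdx.json", spdx_doc(
        "billing", ["SPDXRef-Jar"], [("SPDXRef-Jar", "billing", JAR_PURL)],
        ["guac:label=internal-only", "guac:kind=BINARY"]))
    idx.add("s3://sboms/acme-service-1.5.0-rc1.spdx.json", spdx_doc(
        "acme-service-image-staging", ["SPDXRef-Image"],
        [("SPDXRef-Image", "acme-service", "pkg:docker/acme/acme-service@1.5.0-rc1")],
        ["guac:label=staging", "guac:kind=APPLICATION"]))
    return idx
```

Calling `build_demo_index().find("billing jar")` returns both the image SBOM (scope "contained", because the JAR only appears inside the described image) and the JAR's own BINARY SBOM, while `find("acme-service", required_label="federal-ready")` matches on the document name and drops the staging image because it lacks the label. In GUAC terms the alias lookup is the role findSoftware would play, the labels are what a HasMetadata node attached to the SBOM subject would carry, and the location is whatever the graph records as the SBOM's storage location; the in-memory index only isolates the query logic.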