The CISA SBOM Community SBOM Reference Implementation Tiger Team adheres to the following principles:
- Open: This project is intended for public use and is considered a public good
- Welcoming and respectful: See Code of Conduct
- Patience: Expect to move slower together than fast alone
- Transparent and accessible: Work and collaboration should be done in public. Please create issues and use community channels to discuss contributions before implementation.
- Merit: Ideas and contributions are accepted according to their technical merit and alignment with project goals, scope, design principles, and most importantly stability for existing users.
This project will create example pipelines/workflows in GitHub and GitLab demonstrating how to generate quality SBOMs for various software types:
- Java Application
- Container Image with Python (Django) application
- Go Application
- Container Image with Go application
Stretch Goal: Workflows for creating SBOMs with multiple dependency trees (SBOM nesting)
- "Legacy" C or C++ Application
This activity only covers SBOMs of type Source or Build, as SBOMs of other types are typically not curated by the maintainers of Open Source software but by its consumers. For Source and Build SBOMs, the contents of the SBOM describing the artifact will include only what is being distributed and will not contain information about prospective uses of the software during or after installation or while it runs. That information is captured in separate SBOM types (i.e. Deployment, Runtime).
In the context of this document, the “source” is defined as a snapshot of the source code made available for download, such as a tgz archive. The “build” is the set of artifacts built and released by the project. These could be tgz archives, but also other artifacts such as rpm, deb, or zip.
These examples will function independently on public or private GitHub/GitLab instances and be reusable through GitLab CI/CD or GitHub Actions.
The project will be considered "done" when:
- Each application has a corresponding GitHub and GitLab project.
- Workflows in these projects create SBOMs that:
  - Meet and exceed NTIA Minimum Elements.
  - Align with relevant Community Tiger Team whitepapers.
  - Are stored following OpenSSF guidance (including examples for importing into tools like DependencyTrack).
- A white paper documents:
  - Hurdles encountered during development.
  - Solutions implemented to achieve consistent messaging.
  - Areas for future improvement.
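The "meet NTIA Minimum Elements" criterion, together with the CycloneDX 1.5 floor stated in the scope items, can be checked mechanically in a pipeline. The following is an added example and not Tiger Team code: a small Python checker run over a constructed CycloneDX JSON document, where the mapping of NTIA elements onto CycloneDX fields and the sample values are this example's own assumptions.

```python
# Added example (not Tiger Team code): check a CycloneDX JSON SBOM for the NTIA
# minimum elements and the CDX 1.5 floor; the field mapping is this example's own.
MIN_CDX = (1, 5)

def check_ntia_min_elements(sbom: dict) -> list:
    """Return findings as strings; an empty list means the SBOM passes."""
    findings = []
    spec = tuple(int(p) for p in str(sbom.get("specVersion", "0")).split("."))
    if sbom.get("bomFormat") != "CycloneDX" or spec < MIN_CDX:
        findings.append(f"format: need CycloneDX >= 1.5, got {sbom.get('bomFormat')} {sbom.get('specVersion')}")
    meta = sbom.get("metadata") or {}
    if not meta.get("timestamp"):
        findings.append("metadata: no timestamp (NTIA: Timestamp)")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: no authors/tools (NTIA: Author of SBOM Data)")
    # The described product (metadata.component) is checked like any other component.
    components = ([meta["component"]] if meta.get("component") else []) + list(sbom.get("components") or [])
    refs = set()
    for c in components:
        label = c.get("bom-ref") or c.get("name") or "<unnamed>"
        if c.get("bom-ref"):
            refs.add(c["bom-ref"])
        if not c.get("name"):
            findings.append(f"{label}: no name (NTIA: Component Name)")
        if not c.get("version"):
            findings.append(f"{label}: no version (NTIA: Version)")
        if not (c.get("supplier") or {}).get("name"):
            findings.append(f"{label}: no supplier.name (NTIA: Supplier Name)")
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            findings.append(f"{label}: no purl/cpe/swid (NTIA: Unique Identifier)")
    # Every component must appear in the dependency graph, as a ref or a dependsOn target.
    deps = sbom.get("dependencies") or []
    in_graph = {d.get("ref") for d in deps} | {x for d in deps for x in d.get("dependsOn", [])}
    for ref in sorted(refs - in_graph):
        findings.append(f"{ref}: absent from dependencies (NTIA: Dependency Relationship)")
    return findings

# Constructed sample: "lib-b" lacks a version, a supplier and a dependency entry.
EXAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-09-10T00:00:00Z", "tools": [{"name": "constructed-generator"}],
        "component": {"bom-ref": "app", "type": "application", "name": "example-app", "version": "1.0.0",
                      "supplier": {"name": "Example Org"}, "purl": "pkg:maven/org.example/example-app@1.0.0"}},
    "components": [
        {"bom-ref": "lib-a", "type": "library", "name": "lib-a", "version": "2.3.1",
         "supplier": {"name": "Lib A Maintainers"}, "purl": "pkg:maven/org.example/lib-a@2.3.1"},
        {"bom-ref": "lib-b", "type": "library", "name": "lib-b", "purl": "pkg:maven/org.example/lib-b@0.9.0"}],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a"]}, {"ref": "lib-a", "dependsOn": []}]}
```

Running `check_ntia_min_elements(EXAMPLE_SBOM)` reports three findings, all against `lib-b`; a pipeline step can fail the build when the list is non-empty.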
- Public GitHub projects for each application.
- Public GitLab projects for each application.
- White paper outlining project learnings and future directions.
- Functioning GitHub Actions or GitLab CI/CD pipelines generating high-quality SBOMs.
- SBOMs adhering to NTIA Minimum Elements and exceeding expectations.
- SBOMs aligning with Community Tiger Team whitepaper recommendations.
- Documentation of limitations due to immature tooling.
- OpenSSF-compliant SBOM storage with import examples into other Open Source tools like DependencyTrack.
- Open-source tooling within pipelines/workflows (commercially-owned open-source tools allowed).
- Community feedback loop on generated SBOM completeness.
- SBOM generation in multiple formats/tools (JSON preferred, minimum CDX 1.5, minimum SPDX 2.3).
- Prioritization of Open Source and then Open Source with Commercial Backing tools.
- Automation (write-once, repeatable workflows).
- Non-open-source licensed tools.
- Complex systems-of-systems.
- A new open-source project to create GitHub Actions or GitLab Pipelines for others to consume.
- Tool deployments requiring maintenance or cost.
- SBOM signing (future Tiger Team initiative).
This project has an estimated end date of January 14, 2025, and has several intermediate due dates for each phase.
- Phase 1 (duration 6 weeks)
  - Expected completion September 10, 2024
- Phase 2 (duration 6 weeks)
  - Expected completion October 22, 2024
- Phase 3 (duration 6 weeks)
  - Expected completion December 3, 2024
- White Paper Completion (duration 6 weeks)
  - Expected completion January 14, 2025