SBOM for mainframe applications Working Group #848

@suman-gopinath

Describe the purpose of the group in no more than 4-5 sentences

To refine and adapt industry standard SBOMs to cater to traditional z/OS applications, primarily COBOL, PL/I, HLASM and mixed language applications. The scope of this charter will target creation of SBOMs for z/OS applications and Application products delivered by Vendors, i.e. code that is invoked during runtime of a z/OS Application.

Goals of the working group

  1. Review existing industry standard SBOM definitions and formats (including SPDX implementation at Telco)
  2. Work with SPDX and CycloneDX to identify attributes and fields pertaining to z/OS Applications. Work with the communities to add them to the appropriate profiles.
  3. Identify SBOM attributes and specifications for Build and Deploy of traditional z/OS applications that follow incremental build and deploy processes – with the ability to extend to full application builds and deploy for packaged application products
  4. Validate and review identified standards across at least 10 different mainframe enterprises

Non-goals of the working group

  1. This workgroup will only define the formats and if necessary, validation libraries for the formats. It will not include tooling to create SBOMs
  2. Prioritization of individual SBOM delivery timelines across vendors
  3. SBOMs for pure-Java, Python, NodeJS applications running on z/OS. There exist tooling frameworks and libraries for these technologies. This workgroup will align and ensure consistency across applications

Deliverables

  1. Published GitHub pages with
  2. Introduction to SBOMs for z/OS applications
  3. Guidelines on generating SBOMs from build and deploy
  4. Identified attributes as necessary for z/OS applications
  5. Packages for validating SBOMs

Metadata

Labels: 2-annual-review (Annual Review for a Project or Working Group)

Project status: Future Meeting Agenda Items
