OpenChain Telco SBOM Guide

The telecom industry's OpenChain Telco Workgroup has published its own Telco-specific SBOM recommendations.
Interlynk
June 10, 2024

A Software Bill of Materials (SBOM) enables organizations to identify vulnerabilities, track open-source usage, and ensure compliance with their obligations.

However, each industry, with its own software production and consumption habits, can have industry-specific requirements.

The telecom industry recognized this, and the OpenChain Telco workgroup was created in May 2021 to address the industry's unique SBOM requirements.

Powered by participation from industry giants (Ericsson, Nokia, Huawei, KDDI Corporation, Fujitsu, Toshiba, Sony, Bosch, among others), the working group set out to recommend a specific SBOM data format, identify the key fields in that format, and define criteria for distributing SBOMs.

The OpenChain working group has released SBOM Guide Version 1.0, aimed at creating consensus on what constitutes a quality Software Bill of Materials (SBOM).

Requirements

Specifications

  • SPDX 2.2 (verified against SPDX 2.2.1)
  • SPDX 2.3

File Formats

  • Tag:Value
  • JSON

Required Elements

Document creation information

SBOM Build Information

  • The Creator field must contain an Organization value
  • The Creator field must contain a Tool name and its version
  • The CreatorComment field must contain SBOMType information as defined by CISA

Package information

Scope information

  • Must include all open-source components including transitive components
  • Should include all commercial components
  • Must include all "known unknown" components

Relationships Information

  • Must include at least DESCRIBES and CONTAINS relationships, as required by the "NTIA SBOM Minimum Elements"
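The document-creation and relationship rules above are all mechanically checkable on an SPDX JSON file. The following checker is an added example (not sbomqs, not OpenChain code); the field names follow the SPDX 2.3 JSON schema, while the rule set, the assumption that the SPDX "Tool: name-version" creator form satisfies the tool-version rule, and the assumption that any CISA SBOM type word (Design, Source, Build, Analyzed, Deployed, Runtime) in CreatorComment satisfies the SBOMType rule, are mine. Both SBOM documents embedded in it are constructed samples.

```python
"""Check an SPDX 2.x JSON SBOM against the OpenChain Telco required elements.

Added example; not sbomqs or OpenChain code. Field names follow the SPDX 2.3
JSON schema; the rule set is an assumption derived from the guide's bullet list.
"""
import json
import re

SUPPORTED_SPDX_VERSIONS = {"SPDX-2.2", "SPDX-2.3"}
# CISA's SBOM type vocabulary (assumption: one of these words in
# CreatorComment, case-insensitive, satisfies the guide's SBOMType rule).
CISA_SBOM_TYPES = {"design", "source", "build", "analyzed", "deployed", "runtime"}


def check_telco_required(doc):
    """Return a dict of rule name -> True/False for each required element."""
    info = doc.get("creationInfo") or {}
    creators = info.get("creators") or []
    comment = (info.get("creatorComment") or "").lower()
    rel_types = {r.get("relationshipType") for r in doc.get("relationships") or []}

    return {
        "spdx_version_supported": doc.get("spdxVersion") in SUPPORTED_SPDX_VERSIONS,
        # Creator must carry an Organization entry with a non-empty name
        "creator_has_organization": any(
            re.match(r"^Organization:\s*\S", c) for c in creators),
        # Creator must carry a Tool entry in the SPDX "Tool: name-version" form
        "creator_tool_has_version": any(
            re.match(r"^Tool:\s*\S+-\d", c) for c in creators),
        "creator_comment_has_sbom_type": any(t in comment for t in CISA_SBOM_TYPES),
        # SPDX 2.2/2.3 JSON may express DESCRIBES either as a relationship
        # or through the top-level documentDescribes list; accept both.
        "has_describes_relationship": "DESCRIBES" in rel_types
        or bool(doc.get("documentDescribes")),
        "has_contains_relationship": "CONTAINS" in rel_types,
    }


def telco_required_passed(doc):
    """True only when every required-element check passes."""
    return all(check_telco_required(doc).values())


def load_sbom(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


# Constructed sample: a minimal SBOM that satisfies every required element.
GOOD_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "creationInfo": {
        "created": "2024-06-10T00:00:00Z",
        "creators": ["Organization: Example Telco Vendor", "Tool: example-sbom-tool-1.2.0"],
        "creatorComment": "SBOM Type: Build",
    },
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0"},
        {"SPDXID": "SPDXRef-lib", "name": "example-lib", "versionInfo": "2.3"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-lib"},
    ],
}

# Constructed sample mirroring typical scanner output: a versioned tool and a
# DESCRIBES relationship, but no Organization, no CreatorComment, no CONTAINS.
SCANNER_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "nginx-image",
    "creationInfo": {
        "created": "2024-06-10T00:00:00Z",
        "creators": ["Tool: example-scanner-0.105.1"],
    },
    "packages": [{"SPDXID": "SPDXRef-nginx", "name": "nginx", "versionInfo": "1.24"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-nginx"},
    ],
}

if __name__ == "__main__":
    import sys
    doc = load_sbom(sys.argv[1]) if len(sys.argv) > 1 else SCANNER_SBOM
    for rule, ok in check_telco_required(doc).items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}")
```

Run it with a path to an SPDX JSON file to see a per-rule PASS/FAIL list; with no argument it evaluates the constructed scanner sample, which fails the Organization, CreatorComment and CONTAINS rules in the same way the empty "SBOM creator comment" row scores 0.0 in the table report further down. Scope rules such as "all transitive open-source components" are not checkable from the file alone and are deliberately left out.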

Timing of SBOM Delivery

  • The SBOM SHALL be delivered no later than at the time of the delivery of the software (in either binary or source form).

Method of SBOM delivery

  • Embed in the software package (if feasible), OR
  • Provide a web-hosted version that is available to copy and store for at least 18 months (if embedding is not feasible)

SBOM Verification

  • It is recommended to include a digital signature of the SBOM to ensure its integrity

SBOM Merger

  • A conformant SBOM can be built from several SBOM files using SPDX relationships
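SPDX 2.x lets one document point at another through externalDocumentRefs, each carrying the other document's namespace and a checksum, and then use DocumentRef-prefixed identifiers in relationships. The code below is an added example, not sbomqs or OpenChain code, of assembling a product-level SBOM from a top-level document plus per-component SBOM files in that way. It assumes child documents are distributed as compact, key-sorted JSON so that the recorded SHA256 is reproducible; the checksum binding it verifies is a different mechanism from the digital signature the guide recommends above. All documents in it are constructed samples.

```python
"""Build one SPDX SBOM from several by reference, and verify the references.

Added example; not sbomqs or OpenChain code. Uses SPDX 2.3 externalDocumentRefs
and DocumentRef-qualified relationship targets.
"""
import hashlib
import json
import re


def document_ref_id(name):
    """Derive a DocumentRef identifier; SPDX idstrings allow letters, digits, '.' and '-'."""
    return "DocumentRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def sha256_of_document(doc):
    """Checksum of a child SBOM as distributed (assumption: compact, key-sorted JSON)."""
    data = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def merge_by_reference(parent, parent_root_id, children):
    """Return a copy of `parent` that references every child document through
    externalDocumentRefs and a CONTAINS relationship from `parent_root_id`
    to the child's SPDXRef-DOCUMENT element."""
    merged = json.loads(json.dumps(parent))  # deep copy, leave the input untouched
    refs = merged.setdefault("externalDocumentRefs", [])
    rels = merged.setdefault("relationships", [])
    for child in children:
        ref_id = document_ref_id(child["name"])
        refs.append({
            "externalDocumentId": ref_id,
            "spdxDocument": child["documentNamespace"],
            "checksum": {"algorithm": "SHA256", "checksumValue": sha256_of_document(child)},
        })
        rels.append({
            "spdxElementId": parent_root_id,
            "relationshipType": "CONTAINS",
            "relatedSpdxElement": f"{ref_id}:SPDXRef-DOCUMENT",
        })
    return merged


def verify_external_refs(merged, children_by_namespace):
    """Re-hash each referenced child and confirm it matches the recorded checksum,
    so a swapped or edited component SBOM is detected before it is trusted."""
    for ref in merged.get("externalDocumentRefs", []):
        child = children_by_namespace.get(ref["spdxDocument"])
        if child is None:
            return False
        if sha256_of_document(child) != ref["checksum"]["checksumValue"]:
            return False
    return True


# Constructed samples: a product-level SBOM and one component SBOM.
PARENT_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-product",
    "documentNamespace": "https://sbom.example.invalid/example-product/1.0",
    "packages": [{"SPDXID": "SPDXRef-product", "name": "example-product", "versionInfo": "1.0"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-product"},
    ],
}

CHILD_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "lib-a",
    "documentNamespace": "https://sbom.example.invalid/lib-a/2.3",
    "packages": [{"SPDXID": "SPDXRef-lib-a", "name": "lib-a", "versionInfo": "2.3"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-lib-a"},
    ],
}

if __name__ == "__main__":
    merged = merge_by_reference(PARENT_SBOM, "SPDXRef-product", [CHILD_SBOM])
    print(json.dumps(merged["externalDocumentRefs"], indent=2))
    print("references verify:",
          verify_external_refs(merged, {CHILD_SBOM["documentNamespace"]: CHILD_SBOM}))
```

Keeping the component SBOMs as separate, checksummed documents rather than copying their packages into the parent preserves each supplier's original file, which matters when those files are themselves signed.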

Interlynk for OpenChain Telco SBOM Conformance

Interlynk maintains sbomqs, an open-source multi-spec utility that is widely used to assess SBOM quality and conformance against the NTIA Minimum Elements and BSI TR-03183-2.

We have expanded its capabilities to report on OpenChain Telco conformance as well.

sbomqs can now produce a basic or a detailed report, in table or JSON format.

Basic Report

sbomqs compliance -t -b ~/Downloads/syft-0.105.1_nginx-stable-bullseye-perl.spdx.json
OpenChain Telco Report
Score:4.0 RequiredScore:4.0 OptionalScore:0.0 for /Users/interlynk/Downloads/syft-0.105.1_nginx-stable-bullseye-perl.spdx.json

Table Report

OpenChain Telco Report
Compliance score by Interlynk Score:4.0 RequiredScore:4.0 OptionalScore:0.0 for /Users/interlynk/Downloads/syft-0.105.1_nginx-stable-bullseye-perl.spdx.json
* indicates optional fields
+--------------------------------------------------------+---------+------------------------------+---------------------------------------------------------------------------+-------+
|                       ELEMENTID                        | SECTION |          DATAFIELD           |                              ELEMENT RESULT                               | SCORE |
+--------------------------------------------------------+---------+------------------------------+---------------------------------------------------------------------------+-------+
| SBOM Format                                            |     3.1 | SBOM data format             | spdx                                                                      |  10.0 |
+--------------------------------------------------------+---------+------------------------------+---------------------------------------------------------------------------+-------+
| SPDX Elements                                          |     3.2 | Spec version                 | SPDX-2.3                                                                  |  10.0 |
+                                                        +---------+------------------------------+---------------------------------------------------------------------------+-------+
|                                                        |     3.2 | Spec spdxid                  | DOCUMENT                                                                  |  10.0 |
+                                                        +---------+------------------------------+---------------------------------------------------------------------------+-------+
|                                                        |     3.2 | SBOM creator comment         |                                                                           |   0.0 |

JSON Report

sbomqs compliance -t -j ~/Downloads/syft-0.105.1_nginx-stable-bullseye-perl.spdx.json
{
  "report_name": "Open Chain Telco Report",
  "subtitle": "Part 2: Software Bill of Materials (SBOM)",
  "revision": "",
  "run": {
    "id": "0822860e-c4e3-4833-9dc1-7c367339e5c9",
    "generated_at": "2024-07-03T18:58:39Z",
    "file_name": "/Users/interlynk/Downloads/syft-0.105.1_nginx-stable-bullseye-perl.spdx.json",
    "compliance_engine_version": "1"
  },
  ....