Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)
Third Edition
Tooling and Implementation Working Group hosted by the Cybersecurity and Infrastructure Security Agency (CISA)
September 3, 2024
Photo by Luke van Zyl on Unsplash

Table of Contents

Table of Contents 2
About This Document 4
1 Problem Statement 5
    1.1 Goals 5
2 What is an SBOM? 7
    2.1 SBOM Elements 8
    2.2 Baseline Attributes 9
        2.2.1 SBOM Meta-Information 9
            2.2.1.1 Author Name 9
            2.2.1.2 Timestamp 10
            2.2.1.3 Type 10
            2.2.1.4 Primary Component (or Root of Dependencies) 10
        2.2.2 Component Attributes 10
            2.2.2.1 Component Name 11
            2.2.2.2 Version 12
            2.2.2.3 Supplier Name 12
            2.2.2.4 Unique Identifier 13
            2.2.2.5 Cryptographic Hash 14
            2.2.2.6 Relationship 15
                2.2.2.6.1 Primary Relationship 16
                2.2.2.6.2 "Included In" Relationship 16
                2.2.2.6.3 Heritage or Pedigree Relationship 16
                2.2.2.6.4 Relationship Completeness 16
            2.2.2.7 License 17
            2.2.2.8 Copyright Notice 18
    2.3 Undeclared SBOM Data 18
        2.3.1 Unknown Component Attributes 19
        2.3.2 Redacted Components 20
        2.3.3 Unknown Dependencies 20
    2.4 Supplemental Information to Support Use Cases 21
    2.5 Mapping to Existing Formats 22
    2.6 SBOM Examples 23
3 SBOM Processes 26
    3.1 SBOM Creation: How 26
    3.2 SBOM Creation: When 27
    3.3 SBOM Exchange 27
    3.4 Software Supply Chain Rules 28
    3.5 Roles and Perspectives 30
        3.5.1 Perspectives 30
            3.5.1.1 Produce 30
            3.5.1.2 Choose 30
            3.5.1.3 Operate 30
    3.6 SBOM Use Cases 31
        3.6.1 Vulnerability Management and Vulnerability Exploitability eXchange (VEX) 31
        3.6.2 Intellectual Property (IP) 32
        3.6.3 Secure Supply Chain Software Assurance 32
    3.7 Tool Support 32
4 Conclusion 33
Appendix A Edition Changes 34
Appendix B Terminology 35
Appendix C Third Edition Acknowledgements 39

Abou