lvl 2 and lvl 3 is impossible due to requiring both reproducability and non-reproducability of SBOMs #31
Comments
|
SCVS does not reference the reproducible builds project as that project is counter to some of the requirements in SCVS. It is not the intent of Properly created SBOMs are not compatible with reproducible builds because of the use of timestamps, detailed provenance information (which is nearly impossible to be reproducible), and, depending on the format, serial numbers. As stated recently by NTIA:
and
https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf I think |
|
Thanks for the reply. I find that repeatable here is just another word for reproducible. It's just reproducible excluding the timestamp again, if that's the position I think just saying that is the best option. I'd be interested to hear some details on how the timestamp supports the origin of the data. I don't quite understand "help identify updated versions of the SBOM". I might be misunderstanding the goal of that statement but is there not a schema version that helps with this? I'll try make a proper writeup around timestamps at some point |
|
If we have to include timestamps in the SBOM itself and not as some sort of attestation where the SBOM is reference materials, it will make it hard to content address and validate SBOMs by hash when we are trying to check stuff like reproducible builds. |
I am genuinely interested how provenance information is nearly impossible to reproduce. Do you have an example? |
One example may be DNS resolution to a repository which is supplying open source components. There's no guarantee you'll be fetching components from the same mirror every time a build happens. An adversary, may simply use a mirror they control for recon while still providing artifacts that have the same checksums. Reproducible? Yes, But provenance has changed outside of the build. |
Mmh. Assuming a secure hash was used as a checksum is the exact server really relevant or important as provenance information? |
Provenance = origin. Relevant, yes. As important may be a point of discussion for every organization. There are many security, legal, and regulatory use cases where provenance matters. |
|
I guess I have too weak of an understanding of provenance for some contexts, especially legal, but I’d rather see “this was provided by a project of the Apache Foundation” as provenance rather than “this was delivered by a server with ip x.x.x.x via routers a, b and c”. I.e. I’d see the artifacts hash as the way to guarantee the known origin, rather than the download location. Actually, I guess a signature would be even preferable. Do you happen to have a link to a definition of provenance that could improve my understanding? Thanks a lot for your time and patience. |
|
Happy to help @loewenstein The OWASP, MITRE, and NIST definition of provenance are in alignment and can be decomposed to the English language definition as well. The OWASP definition of provenance can be found at: https://owasp.org/www-community/Component_Analysis which currently reads:
NOTE: If you're coming from the SLSA world, their definition of provenance is not aligned to the rest of the industry, so may be confusing at first. |
|
So is OWASP/CycloneDX's approach to consider SBOM and Provenance as the same thing & your SBOMs will record the IP addresses queried during the generation? You can have a BOM that describes you want a screw that meets X requirements but any manufacturer works, or you want Y specific screw from a manufacturer but where you get it doesn't matter. Then via policy and gathering detailed provenance for that screw you could accept screws from company A or even specifically their factory B, but not from company C For the vast majority of work cases people only want to validate "this came from GH" or "this came from npm" by validating https certs. The threat of "do I know this specific IP from their CDN" is pretty extreme and I'd be interested in hearing:
The difference between software and a screw is you may trust company A or have even tested their screws hold up to spec & quality control. But for company C you'd have to check again & establish some trust in their quality control etc. I could ramble a bunch more of my initial thoughts, but without an end to end example/scenario it's very hard to discuss what the threats actually are & how we'd solve those issues the word mirror is pretty loaded so it's important to clarify there Also is there a better forum for these kinds of discussions? 🙂 |
|
With CycloneDX specifically, for provenance it supports:
For every component and service identified in the BOM along with the component for which the BOM describes. In the case of DNS, that was just one example, however, a more common example would be use of npm.js vs the use of an internal proxy of npm.js such as Sonatype Nexus Repository, jFrog Artifactory, and AWS CodeArtifact. Where something was obtained from is a requirement for most high-assurance environments. The project does have a Slack channel if you'd prefer that. https://owasp.org/slack/invite Once in, navigate to #project-scvs. Going back to reproducibility of SBOMs, the NTIA minimum elements require a timestamp for when the SBOM was generated. |
2.2 SBOM creation is automated and reproduciblemeans the SBOM must be reproducible, a good requirement for lvl2 and lvl3.2.7 SBOM is timestampedrequires a timestamp for every level.Timestamps are the bane of reproducibility.
https://reproducible-builds.org/docs/timestamps/
I can understand the desire for a timestamp but if it's included there needs to be details around the idea of
SOURCE_DATE_EPOCH(a timestamp based on the last modification to any of the source or some other fixed timestamp). It needs to be clearly explained that this is allowed for the timestamp and is in fact required once you require reproducibility for lvl2+.https://reproducible-builds.org/docs/source-date-epoch/
Tangentially related to #9 request for more explanation
The text was updated successfully, but these errors were encountered: