Here’s a quick, concrete proposal to lock in a stable SBOM model for Stella Ops: use SPDX 3.0.1 as your canonical persistence schema and CycloneDX 1.6 as the interchange “view,” bridged by a deterministic transform.
Why this pairing
- SPDX 3.0.1 gives you a rigorous, profile‑based data model (Core/Security/AI/Build, etc.) with explicit Relationship semantics—ideal for long‑lived storage and graph queries. (SPDX)
- CycloneDX 1.6 excels at exchange: widely adopted, supports services/SaaSBOM, attestations (CDXA), CBOM (crypto inventory), MLBOM, and more—perfect for producing portable BOMs for customers and regulators. (CycloneDX)
Target architecture (minimal)
- Persistence: Store SBOMs as SPDX 3.0.1 (JSON‑LD/RDF), normalized into your Mongo event‑sourced graph; keep Relationship edges first‑class. (SPDX)
- Interchange: On export, render CycloneDX 1.6 (JSON/XML) including components, services, dependencies, vulnerabilities, and optional CBOM/CDXA blocks. (SBOM Observer)
- Deterministic transform: Define a static mapping table (SPDX→CycloneDX) with sorted collections, stable UUID seeds, and normalized strings to guarantee byte‑for‑byte reproducibility across offline sites.
Quick win mapping examples
- SPDX Element + RelationshipType → CycloneDX dependencies graph. (SPDX)
- SPDX Security profile findings → CycloneDX vulnerabilities entries. (SPDX)
- SPDX AI/Build profiles → CycloneDX MLBOM + CDXA attestations (build/provenance). (SPDX)
- Crypto materials (keys/algos/policies) held in SPDX extensions or attributes → CycloneDX CBOM on export for policy checks (CNSA/NIST). (CycloneDX)
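To make the "deterministic transform" and the Element/Relationship → dependencies mapping above concrete, here is an added, self-contained Python sketch (not Stella Ops code, and not the .NET exporter proposed later). It assumes a simplified SPDX 3 JSON-LD shape (`@graph` of elements with `type`, `spdxId`, `name`, `software_packageVersion`, and `Relationship` elements with `from`/`to`/`relationshipType`), a hypothetical static type-mapping table, and a hypothetical fixed UUIDv5 namespace as the "stable UUID seed"; the sample SBOM is constructed. It shows the three ingredients the proposal names (sorted collections, a seeded serial number, normalized strings) and that two differently ordered and differently whitespaced inputs yield byte-identical CycloneDX output.

```python
"""Deterministic SPDX 3 -> CycloneDX 1.6 transform (illustrative, not project code)."""
import json
import unicodedata
import uuid
from typing import Any

# Hypothetical fixed namespace used as the UUIDv5 seed; a real deployment pins its own.
BOM_UUID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://stella-ops.invalid/sbom-export")

# Static mapping table (assumed): SPDX 3 element type -> CycloneDX component type.
COMPONENT_TYPE_MAP = {
    "software_Package": "library",
    "software_File": "file",
}


def normalize(s: str) -> str:
    """NFC-normalize and collapse whitespace so equivalent strings serialize identically."""
    return " ".join(unicodedata.normalize("NFC", s).split())


def export_dict(spdx_doc: dict[str, Any]) -> dict[str, Any]:
    """Map SPDX elements/relationships to a CycloneDX 1.6 document with sorted collections."""
    components: list[dict[str, Any]] = []
    deps: dict[str, set[str]] = {}
    for el in spdx_doc["@graph"]:
        kind = el.get("type")
        if kind in COMPONENT_TYPE_MAP:
            ref = normalize(el["spdxId"])
            comp = {"type": COMPONENT_TYPE_MAP[kind], "bom-ref": ref, "name": normalize(el["name"])}
            if el.get("software_packageVersion"):
                comp["version"] = normalize(el["software_packageVersion"])
            components.append(comp)
            deps.setdefault(ref, set())  # every component gets a dependencies entry
        elif kind == "Relationship" and el.get("relationshipType") == "dependsOn":
            src = normalize(el["from"])
            deps.setdefault(src, set()).update(normalize(t) for t in el["to"])
    components.sort(key=lambda c: c["bom-ref"])
    dependencies = [{"ref": r, "dependsOn": sorted(ts)} for r, ts in sorted(deps.items())]
    body: dict[str, Any] = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "components": components,
        "dependencies": dependencies,
    }
    # Serial number derived from the canonical content, so identical content => identical UUID.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    body["serialNumber"] = f"urn:uuid:{uuid.uuid5(BOM_UUID_NAMESPACE, canonical)}"
    return body


def to_cyclonedx(spdx_doc: dict[str, Any]) -> bytes:
    """Canonical, byte-stable JSON encoding of the exported BOM."""
    return json.dumps(export_dict(spdx_doc), sort_keys=True,
                      separators=(",", ":"), ensure_ascii=False).encode("utf-8")


# Constructed sample SBOM in a simplified SPDX 3 JSON-LD shape.
SAMPLE_SPDX = {
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "Relationship", "spdxId": "urn:ex:rel-1", "from": "urn:ex:app",
         "relationshipType": "dependsOn", "to": ["urn:ex:lib-zlib", "urn:ex:lib-openssl"]},
        {"type": "software_Package", "spdxId": "urn:ex:lib-zlib", "name": "zlib",
         "software_packageVersion": "1.3.1"},
        {"type": "software_Package", "spdxId": "urn:ex:app", "name": "stella-scanner",
         "software_packageVersion": "2.0.0"},
        {"type": "software_Package", "spdxId": "urn:ex:lib-openssl", "name": "openssl",
         "software_packageVersion": "3.0.13"},
    ],
}

# Same content as SAMPLE_SPDX, but reordered and with stray whitespace (constructed).
SAMPLE_SPDX_REORDERED = {
    "@context": SAMPLE_SPDX["@context"],
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:ex:lib-openssl", "name": " openssl ",
         "software_packageVersion": "3.0.13"},
        {"type": "software_Package", "spdxId": "urn:ex:app", "name": "stella-scanner",
         "software_packageVersion": "2.0.0 "},
        {"type": "Relationship", "spdxId": "urn:ex:rel-1", "from": "urn:ex:app",
         "relationshipType": "dependsOn", "to": ["urn:ex:lib-openssl", "urn:ex:lib-zlib"]},
        {"type": "software_Package", "spdxId": "urn:ex:lib-zlib", "name": "zlib",
         "software_packageVersion": "1.3.1"},
    ],
}


def is_reproducible(a: dict[str, Any], b: dict[str, Any]) -> bool:
    """True when two SPDX inputs export to byte-identical CycloneDX."""
    return to_cyclonedx(a) == to_cyclonedx(b)


if __name__ == "__main__":
    print(to_cyclonedx(SAMPLE_SPDX).decode())
    print("reproducible:", is_reproducible(SAMPLE_SPDX, SAMPLE_SPDX_REORDERED))
```

Two design points worth carrying into the real exporter: the serial number is computed after the body is canonicalized, so it can never depend on input ordering; and every component gets a `dependencies` entry even with an empty `dependsOn`, which keeps the graph shape stable when a later scan adds or removes an edge.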
Governance & standards signal
- SPDX 3.0.x is actively aligned with OMG/ISO submissions (good long‑term bet for storage). (SPDX Lists)
- CycloneDX 1.6 is the current, actively enhanced interchange standard used across vendors and tooling. (GitHub)
If you want, I’ll draft the exact field‑by‑field mapping table (SPDX profile → CycloneDX section), plus a small .NET 10 library skeleton for the deterministic exporter.