Set supplier instead of author to Conan #143
Conversation
|
|
|
Hello @fschoenm, setting the supplier to Conan would not be correct for company internal packages. Do you know https://github.com/Festo-se/cyclonedx-editor-validator ? We use this tool to "fix" the SBOM to our needs. Maybe this would also solve your problem. |
|
@dkoerner-festo That's true. But what would be your proposal? Setting the supplier is mandatory in our organization and (apparently) also for the US government, while the author is an optional field and additionally set to a misleading value by the current implementation. |
|
Just as an extra hint, this is an |
|
@memsharded I'm aware of that but keeping our own version as close as possible to the "source" version here makes integrating upstream changes much easier. Not sure why no one is commenting on the intent of this PR though. Shouldn't this extension at least meet the requirements of the linked PDF, or do you have a different goal in mind? |
I'm not a SBOM expert, but as far as I know, setting the author also fulfills the NTIA requirements. |
|
@fschoenm And we also have our own version of the extension ;) |
@dkoerner-festo I could use the def create_component(node) -> Component:
extension_properties = getattr(node.conanfile, "extension_properties", {})
purl = package_url(node)
component = Component(
type=package_type_to_component_type(node.conanfile.package_type),
name=node.name or f'UNKNOWN.{id(node)}',
author=node.conanfile.author if node.conanfile.author else None,
supplier=OrganizationalEntity(name=extension_properties["supplier"] if "supplier" in extension_properties else "Conan"),
version=node.conanfile.version,
licenses=licenses(node.conanfile.license),
bom_ref=purl.to_string() if purl else None,
purl=purl,
description=node.conanfile.description
)
if node.conanfile.homepage:
component.external_references.add(ExternalReference(
type=ExternalReferenceType.WEBSITE,
url=XsUri(node.conanfile.homepage),
))
return componentThen it would be possible to set it like this in a conanfile: |
The truth is that the large majority of users don't use packages from ConanCenter directly in production, but they build their own binaries from source, due to compliance, regulatory or other industry constraints. We are happy with this, and we even created the |
@memsharded Wouldn't it make even less sense to set "Conan" as the author of a component then? |
Yes, I think you are right, but I am not SBOM expert, so probably contributor @hedtke and cyclonedx @jkowalleck could give some advice here. |
"Author of SBOM Data" could be done in either one of those:
Both, authors and manufacturer, are legal entities. Not tools nor machines. Tools used for generating the SBOM go to "Supplier Name" for components would be
Please be aware, that a component's supplier is a legal entity. The only one who is able to tell who that supplier is, is the one who is supplied by them - which is you, @fschoenm. @fschoenm, please be aware, that SBOM generators are just one part of the tooling you may use for legally binding SBOM generation. They help you to gather some facts and evidences. They are not intended to provide a ready-to-use all-purpose SBOM. |
|
@jkowalleck I'm aware of these facts but they're not particularly helpful in determining the outcome of this PR, so I have some questions:
|
Disagree. conan is a tool, not a legal entity.
Disagree. conan is a tool, not a legal entity. again: YOU or YOUR ORGANIZATION are the author/manufacturer of the SBOM, some tool you use in the process. |
|
@jkowalleck Nothing in this whole PR is about |
you must be joking, right? it was you how told that they were looking for a solution for "Author of SBOM Data" according to NTIA compliance. and the answer is: I am not here for your wrong implementation, but to teach you SBOM in general :-) |
| @@ -102,7 +102,8 @@ def create_component(node) -> Component: | |||
| component = Component( | |||
| type=package_type_to_component_type(node.conanfile.package_type), | |||
| name=node.name or f'UNKNOWN.{id(node)}', | |||
| author=node.conanfile.author if node.conanfile.author else "Conan", | |||
There was a problem hiding this comment.
this was wrong in the first place: "Conan" is a tool, not a legal entity, and may not be an author nor supplier.
I did not. This whole PR is about how to set |
|
I am on sick leave. Will be able to look into it in some weeks |
|
In my opinion, the extension should not add any data that is not directly derived from the package metadata. The current solution of setting the author to Conan is not correct. We also have our own fork of the extension. We set the copyright for our own packages, but that's not a generic solution either. I like @fschoenm idea of setting some fields based on extension_properties. @memsharded how about adding the commonly used SBOM fields as Conan package metadata? (e.g. copyright, supplier) |
This seems it could be a down the rabbit hole issue, with more and more requests to further add a new field of the many that can be found in https://cyclonedx.org/capabilities/sbom. And adding fields in Then I would advice to probably use the generic |
|
The specs state that manufacturer could be used when using automated processes:
So when conan generates a BOM, it should probably set
So assuming I would create a some application and included this very extension in it. Who would be the supplier for this extension? I always understood it that I/my Org is the supplier when we deliver it to customers. Or would @memsharded be the supplier without knowing that he supplied me? Additionally, as I pointed out in #146, I am unsure conan's definition of "author" does match the SBOM definition, I think they do not match. In conan, "author" is the recipe author or maintainer (see https://docs.conan.io/1/reference/conanfile/attributes.html#author and https://docs.conan.io/2/reference/conanfile/attributes.html#author), not necessarily the author of what we package with that recipe. In SBOM the metadata.author would be the SBOM author, and $.component.author the author of what we package, not the recipe – unless it's the conanfile.py we package. |
We would like to use Conan's SBOM generation in our organization but there are still a few obstacles. For one, our organization requires the supplier to be set (while the author is optional).
This seems to match the description about "minimum elements" in https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf, which requires the "Supplier Name" for components and the "Author of SBOM Data". I believe the interpretation in the original PR (#80) was mistaken.
From the CycloneDX spec:
In our interpretation, the author is the developer of the component, while the supplier is Conan/Conan Center in this case. (There's a separate field for the author(s) of the SBOM itself.) Both fields are optional from a spec point of view, which is why I set the author to
None.Please let me know what you think in case you disagree.
cc/ @danimtb