SBOMS and supply chains
What is new in SPDX 3.1 which is now a Living Knowledge Graph
<p>SPDX 3.1 is transforming from a flat bill of material scheme to a knowledge graph” that now covers hardware, supply-chain security and safety tests, and the 130+ crypto algorithms that are used on your data. The AI/Dataset profile added three must-have lines for every smart assistant—AI Agent, Prompt, and RAG so you can see exactly how your AI system (Basiic AI, GenAI and Agentic AI) was created </p>
<p>SPDX has also added a SPDX crypto lalgorithm list which is similar to the methodology and process that was used for the SPDX License list. There are over 130 algorithms that have been reviewed by the SPDX Working group</p>
<p>Demonstrate some newly available SPDX SBOM tools that can automate creating SBOM for existing AI system. </p>
<p>In this talk we will:
1. Show the ontology and how a single spdx:Element can simultaneously be:
hw:Chip (Hardware )
da:Requirement (Design-Assurance)
crypto:Algorithm (Cryptology)
sc:TransportEvent (Supply-Chain)
2. Show how to query the knowledge graph to:
“Return every AI model that was trained on dataset x deployed on a hardware y whose root-of-trust implements one of the 130 curated cryptographic algorithms, and that passed a functional-safety test required by CRA.”
3. Show how the new classes in AI/Dataset profile and relationship can document an Agentic AI system<br />
4. Demonstrate how for CRA, ISO 42001, and FDA : where each regulation asks a different question, but all questions can be seen as graph walk(s).</p>
Weitere Infos
| Live Stream | https://live.fosdem.org/watch/ud2208 |
|---|---|
| Format | devroom |
| Sprache | Englisch |
Weitere Sessions
| 01.02.26 |
<p>Welcome to another year of the SBOM devroom, now also including more general Supply Chain topics!</p> <p>The organizers will introduction the topics and the structure of the devroom.</p>
|
| 01.02.26 |
<p>The growing use of Software Bill of Materials (SBOMs) has introduced a new challenge with six different types exist (Design, Source, Build, Analysed, Deployed, and Runtime). As each type captures component information at a unique point in the development lifecycle, it is no longer sufficient to say that you want an SBOM' you need the right one which meets your use case. So how do you determine which SBOM type is the right fit for your specific use case?</p> <p>This session attempts to provide ...
|
| 01.02.26 |
<p>Modern embedded products are no longer single-processor devices. A typical architecture combines a Linux-based main system, one or more microcontrollers running RTOS workloads, and cloud-side processing also running on Linux. Each of these components produces its own SBOM - often using different formats, tooling, and levels of detail.</p> <p>But what happens when you need to use all of them together for vulnerability management?</p> <p>This talk shares a real-world journey of attempting to ...
|
| 01.02.26 |
<p>Various tools producing SBOMs for pre-built artifacts, such as container images, usually provide only a flat list of components - packages, libraries, RPMs, and binaries - without explaining where any of them originated. But why does this origin information matter, and how can we obtain it?</p> <p>To simply introduce the concept, imagine your build ecosystem as a bakery: the built container is the loaf of bread, and your SBOM is the ingredient label on the package. While customers only see a ...
|
| 01.02.26 |
<p>When a new CVE surfaces in an open-source dependency, teams face an immediate question: Do we really need to update? Is the vulnerability <strong>eploitable</strong>? In practice, nearly 90% of reported issues never affect the consuming application, but identifying the critical 10% is far from trivial. Reachability analysis offers a path forward by tracing vulnerable functions from the upstream component through multi-hop call graphs to determine whether the affected code is ever invoked ...
|
| 01.02.26 |
<p>The modern software supply chain is no longer suffering from a lack of data. Between SBOMs, SLSA provenance, and vulnerability scans, DevOps teams are drowning in attestations. However, a critical gap remains: the ability to aggregate this diverse evidence and enforce consistent, automated security decisions. Simply having an SBOM does not secure your pipeline; verifying its content against a trusted policy does.</p> <p>In this talk, we introduce <strong>Conforma</strong>, an open-source tool ...
|
| 01.02.26 |
<p>As one of the co-leaders of the CISA working group on <a href="https://github.com/SBOM-Community/SBOM-Generation">SBOM Generation</a> and a contributor to its accompanying <a href="https://github.com/SBOM-Community/SBOM-Generation/blob/main/whitepaper/Draft-SBOM-Generation-White-Paper-Feb-25-2025.pdf">whitepaper</a>, I’ve spent the last few years deep in the trenches of SBOM creation. With the EU’s Cyber Resilience Act (CRA) raising the bar for software transparency and lifecycle ...
|
