
In April, the OpenChain Telco Work Group completed work on version 1.1 of the OpenChain Telco SBOM Guide. This document helps to define what is a quality Software Bill of Materials in the context of supply chain management. It uses SPDX, the NTIA Requirements and the experience of the Telco industry to provide a clear, simple and easily adjustable approach. Today, with the release of the updated official validator, we are promoting the guide as generally available to the open source community.
Below you can:
- Learn more about the guide
- Get the guide in Chinese (Traditional), English, French and Japanese
- Get the validator
- Learn how to get involved in future development
What is this Guide?
The OpenChain Telco SBOM Guide aims to outline certain requirements related to how an entity creates, delivers, and consumes Software Bill of Materials (SBOM), so that entities that produce and/or consume SBOMs that conform to this guide can ensure repeatability and streamlining of tools and processes for generating and consuming SBOMs.
Note that this guide does not require a conforming entity to adopt OpenChain standards, but doing so is greatly encouraged.
This guide is designed to work at the level of an individual SBOM: an entity can use it as its sole way of delivering SBOMs, but it is the individual SBOM that the guide refers to, not the entity that provides the SBOM. An SBOM using this guide can be called “OpenChain Telco SBOM Guide Compatible.”
Want more context? We delivered a presentation at FOSDEM:
Updates from Version 1.0 to Version 1.1 of the Guide:
The following updates were made in version 1.1:
- Both PackageChecksum and PackageVerificationCode are allowed as the package hash.
- The package hash is RECOMMENDED instead of MANDATORY.
- ExternalRef is RECOMMENDED instead of MANDATORY.
- FilesAnalyzed is no longer MANDATORY.
- Examples are provided for the CISA SBOM Types.
- A RECOMMENDED syntax is given for CISA SBOM Types.
- sbomasm is given as a better example of an SBOM merge tool.
- A reference to the new CISA document is added.
An SBOM that conforms to version 1.0 of the Guide will also conform to version 1.1 of the Guide. The reverse is not true.
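To make the version 1.0 to 1.1 changes concrete, the following is an added, self-contained illustration (not the official openchain-telco-sbom-validator and not part of the Guide) that parses a constructed SPDX 2.x tag-value document and applies only the four rules listed above, with the severities the change list implies: under the assumed v1.0 table, the package hash, ExternalRef and FilesAnalyzed are MANDATORY; under v1.1, the hash and ExternalRef are RECOMMENDED and FilesAnalyzed is not checked. The page does not say which field v1.0 accepted as the hash, so this example accepts either PackageChecksum or PackageVerificationCode for both versions (an assumption). The sample SBOM, the rule-name strings and the function names are all constructed for the example.

```python
"""Toy checker for the Guide v1.1 relaxations over an SPDX tag-value SBOM.
Added illustration only: it is not the official validator and covers only the
four rules from the v1.1 change list, nothing else in the Guide."""
from dataclasses import dataclass

# Constructed sample: one package with hash and ExternalRef, one without.
# Not taken from any real product; the checksum is a placeholder.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-firmware
DocumentNamespace: https://example.invalid/spdx/example-firmware
Creator: Tool: handwritten-example

PackageName: libexample
SPDXID: SPDXRef-Package-libexample
PackageVersion: 1.2.3
PackageDownloadLocation: NOASSERTION
PackageChecksum: SHA256: 0000000000000000000000000000000000000000000000000000000000000000
ExternalRef: PACKAGE-MANAGER purl pkg:generic/libexample@1.2.3
PackageLicenseConcluded: MIT

PackageName: vendor-blob
SPDXID: SPDXRef-Package-vendor-blob
PackageVersion: 7
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: NOASSERTION
"""

# Severity per rule and Guide version, modelled from the v1.1 change list.
# v1.0 severities are assumed from "X is RECOMMENDED instead of MANDATORY";
# FilesAnalyzed is absent from the v1.1 table because it is no longer required.
RULES_V10 = {"package-hash": "MANDATORY", "ExternalRef": "MANDATORY",
             "FilesAnalyzed": "MANDATORY"}
RULES_V11 = {"package-hash": "RECOMMENDED", "ExternalRef": "RECOMMENDED"}


@dataclass
class Finding:
    package: str
    rule: str
    severity: str


def parse_tag_value(text):
    """Split an SPDX tag-value document into package dicts (tag -> [values]).
    Document-level tags before the first PackageName are ignored because the
    rules modelled here are all package-level."""
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")  # first colon only, so
        if not sep:                            # "SHA256: ..." stays intact
            continue
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = {}
            packages.append(current)
        if current is not None:
            current.setdefault(tag, []).append(value)
    return packages


def field_present(pkg, rule):
    # v1.1 allows either SPDX field as the package hash (assumed for v1.0 too).
    if rule == "package-hash":
        return "PackageChecksum" in pkg or "PackageVerificationCode" in pkg
    return rule in pkg


def check(packages, rules):
    """Return one Finding per missing field, tagged with the rule's severity."""
    return [Finding(pkg["PackageName"][0], rule, severity)
            for pkg in packages
            for rule, severity in rules.items()
            if not field_present(pkg, rule)]


def conforms(packages, rules):
    """Only MANDATORY findings break conformance; RECOMMENDED ones are warnings."""
    return all(f.severity != "MANDATORY" for f in check(packages, rules))


def v11_relaxes_v10():
    """v1.1 checks no rule v1.0 did not, and none more strictly: this is why an
    SBOM conforming to v1.0 also conforms to v1.1 (but not the reverse)."""
    rank = {"RECOMMENDED": 0, "MANDATORY": 1}
    return all(rule in RULES_V10 and rank[sev] <= rank[RULES_V10[rule]]
               for rule, sev in RULES_V11.items())


if __name__ == "__main__":
    pkgs = parse_tag_value(SAMPLE_SPDX)
    for label, rules in (("v1.0", RULES_V10), ("v1.1", RULES_V11)):
        print(label, "conforms" if conforms(pkgs, rules) else "does not conform")
        for f in check(pkgs, rules):
            print(f"  {f.severity}: package {f.package!r} lacks {f.rule}")
```

Run as a script, the sample fails the assumed v1.0 table (libexample has no FilesAnalyzed, vendor-blob has no hash, ExternalRef or FilesAnalyzed) but conforms to v1.1 with two RECOMMENDED warnings on vendor-blob, which is the practical effect of the relaxations listed above. For real SBOMs, use the official validator linked later on this page.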
Get the Guide
Do you want to review the original 1.0 version of the guide? You can learn more and get it in multiple languages via the original Telco SBOM Guide version 1.0 launch announcement. You can also learn more about the version 1.0 validator in its original launch announcement.
Get the Validator
Our official validator for the Telco SBOM Quality Guide has been updated for version 1.1 and is available on the OpenChain Telco Work Group GitHub repo.
To install from PyPI, issue:
pip3 install openchain-telco-sbom-validator
or
pipx install openchain-telco-sbom-validator
Coming Next:
Development of the next generation of the guide will occur via the Telco Work Group, and everyone is welcome to contribute.
The OpenChain Telco Work Group mailing list is here:
The OpenChain Telco Work GitHub (for drafting) is here:
Related News:
Community Credits:
Huge credit to Marc-Etienne Vargenau for his steady hand in chairing the OpenChain Telco Work Group, and to Jimmy Ahlberg of Ericsson for kicking off that work group, and his continued work as the Chair of the OpenChain Project Governing Board. Special thanks to all of our wonderful community, especially the contributors inside the OpenChain Telco Work Group who made this happen.