
AGL Assessment Automation – Overview and Insights

By | 2026-03-26 | April 1st, 2026 | Featured

The discussion revolved around how to effectively manage Software Bill of Materials (SBOMs) in the automotive and embedded software industries, which are complex and critical. The core challenge is that without automated SBOMs, managing risks across many software parts is extremely difficult, especially given regulatory requirements and complex supply chains.

A key focus was on leveraging existing open-source tools and frameworks to streamline this process. Automotive Grade Linux (AGL), a non-profit open-source Linux project for automotive systems, was highlighted as a strong starting point. By combining AGL with Yocto (a build toolchain), the presenters proposed a robust foundation for embedded SBOM operations. During the session it was also mentioned that no certification is required for AGL, even for production use, which is a huge advantage.

The main idea was to build an automated system for assessing SBOMs, called AGL Assessment Automation (AAA). Its purpose is to create a reference system and share best practices for SBOMs in these industries. This involves:

  • Validating policy-based assessment automation within the AGL Continuous Integration (CI) system.
  • Adopting cybersecurity best practices from organizations like OpenSSF and CNCF, covering aspects like SBOM lifecycles and SLSA (Supply-chain Levels for Software Artifacts).
  • Targeting SPDX 3.0 JSON as the preferred SBOM format (which is Yocto-compatible).
  • Collaborating with various open-source communities like Yocto, OpenSSF, OpenChain, and SPDX.
  • Utilizing open-source, reusable toolchains.

The presentation showed a best-case implementation flow for SBOMs, involving steps like generating, verifying, analyzing, enriching, and sharing SBOMs, with a continuous focus on risk management and vulnerability monitoring. A crucial pipeline example demonstrated building an SBOM from AGL, verifying it, analyzing risks, enriching it with more data, attesting its validity, and finally publishing it.

For risk analysis, the proposed system would normalize SBOM data from various sources (like Yocto environments generating SPDX 2 or 3) and then use a policy engine, such as OPA (Open Policy Agent), to perform policy-based risk analysis against defined policies.

Initial proof-of-concept work showed promising results, particularly in validating Yocto SPDX 3 SBOMs generated from AGL. While tools for SPDX 3.0 validation are still emerging, a simple validator was implemented as a proof-of-concept.
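The normalize, validate, then policy-check sequence described above, together with the kind of simple SPDX 3 validator the proof-of-concept mentions, as an added Python sketch that is not the AAA project's own code. The SBOM snippet is constructed and simplified (only the element types and fields the check needs), and the policy function is a plain-Python stand-in for what an OPA Rego rule would express.

```python
import json

# Constructed, simplified SPDX 3.0 JSON-LD snippet in the shape Yocto emits (not real output).
SAMPLE_SBOM = json.dumps({
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:ex:pkg-openssl", "name": "openssl",
         "software_packageVersion": "3.2.1", "creationInfo": "_:ci"},
        {"type": "software_Package", "spdxId": "urn:ex:pkg-mystery", "name": "mystery-lib",
         "creationInfo": "_:ci"},
        {"type": "Relationship", "spdxId": "urn:ex:rel-1", "relationshipType": "hasDeclaredLicense",
         "from": "urn:ex:pkg-openssl", "to": ["https://spdx.org/licenses/Apache-2.0"],
         "creationInfo": "_:ci"},
    ],
})

# Fields a minimal structural check insists on per element type (a subset of the SPDX 3.0 model).
REQUIRED = {"software_Package": ("spdxId", "name", "creationInfo"),
            "Relationship": ("spdxId", "relationshipType", "from", "to", "creationInfo")}

def structural_errors(doc):
    """Return structural problems; an empty list means the document passes."""
    if "@context" not in doc or not isinstance(doc.get("@graph"), list):
        return ["document lacks @context or @graph list"]
    errors = []
    for el in doc["@graph"]:
        for field in REQUIRED.get(el.get("type", ""), ("spdxId", "creationInfo")):
            if field not in el:
                errors.append(f"{el.get('spdxId', '<no spdxId>')}: missing {field}")
    return errors

def policy_findings(doc):
    """Plain-Python stand-in for an OPA rule: flag packages lacking a declared license
    (a compliance gap) or a version (which defeats CVE/VEX matching)."""
    licensed = {r["from"] for r in doc["@graph"] if r.get("type") == "Relationship"
                and r.get("relationshipType") == "hasDeclaredLicense"}
    findings = []
    for el in (e for e in doc["@graph"] if e.get("type") == "software_Package"):
        if el["spdxId"] not in licensed:
            findings.append((el["name"], "no declared license"))
        if "software_packageVersion" not in el:
            findings.append((el["name"], "no package version"))
    return findings

def assess(raw_json):
    """Normalize (parse), validate structure, then apply policy only to valid documents."""
    doc = json.loads(raw_json)
    errors = structural_errors(doc)
    return errors, ([] if errors else policy_findings(doc))
```

Running `assess(SAMPLE_SBOM)` passes the structural check and flags `mystery-lib` twice, which is the kind of finding the risk-analysis stage would hand on to enrichment and review.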

Looking ahead, the next steps include exploring different policy engines like OPA or OSS Review Toolkit (ORT), enhancing CVE/VEX operations within the Yocto ecosystem, and further integrating SLSA for improved software supply chain security.