Create 2024-10-22.md

tech/2024/2024-10-22.md

@@ -0,0 +1,85 @@
+# SPDX Tech Team Meeting 2024-10-22
+
+## Attendees
+
+- Alfred Strauch
+- Arthit Suriyawongkul
+- Dick Brooks
+- Gary O'Neall
+- Ilans
+- Joshua Watt
+- Karsten Klein
+- Kate Stewart
+- Marc-Etienne Vargenau
+- Peter Monks
+- Steven Carbno
+
+## Agenda
+
+- New minimum SBOM elements from CISA published
+- spdx/using
+  - Add "How to Implement VEX in SPDX" doc
+    https://github.com/spdx/using/pull/6 -- Merged
+- Request for review / help on CISA SBOM Generation Container results for SPDX:
+  https://github.com/CISA-SBOM-Community/SBOM-Generation/actions/runs/11348338576
+- Translation of SPDX 3.0 specification
+- AI BOM white paper
+- spec-parser pending PR
+
+## Notes
+
+### CISA New minimum SBOM elements
+
+- New minimum SBOM elements from CISA was published last week.
+  https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024
+  Contains updated set of recommended minimum elements,
+  as well as better descriptions on how the fields should be filled out.
+- add a PR on the NTIA Conformance Checker to extend
+- add a PR to change name from NTIA Conformance Checker to "SBOM Framing Conformance"
+- NTIA mininimum elements - July 12, 2021
+- CISA SBOM framing - September 3, 2024
+
+### CISA SBOM Generation Container results for SPDX
+
+- CISA Tiger team on SBOM generation.  2 hours before this one.
+  - now generating SPDX; but tools generating SPDX aren't doing a good job (look at "SBOM quality").
+    https://github.com/CISA-SBOM-Community/SBOM-Generation/actions/runs/11348338576
+  - looking for help with analysis and putting in issues to the tools.
+  - ilans willing to help out.
+- Anyone else using the Interlynk tool? https://www.interlynk.io/
+  - Not much, probably issues in the quality tool itself.
+- It's being called a "Quality Score"
+- Not finding things for licensing, checksums, document license, licensing...
+- Probably related to issues to Trivy & Parlay as first tools.
+  - https://github.com/aquasecurity/trivy - Find vulnerabilities, misconfigurations, etc in SBOM
+  - https://github.com/snyk/parlay - Enrich SBOMs with data from third party services
+    - Parlay doesn't support SPDX 3 yet
+- Where the score comes from?
+  - discussion of Application - has NONE for all licenses.  Problem on generation side?  Yes.  CycloneDX & SPDX seeing same result.
+
+### Translation of SPDX 3.0 specification
+
+- Checking if the structure of translation files are as agreed
+  - https://github.com/spdx/meetings/blob/main/tech/2024/2024-05-28.md
+  - https://github.com/spdx/meetings/blob/main/tech/2024/2024-06-06-translation.md
+  - "ja" vs "jp" inconsistencies (ISO 639-1 language code uses "ja")
+- Japanese translation as a work in progress for the Open Source Summit Japan 28-29 Oct
+  See:
+  - https://github.com/spdx/spdx-3-model/pull/898
+  - https://github.com/spdx/spdx-spec/pull/1141
+- Chinese translations are also in progress, targetting the end of the month. 
+
+### AI BOM white paper
+- Kate showed team current draft, in last stages of review.
+- Expecting it to be published shortly.
+
+### Spec parser pending PR
+- URI of SPDX-invalid, looks weird downstream.
+- Discussion: AbstractClass is prefixed with <http://spdx.invalid./>
+  https://github.com/spdx/spdx-spec/issues/1089
+- A PR to use equivalentClass instead of AbstractClass
+  https://github.com/spdx/spec-parser/pull/158
+- The meeting in general like the approach and see the benefits but agreed to discuss more with Alexios
+
+### Next week
+- Follow up on the AbstractClass approach next week.