Call for Participation - SPDX DocFest

JavaScript isn't enabled in your browser, so this file can't be opened. Enable and reload.

SPDX DocFest - November 30, 2022 - 7am-11am PST

The SPDX project will be hosting another "DocFest" to bring together the producers and consumers of SPDX documents and walk through the differences between tools for the same images.

The goals of this DocFest is to:
1) come to agreement on how the fields should be populated for a given artifact, with a focus on the new 2.3 fields, but those that generate 2.2 are welcome.
2) identify instances where different use cases might lead to different choices for fields and structures of documents
3) assess how well the NTIA SBOM minimum elements are covered
4) create a set of reference SPDX SBOMs as part of the corpus for further tooling evaluation.

The organizers (Adolfo, Ivana, Gary, Kate & Nisha) will share a small set of simple targets to those that sign up to participate by Oct 28th.

This event will require "sweat equity" - participants whose tools produce documents are expected to have generated at least one SPDX document from the target set (either source, built from source, built image or container equivalent). Those who have signed up and have submitted at least first draft by Nov 4 will receive a meeting invite to the DocFest. Final due by Nov 11th.

Participants whose tools consume will have until November 18th to share evidence and be invited to participate in the DocFest.

For more information please feel free to contact:

puerco@chainguard.dev, goneall@sourceauditor.com, iyovcheva@vmware.com, kstewart@linuxfoundation.org, nisha@ctlfsh.tech

Name *

Contact Email *

Organization (if applicable)

How do you interact with SPDX SBOM Documents? *

Generate (Producer) SPDX documents

Consume SPDX documents

Generate and Consume SPDX documents

Other:

Do the SPDX SBOMs you interact with for the DocFest refer to *

Created to summarize source code

Created during Build/CI/Packaging/etc.

Created via analysis of a binary artifact

Create via analysis of a container

Created during deployment of an artifact in a system

Created to summarize a system during runtime

Other:

Required

(Optional) For future reference, which software languages do your tools understand?

Assembly

C / C++

Elixir

Erlang

Java

Javascript

Perl

PHP

Python

Ruby

Rust

Other:

What are the names and link to the tool(s) you are using to create the SBOM(s)?

How do you interact with the tool you are interfacing with SBOM(s)?

Code Owner (proprietary)

Maintainer (open source)

Contributor

User

Other:

Do you have an analysis tool you would be willing to run against all the produced SPDX documents? If yes, please let us know if you're willing to assist with the event.

(Optional) Any other questions or concerns?

Submit

Clear form

Never submit passwords through Google Forms.

This form was created inside of The Linux Foundation. Report Abuse

Forms