Okay everyone, the last one for the whole conference. Brave guys, thank you for coming here. So, what are we supposed to talk about? SBOMs. Everyone talked about SBOMs here, so I'm not talking about SBOMs. No, no, joking. This is not for that, but I will talk kindly about SBOMs, but nothing about what you have been listening to. So what do we actually have in the components included in SBOMs? This is mostly related to data.

But first, where I come from. I am Software Technology Lead at CARIAD. CARIAD is a small software company in the middle of the whole software group of Volkswagen; we just run four companies, automotive companies, they are just a small thing. I am co-chair of the OpenChain specification group, so the next security specification in OpenChain is coming from us. I have been OSS lead, OS domain, in BMW before, before the move into CARIAD, Volkswagen. I'm core maintainer for SW360 and a long-time KDE developer; long time is more than 22 years, but yeah, I'm old.

Basically we're talking about the agenda: several topics about things getting more complex if you have SBOMs, understanding the formats, determining. This is mostly what everyone talks about; if you go to any talk related to this at this conference, someone talks about part of this. So we're just going to relate some things about this.

So, the first thing: things got more complex, everything is used like Lego. Why do I say that? This is one thing that everyone gets wrong, mostly at this conference: SBOMs have nothing to do with the product that you release. Creating this has become magic. No, it's not. An SBOM is just the final contract of the whole process of getting everything agglutinated, and you get the result. SBOMs could be anything. We have been using SBOMs since forever, before it was called SBOM; we always had definitions and specifications for something, we always had a result. So you are just creating a name now and making this a product, which it actually is not, because if you produce bad data it doesn't matter whether we call it SBOM; it is worth nothing.

And then "10 times more complex than a few years ago": that's true and untrue, because all this complexity has existed forever; it always existed. The difference is that we didn't have these formats; we never saw these complex things. We still had millions of lines of code in applications in the past. And why is it so different today? Today it is because we have package managers, we have modules, we can separate these things, so the complexity is visible right now. It's not because it's more complex, that's the thing; and when you discover that it's visible, it becomes more complex to us.

Then "complex stacks with multiple technologies and languages". Yeah, okay. So before we had one or two languages? No, we always had those ones, but now it's easy for everyone to create a new language, a new stack, all the things, and hide the things. Okay, let's use the same thing that everyone did in the past: Ken Thompson? No? Yes, people did it. Left-pad? Oh, people already talked about this at this conference, so okay, let's not talk about that. But there we go, everyone talks about the same things at the conference.

Then you have "deep dependency trees": exactly what we had in the past. And "bugs and vulnerabilities": yes, so 10 years ago all the software was perfect, 30 years ago all the software was perfect, and only now do we have problems with vulnerabilities? Yeah, we didn't have the internet, but the hackers came before the internet. We even have histories of hacks using hard drive chips to actually make a persistent hack, the one that people think, "oh, Heartbleed, this is pretty new, you can put everything on the BIOS directly and pass directly through the chipset". No, it has existed for a long time. It's nothing new, it's just that we are seeing it now.

And then "complex software supply chains across actors": yeah, this has never existed before? Let's imagine that. Okay, sometimes, let's go to Nokia, their SDKs, or the Android SDK 1.0; it's way beyond, like 20 years ago. So there you go, is this really new? No, it's not. So that way you can see right now that basically in these things there really is nothing new, and the SBOM itself is just a declaration of what has been happening for a long time, and we're starting to see things magically. Why? Because we have faster intelligence in processing things; we have a very good understanding and knowledge about how we're doing things, even these complex pipelines that we run with things like GitHub or GitLab, where we have actions, pipelines; we have very advanced SDKs, and, let's say the very bad word for today, AI. Okay, so now we have AI; that's software. Is everything about this thing new? No, it's not, but there we are again.

So "SBOMs to the rescue". This is exactly the thing. So you got an SBOM, that's easy. Let's see exactly what is written here: "all the tools have the capacity to create some SBOMs nowadays". Pay attention now to exactly what they say: all the tools have some capacity to create SBOMs. Do the tools do exactly the same thing? Someone answer me. No, of course not. So if anyone here at this conference, or at any stand, says to you "my tool provides the best SBOM ever", what is he actually saying, why are you buying this thing? Because it only provides what the tool provides to you. So let's speak about the famous open source area: we have tools that do software catalogs, we have tools that do scanning, we have tools that do software heritage, we have tools that actually look for vulnerabilities. Do the tools do the same thing? No, they are completely different things. So are the SBOMs generated by these tools wrong? No. Are they complete? No. So your application can produce SBOMs? Yes, perfect. But does your application produce everything? No, it doesn't happen to anyone. If someone says to you "we provide the perfect SBOM for your company", they are lying, a pure lie, and no one can do that; even we, who work in open source, understand that one, and we say that we are not there. If you try to do everything, you will do it wrong and never do it right. So this is one thing that's important to understand.

So what's next: we have validations for formats, checking the content identifiers; these are obvious things we need to do. Next, then, we come to a component list: trust but verify. Then how do we verify the audit and license? Exactly what we are doing today, because it's what we have. And today I listened to several talks on SBOMs, and, okay, blockchain, turn it off. This is possible; Steve has been talking about it for a long time, about Hyperledger; we tried, it was too early at the time, we were right at the time but we were too early, and then people forgot about it, and then it's coming back again like a new thing that nobody tried. So it was there; there's logic there.

So "applying policies on top": what are your policies, which are the policies? People are talking a lot about this. This is one way to secure it: companies have different policies, which means that the resulting SBOM that's valid for you is not the same resulting SBOM that's valid for other ones. Tools don't extend this and don't understand this part; tools basically get the resulting data from somewhere and do it. So it means that the policy needs to be before the SBOM, and the policy comes from your company. So in the end the SBOM generator for one company is different from the other one's, which means that the SBOM is just a contract interface related to the data that comes before; how we produce the data, that's what's important. The SBOM is exactly the representation of
what we have done well before, and the proof of that.

So, understanding the SBOM formats: let's play the game now. What's the big fight today? Okay, we have CycloneDX; no, we want to produce SPDX; no, we want to produce whatever format. It's tiresome. This is something Gary commented on today: let's go back again to VHS versus Betamax, the SBOM version. No, no. This is exactly the thing: if you think about it, do you really care about the format that goes there, unless it properly represents what you want to be represented, and where the data comes from? Does CycloneDX make better data for me than SPDX, or are they actually the same data in a different way? It's basically the same data again. So it's something that I already wrote in a white paper: this is completely stupid, even from the point of view of us producing all the open source applications that we have; several applications that do different things are generating SBOMs in some way from the same source code. Why do you have four different resulting things for the same source code? And that is exactly the point: the SBOM today is just a representation of information that we can generate again, and it is not the same for everyone. So the question is how we can consolidate this information.

So you see, no SBOM creation tool could create the same SBOM from the same software, and that's exactly the truth; it doesn't matter if you pay millions to a company, it doesn't matter if you go to GitHub and download compilers or coders, it's the same thing, exactly the same thing. So there you go: at your receiving end, expect significant validation of the SBOM, in any format. The validation has nothing to do with the SBOM; the SBOM can produce the contract of the data, but the validation comes from somewhere else, as companies or universities or entities actually will validate the data. From there we have some minimum information that you want from the SBOM, but this is logical: companies demand more than the minimum information. So again, the format doesn't matter.

If you look at it, there are people talking about formats, and not about the specifics, but literally about formats, formats written there like YAML, JSON and tag-value. I even saw discussions in companies with lawyers and technicians at the same time discussing that, because the lawyer says "no, tag-value is better because I can see it better" and the technician says "no, we cannot use tag-value because it's completely hard to do technically". It's tiresome, really. This is mostly a logical thing that we do: the SBOM needs to provide the information that comes from a single source. What do you want to see? Please pick the data properly and generate it for you, but don't try to make something else out of the generated data; this is wrong.

So there you go, the slide about SBOM formats that work for you. Okay, did it work? Oh, okay: JSON, YAML, RDF, XML, tag-value, too many formats. And at some point there are people who ask me "can you create something that AI understands, and make a binary format, make it faster?" No, this doesn't make sense. So we need to minimize some of these things; we have too many formats. You know what you need: the information inside has to be correct.

So, for example: packages demand package URLs. Before, we didn't have anything related to this, and it is something that looks really, really simple to the mind of a developer: we never had any way to identify the origin of a package properly, and it became absurd in terms that we have several, several types of package managers and languages, and we simply didn't have any way to actually access this. Before, I could not tell if the package came from Maven or came from Sonatype or came from other things; it was just the name of the thing, they didn't even fight. So this is less creative [unclear], and package URL became some de facto thing; finally we have a description of what they can see there. This is the minimal information; this is actually something that goes into the SBOM and actually is valuable information right now.

So this is the same: now the original one, the CPE. CPE, yes, it was great for security and other parts, but it was a really old classification from the times when the modern situation did not exist. There is nothing wrong with CPEs or SWID; it's just that they are from the past; we move up, we need something better.

So, which components? There we go: this is the concept of packages and components, and this is again the discussion between CycloneDX and SPDX. The package and the component are exactly the same, and this actually creates a lot of confusion for everyone, because the understanding of a component and a package goes a little bit beyond this concept. If you think about it, let's go again to the main consumer of SBOMs: it's companies. It's not an open source guy that loves to work at home with SBOMs and be happy at home; no, this is something that goes to lawyers and persons inside companies. Companies don't actually deal with components; companies deal with projects. Projects contain some sub-projects and components inside the projects, and basically the transitive dependencies are a part of their project. Today we have a minimal way to represent the project itself in an SBOM: we can actually use, for example, external references, components for projects, and you can maybe treat the project as a package or component, the project itself becomes that. That's why, for example, the SPDX representation always has the document, and for every document there's one package that actually is the document itself, so it points to itself. It's a very interesting decision to take, but then it fails in the simple thing: we don't have a normal identification for the project itself. So how do we do that? This is not solved yet, and this is exactly what happens at the moment that people pass by exactly what they're doing now, this famous "SBOMs everywhere", and it creates SBOMs; when you start to appear in the end parts we will fail, and then you need this. So the same way that we usually have package URL, we will end up needing some kind of normal identification for projects, or a treaty about how to do it, or even separate these things in a way that you can connect them in external references, because projects talk to other projects inside the company.

And then there's one single word that they didn't talk about in these ones. Let's say, what is missing inside the company, what is missing in this part? Can anyone guess? This is something about the SBOM in a project itself, connected to what is missing in everything. It's hard to guess because nobody noticed: traceability. We don't have it. We don't have traceability. We have traceability for the component, we have it for the super-components, we don't have it for the project; we don't have it for your... the SBOM points to the software, it doesn't point to your internal requirements document, it doesn't point to us. We can add it as an external reference, yes; for 3.0 we will have this one, yeah, yeah, yeah, okay, but it's not completely filled this time. So we are still lacking traceability, and none of the tools used today generate any kind of traceability for this; even my project, that is basically controlling projects, is failing at that, so shame on me as well.

So there you go, you can see that we need something, and package URL is basically a single identifier for doing this kind of thing. You can see that it's an ingenious idea, but it's simple, and then you can adapt it to other things. You can see that a package is now represented in a way that you can see the origin, the package, the version, and you can add the extension, the variant, because what people usually don't know and never comment on is that the package itself sometimes, even the software, is a little modified or compiled in a different way, so it's actually not the same software that you get upstream. So the software that you're using inside the company, and are legally bound to, sometimes is a little bit different because of the way you compile it. A good example: OpenSSL. OpenSSL is not the same software released in China and released in the US; you have an export control problem. So there we go: libraries, Java, PHP, package URL for everything, and this is exactly the way, in comparison to the CPEs below: CPEs are really hard because they are very filled with things that people don't know about, what is disaster risks, people don't know about this. It's possible to extend the information in a way that no one, no software, properly fills the rest of this information, and that's what you fail to get. So simplifying is the good thing: we get the origin of the software itself, it's improved, it goes there, and you can extend things and connect to the parts.

So, how to trust and verify: this is complex, it's not simple. We can get some, let's say, tips: looking for licenses, you can connect with every single legal situation or association for that; you can actually look in databases for vulnerabilities, there are a lot of databases for everyone, so technically they should say the same results, but whether it's bad or different or right, that's always complex to say. Let's say GitHub has the largest information about open source software and vulnerabilities, yes, but GitHub is only 90%; 90% is a big number, yes, but we still have 10% of the entire internet that is not part of GitHub security. So we need to come from elsewhere; where do you get the elsewhere? Let's say, for example, that kind of information is not in GitHub security, so we need to get information from more parts. So these are completely different parts that you get. So we need to validate
in one or two or three or four different places. It's hard. So there we go: if you're thinking that at the end your SBOM is validated, it's because before that you ran a lot of tools to get the resulting data. That's just one simple thing that people think: the validation is not putting a stamp, in the very German way, a stamp on your file, and there we go, your file is good. No, sorry: if your data is bad, your SBOM will be bad as well. So with package URL we get this possibly related information, and Dependency-Check, Dependency-Track and other parts can use this information as a standard for everyone, and then this is becoming a standard. So it's the beginning; it's a small thing, it's just a really small thing, yes, it's a big small thing, but this actually represents that it is possible, using very simple things, to fill the gaps that we have today on these ones.

So, storing the SBOMs: that's complex. This question popped up in every SBOM talk at this conference, every single one. So let's say that we store the SBOMs. Say you have a very good way: you have your Artifactory, or you decided to use [unclear] to actually have an SBOM there. There's a single problem: you are talking about the SBOM as the end document, the result of your project, and then somehow, at one point of the whole process, something happens: you need to change your software, and you need another new dependency because you have whatever problem in the software. So the resulting SBOM differs. Oh, it's fine, we just generate another one and put it in [unclear], put it in Artifactory. But wait, your product has already been released; this one is on the market. How do you actually tell the people that bought the product and are using this one, "oh, please come back to me and pick the new one, because the one that you have is invalid"? No, we can't, because you don't even know where this part went; we don't even know which lawyer's office is using it, you don't know which third-party persons are doing something. You now have two versions or more of the valid information; which is the true one? This is the problematic part of that.

So we will simply have software evolve; we change things over time. So, for example, OSSelot is trying to do this kind of thing: you have a peer review. This is the most simple way we can find today, peer-reviewed SBOMs that we can actually keep for logical components; but this is not solved for exactly what we have for, again, our main customer, companies, or even government in this case: how do we guarantee that you get the SBOM properly? So the idea is that the data before the SBOM needs to exist; the SBOM is not the final result. We need to have the data somewhere, at a point where you can collect everything, so that when someone asks you "I want to see the bill of materials of your software", it's not that we get the file directly, a text file, anything; we generate it dynamically from the data that you actually have, properly curated, in some pool. So a very good data lake that is a single source of truth can provide the SBOM dynamically the way you want, and then you ask "oh, but I want format X or Y": it's the same source, the same data lake, dynamically created; we can provide everyone the format they want. We don't need to fight anymore about "I just store this format": this way we use this discussion to provide data that provides these things dynamically. So this kind of project works this way.

So, beyond the SBOMs: that's the interesting thing, because no one thinks about it. This SBOM data, let's say, how do you use the SBOM data? This is the first question: what do you do with the SBOM? Please answer me: what do you do with an SBOM? Let's say I generated the best SBOM ever, like companies are saying; what do you do with that, what does it serve you? Can you answer me? Yeah, you can make it perfect, yeah, great. Well, yes, you can monitor vulnerabilities, but it's a static file, it's not live. So if a vulnerability appears for the component, you need to generate a new SBOM for your product. Yes, if you have the version of the software correct. Okay, there we go, you got exactly the point. This is the perfect word, but companies are requesting to get the information on the vulnerability in the SBOM, and that's completely bonkers. There we go. Sorry, I won't make excuses with the lawyers; this is something that you cannot do. So the thing is that the company has different ways to deal with the resulting SBOM; they want external references for things that actually will change over time. So that's something that is very difficult to get, because it's becoming validated.

But let's say, forget about that; let's say that the SBOM is a perfect text file with perfect information and will never change. Can you use it for anything else? Oh yes. So let's go: you want to see things on your screen; the managers want to see everything on the screen, like in Excel, or the managers want to see things as graphs, beautiful things. So what do we actually do? We create another tool to parse SPDX or CycloneDX, read tons of files, create models again to put them in the graph, or actually convert everything to Excel. So again the resulting SBOM is becoming a problem in the end, if you're thinking about it as a format to use for everything. It is the final document; it is not supposed to be used as a data format. So again, back to this: it's all about data. If you have the same data in a single place, you can actually do all these things without recreating tools. We can have one single generator of SBOMs that reads from the data, that doesn't need to be coded again and again and again in every single tool; we can actually have exactly the data live in a dashboard, changing in real time, without, again, reading a text file, creating a parser, putting a conversion in there. See, it's tiresome, but we can do it this way.

So the SBOM is the contract. So the end document is the end of the end-to-end; when you reach that point, it's because the data came out perfect. This is the one that you show to the people, but if you want to manipulate and use this data, the SBOM is not the result. So the SBOM is something that is good, because you store it and then you can see it from the desk, but if you need to really complete the access to the end-to-end, you need those parts.

So, the credits for this thing: I changed it a little bit, [unclear] made some of the slides, I changed the part there, but the credits and the links are here. CARIAD [unclear]. And why am I talking about this? Just to say, yeah, people are talking too much about SBOMs; most of the people are not talking exactly about the whole thing that they need about SBOMs, and we are creating format wars right now, and at that point it's completely hard, because these format wars are really not what we want right now; they are not needed. We need to actually work on what provides good data. So if you really want your good SBOM, provide tools that actually provide the data to do it, not provide the SBOM. The SBOM will be the very perfect specification made by SPDX or CycloneDX or Syft or whatever people decided to use, but a good SBOM is the one that provides good data. There you go, so that's exactly what I want to say. Questions? Yeah, go ahead, Kate.

Who decides what to do?

Exactly, this is a good question, actually. It's the lawyers; it's always the lawyers, because in the end they are the ones that actually do the clean bill for the product. So this is an idea: you can actually provide a good amount of data and provide everything right, and you say that everything that is there is correct; your supplier can come to you
with a bill of materials that you put in there and say "that's right". So in the end you cannot tell whether it's actually perfect or not, because we need to trust the trust chain; there's a problem. So in the end it will be the lawyers, because they do the last verification, and they will even ask us about some details, and they try to trust us when we say that this is correct. So this is a simple thing, we cannot... yeah, yeah.

Um, so there's a group that's meeting every Thursday, which I guess would be very late in the evening for Europe, unfortunately, and what they're doing is they're basically trying to explore as a group what should be filled in for each field of the minimum elements, not for these formats, but what the SBOM definition calls for as minimum elements. And we have various fields in that definition, like supplier, that people can rathole on forever, and you're not addressing here, however, what is the pragmatic way to fill this field in, and I think that's the definitions we need to go to. So I'm agreeing with your premise: it's data, let's get it right, let's get a common agreement on what the data is, and then it can go to whatever format, but we need to sort of understand what we think good is and build up consensus about good, and I don't think we've got a path for that yet other than this common...

From SPDX you know very well that [unclear] is happening before, when the great SPDX lights, because it's people thinking about the minimum thing inside there. So yeah, this is a very difficult thing to say, but I think that the minimum, the minimal thing that appears in this one, will be ruled by the guys from the security parts, like people from the OpenSSF, because they have the most urgent matters on this and they understand which kind of information is needed; then after this one, it comes from minimal what the lawyers ask about the product. So we're going from security, the CISOs, now to the lawyers, yeah, okay.

Yeah, we were, we are just, I think, but I think, like I say, I think each of these definitions of the fields is ambiguous.

Okay, that's correct, yeah.

So what we need to do is build up an industry consensus of "this is the sort of thing you should put in it", and if you don't put that in, then maybe you want to understand what you're talking about.

The major difficulty on this one is even that, for example, let's pick the big players: the European Union on one side and the American government on the other side, and they have completely different things about what is minimally needed, and the discussion and the point is there. So how do we balance this kind of thing? It's difficult. So yeah.

And I learned this week that the FDA has a different set of minimal too.

Yeah, yeah, well, we're not even going into the medical part, yeah, yeah. Okay, so any other questions? Yes, the people... let's talk. Yeah, you know, oh god, it's not just me.

So I just wanted to go back, just following on the topic about the SBOM fields being ambiguous, and I'll just say, from what you mentioned earlier, the doc fest that we have, all the documents are different, even in fields that are extremely clearly and precisely defined, and I don't think anybody disagrees with that; they come out all different. And what I mean is, like the file name: you think file name, oh, that's the name of the file; well, is it like dot-slash, or does it start at the root of the tarball that you're including, or does it start at the root of wherever I did the analysis? It's like four different SBOMs had four different formats for the exact same file name, by the way, because it's from the exact same tarball, and the spec is extremely clear that it's dot-slash relative to the tarball, but only one of the four followed the format. So it's not just the ambiguity of the fields, but it's getting the tools... And the point that I wanted to make is there is an online validator for SPDX; anybody who thinks they have a valid SPDX should run it and make sure it comes back and says "yes, it's good", because I can't tell you how many SPDX documents I get that won't pass that.

Yeah, it's just a small dogfooding part: even if you are passing the SPDX test in the Java one, maybe you fail the official SPDX one in Python, or vice versa. So the same one that is the official one is really there. That's right, yeah, I know, I know. I'm going there. So this is already funding the good part: I'm really a developer, I'm not actually a guy for the specification things. And then, for example, when the OSSelot project was there and was run by OSADL (OSADL is a legal entity, more run by lawyers for open source), they decided of course that tag-value would be the one in the repository, and only tag-value. Can you imagine that at that very moment every single developer started to cry and said "why are you using tag-value again, we cannot use it in processing"? At least we came up with some kind of middleware: we created code so that every time code is committed inside OSSelot as tag-value, it automatically generates all the other values for SPDX, and then you have the five ones. But really, this is tiresome; it's just because we are developers who could foresee this coming, and it was fast to do. But in this case you're right, you can have the validators for everything, but we can even have two different SBOMs that pass the tests with the same source, if they have more than the minimum, with different data. See, it's a thing. But do run the validator. Yeah, yeah, this is obvious, yeah, but understand that these are supposed to be technicians; they should understand that this should be validated. Yeah, and this is a completely whole story and a completely different talk about how to educate people about this. Yeah, it's hard. I doubt that anyone here doesn't have a time when they need to teach people inside their company about how things work; we all need to do this all the time.

Couldn't we do something like, you know, back in the early days of HTML you had the HTML validator and the CSS validator on the website? Put something like that, or make something like that, a program like that?

I can tell you that there are tools, for example, that even the legal people use. Let me remember the name: one tool called [unclear], it's basically a no-code tool that's very oriented to the legal ones that actually makes things easier. They created a tool that you can push there and teach them how to actually validate some files. This could exactly be done, but still you are missing one important point in the middle: people who do that and don't understand why they do that, or whatever their parts. This is actually crucial: if you get something that you don't understand past the validators and they say "okay, everything is fine", it's a dangerous thing. So we need some kind of education for this.

Okay, I think no more questions. Thank you guys for surviving until the last talk of the week.
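The talk's central claim is that the SBOM should be rendered from curated data keyed by package URL, with the output format being a separate choice, and that a purl carries origin, name, version and a qualifier for a locally modified variant. As an added example, not code from the talk, CARIAD or SW360, the Python below parses and canonicalizes package URLs and emits both an SPDX 2.3 JSON and a CycloneDX 1.4 JSON document from one constructed component list; the project name, the three components and the example.invalid URLs are constructed assumptions, and the "one package that is the document itself" pattern the speaker describes appears as the DESCRIBES relationship.

```python
# Added example (not from the talk): one purl-keyed data set, two SBOM formats, one generator.
import json
from datetime import datetime, timezone
from urllib.parse import quote, unquote

# Constructed sample "data lake": a hypothetical project and its dependencies.
PROJECT = {"name": "demo-app", "version": "1.2.0"}
COMPONENTS = [
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
    "pkg:npm/%40angular/core@15.2.0",
    # qualifiers record a locally patched build, the "variant" case from the talk
    "pkg:generic/openssl@3.0.8?patched=yes&vcs_url=git%2Bhttps%3A%2F%2Fexample.invalid%2Fopenssl.git",
]


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: %r" % purl)
    rest = purl[4:].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    rest, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    segments = rest.split("/")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        raise ValueError("purl needs at least a type and a name: %r" % purl)
    quals = {}
    for pair in filter(None, qualifiers.split("&")):  # key=value pairs
        key, _, value = pair.partition("=")
        quals[key.lower()] = unquote(value)
    return {"type": segments[0].lower(),
            "namespace": "/".join(unquote(s) for s in segments[1:-1]) or None,
            "name": unquote(segments[-1]), "version": unquote(version) or None,
            "qualifiers": quals, "subpath": unquote(subpath) or None}


def build_purl(p):
    """Canonical purl: lower-case type, sorted qualifier keys, percent-encoded parts."""
    out = "pkg:%s/" % p["type"].lower()
    if p.get("namespace"):
        out += "/".join(quote(s, safe="") for s in p["namespace"].split("/")) + "/"
    out += quote(p["name"], safe="")
    if p.get("version"):
        out += "@" + quote(p["version"], safe="")
    if p.get("qualifiers"):
        out += "?" + "&".join("%s=%s" % (k.lower(), quote(v, safe=""))
                              for k, v in sorted(p["qualifiers"].items()))
    if p.get("subpath"):
        out += "#" + "/".join(quote(s, safe="") for s in p["subpath"].strip("/").split("/"))
    return out


def to_spdx(project, purls, created=None):
    """SPDX 2.3 JSON: document DESCRIBES the project package, which DEPENDS_ON each component."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root_id = "SPDXRef-Package-%s" % project["name"]
    packages = [{"name": project["name"], "SPDXID": root_id,
                 "versionInfo": project["version"], "downloadLocation": "NOASSERTION"}]
    rels = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": root_id}]
    for i, purl in enumerate(purls):
        p = parse_purl(purl)
        pid = "SPDXRef-Package-%d" % i
        packages.append({"name": p["name"], "SPDXID": pid,
                         "versionInfo": p["version"] or "NOASSERTION",
                         "downloadLocation": "NOASSERTION",
                         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                                           "referenceType": "purl", "referenceLocator": purl}]})
        rels.append({"spdxElementId": root_id, "relationshipType": "DEPENDS_ON",
                     "relatedSpdxElement": pid})
    doc_name = "%s-%s" % (project["name"], project["version"])
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": doc_name,
            "documentNamespace": "https://example.invalid/spdx/" + doc_name,  # placeholder
            "creationInfo": {"created": created, "creators": ["Tool: sbom-from-data-example"]},
            "packages": packages, "relationships": rels}


def to_cyclonedx(project, purls):
    """CycloneDX 1.4 JSON from the same data; purl is a first-class field there."""
    components = []
    for purl in purls:
        p = parse_purl(purl)
        comp = {"type": "library", "name": p["name"], "purl": purl}
        if p["version"]:
            comp["version"] = p["version"]
        if p["namespace"]:
            comp["group"] = p["namespace"]
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"component": {"type": "application", "name": project["name"],
                                       "version": project["version"]}},
            "components": components}


if __name__ == "__main__":
    print(json.dumps(to_spdx(PROJECT, COMPONENTS), indent=2))  # same data...
    print(json.dumps(to_cyclonedx(PROJECT, COMPONENTS), indent=2))  # ...two formats
```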