Page MenuHomePhabricator
Create Task
Maniphest T361943

Decide on a Software Bill of Materials (SBOM) format for MediaWiki
Closed, ResolvedPublic
Actions

Description

To start adopting SBOMs, specially to replace foreign-resources files, we should decide on a format first. There are two widely adopted formats:

This is as close as possible to a "tabs vs. spaces" situation. They are not really different and most tools work with both. But we need to pick one, otherwise we end up with a mess.

Some links:

Notes:

  • We already use SPDX license headers in puppet
  • Generating CDX SBOMs from composer.lock files is easier (the tooling is lacking for SPDX)
  • There are tools to convert one to another, so it shouldn't be hard to change it in the future.

I'd say let's vote for it and call it a day?

Related Objects
Search...

Event Timeline

Ladsgroup created this task.Apr 5 2024, 2:06 PM
Jdforrester-WMF added a comment.Apr 5 2024, 2:19 PM

We also enforce SPDX-sourced licence tags in all our PHP code, via LicenseCommentSniff.

sbassett added a comment.EditedApr 5 2024, 3:50 PM

From a mostly AppSec perspective, I'd vote for CycloneDX. It's supported by the org I'm most familiar with (OWASP) and the tooling is far more robust, at least for now. Would it be a big deal for AppSec interests if we went with SPDX? Probably not, so I'd definitely qualify this as more of a light preference.

Mstyles subscribed.Apr 5 2024, 6:29 PM

It looks like it's not too bad to convert from CycloneDX to SPDX, so even if we decide to go with CycloneDX we can still get the SPDX data if we want it. CycloneDX seems to have more tooling and also provides a license scanner to look at the licenses @Jdforrester-WMF was referencing.

sbassett moved this task from Incoming to Watching on the Security-Team board.Apr 8 2024, 4:09 PM
sbassett added a project: SecTeam-Processed.
mmartorana subscribed.Apr 9 2024, 3:43 PM

I lean towards CycloneDX because of its broader approach, it prioritizes the management of software components and dependencies rather than license/legal compliance, which is the primary focus of SPDX.

bd808 renamed this task from Decide on a SBOM format for MediaWiki to Decide on a Software Bill of Materials (SBOM) format for MediaWiki.Apr 15 2024, 4:51 PM
Ladsgroup closed this task as Resolved.Wed, Apr 17, 9:26 PM
Ladsgroup claimed this task.

No comment for over a week after some outreach work as well. CycloneDX it is.

Ladsgroup mentioned this in T363589: Migrate foreign-resources files to CDX SBOM format.Fri, Apr 26, 4:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL