
1000s of Vendors, 1000s of Products, 1000s of SBOMs, 1000s of Attestations – Oh my!

Imagine your boss comes to you and says, “I need you to collect attestation letters and SBOMs for each of our software products in use.” Two artifacts per product doesn’t seem like a lot, until you consider that some computing environments have thousands of products from many vendors. This turns out to be a big problem – so what do you do?

You could send an email to each of your vendors saying, “Give me your SBOM and self-attestation for each of your products that I have installed.” You then receive 100 responses from your 100 vendors containing SBOMs and self-attestations for each of the 10 products you have installed, resulting in 100x10x2 separate artifacts = 2000 artifacts. But what happens if those 2000 artifacts are all different and you have to decipher each one to determine whether it meets “expectations”? You should expect to see lots of different responses if no explicit and precise guidance is given up front on exactly what vendors should provide, including the specific formats and how to deliver them (email, HTTP download, etc.). This can be a daunting task.

Are you ready to quit yet? I’ve heard quiet quitting is quite popular these days.

There must be a better way, and there is.

You can make your life much easier by sending that email to your vendors along with a template of the information you expect them to return, containing “links” to each of the required artifacts in the format you specify, such as the open source, free to use Vendor Response File format. This ensures that each vendor provides the same information in a common, machine-readable format for each of their product SBOMs and self-attestations. Because the “template” is machine readable, you can run it through a program that automatically retrieves and catalogs each of the artifacts, which now follow a consistent format, making the information much easier to retrieve and analyze. This removes some of the challenges of giving your boss the report on all of your software products, reducing or eliminating the need to interpret differently formatted SBOMs and self-attestation letters, because you gave each vendor explicit directions to follow. No doubt there will be some rogue responses, but hopefully your vendors understand your challenges and comply with your request to provide common formats for SBOMs and self-attestations, along with the means to acquire each of these artifacts using automated tools.
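As an added illustration (not code from this article or from the Vendor Response File project), here is a small Python cataloguer that reads one vendor reply in a constructed JSON layout, an assumed stand-in for the real Vendor Response File schema, and sorts each product into “ready to fetch” or “rogue response” against the formats and transport you specified up front:

```python
import json
from urllib.parse import urlparse

# Constructed sample vendor reply. Field names are an assumption for illustration,
# not the real Vendor Response File schema.
SAMPLE_RESPONSE = json.dumps({
    "vendor": "ExampleVendor",
    "products": [
        {"name": "GridWidget", "version": "2.1", "artifacts": [
            {"type": "sbom", "format": "spdx-json",
             "url": "https://vendor.example/sbom/gridwidget-2.1.spdx.json"},
            {"type": "attestation", "format": "pdf",
             "url": "https://vendor.example/attest/gridwidget-2.1.pdf"}]},
        {"name": "MeterSync", "version": "5.0", "artifacts": [
            # a "rogue" response: spreadsheet SBOM over plain http, no attestation
            {"type": "sbom", "format": "xlsx",
             "url": "http://vendor.example/sbom/metersync.xlsx"}]},
    ],
})

# The formats and transport you told vendors to use up front.
EXPECTED = {"sbom": {"spdx-json", "cyclonedx-json"}, "attestation": {"pdf"}}


def catalog_response(text):
    """Return (catalog, problems): catalog maps vendor/product/version to the
    {type: url} links ready for automated download; problems explains each miss."""
    data = json.loads(text)
    catalog, problems = {}, []
    for product in data.get("products", []):
        key = f"{data['vendor']}/{product['name']}/{product['version']}"
        found = {}
        for art in product.get("artifacts", []):
            kind, fmt, url = art.get("type"), art.get("format"), art.get("url", "")
            if kind not in EXPECTED:
                problems.append(f"{key}: unknown artifact type {kind!r}")
            elif fmt not in EXPECTED[kind]:
                problems.append(f"{key}: {kind} in unexpected format {fmt!r}")
            elif urlparse(url).scheme != "https":
                problems.append(f"{key}: {kind} link is not https: {url}")
            else:
                found[kind] = url
        missing = sorted(set(EXPECTED) - set(found))
        if missing:
            problems.append(f"{key}: missing {missing}")
        else:
            catalog[key] = found  # only complete, well-formed products get fetched
    return catalog, problems
```

Running `catalog_response(SAMPLE_RESPONSE)` on the constructed reply puts GridWidget in the catalog and reports two problems for MeterSync, which is the list you would hand back to the vendor rather than decipher by hand.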

Additional information describing the open-source Vendor Response File is available here.