Overview
We should explore generating a Software Bill of Materials (SBOM) to describe ITK components and dependencies at build time. This could extend or replace the existing NOTICE file to describe third party dependencies / supply chain components and their respective licenses.
Background
An SBOM is a human- and machine-readable description of component dependencies that can be used for software supply chain tracking, allowing customers to identify licenses and vulnerabilities in software components. Industry support for SBOM standards has grown following the related 2021 “Executive Order on Improving the Nation’s Cybersecurity.”
Supply chain discovery, i.e. the ability to trace through third party dependencies and their components, is important for several scenarios:
- Research partners and commercial entities want to be able to trace through licenses involved with a given ITK distribution and understand potential impact on downstream licensing and distribution (i.e. copyleft, closed source)
- Not all components will be included with every build. For instance, standard ITK distributions are not built with FFTW since it is licensed under GPL (copyleft), but developers may create custom ITK builds with FFTW that would in turn be subject to copyleft licensing.
- In the event that a vulnerability is discovered in an upstream dependency, developers should be able to backtrace and understand what ITK distributions are affected.
Existing Efforts
ITK's NOTICE document serves as a legal notice of all of ITK's third party dependencies and their licensing. While this is a good start and likely sufficient from a legal perspective, there are several pain points for supply chain discovery:
- Not generated at build time: no document exists that exactly describes the configuration of a given build (i.e. if FFTW is turned on, etc)
- Not machine readable: no existing SBOM tools can parse the ITK NOTICE for supply chain review.
- No versioning information: developers must manually trace through ITK (specifically CMake) to understand what dependency versions are retrieved, and the information is not packaged with a build distribution.
Proposed Efforts
We should pursue efforts to align with an existing SBOM standard. VTK has recently adopted SPDX. For maintainability it would be reasonable for ITK to follow suit.
A migration plan could follow a structure similar to the following:
- First, replace
NOTICE with an sbom.json document reflective of third party dependencies and their licenses that could possibly be built with a fully configured ITK distribution.
- Then, explore adding SPDX headers to ITK source files to describe licensing on build generation.
- Then, implement config/build integration with a CMake-configurable
sbom-build.json.in such that building ITK generates sbom-build.json descriptive of ITK dependencies. sbom-build.json must include a) each dependency component that is enabled at build time, b) the version of the component, and c) the license of the component.
This migration is unlikely to happen overnight, but is in the best interest of long term ITK adoption as SBOM documentation continues to gain traction in supply chain security.
Additional Information
It is unclear how building ITK with remote modules may impact SBOM validity. It would be good to explore that effort and possibly introduce CMake mechanisms to allow remote modules to extend SBOM components description before sbom-build.json is generated in the ITK build.
Overview
We should explore generating a Software Bill of Materials (SBOM) to describe ITK components and dependencies at build time. This could extend or replace the existing
NOTICEfile to describe third party dependencies / supply chain components and their respective licenses.Background
An SBOM is a human- and machine-readable description of component dependencies that can be used for software supply chain tracking, allowing customers to identify licenses and vulnerabilities in software components. Industry support for SBOM standards has grown following the related 2021 “Executive Order on Improving the Nation’s Cybersecurity.”
Supply chain discovery, i.e. the ability to trace through third party dependencies and their components, is important for several scenarios:
Existing Efforts
ITK's NOTICE document serves as a legal notice of all of ITK's third party dependencies and their licensing. While this is a good start and likely sufficient from a legal perspective, there are several pain points for supply chain discovery:
Proposed Efforts
We should pursue efforts to align with an existing SBOM standard. VTK has recently adopted SPDX. For maintainability it would be reasonable for ITK to follow suit.
A migration plan could follow a structure similar to the following:
NOTICEwith ansbom.jsondocument reflective of third party dependencies and their licenses that could possibly be built with a fully configured ITK distribution.sbom-build.json.insuch that building ITK generatessbom-build.jsondescriptive of ITK dependencies.sbom-build.jsonmust include a) each dependency component that is enabled at build time, b) the version of the component, and c) the license of the component.This migration is unlikely to happen overnight, but is in the best interest of long term ITK adoption as SBOM documentation continues to gain traction in supply chain security.
Additional Information
It is unclear how building ITK with remote modules may impact SBOM validity. It would be good to explore that effort and possibly introduce CMake mechanisms to allow remote modules to extend SBOM components description before
sbom-build.jsonis generated in the ITK build.