
IBM Software Fingerprinting for Supply Chain Security Presentation & Feedback #8

Closed
mrutkows opened this issue Nov 4, 2022 · 5 comments

Comments

@mrutkows

mrutkows commented Nov 4, 2022

Attached to this issue is the PDF of the presentation given during the Wed. Nov. 2nd meeting (APAC friendly) for review and comment...

OpenSSF Repository WG Presentation.pdf


@mrutkows

mrutkows commented Nov 4, 2022

For convenience, I copied the Q&A captured from the 11/2 meeting minutes:

Q: How are you consuming all the software that exists to compute genes?
A: Existing software repos, feeds. Provide a search engine for code, search by hash, go beyond.

Q: Have you considered how the fingerprint relates to dependencies? Connecting/mapping dependencies via a gene.
A: Actually building a large graph behind the scene, including relationships between binaries and dependencies.

Q: What is the granularity? What about reordering positioning?
A: Based on functionality. The hope is that it’s resilient to obfuscation. File level could be too coarse, lines could be too fine.

Q: How are you handling obfuscation generally? What’s the threat model?
A: (long answer omitted from Jiyong)

Q: This seems to apply to malware, have you explored that?
A: Main focus is SBOM and open source

@naveensrinivasan

Is this tool planning to be OSS?

@mrutkows

mrutkows commented Jun 30, 2023

Recording of the presentation at the 11/2/2022 WG meeting:
https://www.youtube.com/watch?v=LsshIbsD6oY&list=PLVl2hFL_zAh_VfsvGMCrkPSS1z2VFFy-r

@mrutkows

Demo at LF Member Summit 2022 (keynote) at the 52 minute mark "Code Genome" project by JR Rao:
https://www.youtube.com/watch?v=BltvpGfqz14

@steiza

steiza commented Oct 11, 2023

Thanks for posting this! I'm going to mark this issue as closed, but we can continue to refer to the content here.

@steiza steiza closed this as completed Oct 11, 2023