<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<title>Metadata, CPAN, Supply Chains, and EU's Cyber Resilience Act</title>
<link rel="stylesheet" href="dist/reset.css">
<link rel="stylesheet" href="dist/reveal.css">
<link rel="stylesheet" href="dist/theme/solarized.css" id="theme">
<!-- Theme used for syntax highlighted code -->
<link rel="stylesheet" href="plugin/highlight/zenburn.min.css" id="highlight-theme"></head>
<body>
<div class="reveal">
<div class="slides">
<section data-markdown ><textarea data-template>
[comment]: # (Compile this presentation with the command below)
[comment]: # (mdslides pts2024-sbom-intro.md --include ../media)
[comment]: # (...or by running the Makefile with "make")
[comment]: # (mdslides can be installed from https://github.com/dadoomer/markdown-slides/)
## Metadata, CPAN, Supply Chains, and EU's Cyber Resilience Act
LPW 2024
Salve J. Nilsen
@sjn\@chaos.social
Note:
</textarea></section>
<section data-markdown ><textarea data-template>
## New laws, new obligations
* Cyber Resilience Act is arriving in the next weeks
* 1st law to affect Open Source projects substantially
Note:
* This talk is more about _the future_ of our community, than the present
</textarea></section>
<section>
<section data-markdown data-auto-animate><textarea data-template>
## (I am not a lawyer)
</textarea></section>
<section data-markdown data-auto-animate><textarea data-template>
## (I am not a lawyer)
* (Also, I am not an "authority")
</textarea></section>
<section data-markdown data-auto-animate><textarea data-template>
## (I am not a lawyer)
* (Also, I am not an ~"authority"~)
* I'm a _volunteer_
</textarea></section>
</section>
<section>
<section data-markdown ><textarea data-template>
## EU Cyber Resilience Act
* Approved by the EU Parliament Mar 12th 2024
* Adopted by the EU Commission on **Oct 10th 2024**
* Published in the official EU Journal [soon]
* **Takes effect 36 months after publication**
<div style="font-size: large;">
> * [Council adoption](https://www.consilium.europa.eu/en/press/press-releases/2024/10/10/cyber-resilience-act-council-adopts-new-law-on-security-requirements-for-digital-products/) announcement – 2024-10-10
</div>
Note:
* Into full effect by the end of 2027
* This talk is to...
* _help you_ prepare, and
* for you to _help us_ prepare
</textarea></section>
<section data-markdown ><textarea data-template>
## What is the goal of the CRA?
* Increase the general Cybersecurity across Europe
* To ensure products with digital elements are secure before they are placed on the market
Note:
* Details in the upcoming slides
</textarea></section>
<section data-markdown ><textarea data-template>
## CRA Applies to...
* All Manufacturers that wish to place "Products with Digital Elements" on the EU market.
* Connected devices
* Remote data processing solutions
* Non-tangible digital products
* _Related systems and services needed for operation_
<div style="font-size: large;">
> * Background: [Recital 9](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=10)
> * Product with Digital Elements: [Article 3 (1), (4), (6), (7)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=136)
> * Placing on the market: [Article 3 (21)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=140)
</div>
Note:
* Devices, components
* routers, cameras, fridges, toys, etc.
* Anything which has software may be affected!
</textarea></section>
<section data-markdown ><textarea data-template>
## CRA **does not** apply to...
* Software that is purely _part of a service_
* Software that is covered by other regulation (NIS2, AI Act, Health regulations, etc.)
* Software that is Open Source*
<div style="font-size: large;">
> * [Recital 12](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=13)
> * [Recital 18](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=21)
</div>
</textarea></section>
</section>
<section>
<section data-markdown data-auto-animate><textarea data-template>
## Six "Roles"
* Manufacturer
* Distributor, Importer and Market Authorities
* Open Source Software Steward
* Open Source Developers
</textarea></section>
<section data-markdown data-auto-animate><textarea data-template>
## Six "Roles"
* Manufacturer
* Distributor, Importer and Market Authorities ❌
* Open Source Software Steward ❌
* Open Source Developers
</textarea></section>
<section data-markdown data-auto-animate><textarea data-template>
## Six "Roles"
* Manufacturer 🔍
* Distributor, Importer and Market Authorities ❌
* Open Source Software Steward ❌
* Open Source Developers
</textarea></section>
<section data-markdown ><textarea data-template>
## Manufacturer
* A natural or legal person who
* **develops** or manufactures **products with digital elements**
* or **has products with digital elements** designed, **developed** or manufactured,
* and **markets them under its name** or trademark,
* whether for payment, monetisation or free of charge
<div style="font-size: large;">
> * [Article 3 (12), (13)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=138)
</div>
</textarea></section>
<section data-markdown ><textarea data-template>
### Obligations of Manufacturers<br> — Conformance
![CE Mark](media/280px-Conformité_Européenne.png)
* Place a CE mark on their products
<div style="font-size: large;">
> * [Article 28](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=218)
</div>
Note:
* "I am following EU Law"
</textarea></section>
<section data-markdown ><textarea data-template>
### — Support period
* Determine the product support period
* Default is 5 years, but should reflect expected use time
* Support period can also be set by authorities
* Security fixes must remain available for 10 years after issuing
<div style="font-size: large;">
> * [Article 13 (8)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=165)
> * [Article 13 (9)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=166)
</div>
</textarea></section>
<section data-markdown ><textarea data-template>
### — Point of Contact
* Set up a single point of contact
<div style="font-size: large;">
> * [Annex II.2](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=303)
</div>
</textarea></section>
<section data-markdown ><textarea data-template>
### — Unique ID
* Create a unique identification of their product
<div style="font-size: large;">
> * [Annex II (3)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=303)
</div>
</textarea></section>
<section data-markdown ><textarea data-template>
### — Build & Dependencies
* Be able to identify and document vulnerabilities and components contained in products
* Describe how the product is put together
<div style="font-size: large;">
> * [Annex I, Part II (1)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=297)
> * [Annex VII.2 (a)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=314)
</div>
</textarea></section>
<section data-markdown ><textarea data-template>
### — Produce SBOMs
* Produce SBOMs upon request by regulators
* At minimum, top level dependencies
<div style="font-size: large;">
> * [Recital 22](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=26)
> * [Annex I, Part II (1)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=300)
</div>
</textarea></section>
<section data-markdown ><textarea data-template>
### — No Vulnerabilities
* Product has **no known vulnerabilities**
* Product is **secure by default**, and **secure by design**
* 😍 Exercise due diligence when integrating third party components
* 😍 Report vulnerabilities to the Manufacturer or Open Source maintainer
<div style="font-size: large;">
> * [Article 13.1](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=161)
> * [Annex I, Part I (2 (a))](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=297)
> * [Recital 65](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=73)
> * [Article 13.5](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=163)
> * [Article 13.6](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=164)
</div>
Note:
* Due diligence – to avoid these components compromising the product's security
</textarea></section>
<section data-markdown ><textarea data-template>
### — Offer timely security updates
* Make security updates available to customers effectively for the duration of the support period
* Ensure vulnerabilities can be addressed through security updates
<div style="font-size: large;">
> * [Article 13.8](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=165)
> * [Annex I part II](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=300)
> * [Annex I, Part I (2 (c))](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=297)
> * [Annex I, Part II (7)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=302)
</div>
Note:
* Address vulnerabilities _in a timely manner_
</textarea></section>
<section data-markdown ><textarea data-template>
### — Early warning system
* Take part in the EU early warning notification regime
* **Early warning within 24h** after exploit discovery
* **Vulnerability notification within 72h**, incl. corrective measures
* **Final report no later than 14 days after discovery**
* Incident reports submitted to a common EU reporting platform
<div style="font-size: large;">
> * [Article 13.6](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=164)
> * [Article 14.1](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=176)
> * [Article 14.2 (a)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=177)
> * [Article 14.2 (b)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=177)
> * [Article 14.2 (c)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=178)
</div>
</textarea></section>
</section>
<section>
<section data-markdown data-auto-animate><textarea data-template>
## Six "Roles"
* Manufacturer 🔍
* Distributor, Importer and Market Authorities ❌
* Open Source Software Steward ❌
* Open Source Developers
</textarea></section>
<section data-markdown data-auto-animate><textarea data-template>
## Six "Roles"
* Manufacturer ✅
* Distributor, Importer and Market Authorities ❌
* Open Source Software Steward ❌
* Open Source Developers 🔍
</textarea></section>
<section data-markdown ><textarea data-template>
## Open Source Developers
* CRA doesn't really talk about Open Source **Developers**
</textarea></section>
<section data-markdown ><textarea data-template>
### Obligations to Open Source Developers<br> – Status Quo
* CRA **does not apply** to Developers if...
* they contribute code to projects they are **not responsible for**
* they are **not monetising** their product
* their product is ultimately **not intended for commercial activities**
<div style="font-size: large;">
> * [Recital (18)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=20)
> * [Recital (19)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=22)
</div>
</textarea></section>
<section data-markdown ><textarea data-template>
### – With a FOSS Steward
* CRA **applies voluntarily** if the Developer decides...
* their product **is ultimately intended** for commercial activities
<div style="font-size: large;">
> * [Recital (19)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=22)
</div>
</textarea></section>
<section data-markdown data-auto-animate><textarea data-template>
## Six "Roles"
* Manufacturer ✅
* Distributor, Importer and Market Authorities ❌
* Open Source Software Steward ❌
* Open Source Developers 🔍
</textarea></section>
<section data-markdown data-auto-animate><textarea data-template>
## Six "Roles"
* Manufacturer ✅
* Distributor, Importer and Market Authorities ❌
* Open Source Software Steward ❌
* Open Source Developers ✅
</textarea></section>
</section>
<section>
<section data-markdown data-auto-animate><textarea data-template>
## What Metadata is being asked for?
</textarea></section>
<section data-markdown data-auto-animate><textarea data-template>
## Metadata
* Open Source ecosystems are _universal_
* Is there a "CPAN philosophy" regarding Metadata? 😅
"Optional, As Much as Possible"
Note:
* It makes sense to look at metadata requirements in general
* Not just CRA's
* "Optional" isn't really an option any more
* Some fields are actually _required_
</textarea></section>
<section data-markdown data-auto-animate><textarea data-template>
## Metadata Headaches
* New requirements: "Minimum Elements" or "Baseline Attributes"
* Some operate with multiple levels of "Requiredness"
* Minimum, Recommended, Aspirational
<div style="font-size: large;">
> * (NTIA-SBOM) [NTIA Minimum Elements for a Software Bill of Materials (SBOM)](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf#page=9), Published 2021-07-12
> * (CISA-2024-10) [CISA Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)](https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf), Third edition, Section 2 and Appendix B; Published 2024-10-15
</div>
Note:
* "Required" attributes come in different forms
* Keep in mind what the _purpose_ of the metadata is – not just its "requiredness"
</textarea></section>
<section data-markdown ><textarea data-template>
## Metadata Headaches
* No common glossary of terms
* Needed: a "Metadata Rosetta Stone"
Note:
* The current landscape is still a mess
* Which means that well-considered constructive implementations can become a good example for others to consider
</textarea></section>
<section data-markdown ><textarea data-template>
### Component attributes
<div style="font-size: x-large;">
| Attribute name | Required | References |
| :---------------------------------- | :------: | -----------------------------------------: |
| Primary Component Name | Yes | NTIA-SBOM, CISA-2024-10, CRA-AV, TR-03183 |
| **Version** 👈 | Yes | CISA-2024-10, CRA-AV, TR-03183 |
| Purpose, Intended Use | Yes | CRA-AII(4) |
| Supplier Name | Yes | CRA-AII(1), CRA-AV, NTIA-SBOM, CISA-2024-10, TR-03183 |
| Security contact | Yes | CRA-AII(2) |
| Copyright Notice | Yes | CISA-2024-10 |
| License(s) | Yes | CISA-2024-10, TR-03183 |
</div>
Note:
* Version:
* Semantic Versions ("SemVer"), Calendar Versions ("CalVer")
* On CPAN: Decimal Versions ("DeciVer").
* Reality: arbitrary version formats have to be supported
</textarea></section>
<section data-markdown ><textarea data-template>
### Dependency Attributes
<div style="font-size: x-large;">
| Attribute name | Required | References |
| :---------------------------------- | :------: | -----------------------------------------: |
| **Unique Product ID** 👈 | Yes | CRA-AII(3), CRA-AV, NTIA-SBOM, CISA-2024-10 |
| Cryptographic Hash | Yes | CISA-2024-10, TR-03183 |
| Primary Component Filename | Yes | TR-03183 |
| Dependencies | Yes | CRA-AII(5), NTIA-SBOM, CISA-2024-10, TR-03183 |
| **Relationships** 👈 | Yes | CISA-2024-10 |
</div>
Note:
* Unique ID: CPE (Common Platform Enumeration), Package URL, SWID, UUIDs, SWHID (Software Heritage ID), OmniBOR
* Intrinsic vs. Extrinsic
* Global uniqueness required
* This is a mess, and very hard to solve. Best option for OSS today: Package URLs
* Relationships: If a dependency is static, remote, provided, or dynamic
* "Primary", "Included in", "Heritage or Pedigree"
* Relationship completeness
</textarea></section>
<section data-markdown ><textarea data-template>
### Other useful attributes
<div style="font-size: x-large;">
| Attribute name | Required | References |
| :---------------------------------- | :------: | -----------------------------------------: |
| Download location | No | |
| Code Commit Revision | No | |
| Code Repository | No | |
</div>
Note:
* What else is needed to make it easier to manage vulnerabilities?
* A list of known vulnerabilities addressed
* Details on which function/method had a vulnerability fixed
* When & where the package was downloaded from
</textarea></section>
<section data-markdown ><textarea data-template>
### The SBOM Document Itself
<div style="font-size: x-large;">
| Attribute name | Required | References |
| :---------------------------------- | :------: | -----------------------------------------: |
| SBOM Author | Yes | NTIA-SBOM, CISA-2024-10, TR-03183 |
| SBOM Creation Time-stamp | Yes | NTIA-SBOM, CISA-2024-10, TR-03183 |
| SBOM Format | Yes | CycloneDX 1.6, SPDX 2.3 |
| SBOM Release | Yes | CycloneDX 1.6, SPDX 2.3 |
| SBOM Serial Number | Yes | CycloneDX 1.6, SPDX 2.3 |
| **SBOM Location** 👈 | Yes | CRA-AII(9), TR-03183 |
| SBOM Type | No | CISA-2023-4, CISA-2024-10 |
| SBOM Generation Tool | No | |
</div>
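The three attribute tables above (component, dependency and SBOM document) can be exercised end to end. The block below is an added example and not part of the deck or of any CPAN tool: it builds a minimal CycloneDX 1.6 document for a fictional distribution `Example-Widget` (the PAUSE id `EXAMPLEAUTHOR`, the tarball bytes and the dependency pins are all constructed), using the Package URL `cpan` type as the Unique Product ID, and then checks which of the slides' minimum attributes and dependency relationships are missing.

```python
"""Minimal CycloneDX 1.6 SBOM for a (constructed) CPAN distribution, plus a
check against the minimum attributes listed on the slides."""
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed sample data: none of these names or bytes refer to a real dist.
DIST_NAME = "Example-Widget"
DIST_VERSION = "1.02"                       # CPAN-style decimal version
AUTHOR_ID = "EXAMPLEAUTHOR"                 # hypothetical PAUSE id (supplier)
TARBALL_BYTES = b"constructed tarball placeholder, not a real archive"
DEPENDENCIES = [("DEPAUTHOR", "Example-Base", "0.31"),
                ("DEPAUTHOR", "Example-Util", "2.005")]

# Attributes the slides mark as required for every component / the primary.
REQUIRED_COMPONENT_KEYS = ("name", "version", "supplier", "purl")
REQUIRED_PRIMARY_KEYS = REQUIRED_COMPONENT_KEYS + ("hashes",)


def sha256_hex(data: bytes) -> str:
    """Cryptographic Hash attribute: hex SHA-256 of the shipped artefact."""
    return hashlib.sha256(data).hexdigest()


def cpan_purl(author_id: str, name: str, version: str) -> str:
    """Unique Product ID as a Package URL (purl spec 'cpan' type:
    pkg:cpan/<PAUSE id>/<dist name>@<version>)."""
    return f"pkg:cpan/{author_id}/{name}@{version}"


def component(author_id, name, version, tarball=None):
    purl = cpan_purl(author_id, name, version)
    comp = {"type": "library", "bom-ref": purl, "name": name,
            "version": version, "purl": purl,
            "supplier": {"name": author_id}}
    if tarball is not None:      # hash only what we actually have bytes for
        comp["hashes"] = [{"alg": "SHA-256", "content": sha256_hex(tarball)}]
    return comp


def build_sbom(now=None):
    """Assemble the SBOM document attributes (author, timestamp, format,
    serial number) around the primary component and its dependency graph."""
    now = now or datetime.now(timezone.utc)
    primary = component(AUTHOR_ID, DIST_NAME, DIST_VERSION, TARBALL_BYTES)
    deps = [component(a, n, v) for a, n, v in DEPENDENCIES]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": now.isoformat(timespec="seconds"),
            "authors": [{"name": "Example SBOM Author"}],   # hypothetical
            "tools": {"components": [{"type": "application",
                                      "name": "example-sbom-builder"}]},
            "component": primary,
        },
        "components": deps,
        # Relationships: the primary depends on each dep; deps have none here.
        "dependencies": [{"ref": primary["bom-ref"],
                          "dependsOn": [d["bom-ref"] for d in deps]}]
                        + [{"ref": d["bom-ref"], "dependsOn": []} for d in deps],
    }


def missing_attributes(bom) -> list:
    """Return 'where: attribute' entries for slide-listed attributes that are
    absent, including components with no relationship entry (completeness)."""
    missing = [f"document: {k}" for k in ("serialNumber", "specVersion")
               if k not in bom]
    meta = bom.get("metadata", {})
    missing += [f"metadata: {k}" for k in ("timestamp", "authors") if k not in meta]
    primary = meta.get("component", {})
    missing += [f"primary: {k}" for k in REQUIRED_PRIMARY_KEYS if k not in primary]
    for comp in bom.get("components", []):
        missing += [f"{comp.get('name', '?')}: {k}"
                    for k in REQUIRED_COMPONENT_KEYS if k not in comp]
    refs = {d.get("ref") for d in bom.get("dependencies", [])}
    missing += [f"{c.get('name', '?')}: relationships"
                for c in [primary, *bom.get("components", [])]
                if c.get("bom-ref") not in refs]
    return missing


if __name__ == "__main__":
    sbom = build_sbom()
    print(json.dumps(sbom, indent=2))
    print("missing:", missing_attributes(sbom) or "none")
```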
Note:
* Location: Where to get the most recent SBOM
* Type: "When" in a Supply Chain an SBOM was created
</textarea></section>
<section data-markdown ><textarea data-template>
### Open Source Stewards
<div style="font-size: x-large;">
| Attribute name | Required | References |
| :---------------------------------- | :------: | -----------------------------------------: |
| Intended for Commercial Use | No | CRA-Rec-15, CRA-Rec-18 |
| Open Source Software Steward | No | CRA-Rec-19 |
| **Security Attestation** 👈 | No | CRA-Rec-21 |
</div>
Note:
* Intended for Commercial Use + Attestations + OSS Steward = Possible funding source
</textarea></section>
<section data-markdown ><textarea data-template>
### Manufacturers
<div style="font-size: x-large;">
| Attribute name | Required | References |
| :---------------------------------- | :------: | -----------------------------------------: |
| CE Conformity Assessment Body | No | CRA-Art-47(1), CRA-AV |
| CE Declaration of Conformity | No | CRA-AII(6), CRA-AV |
| CE Support End Date | No | CRA-AII(7) |
| CE Technical Documentation | No | CRA-AII(8) |
</div>
Note:
* What's needed for components that are monetized?
* Maintainer becomes a Manufacturer
* This also needs to be supported
</textarea></section>
<section data-markdown data-auto-animate><textarea data-template>
## References
<div style="font-size: large;">
* (CISA-2023-4) [CISA Types of Software Bill of Materials (SBOM)](https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom), published 2023-04-21
* (CISA-2024-10) [CISA Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)](https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf), Third edition, sections 2.2.1.4, 2.2.2 and Appendix B; Published 2024-10-15
* (CRA-AII) [Cyber Resilience Act, Annex II](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=303) Information and Instructions to the User, Dated 2024-03-12
* (CRA-AV) [Cyber Resilience Act, Annex V](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=311) EU Declaration of Conformity, Dated 2024-03-12
* (CRA-AVII) [Cyber Resilience Act, Annex VII](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=314) Contents of the Technical Documentation, Dated 2024-03-12
* (CRA-Art-47) [Cyber Resilience Act, Article 47](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=249) Operational obligations of notified bodies, Dated 2024-03-12
* (CRA-Rec-15) [Cyber Resilience Act, Recital 15](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=17) Economic operators, Dated 2024-03-12
* (CRA-Rec-18) [Cyber Resilience Act, Recital 18](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=20) Open Source Software Contributors, Dated 2024-03-12
* (CRA-Rec-19) [Cyber Resilience Act, Recital 19](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=22) Open Source Software Stewards, Dated 2024-03-12
* (CRA-Rec-21) [Cyber Resilience Act, Recital 21](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=25) Open Source Security Attestation, Dated 2024-03-12
* (TR-03183) German Technical Requirement [TR-03183 Cyber Resilience Requirements for Manufacturers and Products](https://bsi.bund.de/dok/TR-03183), Part 2: Software Bill of Materials (SBOM), Version 2.0.0, published 2024-09-20
* (NTIA-SBOM) [NTIA Minimum Elements for a Software Bill of Materials (SBOM)](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf#page=9), Published 2021-07-12
</div>
</textarea></section>
<section data-markdown ><textarea data-template>
## Metadata Headaches
* Lots of "opinions" from legislators & gov't orgs
* ⚠️ Inconsistencies in Terms
* ⚠️ Missing: More attributes needed to achieve security goals?
Note:
* This picture is likely to evolve in the coming years
* Ecosystems would do well to prepare a smooth evolution
</textarea></section>
<section data-markdown ><textarea data-template>
## Conclusions?
* It's a mess
* It's up to us to improve it
* ~"If it ain't broke, don't fix it"~
* Don't be a bystander
Note:
* "Permissionless Innovation"
* "Being a Good Open Source Citizen"
* We already know that being a bystander doesn't work – better to step up instead!
</textarea></section>
</section>
<section data-markdown ><textarea data-template>
## Questions & Comments
</textarea></section>
<section data-markdown ><textarea data-template>
## Join the work!
* Pick something you are passionate about
* Let's coordinate on #cpan-security on irc.perl.org! 😍
* [https://security.metacpan.org/](https://security.metacpan.org/)
</textarea></section>
<section data-markdown ><textarea data-template>
# Thanks!
Salve J. Nilsen
@sjn\@chaos.social
🦆🦆🦆🦆
</textarea></section>
</div>
</div>
<script src="dist/reveal.js"></script>
<script src="plugin/notes/notes.js"></script>
<script src="plugin/markdown/markdown.js"></script>
<script src="plugin/highlight/highlight.js"></script>
<script src="plugin/math/math.js"></script>
<script>
// More info about initialization & config:
// - https://revealjs.com/initialization/
// - https://revealjs.com/config/
Reveal.initialize({
// "controls" was listed twice (false, then true); the later value wins in a
// JavaScript object literal, so only the intended "true" is kept here.
controls : true,
markdown : {smartypants: true},
minScale : 0.2,
maxScale : 4.0,
width : "960",
height : "700",
help : true,
progress : true,
// Valid values are "faded", "hidden" or "visible" (the original "true" is not one)
controlsBackArrows : "visible",
hash: true,
// Learn about plugins: https://revealjs.com/plugins/
plugins: [ RevealMarkdown, RevealHighlight, RevealNotes, RevealMath ]
});
</script>
</body>
</html>