Content update
stevespringett committed Mar 23, 2024
1 parent a89bdeb commit 2a9a8f0
Showing 8 changed files with 174 additions and 120 deletions.
4 changes: 2 additions & 2 deletions Attestations/en/0x01-Frontispiece.md
Expand Up @@ -20,15 +20,15 @@ Copyright © 2024 The OWASP Foundation.
This document is released under the [Creative Commons Attribution 4.0 International](https://creativecommons.org/licenses/by/4.0/).
For any reuse or distribution, you must make clear to others the license terms of this work.

First Edition, 26 March 2024
First Edition, 02 April 2024

<div style="page-break-after: always; visibility: hidden">
\emptyparagraph
</div>

| Version | Changes | Updated On | Updated By |
|---------------|-----------------|------------|-------------------------------------------------|
| First Edition | Initial Release | 2024-03-26 | CycloneDX Feature Working Group on Attestations |
| First Edition | Initial Release | 2024-04-02 | CycloneDX Feature Working Group on Attestations |

<div style="page-break-after: always; visibility: hidden">
\newpage
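Review bot: the release date now appears twice in this file, once as the prose line "First Edition, 02 April 2024" and once as the table cell "2024-04-02", and the same pair is repeated in the CBOM and SBOM frontispieces changed in this commit; the values agree here, but keeping the date in one place (or a build-time variable) would stop the two from drifting apart on the next reschedule. The commit message "Content update" also gives no reason for moving the date from 26 March; a line noting the revised release date would help anyone reading the history.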
8 changes: 4 additions & 4 deletions CBOM/en/0x01-Frontispiece.md
Expand Up @@ -11,8 +11,6 @@ supply chain security field. This guide would not be possible without valuable f
Working Group (IWG), the CycloneDX Core Working Group (CWG), the many CycloneDX Feature Working Groups (FWG),
Ecma International Technical Committee 54, and a global network of contributors and supporters.

Portions of this guide were contributed by IBM under the Apache License Version 2.0.

## Copyright and License

![license](../../images/license.svg)
Expand All @@ -22,15 +20,17 @@ Copyright © 2024 The OWASP Foundation.
This document is released under the [Creative Commons Attribution 4.0 International](https://creativecommons.org/licenses/by/4.0/).
For any reuse or distribution, you must make clear to others the license terms of this work.

First Edition, 26 March 2024
Portions of this guide were contributed by IBM under the Apache License Version 2.0.

First Edition, 02 April 2024

<div style="page-break-after: always; visibility: hidden">
\emptyparagraph
</div>

| Version | Changes | Updated On | Updated By |
|---------------|-----------------|------------|-------------------------------------------------|
| First Edition | Initial Release | 2024-03-26 | CycloneDX Feature Working Group on Cryptography |
| First Edition | Initial Release | 2024-04-02 | CycloneDX Feature Working Group on Cryptography |

<div style="page-break-after: always; visibility: hidden">
\newpage
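Review bot: the relocated sentence "Portions of this guide were contributed by IBM under the Apache License Version 2.0." now follows "For any reuse or distribution, you must make clear to others the license terms of this work." but does not identify which portions are Apache-licensed, so a reader reusing the CBOM guide cannot tell which sections carry CC BY 4.0 terms and which carry Apache 2.0 terms; name the affected chapters or point to the contribution record. Placing the sentence under Copyright and License rather than in the acknowledgements it was removed from in the previous hunk is the right move, since it is a licensing statement, not a thank-you.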
6 changes: 3 additions & 3 deletions CBOM/en/0x41-Dependencies.md
Expand Up @@ -10,9 +10,9 @@ In the context of cryptographic dependencies, CycloneDX provides some additional
there are two types of dependencies: dependsOn and provides.

| Dependency Type | Description |
| --------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| dependsOn | The bom-ref identifiers of the components or services that are dependencies of this dependency object. |
| provides | The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object. For example, a cryptographic library that implements a cryptographic algorithm. A component that implements another component does not imply that the implementation is in use. |
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| dependsOn | The bom-ref identifiers of the components or services that are dependencies of this dependency object. |
| provides | The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object. For example, a cryptographic library that implements a cryptographic algorithm. A component that implements another component does not imply that the implementation is in use. |


The dependency type, dependsOn, is leveraged by classic SBOMs to define a complete graph of direct and transitive
4 changes: 2 additions & 2 deletions SBOM/en/0x01-Frontispiece.md
Expand Up @@ -20,15 +20,15 @@ Copyright © 2024 The OWASP Foundation.
This document is released under the [Creative Commons Attribution 4.0 International](https://creativecommons.org/licenses/by/4.0/).
For any reuse or distribution, you must make clear to others the license terms of this work.

Second Edition, 26 March 2024
Second Edition, 02 April 2024

<div style="page-break-after: always; visibility: hidden">
\emptyparagraph
</div>

| Version | Changes | Updated On | Updated By |
|----------------|----------------------------|------------|------------------------------|
| Second Edition | Updated for CycloneDX v1.6 | 2024-03-26 | CycloneDX Core Working Group |
| Second Edition | Updated for CycloneDX v1.6 | 2024-04-02 | CycloneDX Core Working Group |
| First Edition | Initial Release | 2023-06-25 | CycloneDX Core Working Group |

<div style="page-break-after: always; visibility: hidden">
110 changes: 2 additions & 108 deletions SBOM/en/0x30-Use_Cases.md
Expand Up @@ -256,122 +256,16 @@ The following example illustrates the use of enveloped signing using JSF.
```

## License Compliance
CycloneDX can be used for open-source and commercial license compliance. By leveraging the licensing capabilities of
CycloneDX is ideal for both open-source and commercial license compliance. By leveraging the licensing capabilities of
CycloneDX, organizations can identify any licenses that may be incompatible or require specific compliance obligations,
such as attribution or sharing of source code.
such as attribution or sharing of source code. CycloneDX supports declared, observed, and concluded licenses.

### Open Source Licensing
The following is an example of a components license. CycloneDX communicates this information using the SPDX license IDs
along with optionally including a Base64 encoded representation of the full license text.

```json
"licenses": [
{
"license": {
"id": "Apache-2.0",
"text": {
"contentType": "text/plain",
"encoding": "base64",
"content": "RW5jb2RlZCBsaWNlbnNlIHRleHQgZ29lcyBoZXJlLg=="
},
"url": "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
}
]
```

SPDX license expressions are also fully supported.

```json
"licenses": [
{
"expression": "(LGPL-2.1 OR BSD-3-Clause AND MIT)"
}
]
```

In addition to asserting the license(s) of a component, CycloneDX also supports evidence of other licenses and copyrights
found in a given component. For example:

```json
"evidence": {
"licenses": [
{ "license": { "id": "Apache-2.0" } },
{ "license": { "id": "LGPL-2.1-only" } }
],
"copyright": [
{ "text": "Copyright 2012 Acme Inc. All Rights Reserved." },
{ "text": "Copyright (C) 2004,2005 University of Example" }
]
}
```
Refer to the "Evidence" chapter for more information.

### Commercial Licensing
CycloneDX can also help organizations manage their commercial software licenses by providing a clear understanding of
what licenses are in use and which ones require renewal or additional purchases, which may impact the operational aspects
of applications or systems. By leveraging CycloneDX for commercial license compliance, organizations can reduce the risks
associated with license violations, enhance their license management practices, and align their SBOM practice with
Software Asset Management (SAM) and IT Asset Management (ITAM) systems for enterprise visibility.

The following example illustrates a commercial license for a given component.

```json
"licenses": [
{
"license": {
"name": "Acme Commercial License",
"licensing": {
"licensor": {
"organization": {
"name": "Acme Inc",
}
},
"licensee": {
"organization": {
"name": "Example Co."
}
},
"purchaser": {
"individual": {
"name": "Samantha Wright",
"email": "[email protected]",
"phone": "800-555-1212"
}
},
"purchaseOrder": "PO-12345",
"licenseTypes": [ "appliance" ],
"lastRenewal": "2022-04-13T20:20:39+00:00",
"expiration": "2023-04-13T20:20:39+00:00"
}
}
}
]
```

All commercial license fields are optional. The licensor, licensee, and purchaser may be an organization or individual.
Multiple license types may be specified and include:

| **License Type** | **Description** |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| academic | A license that grants use of software solely for the purpose of education or research. |
| appliance | A license covering use of software embedded in a specific piece of hardware. |
| client-access | A Client Access License (CAL) allows client computers to access services provided by server software. |
| concurrent-user | A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users. |
| core-points | A license where the core of a computer's processor is assigned a specific number of points. |
| custom-metric | A license for which consumption is measured by non-standard metrics. |
| device | A license that covers a defined number of installations on computers and other types of devices. |
| evaluation | A license that grants permission to install and use software for trial purposes. |
| named-user | A license that grants access to the software to one or more pre-defined users. |
| node-locked | A license that grants access to the software on one or more pre-defined computers or devices. |
| oem | An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware. |
| perpetual | A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely. |
| processor-points | A license where each installation consumes points per processor. |
| subscription | A license where the licensee pays a fee to use the software or service. |
| user | A license that grants access to the software or service by a specified number of users. |
| other | Another license type. |


Solutions supporting the Software Development Life Cycle (SDLC) typically involve open-source license compliance or
intellectual property use cases. Whereas Software Asset Management (SAM) is primarily concerned with commercial license
and procurement use cases. OWASP CycloneDX has extensive support for both and can be applied to any component or service
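Review bot: the new sentence "CycloneDX supports declared, observed, and concluded licenses." introduces three license categories at the same moment the hunk deletes the only examples that showed two of them (the `licenses` array for a declared license, `evidence.licenses` for observed ones) along with the "Refer to the "Evidence" chapter" pointer, so the License Compliance section now names the concepts without showing the fields or saying where the worked examples went. If the open-source, SPDX-expression, evidence and commercial-licensing material was moved to another chapter (the commit touches 8 files but only 6 are visible here), add a cross-reference in place of the removed subsections rather than leaving the reader to search. Two points on the removed text in case it was relocated rather than dropped: the commercial example is not valid JSON because of the trailing comma in `"name": "Acme Inc",`, and the reader has no way to know that "All commercial license fields are optional" without the example that lists them. Finally, "CycloneDX is ideal for both open-source and commercial license compliance" replaces the more measured "CycloneDX can be used for"; the original wording is the claim the section actually supports.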
2 changes: 1 addition & 1 deletion SBOM/en/0x45-Cryptographic_Components.md
@@ -1,4 +1,4 @@
# Leveraging Cryptographic Components
# Introduction to Cryptographic Components

CycloneDX can describe cryptographic assets and their dependencies. Discovering, managing, and reporting on cryptographic
assets is necessary as the first step on the migration journey to quantum-safe systems and applications. Cryptography is
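Review bot: any table of contents or cross-reference built from the heading text will break with the new title "Introduction to Cryptographic Components", and nothing in the visible files updates one; check the SBOM guide's chapter index and any link from the CBOM guide to this chapter before merging. The new title does fit the body better, since the chapter opens by describing what CycloneDX can represent rather than how to apply it.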