From 2a9a8f003c4d08d85aff96923e1d717c49d1c033 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 22 Mar 2024 23:56:35 -0500 Subject: [PATCH] Content update --- Attestations/en/0x01-Frontispiece.md | 4 +- CBOM/en/0x01-Frontispiece.md | 8 +- CBOM/en/0x41-Dependencies.md | 6 +- SBOM/en/0x01-Frontispiece.md | 4 +- SBOM/en/0x30-Use_Cases.md | 110 +----------------- SBOM/en/0x45-Cryptographic_Components.md | 2 +- SBOM/en/0x49-Licenses.md | 141 +++++++++++++++++++++++ SBOM/en/0x50-Relationships.md | 19 +++ 8 files changed, 174 insertions(+), 120 deletions(-) create mode 100644 SBOM/en/0x49-Licenses.md diff --git a/Attestations/en/0x01-Frontispiece.md b/Attestations/en/0x01-Frontispiece.md index 836bbe4..54455cd 100644 --- a/Attestations/en/0x01-Frontispiece.md +++ b/Attestations/en/0x01-Frontispiece.md @@ -20,7 +20,7 @@ Copyright © 2024 The OWASP Foundation. This document is released under the [Creative Commons Attribution 4.0 International](https://creativecommons.org/licenses/by/4.0/). For any reuse or distribution, you must make clear to others the license terms of this work. -First Edition, 26 March 2024 +First Edition, 02 April 2024
\emptyparagraph @@ -28,7 +28,7 @@ First Edition, 26 March 2024 | Version | Changes | Updated On | Updated By | |---------------|-----------------|------------|-------------------------------------------------| -| First Edition | Initial Release | 2024-03-26 | CycloneDX Feature Working Group on Attestations | +| First Edition | Initial Release | 2024-04-02 | CycloneDX Feature Working Group on Attestations |
\newpage diff --git a/CBOM/en/0x01-Frontispiece.md b/CBOM/en/0x01-Frontispiece.md index 9bb2fca..6748a36 100644 --- a/CBOM/en/0x01-Frontispiece.md +++ b/CBOM/en/0x01-Frontispiece.md @@ -11,8 +11,6 @@ supply chain security field. This guide would not be possible without valuable f Working Group (IWG), the CycloneDX Core Working Group (CWG), the many CycloneDX Feature Working Groups (FWG), Ecma International Technical Committee 54, and a global network of contributors and supporters. -Portions of this guide were contributed by IBM under the Apache License Version 2.0. - ## Copyright and License ![license](../../images/license.svg) @@ -22,7 +20,9 @@ Copyright © 2024 The OWASP Foundation. This document is released under the [Creative Commons Attribution 4.0 International](https://creativecommons.org/licenses/by/4.0/). For any reuse or distribution, you must make clear to others the license terms of this work. -First Edition, 26 March 2024 +Portions of this guide were contributed by IBM under the Apache License Version 2.0. + +First Edition, 02 April 2024
\emptyparagraph @@ -30,7 +30,7 @@ First Edition, 26 March 2024 | Version | Changes | Updated On | Updated By | |---------------|-----------------|------------|-------------------------------------------------| -| First Edition | Initial Release | 2024-03-26 | CycloneDX Feature Working Group on Cryptography | +| First Edition | Initial Release | 2024-04-02 | CycloneDX Feature Working Group on Cryptography |
\newpage diff --git a/CBOM/en/0x41-Dependencies.md b/CBOM/en/0x41-Dependencies.md index 5164ce1..a9c526b 100644 --- a/CBOM/en/0x41-Dependencies.md +++ b/CBOM/en/0x41-Dependencies.md 
@@ -10,9 +10,9 @@ In the context of cryptographic dependencies, CycloneDX provides some additional there are two types of dependencies: dependsOn and provides. | Dependency Type | Description | -| --------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| dependsOn | The bom-ref identifiers of the components or services that are dependencies of this dependency object. | -| provides | The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object. For example, a cryptographic library that implements a cryptographic algorithm. A component that implements another component does not imply that the implementation is in use. | +|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| dependsOn | The bom-ref identifiers of the components or services that are dependencies of this dependency object. | +| provides | The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object. For example, a cryptographic library that implements a cryptographic algorithm. A component that implements another component does not imply that the implementation is in use. | The dependency type, dependsOn, is leveraged by classic SBOMs to define a complete graph of direct and transitive 
diff --git a/SBOM/en/0x01-Frontispiece.md b/SBOM/en/0x01-Frontispiece.md index a4b9b36..6fe93b7 100644 --- a/SBOM/en/0x01-Frontispiece.md +++ b/SBOM/en/0x01-Frontispiece.md @@ -20,7 +20,7 @@ Copyright © 2024 The OWASP Foundation. This document is released under the [Creative Commons Attribution 4.0 International](https://creativecommons.org/licenses/by/4.0/). For any reuse or distribution, you must make clear to others the license terms of this work. -Second Edition, 26 March 2024 +Second Edition, 02 April 2024
\emptyparagraph @@ -28,7 +28,7 @@ Second Edition, 26 March 2024 | Version | Changes | Updated On | Updated By | |----------------|----------------------------|------------|------------------------------| -| Second Edition | Updated for CycloneDX v1.6 | 2024-03-26 | CycloneDX Core Working Group | +| Second Edition | Updated for CycloneDX v1.6 | 2024-04-02 | CycloneDX Core Working Group | | First Edition | Initial Release | 2023-06-25 | CycloneDX Core Working Group |
diff --git a/SBOM/en/0x30-Use_Cases.md b/SBOM/en/0x30-Use_Cases.md index 3a268a1..768c8ff 100644 --- a/SBOM/en/0x30-Use_Cases.md +++ b/SBOM/en/0x30-Use_Cases.md 
@@ -256,122 +256,16 @@ The following example illustrates the use of enveloped signing using JSF. ``` ## License Compliance -CycloneDX can be used for open-source and commercial license compliance. By leveraging the licensing capabilities of +CycloneDX is ideal for both open-source and commercial license compliance. By leveraging the licensing capabilities of CycloneDX, organizations can identify any licenses that may be incompatible or require specific compliance obligations, -such as attribution or sharing of source code. +such as attribution or sharing of source code. CycloneDX supports declared, observed, and concluded licenses. -### Open Source Licensing -The following is an example of a components license. CycloneDX communicates this information using the SPDX license IDs -along with optionally including a Base64 encoded representation of the full license text. - -```json -"licenses": [ - { - "license": { - "id": "Apache-2.0", - "text": { - "contentType": "text/plain", - "encoding": "base64", - "content": "RW5jb2RlZCBsaWNlbnNlIHRleHQgZ29lcyBoZXJlLg==" - }, - "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" - } - } -] -``` - -SPDX license expressions are also fully supported. - -```json -"licenses": [ - { - "expression": "(LGPL-2.1 OR BSD-3-Clause AND MIT)" - } -] -``` - -In addition to asserting the license(s) of a component, CycloneDX also supports evidence of other licenses and copyrights -found in a given component. For example: - -```json -"evidence": { - "licenses": [ - { "license": { "id": "Apache-2.0" } }, - { "license": { "id": "LGPL-2.1-only" } } - ], - "copyright": [ - { "text": "Copyright 2012 Acme Inc. All Rights Reserved." }, - { "text": "Copyright (C) 2004,2005 University of Example" } - ] -} -``` -Refer to the "Evidence" chapter for more information. 
- -### Commercial Licensing CycloneDX can also help organizations manage their commercial software licenses by providing a clear understanding of what licenses are in use and which ones require renewal or additional purchases, which may impact the operational aspects of applications or systems. By leveraging CycloneDX for commercial license compliance, organizations can reduce the risks associated with license violations, enhance their license management practices, and align their SBOM practice with Software Asset Management (SAM) and IT Asset Management (ITAM) systems for enterprise visibility. -The following example illustrates a commercial license for a given component. - -```json -"licenses": [ - { - "license": { - "name": "Acme Commercial License", - "licensing": { - "licensor": { - "organization": { - "name": "Acme Inc", - } - }, - "licensee": { - "organization": { - "name": "Example Co." - } - }, - "purchaser": { - "individual": { - "name": "Samantha Wright", - "email": "samantha.wright@gmail.com", - "phone": "800-555-1212" - } - }, - "purchaseOrder": "PO-12345", - "licenseTypes": [ "appliance" ], - "lastRenewal": "2022-04-13T20:20:39+00:00", - "expiration": "2023-04-13T20:20:39+00:00" - } - } - } -] -``` - -All commercial license fields are optional. The licensor, licensee, and purchaser may be an organization or individual. -Multiple license types may be specified and include: - -| **License Type** | **Description** | -|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| academic | A license that grants use of software solely for the purpose of education or research. | -| appliance | A license covering use of software embedded in a specific piece of hardware. | -| client-access | A Client Access License (CAL) allows client computers to access services provided by server software. 
| -| concurrent-user | A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users. | -| core-points | A license where the core of a computer's processor is assigned a specific number of points. | -| custom-metric | A license for which consumption is measured by non-standard metrics. | -| device | A license that covers a defined number of installations on computers and other types of devices. | -| evaluation | A license that grants permission to install and use software for trial purposes. | -| named-user | A license that grants access to the software to one or more pre-defined users. | -| node-locked | A license that grants access to the software on one or more pre-defined computers or devices. | -| oem | An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware. | -| perpetual | A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely. | -| processor-points | A license where each installation consumes points per processor. | -| subscription | A license where the licensee pays a fee to use the software or service. | -| user | A license that grants access to the software or service by a specified number of users. | -| other | Another license type. | - - Solutions supporting the Software Development Life Cycle (SDLC) typically involve open-source license compliance or intellectual property use cases. Whereas Software Asset Management (SAM) is primarily concerned with commercial license and procurement use cases. OWASP CycloneDX has extensive support for both and can be applied to any component or service diff --git a/SBOM/en/0x45-Cryptographic_Components.md b/SBOM/en/0x45-Cryptographic_Components.md index b1e4a89..ad6b761 100644 --- a/SBOM/en/0x45-Cryptographic_Components.md 
+++ b/SBOM/en/0x45-Cryptographic_Components.md @@ -1,4 +1,4 @@ -# Leveraging Cryptographic Components +# Introduction to Cryptographic Components CycloneDX can describe cryptographic assets and their dependencies. Discovering, managing, and reporting on cryptographic assets is necessary as the first step on the migration journey to quantum-safe systems and applications. Cryptography is diff --git a/SBOM/en/0x49-Licenses.md b/SBOM/en/0x49-Licenses.md new file mode 100644 index 0000000..543ccba --- /dev/null +++ b/SBOM/en/0x49-Licenses.md 
@@ -0,0 +1,141 @@ +# License Compliance +CycloneDX can be used for open-source and commercial license compliance. By leveraging the licensing capabilities of +CycloneDX, organizations can identify any licenses that may be incompatible or require specific compliance obligations, +such as attribution or sharing of source code. + +## Open Source Licensing +The following is an example of a components license. CycloneDX communicates this information using the SPDX license IDs +along with optionally including a Base64 encoded representation of the full license text. + +```json +"licenses": [ + { + "license": { + "id": "Apache-2.0", + "acknowledgement": "declared", + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "RW5jb2RlZCBsaWNlbnNlIHRleHQgZ29lcyBoZXJlLg==" + }, + "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" + } + } +] +``` + +SPDX license expressions are also fully supported. + +```json +"licenses": [ + { + "expression": "(LGPL-2.1 OR BSD-3-Clause AND MIT)", + "acknowledgement": "declared" + } +] +``` + +## Declared and Concluded Licenses +Declared licenses and concluded licenses represent two different stages in the licensing process within software +development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms +under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis +of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from +the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, +concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper +compliance and risk management. 
+ +| Acknowledgement | Description | +|-----------------|------------------------------------------------------------------------------------------------------------| +| declared | Declared licenses represent the initial intentions of authors regarding the licensing terms of their code. | +| concluded | Concluded licenses are verified and confirmed. | + + +## Using Evidence To Substantiate Concluded Licenses and Track Copyrights +In addition to asserting the declared or concluded license(s) of a component, CycloneDX also supports evidence of other +licenses and copyrights found in a given component. These licenses are "observed" in the course of analyzing a +software project and form the necessary evidence to substantiate a "concluded" license. For example: + +```json +"evidence": { + "licenses": [ + { "license": { "id": "Apache-2.0" } }, + { "license": { "id": "LGPL-2.1-only" } } + ], + "copyright": [ + { "text": "Copyright 2012 Acme Inc. All Rights Reserved." }, + { "text": "Copyright (C) 2004,2005 University of Example" } + ] +} +``` +Refer to the "Evidence" chapter for more information. + + +## Commercial Licensing +CycloneDX can also help organizations manage their commercial software licenses by providing a clear understanding of +what licenses are in use and which ones require renewal or additional purchases, which may impact the operational aspects +of applications or systems. By leveraging CycloneDX for commercial license compliance, organizations can reduce the risks +associated with license violations, enhance their license management practices, and align their SBOM practice with +Software Asset Management (SAM) and IT Asset Management (ITAM) systems for enterprise visibility. + +The following example illustrates a commercial license for a given component. 
+ +```json +"licenses": [ + { + "license": { + "name": "Acme Commercial License", + "licensing": { + "licensor": { + "organization": { "name": "Acme Inc" } + }, + "licensee": { + "organization": { "name": "Example Co." } + }, + "purchaser": { + "individual": { + "name": "Samantha Wright", + "email": "samantha.wright@gmail.com", + "phone": "800-555-1212" + } + }, + "purchaseOrder": "PO-12345", + "licenseTypes": [ "appliance" ], + "lastRenewal": "2022-04-13T20:20:39+00:00", + "expiration": "2023-04-13T20:20:39+00:00" + } + } + } +] +``` + +All commercial license fields are optional. The licensor, licensee, and purchaser may be an organization or individual. +Multiple license types may be specified and include: + +| **License Type** | **Description** | +|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| academic | A license that grants use of software solely for the purpose of education or research. | +| appliance | A license covering use of software embedded in a specific piece of hardware. | +| client-access | A Client Access License (CAL) allows client computers to access services provided by server software. | +| concurrent-user | A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users. | +| core-points | A license where the core of a computer's processor is assigned a specific number of points. | +| custom-metric | A license for which consumption is measured by non-standard metrics. | +| device | A license that covers a defined number of installations on computers and other types of devices. | +| evaluation | A license that grants permission to install and use software for trial purposes. | +| named-user | A license that grants access to the software to one or more pre-defined users. 
| +| node-locked | A license that grants access to the software on one or more pre-defined computers or devices. | +| oem | An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware. | +| perpetual | A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely. | +| processor-points | A license where each installation consumes points per processor. | +| subscription | A license where the licensee pays a fee to use the software or service. | +| user | A license that grants access to the software or service by a specified number of users. | +| other | Another license type. | + + +Solutions supporting the Software Development Life Cycle (SDLC) typically involve open-source license compliance or +intellectual property use cases. Whereas Software Asset Management (SAM) is primarily concerned with commercial license +and procurement use cases. OWASP CycloneDX has extensive support for both and can be applied to any component or service +within a BOM. + +
+\newpage +
diff --git a/SBOM/en/0x50-Relationships.md b/SBOM/en/0x50-Relationships.md index 727906b..5e536c2 100644 --- a/SBOM/en/0x50-Relationships.md +++ b/SBOM/en/0x50-Relationships.md 
@@ -108,6 +108,25 @@ The dependency graph above can be codified with the following: > represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this > to be opaque and not an indicator of a component being dependency-free. +As of CycloneDX v1.6, there are two types of dependencies: dependsOn and provides. + +| Dependency Type | Description | +|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| dependsOn | The bom-ref identifiers of the components or services that are dependencies of this dependency object. | +| provides | The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object. For example, a cryptographic library that implements a cryptographic algorithm. A component that implements another component does not imply that the implementation is in use. | + +The dependency type, dependsOn, is leveraged by classic SBOMs to define a complete graph of direct and transitive +dependencies. However, for cryptographic and similar assets, "provides" allows for many additional use cases. + +![Dependencies](../../CBOM/en/images/dependencies.svg) + +The example shows an application (nginx) that uses the libssl cryptographic library. This library implements the +TLSv1.2 protocol. The relationship between the application, the library and the protocol can be expressed by using the +dependencies properties of the SBOM standard. + +Refer to the [Authoritative Guide to CBOM](https://cyclonedx.org/guides/) for in-depth information about leveraging +CycloneDX for cryptographic use cases. +
\newpage
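Review bot: In CBOM/en/0x01-Frontispiece.md the IBM attribution is moved into the Copyright and License section, which is the right place, but it now sits directly under the CC BY 4.0 statement asking reusers to "make clear to others the license terms of this work" without saying which portions are Apache-2.0. Consider naming the chapters or sections concerned, or pointing to where that is recorded, so a reuser can tell which terms apply to which text.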
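Review bot: In the SBOM/en/0x30-Use_Cases.md hunk the retained paragraph still says "CycloneDX supports declared, observed, and concluded licenses" but the examples and explanation that backed the claim are removed, and the "### Commercial Licensing" heading is deleted while the paragraph "CycloneDX can also help organizations manage their commercial software licenses" is kept, so that paragraph now follows the summary with no heading and a dangling "also". Suggest ending the License Compliance paragraph with a pointer to the new chapter (SBOM/en/0x49-Licenses.md) and either restoring a short heading above the commercial paragraph or folding it into the summary. Also, "is ideal for" replaces the more measured "can be used for" while the new chapter keeps the original wording, so the two chapters now disagree.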
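Review bot: In the new SBOM/en/0x49-Licenses.md the SPDX expression example uses `LGPL-2.1` while the evidence example a few lines later uses `LGPL-2.1-only`; SPDX deprecated the bare `LGPL-2.1` identifier in favour of `LGPL-2.1-only` / `LGPL-2.1-or-later`, so the expression should match, and since `(LGPL-2.1 OR BSD-3-Clause AND MIT)` relies on AND binding tighter than OR, an explicit inner parenthesis around the AND term would make the example unambiguous. Two smaller points: "a components license" should be "a component's license", and the Acknowledgement table lists only `declared` and `concluded` even though the chapter text also names "observed" licenses; a sentence stating that observed licenses are recorded under `evidence` rather than as an acknowledgement value would close that gap.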
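Review bot: In the SBOM/en/0x50-Relationships.md hunk the new table and the "dependsOn, is leveraged by classic SBOMs" paragraph are a verbatim copy of CBOM/en/0x41-Dependencies.md (edited in this same patch), and the image is referenced across guides as `../../CBOM/en/images/dependencies.svg`. Two copies will drift, and the cross-directory image path only resolves when the SBOM guide is built from a full repository checkout; suggest either copying dependencies.svg into SBOM/en/images/ or confirming the build handles the shared path, and keeping the SBOM text to a short summary plus the existing link to the CBOM guide rather than the full table.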