Content update
stevespringett committed Feb 23, 2024
1 parent 8c71517 commit 3ad56b0
Showing 3 changed files with 16 additions and 7 deletions.
8 changes: 4 additions & 4 deletions SBOM/en/0x10-Introduction.md
Expand Up @@ -105,8 +105,8 @@ defined in HBOMs, SBOMs, and SaaSBOMs.
### Cryptography Bill of Materials (CBOM)
A Cryptography Bill of Materials (CBOM) describes cryptographic assets and their dependencies. Discovering, managing,
and reporting on cryptographic assets is necessary as the first step on the migration journey to quantum-safe systems
and applications. Cryptography is typically buried deep within components that are used to compose and build systems
and applications. As part of an agile cryptographic approach, organizations should seek to understand what cryptographic
and applications. Cryptography is typically buried deep within components used to compose and build systems and
applications. As part of an agile cryptographic approach, organizations should seek to understand what cryptographic
assets they are using and facilitate the assessment of the risk posture to provide a starting point for mitigation.

### Operations Bill of Materials (OBOM)
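Review bot: the rewrapped CBOM paragraph still says "As part of an agile cryptographic approach", a phrase the surrounding text never defines; since the paragraph is about the migration to quantum-safe systems, the established term "crypto-agile approach" (cryptographic agility) would let readers connect it to the wider literature. Dropping "that are" from "components used to compose and build systems" reads fine.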
Expand Down Expand Up @@ -144,8 +144,8 @@ component. VEX allows software vendors and other parties to communicate the expl
providing clarity on the vulnerabilities that pose a risk and the ones that do not.

### CycloneDX Attestations (CDXA)
CycloneDX Attestations enable organizations to communicate security standards, claims and evidence about security
requirements, and attestations to the veracity and completeness of those claims. CycloneDX Attestations is a way to
CycloneDX Attestations enable organizations to communicate security standards, claims, and evidence about security
requirements, and attestations to the veracity and completeness of those claims. CycloneDX Attestations is a way to
manage "compliance as code."

### Common Release Notes Format
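Review bot: adding the Oxford comma leaves the first CDXA sentence ambiguous: "security standards, claims, and evidence about security requirements, and attestations to the veracity and completeness of those claims" can be read as three or four list items, and "those claims" now reaches back across two commas. Consider restructuring it so the three things being communicated are explicit, e.g. "communicate (1) security standards, (2) claims and supporting evidence about security requirements, and (3) attestations to the veracity and completeness of those claims."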
7 changes: 4 additions & 3 deletions SBOM/en/0x30-Use_Cases.md
Expand Up @@ -67,11 +67,12 @@ CycloneDX is capable of describing the following types of components:
|------------------------|-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Application | Component | A software application |
| Container | Component | A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. |
| Cryptographic Asset | Component | A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. |
| Data | Component | A collection of discrete values that convey information. |
| Device | Component | A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. |
| Device Driver | Component | A special type of software that operates or controls a particular type of device. |
| File | Component | A computer file. |
| Firmware | Component | A special type of software that provides low-level control over a device's hardware. |
| Firmware | Component | A special type of software that provides low-level control over a device's hardware. |
| Framework | Component | A software framework |
| Library | Component | A software library. Many third-party and open source reusable components are libraries. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED. |
| Machine Learning Model | Component | A model based on training data that can make predictions or decisions without being explicitly programmed to do so. |
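Review bot: the Firmware row is shown as removed and re-added with identical visible text, so that part of the hunk is a whitespace-only change; drop it from this commit (or strip trailing whitespace separately) so the diff shows only the new Cryptographic Asset row. Also, the new row's description ends with a period while the neighbouring "A software application" and "A software framework" rows do not; pick one convention for the table.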
Expand All @@ -86,8 +87,8 @@ CycloneDX is capable of describing the following types of components:
> the inventory of software and constituent parts.

Component identity is an essential requirement for managing inventory. CycloneDX supports multiple methods of identity
including:
Component identity is an essential requirement for managing inventory. CycloneDX supports multiple methods to assert
identity including:

- Coordinates: The combination of the group, name, and version fields form the coordinates of a component.
- Package URL: [Package URL](https://github.com/package-url/purl-spec) (PURL) standardizes how software package metadata is represented so that packages can universally be identified and located regardless of what vendor, project, or ecosystem the packages belongs to.
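Review bot: "multiple methods to assert identity including:" wants a comma before "including". In the unchanged context just below, "The combination of the group, name, and version fields form the coordinates" needs "forms" (the subject is "combination"), and "regardless of what vendor, project, or ecosystem the packages belongs to" should be "belong to"; worth fixing while this paragraph is being touched.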
8 changes: 8 additions & 0 deletions SBOM/en/0x51-External-References.md
Expand Up @@ -23,6 +23,7 @@ External references provide an extensible and data-rich method of forming relati
| chat | Real-time chat platform |
| documentation | Documentation, guides, or how-to instructions |
| support | Community or commercial support |
| source-distribution | The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type. |
| distribution | Direct or repository download location |
| distribution-intake | The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary |
| license | The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness |
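Review bot: the new source-distribution row should state what separates it from the existing "distribution" row, which reads only "Direct or repository download location"; as written both are download locations and a reader cannot tell which to use for a built artifact versus a source archive. If the intended split is source archive versus built distributable, say so in the description, e.g. by ending it with "..., whereas distribution refers to the built distributable."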
Expand All @@ -31,6 +32,10 @@ External references provide an extensible and data-rich method of forming relati
| release-notes | URL to release notes |
| security-contact | Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT |
| model-card | A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets |
| log | A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations. |
| configuration | Parameters or settings that may be used by other components or services. |
| evidence | Information used to substantiate a claim. |
| formulation | Describes how a component or service was manufactured or deployed. |
| attestation | Human or machine-readable statements containing facts, evidence, or testimony |
| threat-model | An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format |
| adversary-model | The defined assumptions, goals, and capabilities of an adversary |
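Review bot: the added "evidence" and "formulation" rows duplicate types that already exist further down in the same table (visible in the next hunk's context as "evidence | Data collected through various forms of extraction or analysis" and "formulation | The observed or declared formulas for how components or services were manufactured or deployed"), and with different wording, so the table now defines each of these two types twice. Keep a single row per type, choosing whichever description is meant to be normative.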
Expand All @@ -49,6 +54,9 @@ External references provide an extensible and data-rich method of forming relati
| evidence | Data collected through various forms of extraction or analysis |
| formulation | The observed or declared formulas for how components or services were manufactured or deployed |
| poam | Plans of Action and Milestones (POAM) complement an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". |
| electronic-signature | An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. |
| digital-signature | A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. |
| rfc-9116 | Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure) |
| other | Use this if no other types accurately describe the purpose of the external reference |

The following are example external references applied to a component:
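Review bot: "stylized script of the persons name" needs an apostrophe ("person's name"). The digital-signature description says it "provides strong authenticity verification"; because a signature is computed over the referenced content, a verifier can also detect modification, so "authenticity and integrity verification" would describe the type more completely.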