Fixed evidence identity. Updated test cases (#359)
Fixed issue with evidence identity that restricted identity to only a
single object. The defect was found in JSON and XML schemas but was
correct in protobuf. Updated JSON and XML schemas in a way where they
are backward compatible. Updated test cases in v1.6 that support BOTH
methods (single object and array of objects) of specifying identity
evidence.

Closes #272
stevespringett authored Jan 16, 2024
2 parents b2ae699 + 1e6ea08 commit 63e48c4
Showing 7 changed files with 319 additions and 176 deletions.
6 changes: 5 additions & 1 deletion docgen/json/templates/cyclonedx/tabbed_section.html
Expand Up @@ -11,7 +11,11 @@ <h2 class="handle">
<a class="nav-link {% if loop.index == 1 -%}active {% endif -%} {{ operator }}-option"
id="{{ node.html_id }}" data-toggle="tab" href="#tab-pane_{{ node.html_id }}" role="tab"
onclick="setAnchor('#{{ node.html_id }}')"
>{{ node.definition_name or tab_label ~ " " ~ loop.index }}</a>
>{{ node.definition_name or tab_label ~ " " ~ loop.index }}
{%- if node is deprecated -%}
{{ " " }}<span class="badge deprecated-property">Deprecated</span>
{%- endif -%}
</a>
</li>
{%- endfor -%}
</ul>
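Review bot: The `{{ " " }}` on the line after the `{%- if node is deprecated -%}` guard exists only because the `-` whitespace control on both surrounding tags would otherwise glue the badge to the label text, and nothing on the line says so. A Jinja comment such as `{#- emit the separator explicitly: the trimmed tags around it would drop it -#}` would spare the next reader the puzzle. `deprecated` is used here as a Jinja test, which only works if the docgen environment registers it; that registration is not visible on this page, so it is worth confirming it exists alongside the `deprecated-property` CSS class the badge relies on.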
188 changes: 96 additions & 92 deletions schema/bom-1.6.schema.json
Expand Up @@ -1982,101 +1982,20 @@
"additionalProperties": false,
"properties": {
"identity": {
"type": "object",
"description": "Evidence that substantiates the identity of a component.",
"required": [ "field" ],
"additionalProperties": false,
"properties": {
"field": {
"type": "string",
"enum": [
"group", "name", "version", "purl", "cpe", "swid", "hash"
],
"title": "Field",
"description": "The identity field of the component which the evidence describes."
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1,
"title": "Confidence",
"description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."
},
"methods": {
"description": "Evidence that substantiates the identity of a component. The identify may be an object or an array of identity objects. Support for specifying identify as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all implementations use arrays, even if only one identity object is specified.",
"oneOf" : [
{
"type": "array",
"title": "Methods",
"description": "The methods used to extract and/or analyze the evidence.",
"items": {
"type": "object",
"required": [
"technique" ,
"confidence"
],
"additionalProperties": false,
"properties": {
"technique": {
"title": "Technique",
"description": "The technique used in this method of analysis.",
"type": "string",
"enum": [
"source-code-analysis",
"binary-analysis",
"manifest-analysis",
"ast-fingerprint",
"hash-comparison",
"instrumentation",
"dynamic-analysis",
"filename",
"attestation",
"other"
],
"meta:enum": {
"source-code-analysis": "Examines the source code without executing it.",
"binary-analysis": "Examines a compiled binary through reverse engineering, typically via disassembly or bytecode reversal.",
"manifest-analysis": "Examines a package management system such as those used for building software or installing software.",
"ast-fingerprint": "Examines the Abstract Syntax Tree (AST) of source code or a compiled binary.",
"hash-comparison": "Evaluates the cryptographic hash of a component against a set of pre-computed hashes of identified software.",
"instrumentation": "Examines the call stack of running applications by intercepting and monitoring application logic without the need to modify the application.",
"dynamic-analysis": "Evaluates a running application.",
"filename": "Evaluates file name of a component against a set of known file names of identified software.",
"attestation": "A testimony to the accuracy of the identify of a component made by an individual or entity.",
"other": "Any other technique."
}
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1,
"title": "Confidence",
"description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."
},
"value": {
"type": "string",
"title": "Value",
"description": "The value or contents of the evidence."
}
}
}
"title": "Array of Identity Objects",
"items": { "$ref": "#/definitions/componentIdentityEvidence" }
},
"tools": {
"type": "array",
"uniqueItems": true,
"items": {
"anyOf": [
{
"title": "Ref",
"$ref": "#/definitions/refLinkType"
},
{
"title": "BOM-Link Element",
"$ref": "#/definitions/bomLinkElementType"
}
]
},
"title": "BOM References",
"description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."
{
"title": "A Single Identity Object",
"description": "[Deprecated]",
"$ref": "#/definitions/componentIdentityEvidence",
"deprecated": true
}
}
]
},
"occurrences": {
"type": "array",
Expand Down Expand Up @@ -4409,6 +4328,91 @@
}
}
},
"componentIdentityEvidence": {
"type": "object",
"description": "Evidence that substantiates the identity of a component.",
"required": [ "field" ],
"additionalProperties": false,
"properties": {
"field": {
"type": "string",
"enum": [
"group", "name", "version", "purl", "cpe", "swid", "hash"
],
"title": "Field",
"description": "The identity field of the component which the evidence describes."
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1,
"title": "Confidence",
"description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."
},
"methods": {
"type": "array",
"title": "Methods",
"description": "The methods used to extract and/or analyze the evidence.",
"items": {
"type": "object",
"required": [
"technique" ,
"confidence"
],
"additionalProperties": false,
"properties": {
"technique": {
"title": "Technique",
"description": "The technique used in this method of analysis.",
"type": "string",
"enum": [
"source-code-analysis",
"binary-analysis",
"manifest-analysis",
"ast-fingerprint",
"hash-comparison",
"instrumentation",
"dynamic-analysis",
"filename",
"attestation",
"other"
]
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1,
"title": "Confidence",
"description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."
},
"value": {
"type": "string",
"title": "Value",
"description": "The value or contents of the evidence."
}
}
}
},
"tools": {
"type": "array",
"uniqueItems": true,
"items": {
"anyOf": [
{
"title": "Ref",
"$ref": "#/definitions/refLinkType"
},
{
"title": "BOM-Link Element",
"$ref": "#/definitions/bomLinkElementType"
}
]
},
"title": "BOM References",
"description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."
}
}
},
"standard": {
"type": "object",
"title": "Standard",
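Review bot: The new `componentIdentityEvidence` definition in the second hunk drops the `meta:enum` block that the removed inline definition carried under `technique` (the per-value descriptions from `source-code-analysis` through `other`), so that documentation is lost even though the lint harness still registers the `meta:enum` keyword; restoring the removed `meta:enum` object verbatim after the `enum` array in the new definition would keep the generated docs unchanged. In the first hunk, the new `identity` description reads "The identify may be an object" and "specifying identify as a single object"; both should be `identity`. The array branch has no `minItems`, so `"identity": []` validates; if an empty list carries no meaning, `"minItems": 1` next to `"items"` would close that. If the schema is on draft-07 (the dialect is not visible here), the `title`, `description` and `deprecated` siblings of the `$ref` in the single-object branch are ignored by spec-conformant validators and serve only as documentation.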
7 changes: 5 additions & 2 deletions schema/bom-1.6.xsd
Expand Up @@ -2248,9 +2248,12 @@ limitations under the License.

<xs:complexType name="componentEvidenceType">
<xs:sequence>
<xs:element name="identity" minOccurs="0" maxOccurs="1">
<xs:element name="identity" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Evidence that substantiates the identity of a component.</xs:documentation>
<xs:documentation>Evidence that substantiates the identity of a component. The identify may be an
object or an array of identity objects. Support for specifying identify as a single object was
introduced in CycloneDX v1.5. "unbounded" was introduced in v1.6. It is RECOMMENDED that all
implementations are aware of "unbounded".</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
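Review bot: The new xs:documentation text for `identity` carries the JSON-schema wording over unchanged: "identify" appears twice where "identity" is meant, and "an object or an array of identity objects" does not describe XML, where the change is simply that the element may now repeat. Suggested text: `Evidence that substantiates the identity of a component. Multiple identity elements may be specified. A single identity element was introduced in CycloneDX v1.5; maxOccurs="unbounded" was introduced in v1.6.` The enclosing `componentEvidenceType` continues past the end of the hunk.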
1 change: 1 addition & 0 deletions tools/src/test/js/json-schema-lint-tests.js
Expand Up @@ -49,6 +49,7 @@ function getAjv(strict) {
validateFormats: true,
allowMatchingProperties: true,
addUsedSchema: false,
allowUnionTypes: false,
keywords: ["meta:enum"],
schemas: {
'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema,
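Review bot: The added `allowUnionTypes: false` option has no comment saying why it is set, and if this is Ajv 8 it is already the default under strict mode, so a reader cannot tell whether it documents a deliberate constraint or guards against a non-default `strict` value passed to `getAjv(strict)`. A one-line comment such as `// reject "type": [...] unions so evidence.identity must go through oneOf (already the strict-mode default; stated for clarity)` would make the intent explicit. The `getAjv` body starts and ends outside the hunk.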
44 changes: 44 additions & 0 deletions tools/src/test/resources/1.6/valid-evidence-1.6.json
Expand Up @@ -105,6 +105,50 @@
}
]
}
},
{
"type": "application",
"group": "com.example",
"name": "example-project",
"version": "1.0.0",
"purl": "pkg:maven/com.example/[email protected]",
"evidence": {
"identity": [
{
"field": "group",
"confidence": 0.1,
"methods": [
{
"technique": "filename",
"confidence": 0.1,
"value": "example-project-1.0.0.jar"
}
]
},
{
"field": "name",
"confidence": 0.1,
"methods": [
{
"technique": "filename",
"confidence": 0.1,
"value": "example-project-1.0.0.jar"
}
]
},
{
"field": "version",
"confidence": 0.1,
"methods": [
{
"technique": "filename",
"confidence": 0.1,
"value": "example-project-1.0.0.jar"
}
]
}
]
}
}
]
}
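Review bot: The added component exercises only the array form of `evidence.identity`; whether the deprecated single-object branch of the `oneOf` is still covered depends on the earlier component in this file, which lies outside the hunk. A fixture that keeps `"identity": { "field": "name", ... }` as a single object, and an invalid-fixture counterpart such as `"identity": []` if empty lists are meant to fail, would pin both sides of the change. The three entries also all carry `"confidence": 0.1` and the same `filename` method, so they would not surface a bug that confuses one entry with another; distinct confidence values per field would be a cheap improvement.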
