From 4df142989f966447d185286fa125eb0bf29cdafa Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 4 Nov 2024 15:40:51 +0100 Subject: [PATCH 01/13] tests: fix ProtoBuf breaking detection to be wire-only (#532) our spec describes how data models look in data transfers. current protobuf breaking detection adheres this. the protobuf breaking detection also does unnecessary detections, which should not matter for our domain. they are removed, here. ---- changes are based on https://github.com/CycloneDX/specification/pull/530#issuecomment-2453625276 --------- Signed-off-by: Jan Kowalleck --- tools/src/test/proto/buf_breaking-remote.yaml | 3 +-- tools/src/test/proto/buf_breaking-version.yaml | 3 +-- tools/src/test/proto/test.sh | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/tools/src/test/proto/buf_breaking-remote.yaml b/tools/src/test/proto/buf_breaking-remote.yaml index 7c3dbf25..a55e156e 100644 --- a/tools/src/test/proto/buf_breaking-remote.yaml +++ b/tools/src/test/proto/buf_breaking-remote.yaml @@ -3,5 +3,4 @@ version: v1 breaking: # https://buf.build/docs/configuration/v1/buf-yaml#breaking use: # see https://buf.build/docs/breaking/overview#rules-and-categories - - FILE - - WIRE_JSON \ No newline at end of file + - WIRE \ No newline at end of file diff --git a/tools/src/test/proto/buf_breaking-version.yaml b/tools/src/test/proto/buf_breaking-version.yaml index fcc81b05..d86b10e9 100644 --- a/tools/src/test/proto/buf_breaking-version.yaml +++ b/tools/src/test/proto/buf_breaking-version.yaml @@ -3,8 +3,7 @@ version: v1 breaking: # https://buf.build/docs/configuration/v1/buf-yaml#breaking use: # see https://buf.build/docs/breaking/overview#rules-and-categories - - FILE - - WIRE_JSON + - WIRE except: # scope is to detect changes from one version to the other -> so ignore "FILE_SAME_PACKAGE" - FILE_SAME_PACKAGE \ No newline at end of file diff --git a/tools/src/test/proto/test.sh b/tools/src/test/proto/test.sh index 2d793015..0896d3f5 100755 
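Review bot: Narrowing both configs from `FILE`/`WIRE_JSON` to `WIRE` means a field or enum-value rename in `schema/bom-*.proto` now passes this gate, because `WIRE` guards tag numbers and types but not names. The repository's own `.textproto` fixtures under `tools/src/test/resources` are name-based (as is any consumer using the protobuf JSON mapping), so such a rename would break them without this check noticing. If names are part of the contract, keep `WIRE_JSON`, or add the two name rules explicitly: `use: [WIRE, FIELD_SAME_NAME, ENUM_VALUE_SAME_NAME]`. Either way, a comment stating the intended compatibility class would help, e.g. `# WIRE only: binary compatibility; field/enum names are NOT guarded`.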
--- a/tools/src/test/proto/test.sh +++ b/tools/src/test/proto/test.sh @@ -69,7 +69,7 @@ function schema-breaking-version () { } compare '1.6' '1.5' - echo '>> skip compare' '1.5' '1.4' >&2 # <-- had breaking changes, which is acknowledged + compare '1.5' '1.4' compare '1.4' '1.3' echo '>> OK.' >&2 From f2f4c2d9f1e4ec0fbe60ad34a80d34b718f9be66 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 6 Nov 2024 11:47:00 +0100 Subject: [PATCH 02/13] tests: bump docker image from `bufbuild/buf:1.30.1` to `:1.46.0` (#519) see https://github.com/bufbuild/buf/releases ## TASKS - [x] bump version - [x] migrate config see https://buf.build/docs/migration-guides/migrate-v2-config-files - [x] migrate CLI calls --------- Signed-off-by: Jan Kowalleck --- config | 0 tools/src/test/proto/buf_breaking-remote.yaml | 6 ++--- .../src/test/proto/buf_breaking-version.yaml | 6 ++--- tools/src/test/proto/buf_lint.yaml | 18 +++++++++------ tools/src/test/proto/test.sh | 23 ++++++++----------- 5 files changed, 27 insertions(+), 26 deletions(-) create mode 100644 config diff --git a/config b/config new file mode 100644 index 00000000..e69de29b diff --git a/tools/src/test/proto/buf_breaking-remote.yaml b/tools/src/test/proto/buf_breaking-remote.yaml index a55e156e..e3fecdfd 100644 --- a/tools/src/test/proto/buf_breaking-remote.yaml +++ b/tools/src/test/proto/buf_breaking-remote.yaml @@ -1,6 +1,6 @@ # This is the config for "Buf" - a ProtocolBuffer linter/checker/more -# see https://buf.build/docs/configuration/v1/buf-yaml -version: v1 -breaking: # https://buf.build/docs/configuration/v1/buf-yaml#breaking +# see https://buf.build/docs/configuration/v2/buf-yaml +version: v2 +breaking: # https://buf.build/docs/configuration/v2/buf-yaml#breaking use: # see https://buf.build/docs/breaking/overview#rules-and-categories - WIRE \ No newline at end of file diff --git a/tools/src/test/proto/buf_breaking-version.yaml b/tools/src/test/proto/buf_breaking-version.yaml index d86b10e9..222a4ed4 100644 
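Review bot: This patch also adds an empty file `config` at the repository root (`create mode 100644 config`, blob `e69de29b`) that nothing in the diff references; it looks like an artifact of the v2 config migration and should be removed before merge. A stray top-level file is easy to mistake for real configuration later, so if it is intentional, give it content and a comment saying what reads it.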
--- a/tools/src/test/proto/buf_breaking-version.yaml +++ b/tools/src/test/proto/buf_breaking-version.yaml @@ -1,7 +1,7 @@ # This is the config for "Buf" - a ProtocolBuffer linter/checker/more -# see https://buf.build/docs/configuration/v1/buf-yaml -version: v1 -breaking: # https://buf.build/docs/configuration/v1/buf-yaml#breaking +# see https://buf.build/docs/configuration/v2/buf-yaml +version: v2 +breaking: # https://buf.build/docs/configuration/v2/buf-yaml#breaking use: # see https://buf.build/docs/breaking/overview#rules-and-categories - WIRE except: diff --git a/tools/src/test/proto/buf_lint.yaml b/tools/src/test/proto/buf_lint.yaml index 0b78a3cb..109f5eaa 100644 --- a/tools/src/test/proto/buf_lint.yaml +++ b/tools/src/test/proto/buf_lint.yaml @@ -1,9 +1,10 @@ # This is the config for "Buf" - a ProtocolBuffer linter/checker/more -# see https://buf.build/docs/configuration/v1/buf-yaml -version: v1 -lint: # https://buf.build/docs/configuration/v1/buf-yaml#lint +# see https://buf.build/docs/configuration/v2/buf-yaml +version: v2 +lint: # https://buf.build/docs/configuration/v2/buf-yaml#lint use: # see https://buf.build/docs/lint/rules - - DEFAULT # https://buf.build/docs/lint/rules#default + - STANDARD # https://buf.build/docs/lint/rules/#standard + # - COMMENTS # https://buf.build/docs/lint/rules/#comments except: # directory/file layout does not match the recommendation/framework of the tool - DIRECTORY_SAME_PACKAGE # https://buf.build/docs/lint/rules#directory_same_package 
@@ -14,9 +15,12 @@ lint: # https://buf.build/docs/configuration/v1/buf-yaml#lint - PACKAGE_VERSION_SUFFIX # https://buf.build/docs/lint/rules#package_version_suffix - FIELD_LOWER_SNAKE_CASE # https://buf.build/docs/lint/rules#field_lower_snake_case ignore_only: - DEFAULT: # https://buf.build/docs/lint/rules#default - # legacy schema files may NOT stick to the rules -- this is acknowledged. + # legacy schema files may NOT stick to the rules -- this is acknowledged. + STANDARD: + - "schema/bom-1.5.proto" + - "schema/bom-1.4.proto" + - "schema/bom-1.3.proto" + COMMENTS: - "schema/bom-1.5.proto" - "schema/bom-1.4.proto" - "schema/bom-1.3.proto" - allow_comment_ignores: true # the so-called "baseline" is done by annotating exceptions diff --git a/tools/src/test/proto/test.sh b/tools/src/test/proto/test.sh index 0896d3f5..a0c1c384 100755 --- a/tools/src/test/proto/test.sh +++ b/tools/src/test/proto/test.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -set -ue +set -uex THIS_PATH="$(realpath "$(dirname "$0")")" ROOT_PATH="$(realpath "${THIS_PATH}/../../../..")" @@ -10,7 +10,7 @@ TEST_RES_DIR='tools/src/test/resources' REMOTE="https://github.com/${GITHUB_REPOSITORY:-CycloneDX/specification}.git" -BUF_IMAGE_VERSION='1.30.1' +BUF_IMAGE_VERSION='1.46.0' ## ---- @@ -32,7 +32,6 @@ function schema-lint () { --workdir '/workspace' \ bufbuild/buf:"$BUF_IMAGE_VERSION" \ lint --path "$SCHEMA_DIR" \ - --config 'buf.yaml' \ --error-format "$LOG_FORMAT" echo '>> OK.' >&2 
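Review bot: The new `ignore_only:` block carries a `COMMENTS:` list, but `COMMENTS` is commented out in `use:` a few lines up, so those three paths are dead config that would silently exempt the legacy files the day someone enables the category. Either drop the `COMMENTS:` list or enable the category so the exception is actually exercised. The hunk also removes `allow_comment_ignores: true`; if the tree still relies on `// buf:lint:ignore` annotations as the removed comment said, that only keeps working if the v2 default for comment ignores is permissive, so a one-line note such as `# comment ignores (buf:lint:ignore) are allowed by default in v2 config` would make the dependency explicit.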
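Review bot: `BUF_IMAGE_VERSION='1.46.0'` pins the lint and breaking checks to a mutable registry tag, so the image that actually runs in CI can change underneath this commit without any diff here. Pin by digest as well, `bufbuild/buf:1.46.0@sha256:<digest>` (resolve the digest for the tag when bumping), and keep the tag alongside it for readability.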
@@ -57,14 +56,13 @@ function schema-breaking-version () { echo ">> compare new:${NEW} -VS- old:${OLD}" >&2 # stick with the original path of "$NEW", so the reporting makes sense... docker run --rm \ - --volume "${ROOT_PATH}/${SCHEMA_DIR}/${NEW}:/workspace/${SCHEMA_DIR}/${NEW}:ro" \ - --volume "${ROOT_PATH}/${SCHEMA_DIR}/${OLD}:/workspace/${SCHEMA_DIR_OLD}/${NEW}:ro" \ - --volume "${THIS_PATH}/buf_breaking-version.yaml:/workspace/buf.yaml:ro" \ - --workdir '/workspace' \ + --volume "${ROOT_PATH}/${SCHEMA_DIR}/${OLD}:/workspaces/old/${NEW}:ro" \ + --volume "${ROOT_PATH}/${SCHEMA_DIR}/${NEW}:/workspaces/new/${NEW}:ro" \ + --volume "${THIS_PATH}/buf_breaking-version.yaml:/workspaces/new/buf.yaml:ro" \ + --workdir '/workspaces' \ bufbuild/buf:"$BUF_IMAGE_VERSION" \ - breaking "$SCHEMA_DIR" \ - --against "$SCHEMA_DIR_OLD" \ - --config 'buf.yaml' \ + breaking new \ + --against old \ --error-format "$LOG_FORMAT" } @@ -90,9 +88,8 @@ function schema-breaking-remote () { --volume "${THIS_PATH}/buf_breaking-remote.yaml:/workspace/buf.yaml:ro" \ --workdir '/workspace' \ bufbuild/buf:"$BUF_IMAGE_VERSION" \ - breaking "$SCHEMA_DIR" \ - --against "${REMOTE}#subdir=${SCHEMA_DIR}" \ - --config 'buf.yaml' \ + breaking --path "$SCHEMA_DIR" \ + --against "${REMOTE}" \ --error-format "$LOG_FORMAT" echo '>> OK.' >&2 From 8c607eb7a45bdb7fbbe5cc915fa99232b68ef8f1 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 6 Nov 2024 12:41:06 +0100 Subject: [PATCH 03/13] tests: fix BrotoBuf BCcheck on version-level (#536) Signed-off-by: Jan Kowalleck --- .../src/test/proto/buf_breaking-version.yaml | 5 +--- tools/src/test/proto/test.sh | 24 ++++++++++++------- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/tools/src/test/proto/buf_breaking-version.yaml b/tools/src/test/proto/buf_breaking-version.yaml index 222a4ed4..e3fecdfd 100644 --- a/tools/src/test/proto/buf_breaking-version.yaml +++ b/tools/src/test/proto/buf_breaking-version.yaml 
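Review bot: `schema-breaking-remote` now compares against `${REMOTE}` with neither a ref nor the previous `#subdir=${SCHEMA_DIR}`, so the baseline is whatever the remote's default branch holds at run time and, when `GITHUB_REPOSITORY` points at a fork, the fork's own branch rather than upstream. That makes the result non-reproducible and, on a fork, compares the fork against itself; pin the base explicitly, e.g. `--against "${REMOTE}#branch=<base-branch>"` or a tag/commit via `#ref=`. Also confirm that with `--path "$SCHEMA_DIR"` on the new side, buf 1.46 still matches each schema against the same file in the remote clone now that `#subdir=` is gone; if not, restore `#subdir=${SCHEMA_DIR}` on the against input. The enclosing function starts outside the hunk.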
@@ -3,7 +3,4 @@
 version: v2
 breaking: # https://buf.build/docs/configuration/v2/buf-yaml#breaking
 use: # see https://buf.build/docs/breaking/overview#rules-and-categories
- - WIRE
- except:
- # scope is to detect changes from one version to the other -> so ignore "FILE_SAME_PACKAGE"
- - FILE_SAME_PACKAGE
\ No newline at end of file
+ - WIRE
\ No newline at end of file
diff --git a/tools/src/test/proto/test.sh b/tools/src/test/proto/test.sh
index a0c1c384..ccbf30bb 100755
--- a/tools/src/test/proto/test.sh
+++ b/tools/src/test/proto/test.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -uex
+set -ue
 THIS_PATH="$(realpath "$(dirname "$0")")"
 ROOT_PATH="$(realpath "${THIS_PATH}/../../../..")"
@@ -51,23 +51,29 @@ function schema-breaking-version () {
 function compare() {
 NEW="bom-${1}.proto"
 OLD="bom-${2}.proto"
- SCHEMA_DIR_OLD="${SCHEMA_DIR}_old"
+
+ NEW_NP="$(mktemp)"
+ OLD_NP="$(mktemp)"
+
+ # remove package identifier -> so that the comparisson works as expected
+ sed 's/^package .*//' "${ROOT_PATH}/${SCHEMA_DIR}/${NEW}" > "$NEW_NP"
+ sed 's/^package .*//' "${ROOT_PATH}/${SCHEMA_DIR}/${OLD}" > "$OLD_NP"
 echo ">> compare new:${NEW} -VS- old:${OLD}" >&2
 # stick with the original path of "$NEW", so the reporting makes sense...
 docker run --rm \
- --volume "${ROOT_PATH}/${SCHEMA_DIR}/${OLD}:/workspaces/old/${NEW}:ro" \
- --volume "${ROOT_PATH}/${SCHEMA_DIR}/${NEW}:/workspaces/new/${NEW}:ro" \
+ --volume "${OLD_NP}:/workspaces/old/${NEW}:ro" \
+ --volume "${NEW_NP}:/workspaces/new/${NEW}:ro" \
 --volume "${THIS_PATH}/buf_breaking-version.yaml:/workspaces/new/buf.yaml:ro" \
- --workdir '/workspaces' \
+ --workdir '/workspaces/new' \
 bufbuild/buf:"$BUF_IMAGE_VERSION" \
- breaking new \
- --against ../old \
+ breaking \
+ --against ../old \
 --error-format "$LOG_FORMAT"
 }
- compare '1.6' '1.5'
- compare '1.5' '1.4'
+ # compare '1.6' '1.5' # <-- possible breaks are acknowledged
+ # compare '1.5' '1.4' # <-- possible breaks are acknowledged
 compare '1.4' '1.3'
 echo '>> OK.' >&2
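Review bot: The two `mktemp` files created in `compare()` are never removed, so every run leaves stripped `bom-*.proto` copies in the host temp dir, and because `NEW`, `OLD`, `NEW_NP` and `OLD_NP` are not `local` they leak into the caller's scope. Declare them `local` and delete the files once the container exits, e.g. `rm -f "$NEW_NP" "$OLD_NP"` after `docker run`, keeping in mind that under `set -e` a failing `docker run` exits before that line unless an `EXIT` trap owns the cleanup. Separately, commenting out `compare '1.6' '1.5'` and `compare '1.5' '1.4'` means the version-level check no longer covers the current schema at all; naming the acknowledged breaks in that comment (or as `except` entries in `buf_breaking-version.yaml`) would let a future, unacknowledged break in 1.6 still be caught. `schema-breaking-version` starts outside the hunk.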
From ed2371e10298eb698d9e78b84e32ce686128da5c Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 6 Nov 2024 13:01:22 +0100 Subject: [PATCH 04/13] tests: fix BrotoBuf test reports (#537) Signed-off-by: Jan Kowalleck --- tools/src/test/proto/test.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/src/test/proto/test.sh b/tools/src/test/proto/test.sh index ccbf30bb..8d0c72ad 100755 --- a/tools/src/test/proto/test.sh +++ b/tools/src/test/proto/test.sh @@ -19,7 +19,7 @@ BUF_IMAGE_VERSION='1.46.0' function schema-lint () { echo '> lint schema files' >&2 - if [[ -n "${CI:-}" ]] + if [[ -n "${GITHUB_WORKFLOW:-}" ]] then LOG_FORMAT='github-actions' else @@ -60,10 +60,10 @@ function schema-breaking-version () { sed 's/^package .*//' "${ROOT_PATH}/${SCHEMA_DIR}/${OLD}" > "$OLD_NP" echo ">> compare new:${NEW} -VS- old:${OLD}" >&2 - # stick with the original path of "$NEW", so the reporting makes sense... + # stick with the original path and name of "$NEW", so the reporting makes sense... docker run --rm \ - --volume "${OLD_NP}:/workspaces/old/${NEW}:ro" \ - --volume "${NEW_NP}:/workspaces/new/${NEW}:ro" \ + --volume "${OLD_NP}:/workspaces/old/${SCHEMA_DIR}/${NEW}:ro" \ + --volume "${NEW_NP}:/workspaces/new/${SCHEMA_DIR}/${NEW}:ro" \ --volume "${THIS_PATH}/buf_breaking-version.yaml:/workspaces/new/buf.yaml:ro" \ --workdir '/workspaces/new' \ bufbuild/buf:"$BUF_IMAGE_VERSION" \ From ec3e9a2583d2d58a406f0fb211ebcf741f957692 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 7 Nov 2024 15:03:13 +0100 Subject: [PATCH 05/13] fix(ProtoBuf): add ExternalReterence Type `EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES` (#531) fixes #266 --------- 
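Review bot: `GITHUB_WORKFLOW` holds the workflow's name and only incidentally marks an Actions run; GitHub's documented always-set indicator is `GITHUB_ACTIONS` (`true`), so `if [[ "${GITHUB_ACTIONS:-}" == 'true' ]]` is the clearer test for choosing the `github-actions` error format. A short comment on the branch, `# github-actions format emits workflow annotations; plain text elsewhere`, would explain why the format differs by environment. `schema-lint` continues past the hunk.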
Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 2 + .../1.6/valid-external-reference-1.6.json | 179 ++++++++++++++++++ .../valid-external-reference-1.6.textproto | 177 +++++++++++++++++ .../1.6/valid-external-reference-1.6.xml | 49 +++++ .../1.6/valid-release-notes-1.6.json | 6 + .../1.6/valid-release-notes-1.6.textproto | 4 + .../resources/1.6/valid-release-notes-1.6.xml | 5 + 7 files changed, 422 insertions(+) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 975197f7..b9a629ca 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -297,6 +297,8 @@ enum ExternalReferenceType { EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40; // Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure) EXTERNAL_REFERENCE_TYPE_RFC_9116 = 41; + // Reference to release notes + EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES = 42; } enum HashAlg { diff --git a/tools/src/test/resources/1.6/valid-external-reference-1.6.json b/tools/src/test/resources/1.6/valid-external-reference-1.6.json index 80d87d42..f5e24561 100644 --- a/tools/src/test/resources/1.6/valid-external-reference-1.6.json +++ b/tools/src/test/resources/1.6/valid-external-reference-1.6.json 
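Review bot: `EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES = 42` is appended to a schema that is already published as 1.6, so readers built against the earlier `bom-1.6.proto` will not know the value; under proto3 open-enum rules they keep 42 as an unrecognized value instead of mapping it to `release-notes`, and generated code in languages with closed enums may coerce it to the zero (unspecified) value. That is acceptable as an additive change, but it should be visible in the schema: extend the comment to `// Reference to release notes. Added after the initial 1.6 release; readers built against the earlier 1.6 definition treat 42 as an unknown enum value.` and mention it in the release notes. Whether the file is proto3 is not visible in this hunk; if it is proto2, the closed-enum behavior applies to every reader.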
@@ -34,6 +34,185 @@ "comment": "Vendor provided documentation for the product" } ] + }, + { + "type": "application", + "name": "dummy", + "description": "this component has all external reference types possible", + "externalReferences": [ + { + "type": "vcs", + "url": "http://example.com/extref/vcs" + }, + { + "type": "issue-tracker", + "url": "http://example.com/extref/issue-tracker" + }, + { + "type": "website", + "url": "http://example.com/extref/website" + }, + { + "type": "advisories", + "url": "http://example.com/extref/advisories" + }, + { + "type": "bom", + "url": "http://example.com/extref/bom" + }, + { + "type": "mailing-list", + "url": "http://example.com/extref/mailing-list" + }, + { + "type": "social", + "url": "http://example.com/extref/social" + }, + { + "type": "chat", + "url": "http://example.com/extref/chat" + }, + { + "type": "documentation", + "url": "http://example.com/extref/documentation" + }, + { + "type": "support", + "url": "http://example.com/extref/support" + }, + { + "type": "source-distribution", + "url": "http://example.com/extref/source-distribution" + }, + { + "type": "distribution", + "url": "http://example.com/extref/distribution" + }, + { + "type": "distribution-intake", + "url": "http://example.com/extref/distribution-intake" + }, + { + "type": "license", + "url": "http://example.com/extref/license" + }, + { + "type": "build-meta", + "url": "http://example.com/extref/build-meta" + }, + { + "type": "build-system", + "url": "http://example.com/extref/build-system" + }, + { + "type": "release-notes", + "url": "http://example.com/extref/release-notes" + }, + { + "type": "security-contact", + "url": "http://example.com/extref/security-contact" + }, + { + "type": "model-card", + "url": "http://example.com/extref/model-card" + }, + { + "type": "log", + "url": "http://example.com/extref/log" + }, + { + "type": "configuration", + "url": "http://example.com/extref/configuration" + }, + { + "type": "evidence", + "url": 
"http://example.com/extref/evidence" + }, + { + "type": "formulation", + "url": "http://example.com/extref/formulation" + }, + { + "type": "attestation", + "url": "http://example.com/extref/attestation" + }, + { + "type": "threat-model", + "url": "http://example.com/extref/threat-model" + }, + { + "type": "adversary-model", + "url": "http://example.com/extref/adversary-model" + }, + { + "type": "risk-assessment", + "url": "http://example.com/extref/risk-assessment" + }, + { + "type": "vulnerability-assertion", + "url": "http://example.com/extref/vulnerability-assertion" + }, + { + "type": "exploitability-statement", + "url": "http://example.com/extref/exploitability-statement" + }, + { + "type": "pentest-report", + "url": "http://example.com/extref/pentest-report" + }, + { + "type": "static-analysis-report", + "url": "http://example.com/extref/static-analysis-report" + }, + { + "type": "dynamic-analysis-report", + "url": "http://example.com/extref/dynamic-analysis-report" + }, + { + "type": "runtime-analysis-report", + "url": "http://example.com/extref/runtime-analysis-report" + }, + { + "type": "component-analysis-report", + "url": "http://example.com/extref/component-analysis-report" + }, + { + "type": "maturity-report", + "url": "http://example.com/extref/maturity-report" + }, + { + "type": "certification-report", + "url": "http://example.com/extref/certification-report" + }, + { + "type": "quality-metrics", + "url": "http://example.com/extref/quality-metrics" + }, + { + "type": "codified-infrastructure", + "url": "http://example.com/extref/codified-infrastructure" + }, + { + "type": "poam", + "url": "http://example.com/extref/poam" + }, + { + "type": "electronic-signature", + "url": "http://example.com/extref/electronic-signature" + }, + { + "type": "digital-signature", + "url": "http://example.com/extref/digital-signature" + }, + { + "type": "rfc-9116", + "url": "http://example.com/extref/rfc-9116" + }, + { + "type": "other", + "url": 
"http://example.com/extref/other" + } + ] } ] } diff --git a/tools/src/test/resources/1.6/valid-external-reference-1.6.textproto b/tools/src/test/resources/1.6/valid-external-reference-1.6.textproto index 0428a8e9..9a8c3df2 100644 --- a/tools/src/test/resources/1.6/valid-external-reference-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-external-reference-1.6.textproto 
@@ -30,3 +30,180 @@ components { comment: "Vendor provided documentation for the product" } } +components { + type: CLASSIFICATION_APPLICATION + name: "dummy" + description: "this component has all external reference types possible" + external_references { + type: EXTERNAL_REFERENCE_TYPE_VCS + url: "http://example.com/extref/vcs" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER + url: "http://example.com/extref/issue-tracker" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_WEBSITE + url: "http://example.com/extref/website" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_ADVISORIES + url: "http://example.com/extref/advisories" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_BOM + url: "http://example.com/extref/bom" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_MAILING_LIST + url: "http://example.com/extref/mailing-list" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_SOCIAL + url: "http://example.com/extref/social" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_CHAT + url: "http://example.com/extref/chat" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "http://example.com/extref/documentation" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_SUPPORT + url: "http://example.com/extref/support" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION + url: "http://example.com/extref/source-distribution" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DISTRIBUTION + url: "http://example.com/extref/distribution" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE + url: "http://example.com/extref/distribution-intake" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_LICENSE + url: "http://example.com/extref/license" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_BUILD_META + url: "http://example.com/extref/build-meta" + } + external_references 
{ + type: EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM + url: "http://example.com/extref/build-system" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES + url: "http://example.com/extref/release-notes" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_SECURITY_CONTACT + url: "http://example.com/extref/security-contact" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_MODEL_CARD + url: "http://example.com/extref/model-card" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_LOG + url: "http://example.com/extref/log" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_CONFIGURATION + url: "http://example.com/extref/configuration" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_EVIDENCE + url: "http://example.com/extref/evidence" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_FORMULATION + url: "http://example.com/extref/formulation" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_ATTESTATION + url: "http://example.com/extref/attestation" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_THREAT_MODEL + url: "http://example.com/extref/threat-model" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_ADVERSARY_MODEL + url: "http://example.com/extref/adversary-model" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_RISK_ASSESSMENT + url: "http://example.com/extref/risk-assessment" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION + url: "http://example.com/extref/vulnerability-assertion" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT + url: "http://example.com/extref/exploitability-statement" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT + url: "http://example.com/extref/pentest-report" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT + url: "http://example.com/extref/static-analysis-report" + } + external_references { + 
type: EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT + url: "http://example.com/extref/dynamic-analysis-report" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT + url: "http://example.com/extref/runtime-analysis-report" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT + url: "http://example.com/extref/component-analysis-report" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT + url: "http://example.com/extref/maturity-report" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT + url: "http://example.com/extref/certification-report" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS + url: "http://example.com/extref/quality-metrics" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE + url: "http://example.com/extref/codified-infrastructure" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_POAM + url: "http://example.com/extref/poam" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE + url: "http://example.com/extref/electronic-signature" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE + url: "http://example.com/extref/digital-signature" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_RFC_9116 + url: "http://example.com/extref/rfc-9116" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_OTHER + url: "http://example.com/extref/other" + } +} diff --git a/tools/src/test/resources/1.6/valid-external-reference-1.6.xml b/tools/src/test/resources/1.6/valid-external-reference-1.6.xml index 21810f3c..f30782f7 100644 --- a/tools/src/test/resources/1.6/valid-external-reference-1.6.xml +++ b/tools/src/test/resources/1.6/valid-external-reference-1.6.xml 
@@ -23,5 +23,54 @@ + + dummy + this component has all external reference types possible + + http://example.com/extref/vcs + http://example.com/extref/issue-tracker + http://example.com/extref/website + http://example.com/extref/advisories + http://example.com/extref/bom + http://example.com/extref/mailing-list + http://example.com/extref/social + http://example.com/extref/chat + http://example.com/extref/documentation + http://example.com/extref/support + http://example.com/extref/source-distribution + http://example.com/extref/distribution + http://example.com/extref/distribution-intake + http://example.com/extref/license + http://example.com/extref/build-meta + http://example.com/extref/build-system + http://example.com/extref/release-notes + http://example.com/extref/security-contact + http://example.com/extref/model-card + http://example.com/extref/log + http://example.com/extref/configuration + http://example.com/extref/evidence + http://example.com/extref/formulation + http://example.com/extref/attestation + http://example.com/extref/threat-model + http://example.com/extref/adversary-model + http://example.com/extref/risk-assessment + http://example.com/extref/vulnerability-assertion + http://example.com/extref/exploitability-statement + http://example.com/extref/pentest-report + http://example.com/extref/static-analysis-report + http://example.com/extref/dynamic-analysis-report + http://example.com/extref/runtime-analysis-report + http://example.com/extref/component-analysis-report + http://example.com/extref/maturity-report + http://example.com/extref/certification-report + http://example.com/extref/quality-metrics + http://example.com/extref/codified-infrastructure + http://example.com/extref/poam + http://example.com/extref/electronic-signature + http://example.com/extref/digital-signature + http://example.com/extref/rfc-9116 + http://example.com/extref/other + + 
diff --git a/tools/src/test/resources/1.6/valid-release-notes-1.6.json b/tools/src/test/resources/1.6/valid-release-notes-1.6.json index 48b1215a..46c5a7c3 100644 --- a/tools/src/test/resources/1.6/valid-release-notes-1.6.json +++ b/tools/src/test/resources/1.6/valid-release-notes-1.6.json @@ -9,6 +9,12 @@ "type": "library", "name": "acme-example", "version": "1.0.0", + "externalReferences": [ + { + "type": "release-notes", + "url": "https://example.com/releases/1.0.0" + } + ], "releaseNotes": { "type": "major", "title": "My new release", diff --git a/tools/src/test/resources/1.6/valid-release-notes-1.6.textproto b/tools/src/test/resources/1.6/valid-release-notes-1.6.textproto index 2336c299..e39791f9 100644 --- a/tools/src/test/resources/1.6/valid-release-notes-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-release-notes-1.6.textproto @@ -8,6 +8,10 @@ components { type: CLASSIFICATION_LIBRARY name: "acme-example" version: "1.0.0" + external_references { + type: EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES + url: "https://example.com/releases/1.0.0" + } releaseNotes: { type: "major" title: "My new release" diff --git a/tools/src/test/resources/1.6/valid-release-notes-1.6.xml b/tools/src/test/resources/1.6/valid-release-notes-1.6.xml index f7ce16b0..b25986bc 100644 --- a/tools/src/test/resources/1.6/valid-release-notes-1.6.xml +++ b/tools/src/test/resources/1.6/valid-release-notes-1.6.xml @@ -4,6 +4,11 @@ acme-example 1.0.0 + + + https://example.com/releases/1.0.0 + + major My new release From 885868306a056df97c0d2b36d0b10c1e94bdc1f1 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 7 Nov 2024 15:03:40 +0100 Subject: [PATCH 06/13] fix(ProtoBuf,XML): component data repeatable (#530) fixes --------- Signed-off-by: Jan Kowalleck 
Signed-off-by: Jan Kowalleck Co-authored-by: andreas-hilti <69210561+andreas-hilti@users.noreply.github.com> --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.xsd | 2 +- .../1.6/valid-component-data-1.6.json | 30 +++++++++++++++++++ .../1.6/valid-component-data-1.6.textproto | 25 ++++++++++++++++ .../1.6/valid-component-data-1.6.xml | 24 +++++++++++++++ .../1.6/valid-component-types-1.6.json | 5 ++++ .../1.6/valid-component-types-1.6.textproto | 5 ++++ .../1.6/valid-component-types-1.6.xml | 4 +++ 8 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-component-data-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-component-data-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-component-data-1.6.xml diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index b9a629ca..5ef0e285 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto 
@@ -140,7 +140,7 @@ message Component { // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency. optional ModelCard modelCard = 25; // This object SHOULD be specified for any component of type `data` and must not be specified for other component types. - optional ComponentData data = 26; + repeated ComponentData data = 26; // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. optional CryptoProperties cryptoProperties = 27; // The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `.authors` instead. diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 085992c4..c0fd703c 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -698,7 +698,7 @@ limitations under the License. type `machine-learning-model` and must not be specified for other component types. - + This object SHOULD be specified for any component of type `data` and must not be specified for other component types. diff --git a/tools/src/test/resources/1.6/valid-component-data-1.6.json b/tools/src/test/resources/1.6/valid-component-data-1.6.json new file mode 100644 index 00000000..f78163f9 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-data-1.6.json 
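Review bot: Changing `data = 26` from `optional` to `repeated` keeps the tag and wire type, so the bytes still parse, but a reader built against the earlier 1.6 definition that receives two `data` entries will merge them into a single `ComponentData` (protobuf merges repeated occurrences of a non-repeated embedded message), yielding an object that mixes `name` and `contents` from different entries with no error. That silent merge matters for how SBOM consumers attribute data and should be stated on the field: keep the existing comment and append `// Changed from optional to repeated after the initial 1.6 release; readers built against the optional definition merge multiple entries into one.` The companion `bom-1.6.xsd` change is not legible in this hunk, so the XML side cannot be reviewed here.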
@@ -0,0 +1,30 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:1b1bff0e-fdb9-4088-8b9a-1a9f2d9006da", + "version": 1, + "components": [ + { + "type": "data", + "name": "my-configs", + "version": "1337", + "data": [ + { + "type": "configuration", + "name": "app.ini", + "contents": { + "url": "https://example.com/cfg/1337/app.ini" + } + }, + { + "type": "other", + "name": ".env", + "contents": { + "url": "https://example.com/cfg/1337/env" + } + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-component-data-1.6.textproto b/tools/src/test/resources/1.6/valid-component-data-1.6.textproto new file mode 100644 index 00000000..da50b701 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-data-1.6.textproto @@ -0,0 +1,25 @@ +# proto-file: schema/bom-1.6.proto +# proto-message: Bom + +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:1b1bff0e-fdb9-4088-8b9a-1a9f2d9006da" +components { + type: CLASSIFICATION_DATA + name: "my-configs" + version: "1337" + data { + type: COMPONENT_DATA_TYPE_CONFIGURATION + name: "app.data" + contents { + url: "https://example.com/cfg/1337/app.ini" + } + } + data { + type: COMPONENT_DATA_TYPE_OTHER + name: ".env" + contents { + url: "https://example.com/cfg/1337/env" + } + } +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-component-data-1.6.xml b/tools/src/test/resources/1.6/valid-component-data-1.6.xml new file mode 100644 index 00000000..fe89d803 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-data-1.6.xml @@ -0,0 +1,24 @@ + + + + + my-configs + 1337 + + configuration + app.ini + + https://example.com/cfg/1337/app.ini + + + + other + .env + + https://example.com/cfg/1337/env + + + + + diff --git a/tools/src/test/resources/1.6/valid-component-types-1.6.json b/tools/src/test/resources/1.6/valid-component-types-1.6.json index 241c2ffd..8b1abd7e 100644 
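Review bot: The textproto fixture disagrees with its JSON and XML siblings: the first data entry is named `name: "app.data"` while the JSON fixture uses `"name": "app.ini"` and all three point at `https://example.com/cfg/1337/app.ini`. If these files are meant to be format-equivalent test vectors, the line should read `name: "app.ini"`; as written, a cross-format round-trip test would not catch a real divergence because the inputs already differ.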
--- a/tools/src/test/resources/1.6/valid-component-types-1.6.json +++ b/tools/src/test/resources/1.6/valid-component-types-1.6.json @@ -44,6 +44,11 @@ "type": "file", "name": "file-a", "version": "1.0" + }, + { + "type": "data", + "name": "data-a", + "version": "1.0" } ] } diff --git a/tools/src/test/resources/1.6/valid-component-types-1.6.textproto b/tools/src/test/resources/1.6/valid-component-types-1.6.textproto index d62c94d8..6a5c4311 100644 --- a/tools/src/test/resources/1.6/valid-component-types-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-component-types-1.6.textproto @@ -44,3 +44,8 @@ components { name: "file-a" version: "1.0" } +components { + type: CLASSIFICATION_DATA + name: "data-a" + version: "1.0" +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-component-types-1.6.xml b/tools/src/test/resources/1.6/valid-component-types-1.6.xml index b66c396e..d8c70784 100644 --- a/tools/src/test/resources/1.6/valid-component-types-1.6.xml +++ b/tools/src/test/resources/1.6/valid-component-types-1.6.xml @@ -33,5 +33,9 @@ file-a 1.0 + + data-a + 1.0 + From 026633999fa105db25a0ae1b423a09e2597bc81b Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 7 Nov 2024 15:04:16 +0100 Subject: [PATCH 07/13] fix(ProtoBuf): `Component.evidence` optional (#534) fixes #422 by reverting the unreleased https://github.com/CycloneDX/specification/commit/19a153072690dfb2e8475ea3fa2e09a657d0cef6 & https://github.com/CycloneDX/specification/commit/acc5f3a003f26a6f165d83e5f4f7706546ccc055 as discussed here: https://github.com/CycloneDX/specification/issues/422#issuecomment-2454961082 Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 5ef0e285..84f4b53a 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto 
@@ -133,8 +133,8 @@ message Component {
 repeated Component components = 21;
 // Specifies optional, custom, properties
 repeated Property properties = 22;
- // Specifies optional license and copyright evidence. Only the first item in the optional repeated list is to be taken into account; every other item in the list is to be ignored/omitted.
- repeated Evidence evidence = 23;
+ // Specifies optional license and copyright evidence.
+ optional Evidence evidence = 23;
 // Specifies optional release notes.
 optional ReleaseNotes releaseNotes = 24;
 // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
From 003ab52bb73f8ba9e03ac09a29339f65aee014e7 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Thu, 7 Nov 2024 15:04:45 +0100
Subject: [PATCH 08/13] fix(ProtoBuf): add `LicenseExpression.bom_ref` (#529)
fixes #515
Signed-off-by: Jan Kowalleck
---
 schema/bom-1.6.proto | 2 ++
 .../test/resources/1.6/valid-license-expression-1.6.textproto | 1 +
 2 files changed, 3 insertions(+)
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index 84f4b53a..beac6f59 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -375,6 +375,8 @@ message LicenseChoice {
 }
 // This field must only be used when "expression" is chosen as the License object has its own acknowledgement.
 optional LicenseAcknowledgementEnumeration acknowledgement = 3;
+ // This field must only be used when "expression" is chosen as the License object has its own bom_ref.
+ optional string bom_ref = 4;
 }
 
 // Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.
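Review bot: The new `bom_ref` sits outside the `oneof choice`, so nothing in the schema prevents a producer from setting it together with `license`, in which case two identifiers compete for the same element and a consumer dereferencing bom-refs may resolve to the wrong one; the "must only be used when expression is chosen" rule needs a validator check (test fixtures for the invalid combination would be a good place), since protobuf cannot express it. The comment also omits the uniqueness requirement every other `bom_ref` in this file states; I'd write `// An optional identifier which can be used to reference the license expression elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. This field must only be used when "expression" is chosen, as the License object has its own bom_ref.`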
diff --git a/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto b/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto
index 8ecb3253..a6c451a4 100644
--- a/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto
+++ b/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto
@@ -13,5 +13,6 @@ components {
 licenses {
 expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
 acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+ bom_ref: "my-license"
 }
 }
From 30040f7fcaec5416c92efb4dec3e3a59f544aea5 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Thu, 7 Nov 2024 15:05:41 +0100
Subject: [PATCH 09/13] docs: transfer specdocs to ProtoBuf 1.6 (#539)
fixes #538
texts were taken from the human-readable Spec CycloneDX 1.6.0
---------
Signed-off-by: Jan Kowalleck
---
 schema/bom-1.6.proto | 174 ++++++++++++++++++++++++++++-
 tools/src/test/proto/buf_lint.yaml | 7 +-
 2 files changed, 177 insertions(+), 4 deletions(-)
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index beac6f59..aa5e4c17 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -112,6 +112,7 @@ message Component {
 optional string description = 10;
 // Specifies the scope of the component. If a scope is not specified, SCOPE_REQUIRED scope should be assumed by the consumer of the BOM
 optional Scope scope = 11;
+ // The hashes of the component.
 repeated Hash hashes = 12;
 // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
 repeated LicenseChoice licenses = 13;
@@ -176,14 +177,20 @@ message DataFlow { // Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known. // buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "DATA_FLOW_DIRECTION_" enum DataFlowDirection { + // Default // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` DATA_FLOW_NULL = 0; + // Data that enters a service. DATA_FLOW_INBOUND = 1; + // Data that exits a service. DATA_FLOW_OUTBOUND = 2; + // Data flows in and out of the service. DATA_FLOW_BI_DIRECTIONAL = 3; + // The directional flow of data is not known. DATA_FLOW_UNKNOWN = 4; } +// Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs. message Dependency { // References a component or service by its bom-ref attribute string ref = 1; @@ -193,6 +200,7 @@ message Dependency { repeated string provides = 3; } +// The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff message Diff { // Specifies the optional text of the diff optional AttachedText text = 1; 
@@ -200,6 +208,7 @@ message Diff { optional string url = 2; } +// External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. message ExternalReference { // Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type. ExternalReferenceType type = 1; @@ -336,6 +345,7 @@ message IdentifiableAction { } enum IssueClassification { + // Default // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` ISSUE_CLASSIFICATION_NULL = 0; // A fault, flaw, or bug in software @@ -346,6 +356,7 @@ enum IssueClassification { ISSUE_CLASSIFICATION_SECURITY = 3; } +// An individual issue that has been resolved. message Issue { // Specifies the type of issue IssueClassification type = 1; @@ -355,7 +366,9 @@ message Issue { optional string name = 3; // A description of the issue optional string description = 4; + // The source of the issue where it is documented optional Source source = 5; + // A collection of URL's for reference. Multiple URLs are allowed. Example: "https://example.com" repeated string references = 6; } @@ -369,6 +382,7 @@ message Source { message LicenseChoice { oneof choice { + // A license License license = 1; // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements string expression = 2; @@ -430,9 +444,12 @@ message Licensing { optional google.protobuf.Timestamp expiration = 8; } +// EITHER an organization OR an individual message OrganizationalEntityOrContact { oneof choice { + // Organization OrganizationalEntity organization = 1; + // Individual OrganizationalContact individual = 2; } } 
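Review bot: The comment added to `Issue.references` has a stray apostrophe (`URL's`) that will be copied into every generated doc and binding; I'd write `// A collection of URLs for reference. Multiple URLs are allowed. Example: "https://example.com"`. The rest of the `@@ -355,7 +366,9 @@` hunk reads fine.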
@@ -553,6 +570,7 @@ message OrganizationalEntity { } enum PatchClassification { + // Default // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` PATCH_CLASSIFICATION_NULL = 0; // A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch @@ -565,11 +583,13 @@ enum PatchClassification { PATCH_CLASSIFICATION_CHERRY_PICK = 4; } +// Specifies an individual patch message Patch { // Specifies the purpose for the patch, including the resolution of defects, security issues, or new behavior or functionality PatchClassification type = 1; // The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff optional Diff diff = 2; + // A collection of issues the patch resolves repeated Issue resolves = 3; } @@ -613,11 +633,13 @@ message Service { optional string version = 5; // Specifies a description for the service. optional string description = 6; + // The endpoint URIs of the service. Multiple endpoints are allowed. Example: "https://example.com/api/v1/ticker" repeated string endpoints = 7; // A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication. optional bool authenticated = 8; // A boolean value indicating if the use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed. optional bool x_trust_boundary = 9; + // Specifies information about the data including the directional flow of data and the data classification. repeated DataFlow data = 10; // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression) repeated LicenseChoice licenses = 11; 
@@ -635,6 +657,7 @@ message Service { repeated string tags = 17; } +// Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. message Swid { // Maps to the tagId of a SoftwareIdentity. string tag_id = 1; @@ -672,7 +695,9 @@ message Tool { // Specifies a property message Property { + // Name (or key) string name = 1; + // Value optional string value = 2; } @@ -718,17 +743,22 @@ message EvidenceCopyright { string text = 1; } +// Provides the ability to document evidence collected through various forms of extraction or analysis. message Evidence { // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression) repeated LicenseChoice licenses = 1; + // Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection. repeated EvidenceCopyright copyright = 2; + // Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified. repeated EvidenceIdentity identity = 3; + // Evidence of individual instances of a component spread across multiple locations. repeated EvidenceOccurrences occurrences = 4; + // Evidence of the components use through the callstack. optional Callstack callstack = 5; } -// Evidence of the components use through the callstack. message Callstack { + // Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations. repeated Frames frames = 1; message Frames { 
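Review bot: The comment added to `Evidence.identity` carries JSON-schema history ("may be an object or an array", "single object was introduced in v1.5", "recommended that all implementations use arrays") that has no meaning for a `repeated` proto field and could lead an implementer to look for a single-object form that the proto never had; I'd trim it to `// Evidence that substantiates the identity of a component.` The `callstack` comment also reads `components use`, which should be `component's use`. `message Callstack` continues past the hunk.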
@@ -815,6 +845,7 @@ enum EvidenceTechnique { EVIDENCE_TECHNIQUE_OTHER = 9; } +// A note containing the locale and content. message Note { // The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA". optional string locale = 1; @@ -847,6 +878,7 @@ message ReleaseNotes { repeated Property properties = 11; } +// Defines a weakness in a component or service that could be exploited or triggered by a threat source. message Vulnerability { // An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. optional string bom_ref = 1; @@ -923,14 +955,22 @@ message VulnerabilityRating { optional string justification = 6; } +// Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately. enum Severity { + // The severity is not known // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback, doubling `unspecified` SEVERITY_UNKNOWN = 0; + // Critical severity SEVERITY_CRITICAL = 1; + // High severity SEVERITY_HIGH = 2; + // Medium severity SEVERITY_MEDIUM = 3; + // Low severity SEVERITY_LOW = 4; + // Informational warning. SEVERITY_INFO = 5; + // None SEVERITY_NONE = 6; } @@ -954,6 +994,7 @@ enum ScoreMethod { SCORE_METHOD_SSVC = 7; } +// Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system. message Advisory { // An optional name of the advisory. optional string title = 1; 
@@ -1029,10 +1070,15 @@ enum VulnerabilityResponse { // unspecified value // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` VULNERABILITY_RESPONSE_NULL = 0; + // Can not fix VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1; + // Will not fix VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2; + // Update to a different revision or release VULNERABILITY_RESPONSE_UPDATE = 3; + // Revert to a previous revision or release VULNERABILITY_RESPONSE_ROLLBACK = 4; + // There is a workaround available VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 5; } @@ -1059,7 +1105,9 @@ enum VulnerabilityAffectedStatus { // It is unknown (or unspecified) whether the given version is affected. // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback, doubling `unspecified` VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0; + // The version is affected by the vulnerability. VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1; + // The version is not affected by the vulnerability. VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2; } 
@@ -1089,6 +1137,12 @@ message Annotation { string text = 5; } +/** + * A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types. + * + * Comment: + * Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json. + */ message ModelCard { // An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref must be unique within the BOM. optional string bom_ref = 1; @@ -1116,15 +1170,19 @@ message ModelCard { repeated MachineLearningInputOutputParameters outputs = 7; message Approach { + // Learning types describing the learning problem or hybrid learning problem. optional ModelParameterApproachType type = 1; } + message Datasets { oneof choice { + // Inline Data Information ComponentData dataset = 1; // References a data component by the components bom-ref attribute string ref = 2; } } + message MachineLearningInputOutputParameters { // The data format for input/output to the model. Example formats include string, image, time-series optional string format = 1; 
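Review bot: The `ModelCard` description is the only comment in the file written as a `/** ... */` block with a separate "Comment:" paragraph; every other message and field in this series uses `//` line comments, and mixed styles tend to be handled differently by doc generators. I'd express the same text as consecutive `//` lines, keeping the attribution to the TensorFlow Model Card Toolkit and VerifyML sources. `message ModelCard` continues past the hunk.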
@@ -1133,6 +1191,7 @@ message ModelCard { message QuantitativeAnalysis { // The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc. repeated PerformanceMetrics performanceMetrics = 1; + // A collection of graphics that represent various measurements. optional GraphicsCollection graphics = 2; message PerformanceMetrics { @@ -1195,6 +1254,7 @@ message ModelCard { message EnergyConsumption { // An activity that is part of a machine learning model development or operational lifecycle. enum ActivityType { + // Default ACTIVITY_TYPE_UNSPECIFIED = 0; // a lifecycle activity type whose description does not match currently defined values (the default type). ACTIVITY_TYPE_OTHER = 1; @@ -1236,6 +1296,7 @@ message ModelCard { // Describes the physical provider of energy used for model development or operations. message EnergyProviderType { enum EnergySourceType { + // Default ENERGY_SOURCE_TYPE_UNSPECIFIED = 0; // energy source: unknown. The energy source is unknown. ENERGY_SOURCE_TYPE_UNKNOWN = 1; @@ -1278,6 +1339,7 @@ message EnergyProviderType { // A measure of energy. message EnergyMeasureType { enum EnergyMeasureUnitType { + //Default ENERGY_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; // kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h) (the default unit). ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS = 1; @@ -1293,6 +1355,7 @@ message EnergyMeasureType { // A measure of carbon dioxide (CO2). message CO2MeasureType { enum CO2MeasureUnitType { + // Default CO2_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; // Tonnes (t) of carbon dioxide (CO2) equivalent (eq) (the default unit). CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 1; 
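Review bot: The bare `// Default` placed on the zero values of `ActivityType`, `EnergyMeasureUnitType` and `CO2MeasureUnitType` contradicts the existing remarks that `ACTIVITY_TYPE_OTHER`, `ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS` and `CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT` are "the default" per the spec, so a reader cannot tell which value to assume when the field is absent. Other enums in this file already disambiguate with `// ProtoBuff's default value -- it differs from "unknown"`; I'd use the same pattern, e.g. `// ProtoBuf's default value -- it differs from the spec default`, on all four zero values. The `//Default` on `ENERGY_MEASURE_UNIT_TYPE_UNSPECIFIED` is also missing the space the other comments have.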
@@ -1367,6 +1430,7 @@ message ComponentData { } } +// Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle. message DataGovernance { // Data custodians are responsible for the safe custody, transport, and storage of data. repeated DataGovernanceResponsibleParty custodians = 1; @@ -1377,7 +1441,9 @@ message DataGovernance { message DataGovernanceResponsibleParty { oneof choice { + // The organization that is responsible for specific data governance role(s). OrganizationalEntity organization = 1; + // The individual that is responsible for specific data governance role(s). OrganizationalContact contact = 2; } } @@ -1397,6 +1463,7 @@ enum ComponentDataType { COMPONENT_DATA_TYPE_OTHER = 4; } +// A collection of graphics that represent various measurements. message GraphicsCollection { // A description of this collection of graphics. optional string description = 1; @@ -1683,7 +1750,9 @@ message OutputType { // Type that permits a choice to reference a resource using an iternal bom-ref identifier or an external reference. message ResourceReferenceChoice { oneof choice { + // References an object by its bom-ref attribute string ref = 1; + // Reference to an externally accessible resource ExternalReference externalReference = 2; } } @@ -1738,11 +1807,14 @@ message Parameter { message EnvironmentVars { oneof choice { + // Name-value pair Property property = 1; + // Value string value = 2; } } +// The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence. message Declarations { message Assessor { // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. 
@@ -1752,8 +1824,13 @@ message Declarations { // The entity issuing the assessment. optional OrganizationalEntity organization = 3; } + + // Attestation message Attestation { + // Map message AttestationMap { + + // Conformance message AttestationConformance { // The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. optional double score = 1; @@ -1762,12 +1839,15 @@ message Declarations { // The list of `bom-ref` to the evidence provided describing the mitigation strategies. repeated string mitigationStrategies = 3; } + + // Confidence message AttestationConfidence { // The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. optional double score = 1; // The rationale for the confidence score. optional string rationale = 2; } + // The `bom-ref` to the requirement being attested to. optional string requirement = 1; // The list of `bom-ref` to the claims being attested to. @@ -1779,6 +1859,7 @@ message Declarations { // The confidence of the claim meeting the requirement. optional AttestationConfidence confidence = 5; } + // The short description explaining the main points of the attestation. optional string summary = 1; // The `bom-ref` to the assessor asserting the attestation. @@ -1786,6 +1867,7 @@ message Declarations { // The grouping of requirements to claims and the attestors' declared conformance and confidence thereof. repeated AttestationMap map = 3; } + message Claim { // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. optional string bom_ref = 1; 
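Review bot: The comments added above the nested `Attestation`, `AttestationMap`, `AttestationConformance` and `AttestationConfidence` messages (`// Attestation`, `// Map`, `// Conformance`, `// Confidence`) only repeat the type names and add nothing for a reader. The fields visible in the hunk support a real description; for the map I'd write `// The grouping of one requirement to the claims attested to, together with the assessor's declared conformance and confidence thereof.` and for the scores `// The assessor's conformance assessment of the claim, with rationale and mitigation strategies.` / `// The assessor's confidence in the claim meeting the requirement, with rationale.` `message Declarations` starts and ends outside the hunk.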
@@ -1804,6 +1886,7 @@ message Declarations { // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. repeated ExternalReference externalReferences = 8; } + message Evidence { message Data { message Contents { @@ -1812,6 +1895,7 @@ message Declarations { // The URL to where the data can be retrieved. optional string url = 2; } + // The name of the data. optional string name = 1; // The contents or references to the contents of the data being described. @@ -1823,6 +1907,7 @@ message Declarations { // Data Governance optional DataGovernance governance = 5; } + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. optional string bom_ref = 1; // The reference to the property name as defined in the CycloneDX Property Taxonomy: https://github.com/CycloneDX/cyclonedx-property-taxonomy/. @@ -1840,6 +1925,7 @@ message Declarations { // The reviewer of the evidence. optional OrganizationalContact reviewer = 8; } + message Targets { // The list of organizations which claims are made against. repeated OrganizationalEntity organizations = 1; @@ -1848,6 +1934,7 @@ message Declarations { // The list of services which claims are made against. repeated Service services = 3; } + message Affirmation { message Signatory { // The signatory's name. 
@@ -1859,11 +1946,13 @@ message Declarations { // An External reference provides a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. optional ExternalReference externalReference = 4; } - // The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file. + + // The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file. Example: "I certify, to the best of my knowledge, that all information is correct." optional string statement = 1; // The list of signatories authorized on behalf of an organization to assert validity of this document. repeated Signatory signatories = 2; } + // The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. repeated Assessor assessors = 1; // The list of attestations asserted by an assessor that maps requirements to claims. 
@@ -1874,11 +1963,12 @@ message Declarations { repeated Evidence evidence = 4; // The list of targets which claims are made against. optional Targets targets = 5; - // affirmation + // A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization. optional Affirmation affirmation = 6; } message Definition { + // A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. message Standard { message Requirement { // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. @@ -1900,6 +1990,7 @@ message Definition { // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. repeated ExternalReference externalReferences = 9; } + message Level { // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. optional string bom_ref = 1; @@ -1912,6 +2003,7 @@ message Definition { // The list of requirement `bom-ref`s that comprise the level. repeated string requirements = 5; } + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. optional string bom_ref = 1; // The name of the standard. This will often be a shortened, single name of the standard. 
@@ -1929,19 +2021,30 @@ message Definition { // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. repeated ExternalReference externalReferences = 8; } + + // The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. repeated Standard standards = 1; } +// "Cryptographic Properties message CryptoProperties { + // Asset Type enum CryptoAssetType { // ProtoBuff's default value CRYPTO_ASSET_TYPE_UNSPECIFIED = 0; + // Mathematical function commonly used for data encryption, authentication, and digital signatures. CRYPTO_ASSET_TYPE_ALGORITHM = 1; + // An electronic document that is used to provide the identity or validate a public key. CRYPTO_ASSET_TYPE_CERTIFICATE = 2; + // A set of rules and guidelines that govern the behavior and communication with each other. CRYPTO_ASSET_TYPE_PROTOCOL = 3; + // Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens. CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL = 4; } + + // Algorithm Propertie message AlgorithmProperties { + // Primitive enum CryptoPrimitive { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_PRIMITIVE_UNSPECIFIED = 0; 
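Review bot: Two of the added comments in the `CryptoProperties` hunk carry typos that generated documentation will reproduce verbatim: `// "Cryptographic Properties` has a stray opening quote and `// Algorithm Propertie` is missing its final letter; I'd write `// Cryptographic Properties` and `// Algorithm Properties`. The `CRYPTO_ASSET_TYPE_CERTIFICATE` text ("used to provide the identity or validate a public key") is loose for a security audience; `// An electronic document that binds an identity to a public key.` says what a certificate actually asserts. `message CryptoProperties` continues past the hunk.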
@@ -1949,20 +2052,35 @@ message CryptoProperties { CRYPTO_PRIMITIVE_UNKNOWN = 1; // Another primitive type - none of the following CRYPTO_PRIMITIVE_OTHER = 2; + // Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important. CRYPTO_PRIMITIVE_DRBG = 3; + // In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message. CRYPTO_PRIMITIVE_MAC = 4; + // A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission. CRYPTO_PRIMITIVE_BLOCK_CIPHER = 5; + // A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). CRYPTO_PRIMITIVE_STREAM_CIPHER = 6; + // In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication. CRYPTO_PRIMITIVE_SIGNATURE = 7; + // A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing. CRYPTO_PRIMITIVE_HASH = 8; + // Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography. 
CRYPTO_PRIMITIVE_PKE = 9; + // An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF. CRYPTO_PRIMITIVE_XOF = 10; + // A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input. CRYPTO_PRIMITIVE_KDF = 11; + // In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome. CRYPTO_PRIMITIVE_KEY_AGREE = 12; + // A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key. CRYPTO_PRIMITIVE_KEM = 13; + // Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols. CRYPTO_PRIMITIVE_AE = 14; + // A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive. CRYPTO_PRIMITIVE_COMBINER = 15; } + + // Execution Environment enum CryptoExecutionEnvironment { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_EXECUTION_ENVIRONMENT_UNSPECIFIED = 0; 
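Review bot: The `CRYPTO_PRIMITIVE_DRBG` comment ends with "DRBGs are commonly used in cryptographic applications where reproducibility of random values is important", which inverts the property a CBOM reader needs: a DRBG exists to produce output that is unpredictable to anyone without the seed, and the fact that it is reproducible from the seed is exactly why seed entropy and secrecy must be protected. I would replace that sentence with `// DRBGs are used wherever cryptographically strong, unpredictable random values are required; because the output is fully determined by the seed, the seed's entropy and secrecy are critical.` If, as with the XSD patch later in this series, the text was copied from the human-readable spec, the correction belongs there as well. The `CryptoExecutionEnvironment` enum opened at the end of this hunk continues outside it.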
@@ -1970,11 +2088,17 @@ message CryptoProperties { CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 1; // Another implementation environment - none of the following CRYPTO_EXECUTION_ENVIRONMENT_OTHER = 2; + // A software implementation running in plain unencrypted RAM. CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM = 3; + // A software implementation running in encrypted RAM. CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_ENCRYPTED_RAM = 4; + // A software implementation running in a trusted execution environment. CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_TEE = 5; + // A hardware implementation. CRYPTO_EXECUTION_ENVIRONMENT_HARDWARE = 6; } + + // Implementation platform enum CryptoImplementationPlatform { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_IMPLEMENTATION_PLATFORM_UNSPECIFIED = 0; @@ -1995,6 +2119,8 @@ message CryptoProperties { CRYPTO_IMPLEMENTATION_PLATFORM_PPC64 = 13; CRYPTO_IMPLEMENTATION_PLATFORM_PPC64LE = 14; } + + // Mode enum CryptoAlgorithmMode { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_ALGORITHM_MODE_UNSPECIFIED = 0; @@ -2002,14 +2128,23 @@ message CryptoProperties { CRYPTO_ALGORITHM_MODE_UNKNOWN = 1; // Another mode of operation - none of the following CRYPTO_ALGORITHM_MODE_OTHER = 2; + // Cipher block chaining CRYPTO_ALGORITHM_MODE_CBC = 3; + // Electronic codebook CRYPTO_ALGORITHM_MODE_ECB = 4; + // Counter with cipher block chaining message authentication code CRYPTO_ALGORITHM_MODE_CCM = 5; + // Galois/counter CRYPTO_ALGORITHM_MODE_GCM = 6; + // Cipher feedback CRYPTO_ALGORITHM_MODE_CFB = 7; + // Output feedback CRYPTO_ALGORITHM_MODE_OFB = 8; + // Counter CRYPTO_ALGORITHM_MODE_CTR = 9; } + + // Padding enum CryptoAlgorithmPadding { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_ALGORITHM_PADDING_UNSPECIFIED = 0; 
@@ -2017,12 +2152,19 @@ message CryptoProperties { CRYPTO_ALGORITHM_PADDING_UNKNOWN = 1; // Another padding scheme - none of the following CRYPTO_ALGORITHM_PADDING_OTHER = 2; + // Public Key Cryptography Standard: Password-Based Cryptography CRYPTO_ALGORITHM_PADDING_PKCS5 = 3; + // Public Key Cryptography Standard: Cryptographic Message Syntax CRYPTO_ALGORITHM_PADDING_PKCS7 = 4; + // Public Key Cryptography Standard: RSA Cryptography v1.5 CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 5; + // Optimal asymmetric encryption padding CRYPTO_ALGORITHM_PADDING_OAEP = 6; + // Raw CRYPTO_ALGORITHM_PADDING_RAW = 7; } + + // Cryptographic functions enum CryptoAlgorithmFunction { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_ALGORITHM_FUNCTION_UNSPECIFIED = 0; @@ -2042,6 +2184,7 @@ message CryptoProperties { CRYPTO_ALGORITHM_FUNCTION_ENCAPSULATE = 12; CRYPTO_ALGORITHM_FUNCTION_DECAPSULATE = 13; } + // Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2). optional CryptoPrimitive primitive = 1; // An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). 
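Review bot: The new comments on `CRYPTO_ALGORITHM_PADDING_PKCS5`, `_PKCS7` and `_PKCS1V15` name the parent standards ("Password-Based Cryptography", "Cryptographic Message Syntax", "RSA Cryptography v1.5") rather than the padding schemes the values denote, so a reader cannot tell from them that PKCS5 and PKCS7 are the same byte-count padding differing only in supported block size, or that PKCS1V15 is the legacy RSA padding that OAEP (and PSS) superseded. I would describe the scheme instead: `// PKCS #5 byte padding for 8-byte block ciphers (PKCS #5 / RFC 8018)`, `// PKCS #7 byte padding, generalised to any block size (CMS, RFC 5652 §6.3)` and `// PKCS #1 v1.5 padding for RSA (RSAES-PKCS1-v1_5 / RSASSA-PKCS1-v1_5)`. `// Raw` on `_RAW` repeats the identifier; `// No padding applied` states the meaning, assuming that is what the spec intends by "raw".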
@@ -2065,6 +2208,8 @@ message CryptoProperties { // The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met. optional int32 nistQuantumSecurityLevel = 11; } // end of AlgorithmProperties + + // Certificate Properties message CertificateProperties { // The subject name for the certificate optional string subjectName = 1; @@ -2083,7 +2228,11 @@ message CryptoProperties { // The file extension of the certificate. Examples include crt, pem, cer, der, and p12. optional string certificateExtension = 8; } // end of CertificateProperties + + // Related Cryptographic Material Properties message RelatedCryptoMaterialProperties { + + // relatedCryptoMaterialType enum CryptoRelatedType { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_RELATED_TYPE_UNSPECIFIED = 0; @@ -2109,6 +2258,8 @@ message CryptoProperties { CRYPTO_RELATED_TYPE_CREDENTIAL = 18; CRYPTO_RELATED_TYPE_TOKEN = 19; } + + // State enum CryptoRelatedState { // Default CRYPTO_RELATED_STATE_UNSPECIFIED = 0; @@ -2119,12 +2270,15 @@ message CryptoProperties { CRYPTO_RELATED_STATE_COMPROMISED = 5; CRYPTO_RELATED_STATE_DESTROYED = 6; } + + // Secured By message CryptoRelatedSecuredBy { // Specifies the mechanism by which the cryptographic asset is secured. Examples include HSM, TPM, SGX, Software, and None optional string mechanism = 1; // The bom-ref to the algorithm. optional string algorithmRef = 2; } + // The type for the related cryptographic material optional CryptoRelatedType type = 1; // The optional unique identifier for the related cryptographic material. 
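Review bot: The comment added above `enum CryptoRelatedType` is the JSON property name, `// relatedCryptoMaterialType`, whereas every sibling enum in this patch gets a short English heading (`// Asset Type`, `// State`, `// Secured By`); generated docs will show it as-is, so `// Related cryptographic material type` keeps the file consistent. The `// Secured By` heading on `CryptoRelatedSecuredBy` could also say what the message is for, which its two field comments already establish: `// Describes the mechanism (and optionally the algorithm) by which the cryptographic asset is secured.`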
@@ -2150,6 +2304,8 @@ message CryptoProperties { // The mechanism by which the cryptographic asset is secured. optional CryptoRelatedSecuredBy securedBy = 12; } // end of RelatedCryptoMaterialProperties + + // Protocol Properties message ProtocolProperties { enum CryptoProtocolType { // ProtoBuff's default value -- it differs from "unknown" @@ -2158,13 +2314,21 @@ message CryptoProperties { CRYPTO_PROTOCOL_TYPE_UNKNOWN = 1; // Another protocol type - none of the following CRYPTO_PROTOCOL_TYPE_OTHER = 2; + // Transport Layer Security CRYPTO_PROTOCOL_TYPE_TLS = 3; + // Secure Shell CRYPTO_PROTOCOL_TYPE_SSH = 4; + // Internet Protocol Security CRYPTO_PROTOCOL_TYPE_IPSEC = 5; + // Internet Key Exchange CRYPTO_PROTOCOL_TYPE_IKE = 6; + // Secure Socket Tunneling Protocol CRYPTO_PROTOCOL_TYPE_SSTP = 7; + // Wi-Fi Protected Access CRYPTO_PROTOCOL_TYPE_WPA = 8; } + + // Object representing a cipher suite message CryptoProtocolCipherSuite { // A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM optional string name = 1; @@ -2173,6 +2337,8 @@ message CryptoProperties { // A list of common identifiers for the cipher suite. For example: 0xC0 and 0x9E repeated string identifiers = 3; } + + // IKEv2 Transform Types message Ikev2TransformTypes { // Transform Type 1: encryption algorithms repeated string encr = 1; @@ -2187,6 +2353,7 @@ message CryptoProperties { // IKEv2 Authentication method repeated string auth = 6; } + // The concrete protocol type. optional CryptoProtocolType type = 1; // The version of the protocol. Examples include 1.0, 1.2, and 1.99. 
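Review bot: `enum CryptoProtocolType` inside `ProtocolProperties` is the only enum touched by this patch that receives no heading comment, while its values and the surrounding messages (`// Protocol Properties`, `// Object representing a cipher suite`, `// IKEv2 Transform Types`) all do; a one-liner such as `// Protocol type` keeps the file uniform and is what a doc generator will show for the enum. The `ProtocolProperties` message continues past the end of this hunk.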
@@ -2198,6 +2365,7 @@ message CryptoProperties { // The bom-ref(s) to protocol-related cryptographic assets repeated string cryptoRef = 5; } // end of ProtocolProperties + // Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled. CryptoAssetType assetType = 1; // Additional properties specific to a cryptographic algorithm. diff --git a/tools/src/test/proto/buf_lint.yaml b/tools/src/test/proto/buf_lint.yaml index 109f5eaa..d4bedb2d 100644 --- a/tools/src/test/proto/buf_lint.yaml +++ b/tools/src/test/proto/buf_lint.yaml @@ -4,7 +4,7 @@ version: v2 lint: # https://buf.build/docs/configuration/v2/buf-yaml#lint use: # see https://buf.build/docs/lint/rules - STANDARD # https://buf.build/docs/lint/rules/#standard - # - COMMENTS # https://buf.build/docs/lint/rules/#comments + - COMMENTS # https://buf.build/docs/lint/rules/#comments except: # directory/file layout does not match the recommendation/framework of the tool - DIRECTORY_SAME_PACKAGE # https://buf.build/docs/lint/rules#directory_same_package @@ -14,6 +14,11 @@ lint: # https://buf.build/docs/configuration/v2/buf-yaml#lint # (shall be fixed with v2.0 of this very schema) - PACKAGE_VERSION_SUFFIX # https://buf.build/docs/lint/rules#package_version_suffix - FIELD_LOWER_SNAKE_CASE # https://buf.build/docs/lint/rules#field_lower_snake_case + # some comments are not required, as they should be self-explanatory from their respective symbol name or the symbol's applied usage + - COMMENT_MESSAGE + - COMMENT_ENUM + - COMMENT_ENUM_VALUE + - COMMENT_ONEOF ignore_only: # legacy schema files may NOT stick to the rules -- this is acknowledged. STANDARD: From 136479a3b0f3153cf1941b369cde9922b5a089df Mon Sep 17 00:00:00 2001 
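Review bot: Enabling `COMMENTS` while excepting `COMMENT_MESSAGE`, `COMMENT_ENUM`, `COMMENT_ENUM_VALUE` and `COMMENT_ONEOF` leaves, as far as I can tell from buf's rule list, only `COMMENT_FIELD` (plus `COMMENT_SERVICE`/`COMMENT_RPC`, unused in a schema-only module) actually enforced, so the enum and enum-value comments added elsewhere in this patch series are not protected against regressing. The justification comment should say so, e.g. `# net effect: only COMMENT_FIELD is enforced; message/enum/enum-value/oneof comments are encouraged but not required`, so nobody assumes every symbol is lint-guarded. If the intent is to keep enum values documented, dropping `COMMENT_ENUM_VALUE` from `except` once the legacy files are covered would close that gap.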
From: Jan Kowalleck Date: Thu, 7 Nov 2024 16:02:52 +0100 Subject: [PATCH 10/13] docs: transfer specdocs to XML 1.6 (#540) texts were taken from human-readable spec Signed-off-by: Jan Kowalleck --- schema/bom-1.6.xsd | 171 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 144 insertions(+), 27 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index c0fd703c..9491e20f 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -572,6 +572,9 @@ limitations under the License. + + The hashes of the component. + @@ -1842,6 +1845,12 @@ limitations under the License. + + + A collection of URL's for reference. Multiple URLs are allowed. + Example: "https://example.com" + + @@ -2058,6 +2067,12 @@ limitations under the License. + + + The endpoint URIs of the service. Multiple endpoints are allowed. + Example: "https://example.com/api/v1/ticker" + + @@ -2088,6 +2103,9 @@ limitations under the License. + + Specifies information about the data including the directional flow of data and the data classification. + @@ -2253,10 +2271,28 @@ limitations under the License. states that the direction is not known. - - - - + + + + Data that enters a service. + + + + + + Data that exits a service. + + + + + Data flows in and out of the service. + + + + + The directional flow of data is not known. + + @@ -2562,6 +2598,11 @@ limitations under the License. + + + Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations. + + @@ -2628,7 +2669,13 @@ limitations under the License. - + + + + opyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection. + + + 
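Review bot: The new documentation text for the copyright-evidence element begins `opyright evidence captures intellectual property assertions...`, a missing leading "C", unless the extraction of this page dropped it; in the XSD it should read `Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.` These annotations are what schema-aware editors and generated docs display, so the typo is user-visible. The `xs:documentation` tags of this hunk are not preserved on this page, so I cannot confirm which node carries the text.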
@@ -2932,13 +2979,13 @@ limitations under the License. - + A model card describes the intended uses of a machine learning model and potential limitations, including @@ -3014,7 +3061,11 @@ limitations under the License. - + + + Inline Data Information + + @@ -4649,13 +4700,41 @@ limitations under the License. - - - - - - - + + + Critical severity + + + + + High severity + + + + + Medium severity + + + + + Low severity + + + + + Informational warning. + + + + + None + + + + + The severity is not known + + @@ -4852,11 +4931,31 @@ limitations under the License. - - - - - + + + Can not fix + + + + + Will not fix + + + + + Update to a different revision or release + + + + + Revert to a previous revision or release + + + + + There is a workaround available + + @@ -4871,9 +4970,21 @@ limitations under the License. - - - + + + The version is affected by the vulnerability. + + + + + The version is not affected by the vulnerability. + + + + + It is unknown (or unspecified) whether the given version is affected. + + @@ -7834,6 +7945,12 @@ limitations under the License. + + + A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. + It includes a list of authorized signatories who assert the validity of the document on behalf of the organization. + + From 8ded79cd2d297605282df467454d0b05d56e1992 Mon Sep 17 00:00:00 2001 From: Hakan Dilek Date: Thu, 7 Nov 2024 16:03:48 +0100 Subject: [PATCH 11/13] fix(xml): requirement descriptions should be unbounded (#533) fixes #528 where occurrences of `definitions.standards.requirements.descriptions` should be unbounded --------- 
Signed-off-by: Hakan Dilek Co-authored-by: Jan Kowalleck --- schema/bom-1.6.xsd | 2 +- tools/src/test/resources/1.6/valid-standard-1.6.json | 5 +++++ tools/src/test/resources/1.6/valid-standard-1.6.textproto | 5 +++++ tools/src/test/resources/1.6/valid-standard-1.6.xml | 5 +++++ 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 9491e20f..3b7769ac 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -8144,7 +8144,7 @@ limitations under the License. - + diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.json b/tools/src/test/resources/1.6/valid-standard-1.6.json index e6071344..3150227b 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.json +++ b/tools/src/test/resources/1.6/valid-standard-1.6.json @@ -22,6 +22,11 @@ "bom-ref": "requirement-1.1", "identifier": "v1.1", "title": "Title here", + "text": "Text here", + "descriptions": [ + "Requirement is described here", + "and here" + ], "parent": "requirement-1" }, { diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.textproto b/tools/src/test/resources/1.6/valid-standard-1.6.textproto index 4279ab77..a215f12d 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-standard-1.6.textproto @@ -22,6 +22,11 @@ definitions { bom_ref: "requirement-1.1" identifier: "v1.1" title: "Title here" + text: "Text here" + descriptions: [ + "Requirement is described here" + "and here" + ] parent: "requirement-1" }, { diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml index 7a36430a..cdf5c037 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.xml +++ b/tools/src/test/resources/1.6/valid-standard-1.6.xml @@ -15,6 +15,11 @@ v1.1 Title here + Text here + + Requirement is described here + and here + requirement-1 From 497263622ef72d8f20cc00ffaf2b09061d920de1 Mon Sep 17 00:00:00 2001 
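Review bot: In `valid-standard-1.6.textproto` the new `descriptions` list has no comma between its two entries, `"Requirement is described here" "and here"`; protobuf text format concatenates adjacent string literals, so this parses as a single element `"Requirement is described hereand here"` and the fixture no longer exercises the unbounded case the commit is meant to cover. It should be `descriptions: [ "Requirement is described here", "and here" ]`, matching the JSON and XML fixtures, which do carry two separate entries.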
From: Jan Kowalleck Date: Thu, 7 Nov 2024 16:12:33 +0100 Subject: [PATCH 12/13] chore: prep v1.6.1 (#535) final change of milestone 1.6.1 -- see https://github.com/CycloneDX/specification/milestone/11 --------- Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.schema.json | 2 +- schema/bom-1.6.xsd | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index aa5e4c17..b2d318ad 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1,5 +1,5 @@ syntax = "proto3"; -package cyclonedx.v1_6; +package cyclonedx.v1_6; // version 1.6.1 import "google/protobuf/timestamp.proto"; // Specifies attributes of the text diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 7a22ab5c..45fd8e20 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -25,7 +25,7 @@ "type": "string", "title": "CycloneDX Specification Version", "description": "The version of the CycloneDX specification the BOM conforms to.", - "examples": ["1.6"] + "examples": ["1.6.1"] }, "serialNumber": { "type": "string", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 3b7769ac..cee94c8a 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -22,7 +22,7 @@ limitations under the License. targetNamespace="http://cyclonedx.org/schema/bom/1.6" vc:minVersion="1.0" vc:maxVersion="1.1" - version="1.6.0"> + version="1.6.1"> From 8a27bfd1be5be0dcb2c208a34d2f4fa0b6d75bd7 Mon Sep 17 00:00:00 2001 
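Review bot: Changing the `specVersion` example from `"1.6"` to `"1.6.1"` suggests producers should emit the schema's patch level, yet in this same patch the XSD `targetNamespace` stays at `.../bom/1.6` and the proto package stays `cyclonedx.v1_6`, with 1.6.1 recorded only in the XSD `version` attribute and a proto comment; consumers that match `specVersion` against the published spec versions would, as far as I can tell, reject a document claiming `"1.6.1"`. Unless the spec intends `specVersion` to carry patch levels, I would keep `"examples": ["1.6"]` and leave the 1.6.1 revision to the schema-level metadata as the other two files do.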
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Nov 2024 16:16:59 +0100 Subject: [PATCH 13/13] chore(deps): bump org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0 in /tools (#509) Bumps org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.apache.commons:commons-lang3&package-manager=maven&previous-version=3.16.0&new-version=3.17.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/pom.xml b/tools/pom.xml index 32f6fad2..2e926318 100644 --- a/tools/pom.xml +++ b/tools/pom.xml @@ -52,7 +52,7 @@ 3.1.0 2.16.1 - 3.16.0 + 3.17.0 1.12.0 1.4.9 9.0.5