-
-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document canonical CycloneDX intoto predicate types #132
Comments
+1 this is needed |
I personally favor I am not in favor of predicates that define the content of the BOM. For example, a BOM may include software components, hardware components, services, vulnerabilities, and VEX. Future versions will include ML, LCAP, and configuration. So I am not in favor of:
Having a BOM with vulnerabilities also doesn't mean its a VEX. A VEX has a specific definition and structure which most security tools do not support today. It requires vulnerabilities to have an analysis with the required fields populated, and the affected component must be the end product, not individual components of the product. I think CSAF is similar in that its an advisory format and it can optionally include VEX, but that data needs to be validated prior to confirming its actually a VEX. @coderpatros @DarthHater Thoughts? |
What might be interesting is if in-toto would adopt BOM predicates specific to lifecycle, similar to how the rest of the world works. For whatever reason, the software industry is backwards in terminology and lack of lifecycle context. See https://medium.com/@steve_springett/sbom-should-not-exist-long-live-the-sbom-4554d5c31ff9 |
To be clear, the resolution is to use "https://cyclonedx.org/bom". |
Published to website: |
Although in-toto/attestation#82 is still open, meanwhile we can document the canonical intoto predicate types in the cyclonedx website since there is no registration process for predicate types. (per https://github.com/in-toto/attestation/blob/main/spec/README.md#predicate)
This would allow tools like cosign, kyverno, syft, grype etc. to have a single canonical predicate type that they can use to identify cyclonedx BOMs.
The suggestion from in-toto/attestation#82 was to use
https://cyclonedx.org/BOM
orhttps://cyclonedx.org/bom
(we should pick one given that these are case sensitive)Separately, something to think about is how we can uniquely identify VEX from SBOMs for eg if everything is the same predicate type.
Kyverno for eg. allows users to filter on the predicate type https://kyverno.io/docs/writing-policies/verify-images/#verifying-image-attestations
Given that the SBOM would be mainly static and the VEX will be more dynamic, would we want an easy way to filter for one or the other through different predicate types i.e. - use
https://cyclonedx.org/bom
for the generic case where all different kinds of BOMs are present in the same document, but separately allow something likehttps://cyclonedx.org/vex
or
https://cyclonedx.org/sbom
to filter out documents that only have a top levelvulnerabilities
or softwarecomponents
attribute defined?Kyverno is also able to filter out the attestations further down the line using JMESPath expressions https://kyverno.io/docs/writing-policies/jmespath/ but it might be nice to have a top level predicate type filter for different BOM types.
Regardless of the outcome, we should at the very least document the canonical predicate type to be used since the usage for attestations is gaining traction and we should get ahead before there is a lot of disparity in the landscape on which predicate type to use for cyclonedx BOM documents.
More details around the valid values for a predicate type are defined at https://github.com/in-toto/attestation/blob/main/spec/field_types.md#TypeURI
The text was updated successfully, but these errors were encountered: