-
-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for attestations #192
Comments
cc @planetlevel |
Related: in-toto/attestation#165 We're exploring alignment across in-toto, DIDs, and Verifiable Credentials as well. Would be great if verification of in-toto and CycloneDX style attestations could be consumed by the Verifiable Credentials ecosystem as well. Curious to see the POC mentioned :) Ping @marcelamelara |
What are next steps here? OMB-22-18, PCI, OWASP ASVS, CSF, and many other standards/frameworks could be represented in this manner, including custom assurance cases. Can we convene a working group to make sure we have all the use cases identified? |
A dedicated workgroup for CycloneDX Attestations has been initiated and added to the OWASP Software Supply Chain calendar. The invite for the Attestations WG is here: Additionally, a dedicated Slack channel was created as well. |
Awesome to see! Some of the in-toto maintainers are starting a new project called SBOMit with the intent of tracking attestations for components to support cyclonedx/spdx sboms. It would be worthwhile to comparing notes. |
Have you seen the in-toto Attestation Framework project? https://github.com/in-toto/attestation This project currently has maintainers from Google, VMWare, Intel, TestifySec, and Kusari. Would it make sense to combine efforts? Figuring out how to include or reference in-toto attestation from a cycloneDX document would be my goal from the collaboration. I'll add your meeting to my calendar. |
I definitely think the in-toto attestations maintainers have incorporated what's described here. We also support cyclonedx documents already as a type of attestation and include semantics for attestations to point out to other ones and so on. cc in-toto/attestation-maintainers (@TomHennen @marcelamelara @pxp928 @joshuagl @mikhailswift)
+1! |
I've been following along silently so far. I'd like to understand the requirements here and see how in-toto attestations might support/interoperate this. I don't think I can attend the meeting unfortunately, but am available to discuss offline. |
I can attend the meeting. I am curious to hear the motivations and use cases around this and how we can help. |
@colek42 regarding referencing in-Toto attestations, I completely agree that CDX should be able to reference them if available. In fact, CDX v1.5 has nearly doubled the types of external references (relationships) it supports, and one of the new types is Most of the new reference types are #189 In general, I see CDX and in-Toto attestations complimenting each other quite well. They both try to solve different things and together could be a powerful combo. Would love to get your feedback on viability of this approach. |
At a glance, this is a near perfect match for what we're trying to do in the SBOMit project, by building on in-toto attestations. To avoid unnecessary NIH-based competition, would it make sense to have someone from your group meet with SBOMit maintainers to discuss the use cases and goals? This way both sides can either walk away with a better understanding of what makes their efforts unique or we can figure out how to combine efforts to avoid needless duplication... |
@JustinCappos the readme for SBOMit doesn't state the project goals and the term SBOM in the spec is severely limiting. I really dont know what the project is attempting to do. But our aim has nothing to do with SBOM but since CDX isn't an SBOM standard, rather a BOM standard, it makes sense to support bill of attestation use cases. Does SBOMit have clearly articulated goals? |
We're in the process of moving everything over from a Google Doc we've been collectively working on to the github repos, etc. So, we have them and they will transition over relatively soon. From what you're saying about BOM vs SBOM, then it seems more likely that in-toto attestation framework more closely meets your needs (as other have stated). I am curious to understand more about how BOM vs SBOM really changes things for your use cases. |
The working groups have made a ton of progress over the past few months. The idea is to create a dedicated schema specific to attestations. It will all fall under the CycloneDX umbrella, but will initially not be part of the CycloneDX BOM standard. The goal is to have an independent CycloneDX Attestation standard with support in existing CycloneDX tooling to support it. We may incorporate the attestation standard into the BOM standard in a future release. TBD. Therefore, moving this out from v1.5 and into its own milestone. |
fixes #192 task list for spec enhacement - [x] schema: JSON - [x] schema: XML - [x] schema: protobuff - [x] examples/test cases
The attestation implementation in #348 has been approved by TC54. Thank you everyone for your contributions. |
## Added * Core enhancement: Attestation ([#192](#192) via [#348](#348)) * Core enhancement: Cryptography Bill of Materials — CBOM ([#171](#171), [#291](#291) via [#347](#347)) * Feature to express the URL to source distribution ([#98](#98) via [#269](#269)) * Feature to express the URL to RFC 9116 compliant documents ([#380](#380) via [#381](#381)) * Feature to express tags/keywords for services and components (via [#383](#383)) * Feature to express details for component authors ([#335](#335) via [#379](#379)) * Feature to express details for component and BOM manufacturer ([#346](#346) via [#379](#379)) * Feature to express communicate concluded values from observed evidences ([#411](#411) via [#412](#412)) * Features to express license acknowledgement ([#407](#407) via [#408](#408)) * Feature to express environmental consideration information for model cards ([#396](#396) via [#395](#395)) * Feature to express the address of organizational entities (via [#395](#395)) * Feature to express additional component identifiers: Universal Bill Of Receipts Identifier and Software Heritage persistent IDs ([#413](#413) via [#414](#414)) ## Fixed * Allow multiple evidence identities by XML/JSON schema ([#272](#272) via [#359](#359)) This was already correct via ProtoBuff schema. * Prevent empty `license` entities by XML schema ([#288](#288) via [#292](#292)) This was already correct in JSON/ProtoBuff schema. * Prevent empty or malformed `property` entities by JSON schema ([#371](#371) via [#375](#375)) This was already correct in XML/ProtoBuff schema. * Allow multiple `licenses` in `Metadata` by ProtoBuff schema ([#264](#264) via [#401](#401)) This was already correct in XML/JSON schema. ## Changed * Allow arbitrary `$schema` values by JSON schema ([#402](#402) via [#403](#403)) * Increased max length of `versionRange` (via [`3e01ce6`](3e01ce6)) * Harmonized length of `version` (via [#417](#417)) ## Deprecated * Data model "Component"'s field `author` was deprecated. (via [#379](#379)) Use field `authors` or field `manufacturer` instead. * Data model "Metadata"'s field `manufacture` was deprecated. ([#346](#346) via [#379](#379)) Use "Metadata"'s field `component`'s field `manufacturer` instead. - for XML: `/bom/metadata/component/manufacturer` - for JSON: `$.metadata.component.manufacturer` - for ProtoBuf: `Bom:metadata.component.manufacturer` ## Documentation * Centralize version and version-range (via [#322](#322)) * Streamlined SPDX expression related descriptions (via [#327](#327)) * Enhanced descriptions of `bom-ref`/`refType` ([#336](#336) via [#344](#344)) * Enhanced readability of enum documentation in JSON schema ([#361](#361) via [#362](#362)) * Fixed typo "compliment" -> "complement" (via [#369](#369)) * Added documentation for enum "ComponentScope"'s values in JSON schema ([#293](#293) via [`d92e58e`](d92e58e)) Texts were a taken from the existing ones in XML/ProtoBuff schema. * Added documentation for enum "TaskType"'s values ([#245](#245) via [#377](#377)) * Improve documentation for data model "Metadata"'s field `licenses` ([#273](#273) via [#378](#378)) * Added documentation for enum "MachineLearningApproachType"'s values ([#351](#351) via [#416](#416)) * Rephrased some texts here and there. ## Test data * Added test data for newly added use cases * Added quality assurance for our ProtoBuf schemas ([#384](#384) via [#385](#385))
Myself and others in the OWASP community have been thinking about the need for a general purpose attestation format. Many of us have searched for existing format, without much success. Several industry-specific formats, many human readable formats, both no general purpose machine readable formats seem to exist. Having a standardized attestation format is crucial to scale many of the U.S. and world government efforts around SBOM and secure development and operational practices. Fortunately for us, someone in our very own community has started work on this very thing. It's simple, flexible, and prescriptive, just like CycloneDX is.
This ticket is an enhancement request to add BoA (Bill of Attestations) support to the core spec.
CycloneDX v1.5 has already added support for an
attestation
external reference, so externalizing BoA from the SBOM would already be possible with v1.5. So it should fit in nicely.The text was updated successfully, but these errors were encountered: