forked from in-toto/attestation
Add predicate specification for CycloneDX
This commit adds a predicate specification for CycloneDX using the example specification from issue in-toto#82. The motivation for doing this is only to offer help with getting this into in-toto, in case the original author currently does not have time.

Co-authored-by: samj1912 <[email protected]>
Resolves: in-toto#82
Signed-off-by: Daniel Bevenius <[email protected]>
Showing 1 changed file with 54 additions and 0 deletions.
@@ -0,0 +1,54 @@ | ||
# Predicate type: CycloneDX | ||
|
||
Type URI: (tentative) https://cyclonedx.org/bom | ||
|
||
Version: 1.0.0 | ||
|
||
## Purpose | ||
|
||
A Software Bill of Materials type following the [CycloneDX standard]. | ||
|
||
This allows representing an "exportable" or "published" software artifacts, | ||
services, vulnerability information, and more. For a complete list of | ||
capabilities see [CycloneDX Capabilities]. It can also be used as an entry point | ||
for other types of in-toto attestations when performing policy decisions. | ||
|
||
## Schema | ||
|
||
```jsonc | ||
{ | ||
// Standard attestation fields: | ||
"_type": "https://in-toto.io/Statement/v0.1", | ||
"subject": [{ ... }], | ||
|
||
// Predicate: | ||
"predicateType": "https://cyclonedx.org/BOM", | ||
"predicate": { | ||
"bomFormat": "CycloneDX", | ||
"specVersion": "1.4", | ||
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", | ||
"version": 1, | ||
"components": [ | ||
{ | ||
"type": "library", | ||
"name": "acme-library", | ||
"version": "1.0.0" | ||
} | ||
] | ||
... | ||
} | ||
} | ||
``` | ||
|
||
_(Note: This is a Predicate type that fits within the larger | ||
[Attestation](../README.md) framework.)_ | ||
|
||
The `predicate` contains a JSON-encoded CycloneDX BOM. The CycloneDX format has | ||
a mandatory `specVersion` field, so we may choose to omit the version number | ||
from the predicateType URI to avoid confusion. | ||
|
||
The `subject` contains whatever software artifacts are to be associated with | ||
this CycloneDX BOM document. | ||
|
||
[CycloneDX standard]: https://cyclonedx.org/specification/overview | ||
[CycloneDX Capabilities]: https://cyclonedx.org/capabilities/ |
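Review bot: The predicate type URI is spelled two different ways within this file: the header says `Type URI: (tentative) https://cyclonedx.org/bom`, while the schema example uses `"predicateType": "https://cyclonedx.org/BOM"`. in-toto verifiers and policy engines match `predicateType` by exact string comparison, so an attestation produced against one spelling will not satisfy a policy written against the other; pick one form (the lowercase `bom` of the stated Type URI is the natural choice) and use it in both places. Two smaller points in the same hunk: in the `jsonc` block the `...` placeholder after the `components` array has no preceding comma, so the snippet does not parse even as JSONC once the ellipsis is filled in (either add the comma or drop the ellipsis, since the prose already says the predicate is a full CycloneDX BOM), and the Purpose sentence "This allows representing an "exportable" or "published" software artifacts" should read "representing "exportable" or "published" software artifacts".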