Add predicate specification for CycloneDX
This commit adds a predicate specification for CycloneDX using the
example specification from issue in-toto#82.

The motivation for doing this is only to offer help with getting this
into in-toto, in case the original author currently does not have time.

Co-authored-by: samj1912 <[email protected]>
Resolves: in-toto#82

Signed-off-by: Daniel Bevenius <[email protected]>
danbev committed Feb 2, 2023
1 parent 903f02a commit b8fc0b6
Showing 1 changed file with 54 additions and 0 deletions.
54 changes: 54 additions & 0 deletions spec/predicates/cyclonedx.md
@@ -0,0 +1,54 @@
# Predicate type: CycloneDX

Type URI: (tentative) https://cyclonedx.org/bom

Version: 1.0.0

## Purpose

A Software Bill of Materials type following the [CycloneDX standard].

This allows representing an "exportable" or "published" software artifacts,
services, vulnerability information, and more. For a complete list of
capabilities see [CycloneDX Capabilities]. It can also be used as an entry point
for other types of in-toto attestations when performing policy decisions.

## Schema

```jsonc
{
// Standard attestation fields:
"_type": "https://in-toto.io/Statement/v0.1",
"subject": [{ ... }],

// Predicate:
"predicateType": "https://cyclonedx.org/BOM",
"predicate": {
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"version": 1,
"components": [
{
"type": "library",
"name": "acme-library",
"version": "1.0.0"
}
]
...
}
}
```

_(Note: This is a Predicate type that fits within the larger
[Attestation](../README.md) framework.)_

The `predicate` contains a JSON-encoded CycloneDX BOM. The CycloneDX format has
a mandatory `specVersion` field, so we may choose to omit the version number
from the predicateType URI to avoid confusion.

The `subject` contains whatever software artifacts are to be associated with
this CycloneDX BOM document.

[CycloneDX standard]: https://cyclonedx.org/specification/overview
[CycloneDX Capabilities]: https://cyclonedx.org/capabilities/
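Review bot: The predicate type URI is spelled two different ways in this file: `https://cyclonedx.org/bom` under "Type URI" and `https://cyclonedx.org/BOM` in the `predicateType` field of the schema example. URI paths are case-sensitive and `predicateType` is matched as an opaque string by consumers, so a policy keyed on one spelling will silently skip attestations produced with the other; pick one form and use it in both places. Related: the closing paragraph says "we may choose to omit the version number from the predicateType URI", yet neither URI in the file carries a version while the header declares `Version: 1.0.0`; state the decision rather than leaving it open, and say what 1.0.0 versions (this predicate definition, as opposed to the BOM's own `specVersion`). Because the URI is unversioned, the text should also tell verifiers to validate the embedded BOM against the schema selected by its own `bomFormat` and `specVersion` fields before acting on its contents. Minor: "This allows representing an "exportable" or "published" software artifacts" should drop the "an", and the bare `...` after the `components` array in the jsonc example needs a preceding comma or should become a `// ...` comment if the snippet is meant to stay close to valid JSON.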
