Add predicate specification for CycloneDX

This commit adds a predicate specification for CycloneDX using the example specification from issue #82. The motivation for doing this is only to offer help with getting this into in-toto, in case the original author currently does not have time. Co-authored-by: samj1912 <[email protected]> Resolves: #82 Signed-off-by: Daniel Bevenius <[email protected]>
in-toto · Mar 23, 2023 · 71b8301 · 71b8301
1 parent ee16c68
commit 71b8301
Showing 1 changed file with 77 additions and 0 deletions.
diff --git a/spec/predicates/cyclonedx.md b/spec/predicates/cyclonedx.md
@@ -0,0 +1,77 @@
+# Predicate type: CycloneDX
+
+Type URI: (tentative) https://cyclonedx.org/bom
+
+Version: 1.4
+
+## Purpose
+
+A Software Bill of Materials type following the [CycloneDX standard].
+
+This allows representing "exportable", or "published" software artifacts,
+services, vulnerability information, and more. For a complete list of
+capabilities see [CycloneDX Capabilities].
+
+## Prerequisites
+
+The in-toto [attestation] framework and a [CycloneDX BOM generation tool].
+
+## Model
+
+This is a predicate type that fits within the larger [Attestation] framework.
+
+## Schema
+
+The schema of this predicate type is documented in the
+[CycloneDX Specification].
+
+### Parsing Rules
+
+The parsing rules for this predicate type are documented in the
+[CycloneDX Specification].
+
+### Fields
+
+The fields that make up this predicate type are documented in the
+[CycloneDX Specification].
+
+The `predicate` contains a JSON-encoded CycloneDX BOM.
+The `subject` contains whatever software artifacts are to be associated with
+this CycloneDX BOM document.
+
+## Example
+
+```jsonc
+{
+  // Standard attestation fields:
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "subject": [{ ... }],
+
+  // Predicate:
+  "predicateType": "https://cyclonedx.org/bom/v1.4",
+  "predicate": {
+    "bomFormat": "CycloneDX",
+    "specVersion": "1.4",
+    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+    "version": 1,
+    "components": [
+        {
+        "type": "library",
+        "name": "acme-library",
+        "version": "1.0.0"
+        }
+    ]
+    ...
+  }
+}
+```
+
+## Changelog and Migrations
+
+Not applicable for this initial version.
+
+[Attestation]: ../README.md
+[CycloneDX standard]: https://cyclonedx.org/specification/overview
+[CycloneDX Capabilities]: https://cyclonedx.org/capabilities/
+[CycloneDX Specification]: https://github.com/CycloneDX/specification/tree/1.4/schema
+[CycloneDX BOM generation tool]: https://cyclonedx.org/tool-center