squash! Add predicate specification for CycloneDX
Update to try to follow ITE-9 requirements for the specification
format.

Signed-off-by: Daniel Bevenius <[email protected]>
danbev committed Feb 6, 2023
1 parent b8fc0b6 commit e358e30
Showing 1 changed file with 24 additions and 7 deletions.
31 changes: 24 additions & 7 deletions spec/predicates/cyclonedx.md
Expand Up @@ -8,13 +8,29 @@ Version: 1.0.0

A Software Bill of Materials type following the [CycloneDX standard].

This allows representing an "exportable" or "published" software artifacts,
This allows representing "exportable", or "published" software artifacts,
services, vulnerability information, and more. For a complete list of
capabilities see [CycloneDX Capabilities]. It can also be used as an entry point
for other types of in-toto attestations when performing policy decisions.
capabilities see [CycloneDX Capabilities].

## Prerequisites
The in-toto [attestation] framework.

## Model
This is a predicate type that fits within the larger [Attestation] framework.

## Schema
The schema of this predicate type is documented in the
[CycloneDX Specification].

### Parsing Rules
The parsing rules for this predicate type are documented in the
[CycloneDX Specification].

### Fields
The fields that make up this predicate type are documented in the
[CycloneDX Specification].

## Example
```jsonc
{
// Standard attestation fields:
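Review bot: the new Prerequisites line references `[attestation]` in lowercase while the link definition being added is `[Attestation]`; Markdown reference labels are case-insensitive so this still renders, but matching the case used in the Model section (`[Attestation]`) keeps the two consistent. The reworded opening sentence also now reads `"exportable", or "published" software artifacts` with a comma before `or` in a two-item list; dropping that comma reads cleaner. The Schema, Parsing Rules and Fields sections each consist of a single sentence deferring to the external specification; a one-line statement in Fields that the predicate body is the CycloneDX BOM document itself (as the explanatory paragraph later in the file already says) would let a reader understand the predicate without following the link.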
Expand All @@ -39,16 +55,17 @@ for other types of in-toto attestations when performing policy decisions.
}
}
```

_(Note: This is a Predicate type that fits within the larger
[Attestation](../README.md) framework.)_

The `predicate` contains a JSON-encoded CycloneDX BOM. The CycloneDX format has
a mandatory `specVersion` field, so we may choose to omit the version number
from the predicateType URI to avoid confusion.

The `subject` contains whatever software artifacts are to be associated with
this CycloneDX BOM document.

## Changelog and Migrations
Not applicable for this initial version.

[Attestation]: ../README.md
[CycloneDX standard]: https://cyclonedx.org/specification/overview
[CycloneDX Capabilities]: https://cyclonedx.org/capabilities/
[CycloneDX Specification]: https://github.com/CycloneDX/specification/tree/1.4/schema
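Review bot: the `[CycloneDX Specification]` link that the Schema, Parsing Rules and Fields sections point at is pinned to `tree/1.4/schema`, while the paragraph above explains that the version number is deliberately omitted from the predicateType URI because the BOM carries a mandatory `specVersion`. As written, a reader could take the 1.4 pin as the only schema this predicate accepts. Either state in the Schema section which CycloneDX spec versions are supported, or point the link at the schema directory for the version selected by `specVersion` rather than a fixed release. Moving the removed "Predicate type that fits within the larger Attestation framework" note up into the Model section is fine; nothing else in this hunk changes meaning.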
