Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for attestations #192

Closed
stevespringett opened this issue Mar 16, 2023 · 15 comments · Fixed by #348
Closed

Add support for attestations #192

stevespringett opened this issue Mar 16, 2023 · 15 comments · Fixed by #348
Assignees
Labels
proposed core enhancement tc54 accepted Ecma TC54 has accepted the feature candidate tc54 reviewed Ecma TC54 has reviewed the feature candidate
Milestone

Comments

@stevespringett
Copy link
Member

Myself and others in the OWASP community have been thinking about the need for a general purpose attestation format. Many of us have searched for existing format, without much success. Several industry-specific formats, many human readable formats, both no general purpose machine readable formats seem to exist. Having a standardized attestation format is crucial to scale many of the U.S. and world government efforts around SBOM and secure development and operational practices. Fortunately for us, someone in our very own community has started work on this very thing. It's simple, flexible, and prescriptive, just like CycloneDX is.

This ticket is an enhancement request to add BoA (Bill of Attestations) support to the core spec.

CycloneDX v1.5 has already added support for an attestation external reference, so externalizing BoA from the SBOM would already be possible with v1.5. So it should fit in nicely.

@stevespringett
Copy link
Member Author

cc @planetlevel

@johnandersen777
Copy link

johnandersen777 commented Mar 27, 2023

Related: in-toto/attestation#165

We're exploring alignment across in-toto, DIDs, and Verifiable Credentials as well. Would be great if verification of in-toto and CycloneDX style attestations could be consumed by the Verifiable Credentials ecosystem as well.

Curious to see the POC mentioned :)

Ping @marcelamelara

@planetlevel
Copy link

What are next steps here? OMB-22-18, PCI, OWASP ASVS, CSF, and many other standards/frameworks could be represented in this manner, including custom assurance cases. Can we convene a working group to make sure we have all the use cases identified?

@stevespringett
Copy link
Member Author

@idunbarh
Copy link
Contributor

Awesome to see! Some of the in-toto maintainers are starting a new project called SBOMit with the intent of tracking attestations for components to support cyclonedx/spdx sboms. It would be worthwhile to comparing notes.

@mnm678 @JustinCappos

@colek42
Copy link

colek42 commented Mar 29, 2023

Have you seen the in-toto Attestation Framework project? https://github.com/in-toto/attestation

This project currently has maintainers from Google, VMWare, Intel, TestifySec, and Kusari. Would it make sense to combine efforts? Figuring out how to include or reference in-toto attestation from a cycloneDX document would be my goal from the collaboration.

I'll add your meeting to my calendar.

@adityasaky
Copy link

adityasaky commented Mar 29, 2023

I definitely think the in-toto attestations maintainers have incorporated what's described here. We also support cyclonedx documents already as a type of attestation and include semantics for attestations to point out to other ones and so on. cc in-toto/attestation-maintainers (@TomHennen @marcelamelara @pxp928 @joshuagl @mikhailswift)

Would it make sense to combine efforts? Figuring out how to include or reference in-toto attestation from a cycloneDX document would be my goal from the collaboration.

+1!

@marcelamelara
Copy link

marcelamelara commented Mar 29, 2023

I've been following along silently so far. I'd like to understand the requirements here and see how in-toto attestations might support/interoperate this. I don't think I can attend the meeting unfortunately, but am available to discuss offline.

@pxp928
Copy link

pxp928 commented Mar 29, 2023

I've been following along silently so far. I'd like to understand the requirements here and see how in-toto attestations might support/interoperate this. I don't think I can attend the meeting unfortunately, but am available to discuss offline.

I can attend the meeting. I am curious to hear the motivations and use cases around this and how we can help.

@stevespringett
Copy link
Member Author

@colek42 regarding referencing in-Toto attestations, I completely agree that CDX should be able to reference them if available. In fact, CDX v1.5 has nearly doubled the types of external references (relationships) it supports, and one of the new types is attestation which could refer to externalized CDX attestations or in-toto attestations, or both.

Most of the new reference types are #189

In general, I see CDX and in-Toto attestations complimenting each other quite well. They both try to solve different things and together could be a powerful combo.

Would love to get your feedback on viability of this approach.

@JustinCappos
Copy link

At a glance, this is a near perfect match for what we're trying to do in the SBOMit project, by building on in-toto attestations. To avoid unnecessary NIH-based competition, would it make sense to have someone from your group meet with SBOMit maintainers to discuss the use cases and goals?

This way both sides can either walk away with a better understanding of what makes their efforts unique or we can figure out how to combine efforts to avoid needless duplication...

@stevespringett
Copy link
Member Author

@JustinCappos the readme for SBOMit doesn't state the project goals and the term SBOM in the spec is severely limiting. I really dont know what the project is attempting to do. But our aim has nothing to do with SBOM but since CDX isn't an SBOM standard, rather a BOM standard, it makes sense to support bill of attestation use cases. Does SBOMit have clearly articulated goals?

@JustinCappos
Copy link

@JustinCappos the readme for SBOMit doesn't state the project goals and the term SBOM in the spec is severely limiting. I really dont know what the project is attempting to do. But our aim has nothing to do with SBOM but since CDX isn't an SBOM standard, rather a BOM standard, it makes sense to support bill of attestation use cases. Does SBOMit have clearly articulated goals?

We're in the process of moving everything over from a Google Doc we've been collectively working on to the github repos, etc. So, we have them and they will transition over relatively soon.

From what you're saying about BOM vs SBOM, then it seems more likely that in-toto attestation framework more closely meets your needs (as other have stated).

I am curious to understand more about how BOM vs SBOM really changes things for your use cases.

@stevespringett stevespringett modified the milestones: 1.5, Attestation 1.0 May 20, 2023
@stevespringett
Copy link
Member Author

The working groups have made a ton of progress over the past few months. The idea is to create a dedicated schema specific to attestations. It will all fall under the CycloneDX umbrella, but will initially not be part of the CycloneDX BOM standard. The goal is to have an independent CycloneDX Attestation standard with support in existing CycloneDX tooling to support it. We may incorporate the attestation standard into the BOM standard in a future release. TBD.

Therefore, moving this out from v1.5 and into its own milestone.

@stevespringett stevespringett linked a pull request Dec 27, 2023 that will close this issue
4 tasks
@jkowalleck jkowalleck mentioned this issue Jan 13, 2024
4 tasks
stevespringett added a commit that referenced this issue Jan 14, 2024
fixes #192


task list for spec enhacement
- [x] schema: JSON
- [x] schema: XML  
- [x] schema: protobuff
- [x] examples/test cases
@stevespringett stevespringett added tc54 reviewed Ecma TC54 has reviewed the feature candidate tc54 accepted Ecma TC54 has accepted the feature candidate labels Jan 14, 2024
@stevespringett
Copy link
Member Author

The attestation implementation in #348 has been approved by TC54. Thank you everyone for your contributions.

@stevespringett stevespringett modified the milestones: Attestation 1.0, 1.6 Jan 14, 2024
@jkowalleck jkowalleck mentioned this issue Jan 14, 2024
stevespringett added a commit that referenced this issue Apr 9, 2024
## Added

* Core enhancement: Attestation
([#192](#192) via
[#348](#348))
* Core enhancement: Cryptography Bill of Materials — CBOM
([#171](#171),
[#291](#291) via
[#347](#347))
* Feature to express the URL to source distribution
([#98](#98) via
[#269](#269))
* Feature to express the URL to RFC 9116 compliant documents
([#380](#380) via
[#381](#381))
* Feature to express tags/keywords for services and components (via
[#383](#383))
* Feature to express details for component authors
([#335](#335) via
[#379](#379))
* Feature to express details for component and BOM manufacturer
([#346](#346) via
[#379](#379))
* Feature to express communicate concluded values from observed
evidences ([#411](#411)
via [#412](#412))
* Features to express license acknowledgement
([#407](#407) via
[#408](#408))
* Feature to express environmental consideration information for model
cards ([#396](#396) via
[#395](#395))
* Feature to express the address of organizational entities (via
[#395](#395))
* Feature to express additional component identifiers: Universal Bill Of
Receipts Identifier and Software Heritage persistent IDs
([#413](#413) via
[#414](#414))

## Fixed

* Allow multiple evidence identities by XML/JSON schema
([#272](#272) via
[#359](#359))
  This was already correct via ProtoBuff schema.
* Prevent empty `license` entities by XML schema
([#288](#288) via
[#292](#292))
  This was already correct in JSON/ProtoBuff schema.
* Prevent empty or malformed `property` entities by JSON schema
([#371](#371) via
[#375](#375))
  This was already correct in XML/ProtoBuff schema.
* Allow multiple `licenses` in `Metadata` by ProtoBuff schema
([#264](#264) via
[#401](#401))
  This was already correct in XML/JSON schema.

## Changed

* Allow arbitrary `$schema` values by JSON schema
([#402](#402) via
[#403](#403))
* Increased max length of `versionRange` (via
[`3e01ce6`](3e01ce6))
* Harmonized length of `version` (via
[#417](#417))

## Deprecated

* Data model "Component"'s field `author` was deprecated. (via
[#379](#379))
  Use field `authors` or field `manufacturer` instead.
* Data model "Metadata"'s field `manufacture` was deprecated.
([#346](#346) via
[#379](#379))
  Use "Metadata"'s field `component`'s field `manufacturer` instead. 
  - for XML: `/bom/metadata/component/manufacturer`
  - for JSON: `$.metadata.component.manufacturer`
  - for ProtoBuf: `Bom:metadata.component.manufacturer`

## Documentation

* Centralize version and version-range (via
[#322](#322))
* Streamlined SPDX expression related descriptions (via
[#327](#327))
* Enhanced descriptions of `bom-ref`/`refType`
([#336](#336) via
[#344](#344))
* Enhanced readability of enum documentation in JSON schema
([#361](#361) via
[#362](#362))
* Fixed typo "compliment" -> "complement" (via
[#369](#369))
* Added documentation for enum "ComponentScope"'s values in JSON schema
([#293](#293) via
[`d92e58e`](d92e58e))
  Texts were a taken from the existing ones in XML/ProtoBuff schema.
* Added documentation for enum "TaskType"'s values
([#245](#245) via
[#377](#377))
* Improve documentation for data model "Metadata"'s field `licenses`
([#273](#273) via
[#378](#378))
* Added documentation for enum "MachineLearningApproachType"'s values
([#351](#351) via
[#416](#416))
* Rephrased some texts here and there.

## Test data

* Added test data for newly added use cases
* Added quality assurance for our ProtoBuf schemas
([#384](#384) via
[#385](#385))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
proposed core enhancement tc54 accepted Ecma TC54 has accepted the feature candidate tc54 reviewed Ecma TC54 has reviewed the feature candidate
Projects
None yet
Development

Successfully merging a pull request may close this issue.

9 participants