From de4193c331e4f688df28eaa5848483c39f8dfb88 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 11 Jul 2023 14:23:10 -0500 Subject: [PATCH 01/19] Initial checkin of 1.6 attestation support Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 446 +++++++++++++++++++++++++++++++++++++ 1 file changed, 446 insertions(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 726fbf03..3243832d 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -105,6 +105,452 @@ "title": "Formulation", "description": "Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process." }, + "declarations": { + "type": "object", + "title": "Declarations", + "description": "", + "additionalProperties": false, + "properties": { + "standards": { + "type": "array", + "title": "Standards", + "description": "", + "items": { + "type": "object", + "title": "Standard", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the standard" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the standard" + }, + "version": { + "type": "string", + "title": "Version", + "description": "A version of the standard" + }, + "owner": { + "type": "string", + "title": "Owner", + "description": "The owner of the standard" + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The requirements that make up the standard", + "items": { + "type": "object", + "title": "Requirement", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific requirement" + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the requirement" + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the requirement" + }, + "opencre": { + "type": "string", + "format": "iri-reference", + "title": "OWASP OpenCRE", + "description": "URL to the Common Requirements Enumeration" + }, + "parent": { + "$ref": "#/definitions/refLinkType", + "title": "Parent BOM Reference", + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } + }, + "levels": { + "type": "array", + "title": "Levels", + "description": "", + "items": { + "type": "object", + "title": "Level", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific level" + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the level" + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the level" + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + } + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "assessors": { + "type": "array", + "title": "Assessors", + "description": "", + "items": { + "type": "object", + "title": "Assessor", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "type": { + "type": "string", + "enum": [ + "self", + "purchaser", + "independent" + ], + "title": "Type", + "description": "" + }, + "organization": { + "$ref": "#/definitions/organizationalEntity", + "title": "Organization", + "description": "" + } + } + } + }, + "attestations": { + "type": "array", + "title": "Attestations", + "description": "", + "items": { + "additionalProperties": false, + "properties": { + "targets": { + "type": "array", + "title": "Targets", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "assessor": { + "$ref": "#/definitions/refLinkType", + "title": "Assessor", + "description": "" + }, + "map": { + "type": "array", + "title": "Map", + "description": "", + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "requirement": { + "$ref": "#/definitions/refLinkType", + "title": "Requirement", + "description": "" + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "counterClaims": { + "type": "array", + "title": "Claims", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "conformance": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Conformance", + "description": "The conformance to a requirement from 0 - 1, where 1 is 100% conformance." + }, + "mitigationStrategy": { + "type": "array", + "title": "Mitigation Strategy", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "confidence": { + "type": "object", + "title": "Confidence", + "description": "", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The confidence of the attestation from 0 - 1, where 1 is 100% confidence." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "" + } + } + } + } + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "", + "items": { + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "target": { + "$ref": "#/definitions/refLinkType", + "title": "Target", + "description": "" + }, + "predicate": { + "type": "string", + "title": "Predicate", + "description": "" + }, + "mitigationStrategy": { + "type": "array", + "title": "Mitigation Strategy", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "reasoning": { + "type": "string", + "title": "Reasoning", + "description": "" + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "counterEvidence": { + "type": "array", + "title": "Counter Evidence", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "", + "items": { + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "type": { + "type": "string", + "title": "Type", + "description": "TODO - make this extensible - see valid-attestations-1.6.json for notes" + }, + "description": { + "type": "string", + "title": "Description", + "description": "" + }, + "data": { + "type": "string", + "title": "Description", + "description": "", + "additionalProperties": false, + "properties": { + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "An optional way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + } + } + } + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "" + }, + "expires": { + "type": "string", + "format": "date-time", + "title": "Expires", + "description": "" + }, + "author": { + "$ref": "#/definitions/organizationalContact", + "title": "Author", + "description": "" + }, + "reviewer": { + "$ref": "#/definitions/organizationalContact", + "title": "Reviewer", + "description": "" + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "targets": { + "type": "object", + "title": "Targets", + "description": "", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "", + "items": {"$ref": "#/definitions/organizationalEntity"} + }, + "contacts": { + "type": "array", + "title": "Contacts", + "description": "", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "components": { + "type": "array", + "title": "Components", + "description": "", + "items": {"$ref": "#/definitions/component"} + }, + "services": { + "type": "array", + "title": "Services", + "description": "", + "items": {"$ref": "#/definitions/service"} + } + } + }, + "affirmation": { + "type": "object", + "title": "Affirmation", + "additionalProperties": false, + "properties": { + "text": { + + } + } + } + } + }, "properties": { "type": "array", "title": "Properties", From 2a62ac30517304a6cd877676f996b609a019cbdc Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Tue, 1 Aug 2023 14:57:35 -0500 Subject: [PATCH 02/19] Updates at the end of todays call --- schema/bom-1.6.schema.json | 40 +++++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 3243832d..8e946f51 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -289,11 +289,10 @@ "items": { "additionalProperties": false, "properties": { - "targets": { - "type": "array", - "title": "Targets", - "description": "", - "items": { "$ref": "#/definitions/refLinkType" } + "summary": { + "type": "string", + "title": "Summary", + "description": "" }, "assessor": { "$ref": "#/definitions/refLinkType", @@ -326,17 +325,30 @@ "items": { "$ref": "#/definitions/refLinkType" } }, "conformance": { - "type": "number", - "minimum": 0, - "maximum": 1, + "type": "object", "title": "Conformance", - "description": "The conformance to a requirement from 0 - 1, where 1 is 100% conformance." - }, - "mitigationStrategy": { - "type": "array", - "title": "Mitigation Strategy", "description": "", - "items": { "$ref": "#/definitions/refLinkType" } + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The conformance to a requirement from 0 - 1, where 1 is 100% conformance." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "" + }, + "mitigationStrategy": { + "type": "array", + "title": "Mitigation Strategy", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + } + } }, "confidence": { "type": "object", From 4a64108e1b1e6e0fe8fa8132cb8bf69582398507 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 16:44:57 -0500 Subject: [PATCH 03/19] Moved standards out from declarations into definitions. Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 287 +++++++++++++++++++------------------ 1 file changed, 149 insertions(+), 138 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 3243832d..2091e048 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -111,144 +111,6 @@ "description": "", "additionalProperties": false, "properties": { - "standards": { - "type": "array", - "title": "Standards", - "description": "", - "items": { - "type": "object", - "title": "Standard", - "description": "", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the standard" - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the standard" - }, - "version": { - "type": "string", - "title": "Version", - "description": "A version of the standard" - }, - "owner": { - "type": "string", - "title": "Owner", - "description": "The owner of the standard" - }, - "requirements": { - "type": "array", - "title": "Requirements", - "description": "The requirements that make up the standard", - "items": { - "type": "object", - "title": "Requirement", - "description": "", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "identifier": { - "type": "string", - "title": "Identifier", - "description": "The identifier used in the standard to identify a specific requirement" - }, - "title": { - "type": "string", - "title": "Title", - "description": "The title of the requirement" - }, - "text": { - "type": "string", - "title": "Text", - "description": "The textual content of the requirement" - }, - "opencre": { - "type": "string", - "format": "iri-reference", - "title": "OWASP OpenCRE", - "description": "URL to the Common Requirements Enumeration" - }, - "parent": { - "$ref": "#/definitions/refLinkType", - "title": "Parent BOM Reference", - "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." - }, - "externalReferences": { - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - } - } - } - }, - "levels": { - "type": "array", - "title": "Levels", - "description": "", - "items": { - "type": "object", - "title": "Level", - "description": "", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "identifier": { - "type": "string", - "title": "Identifier", - "description": "The identifier used in the standard to identify a specific level" - }, - "title": { - "type": "string", - "title": "Title", - "description": "The title of the level" - }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of the level" - }, - "requirements": { - "type": "array", - "title": "Requirements", - "description": "", - "items": { "$ref": "#/definitions/refLinkType" } - } - } - } - }, - "externalReferences": { - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - }, - "signature": { - "$ref": "#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } - } - } - }, "assessors": { "type": "array", "title": "Assessors", @@ -551,6 +413,22 @@ } } }, + "definitions": { + "type": "object", + "title": "Definitions", + "description": "", + "additionalProperties": false, + "properties": { + "standards": { + "type": "array", + "title": "Standards", + "description": "Defines standards which may consist of regulations, industry or organizational-specific standards, maturity models, and best practices which can be evaluated against or attested to.", + "items": { + "$ref": "#/definitions/standard" + } + } + } + }, "properties": { "type": "array", "title": "Properties", @@ -4236,6 +4114,139 @@ } } }, + "standard": { + "type": "object", + "title": "Standard", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the standard" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the standard" + }, + "version": { + "type": "string", + "title": "Version", + "description": "A version of the standard" + }, + "owner": { + "type": "string", + "title": "Owner", + "description": "The owner of the standard" + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The requirements that make up the standard", + "items": { + "type": "object", + "title": "Requirement", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific requirement" + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the requirement" + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the requirement" + }, + "opencre": { + "type": "string", + "format": "iri-reference", + "title": "OWASP OpenCRE", + "description": "URL to the Common Requirements Enumeration" + }, + "parent": { + "$ref": "#/definitions/refLinkType", + "title": "Parent BOM Reference", + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } + }, + "levels": { + "type": "array", + "title": "Levels", + "description": "", + "items": { + "type": "object", + "title": "Level", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific level" + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the level" + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the level" + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + } + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, "signature": { "$ref": "jsf-0.82.schema.json#/definitions/signature", "title": "Signature", From 53ff77d2c6146897ea14500a0a9f3446571a5ff6 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 19:58:48 -0500 Subject: [PATCH 04/19] Removing invalid types Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index e3042202..1e94f62f 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1723,7 +1723,6 @@ ] }, "governance": { - "type": "object", "title": "Data Governance", "$ref": "#/definitions/dataGovernance" }, @@ -3026,7 +3025,6 @@ "type": "string" }, "governance": { - "type": "object", "title": "Data Governance", "$ref": "#/definitions/dataGovernance" } From f73a14a12dd4b91a7c79c1ef6a4690a7d37561c6 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 20:01:56 -0500 Subject: [PATCH 05/19] adding missing type Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 1e94f62f..2c733040 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -149,6 +149,7 @@ "title": "Attestations", "description": "", "items": { + "type": "object", "additionalProperties": false, "properties": { "summary": { From e70a6e38f4c8309327aa9807547ce96bf376311d Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 20:55:58 -0500 Subject: [PATCH 06/19] Added missing type Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 2c733040..54184306 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -249,6 +249,7 @@ "title": "Claims", "description": "", "items": { + "type": "object", "additionalProperties": false, "properties": { "bom-ref": { From 8f86882b49b8eb5f295e103319d4f44150766090 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 21:28:18 -0500 Subject: [PATCH 07/19] Added missing type Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 54184306..5bad4307 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -309,6 +309,7 @@ "title": "Evidence", "description": "", "items": { + "type": "object", "additionalProperties": false, "properties": { "bom-ref": { From 52506bbff0b526eb658db8c21879f50ed1f89353 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 23:05:03 -0500 Subject: [PATCH 08/19] Correcting object type Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 5bad4307..103f673e 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -328,7 +328,7 @@ "description": "" }, "data": { - "type": "string", + "type": "object", "title": "Description", "description": "", "additionalProperties": false, From 8f0557e710e07e91a639d2467a8374465b06ffd4 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 26 Sep 2023 13:52:19 -0500 Subject: [PATCH 09/19] Added descriptions that were developed by the working group. Minor changes to schema to include some changes and omissions. Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 178 +++++++++++++++++++++++-------------- 1 file changed, 109 insertions(+), 69 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 103f673e..305937ae 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -108,13 +108,13 @@ "declarations": { "type": "object", "title": "Declarations", - "description": "", + "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.", "additionalProperties": false, "properties": { "assessors": { "type": "array", "title": "Assessors", - "description": "", + "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.", "items": { "type": "object", "title": "Assessor", @@ -126,20 +126,15 @@ "title": "BOM Reference", "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." }, - "type": { - "type": "string", - "enum": [ - "self", - "purchaser", - "independent" - ], - "title": "Type", - "description": "" + "thirdParty": { + "type": "boolean", + "title": "Third Party", + "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor." }, "organization": { "$ref": "#/definitions/organizationalEntity", "title": "Organization", - "description": "" + "description": "The entity issuing the assessment." } } } @@ -147,7 +142,7 @@ "attestations": { "type": "array", "title": "Attestations", - "description": "", + "description": "The list of attestations asserted by an assessor that maps requirements to claims.", "items": { "type": "object", "additionalProperties": false, @@ -160,12 +155,12 @@ "assessor": { "$ref": "#/definitions/refLinkType", "title": "Assessor", - "description": "" + "description": "The `bom-ref` to the assessor asserting the attestation." }, "map": { "type": "array", "title": "Map", - "description": "", + "description": "The grouping of requirements to claims and the attestors declaired conformance and confidence thereof.", "items": { "type": "object", "additionalProperties": false, @@ -173,24 +168,24 @@ "requirement": { "$ref": "#/definitions/refLinkType", "title": "Requirement", - "description": "" + "description": "The `bom-ref` to the requirement being attested to." }, "claims": { "type": "array", "title": "Claims", - "description": "", + "description": "The list of `bom-ref` to the claims being attested to.", "items": { "$ref": "#/definitions/refLinkType" } }, "counterClaims": { "type": "array", "title": "Claims", - "description": "", + "description": "The list of `bom-ref` to the counter claims being attested to.", "items": { "$ref": "#/definitions/refLinkType" } }, "conformance": { "type": "object", "title": "Conformance", - "description": "", + "description": "The conformance of the claim meeting a requirement.", "additionalProperties": false, "properties": { "score": { @@ -198,17 +193,17 @@ "minimum": 0, "maximum": 1, "title": "Score", - "description": "The conformance to a requirement from 0 - 1, where 1 is 100% conformance." + "description": "The conformance of the claim within [0,1], where 1 is 100% confidence." }, "rationale": { "type": "string", "title": "Rationale", - "description": "" + "description": "The rationale for the score of conformance." }, "mitigationStrategy": { "type": "array", "title": "Mitigation Strategy", - "description": "", + "description": "The description of the mitigation strategy if conformance is not `1`.", "items": { "$ref": "#/definitions/refLinkType" } } } @@ -216,7 +211,7 @@ "confidence": { "type": "object", "title": "Confidence", - "description": "", + "description": "The confidence of the claim meeting the requirement.", "additionalProperties": false, "properties": { "score": { @@ -224,12 +219,12 @@ "minimum": 0, "maximum": 1, "title": "Score", - "description": "The confidence of the attestation from 0 - 1, where 1 is 100% confidence." + "description": "The confidence of the claim within [0,1], where 1 is 100% confidence." }, "rationale": { "type": "string", "title": "Rationale", - "description": "" + "description": "The rationale for the confidence score." } } } @@ -247,7 +242,7 @@ "claims": { "type": "array", "title": "Claims", - "description": "", + "description": "The list of claims.", "items": { "type": "object", "additionalProperties": false, @@ -260,34 +255,34 @@ "target": { "$ref": "#/definitions/refLinkType", "title": "Target", - "description": "" + "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." }, "predicate": { "type": "string", "title": "Predicate", - "description": "" + "description": "The specific statement or assertion about the target." }, "mitigationStrategy": { "type": "array", "title": "Mitigation Strategy", - "description": "", + "description": "The written explanation of how any weaknesses in the evidence will be mitigated.", "items": { "$ref": "#/definitions/refLinkType" } }, "reasoning": { "type": "string", "title": "Reasoning", - "description": "" + "description": "The written explanation of why the evidence provided substantiates the claim." }, "evidence": { "type": "array", "title": "Evidence", - "description": "", + "description": "The array of references to evidence that supports this claim.", "items": { "$ref": "#/definitions/refLinkType" } }, "counterEvidence": { "type": "array", "title": "Counter Evidence", - "description": "", + "description": "The array of references to counterEvidence that undermines this claim.", "items": { "$ref": "#/definitions/refLinkType" } }, "externalReferences": { @@ -307,7 +302,7 @@ "evidence": { "type": "array", "title": "Evidence", - "description": "", + "description": "The list of evidence.", "items": { "type": "object", "additionalProperties": false, @@ -325,12 +320,12 @@ "description": { "type": "string", "title": "Description", - "description": "" + "description": "The written description of what this evidence is and how it was created." }, "data": { "type": "object", "title": "Description", - "description": "", + "description": "The output or analysis that supports claims.", "additionalProperties": false, "properties": { "contents": { @@ -341,13 +336,13 @@ "properties": { "attachment": { "title": "Data Attachment", - "description": "An optional way to include textual or encoded data.", + "description": "The optional way to include textual or encoded data.", "$ref": "#/definitions/attachment" }, "url": { "type": "string", "title": "Data URL", - "description": "The URL to where the data can be retrieved.", + "description": "The URL where the data can be retrieved.", "format": "iri-reference" } } @@ -358,23 +353,23 @@ "type": "string", "format": "date-time", "title": "Created", - "description": "" + "description": "The date and time (timestamp) when the evidence was created." }, "expires": { "type": "string", "format": "date-time", "title": "Expires", - "description": "" + "description": "The optional date and time (timestamp) when the evidence is no longer valid." }, "author": { "$ref": "#/definitions/organizationalContact", "title": "Author", - "description": "" + "description": "The author of the evidence." }, "reviewer": { "$ref": "#/definitions/organizationalContact", "title": "Reviewer", - "description": "" + "description": "The reviewer of the evidence." }, "signature": { "$ref": "#/definitions/signature", @@ -387,31 +382,31 @@ "targets": { "type": "object", "title": "Targets", - "description": "", + "description": "The list of targets which claims are made against.", "additionalProperties": false, "properties": { "organizations": { "type": "array", "title": "Organizations", - "description": "", + "description": "The list of organizations which claims are made against.", "items": {"$ref": "#/definitions/organizationalEntity"} }, - "contacts": { + "people": { "type": "array", - "title": "Contacts", - "description": "", + "title": "People", + "description": "The list of individuals which claims are made against.", "items": {"$ref": "#/definitions/organizationalContact"} }, "components": { "type": "array", "title": "Components", - "description": "", + "description": "The list of components which claims are made against.", "items": {"$ref": "#/definitions/component"} }, "services": { "type": "array", "title": "Services", - "description": "", + "description": "The list of services which claims are made against.", "items": {"$ref": "#/definitions/service"} } } @@ -421,8 +416,55 @@ "title": "Affirmation", "additionalProperties": false, "properties": { - "text": { - + "statement": { + "type": "string", + "title": "Text", + "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", + "examples": [ "I certify, to the best of my knowledge, that all information is correct." ] + }, + "signatories": { + "type": "array", + "title": "Signatories", + "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", + "items": { + "type": "object", + "additionalProperties": false, + "oneOf": [ + { + "required": ["signature"] + }, + { + "required": ["externalReference", "organization"] + } + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The signatory's name." + }, + "role": { + "type": "string", + "title": "Role", + "description": "The signatory's role within an organization." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + }, + "organization": { + "$ref": "#/definitions/organizationalEntity", + "title": "Organization", + "description": "The signatory's organization." + }, + "externalReference": { + "$ref": "#/definitions/externalReference", + "title": "External Reference", + "description": "An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } } } } @@ -437,7 +479,7 @@ "standards": { "type": "array", "title": "Standards", - "description": "Defines standards which may consist of regulations, industry or organizational-specific standards, maturity models, and best practices which can be evaluated against or attested to.", + "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", "items": { "$ref": "#/definitions/standard" } @@ -4130,7 +4172,7 @@ "standard": { "type": "object", "title": "Standard", - "description": "", + "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", "additionalProperties": false, "properties": { "bom-ref": { @@ -4141,31 +4183,30 @@ "name": { "type": "string", "title": "Name", - "description": "The name of the standard" + "description": "The name of the standard. This will often be a shortened, single name of the standard." }, "description": { "type": "string", "title": "Description", - "description": "A description of the standard" + "description": "The description of the standard." }, "version": { "type": "string", "title": "Version", - "description": "A version of the standard" + "description": "The version of the standard." }, "owner": { "type": "string", "title": "Owner", - "description": "The owner of the standard" + "description": "The owner of the standard, often the entity responsible for its release." }, "requirements": { "type": "array", "title": "Requirements", - "description": "The requirements that make up the standard", + "description": "The list of requirements comprising the standard.", "items": { "type": "object", "title": "Requirement", - "description": "", "additionalProperties": false, "properties": { "bom-ref": { @@ -4176,28 +4217,28 @@ "identifier": { "type": "string", "title": "Identifier", - "description": "The identifier used in the standard to identify a specific requirement" + "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref." }, "title": { "type": "string", "title": "Title", - "description": "The title of the requirement" + "description": "The title of the requirement." }, "text": { "type": "string", "title": "Text", - "description": "The textual content of the requirement" + "description": "The textual content of the requirement." }, "opencre": { "type": "string", "format": "iri-reference", "title": "OWASP OpenCRE", - "description": "URL to the Common Requirements Enumeration" + "description": "The URL to the corresponding Common Requirements Enumeration (CRE) common requirement identifier." }, "parent": { "$ref": "#/definitions/refLinkType", "title": "Parent BOM Reference", - "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." }, "externalReferences": { "type": "array", @@ -4211,11 +4252,10 @@ "levels": { "type": "array", "title": "Levels", - "description": "", + "description": "The list of levels associated with the standard. Some standards have different levels of compliance.", "items": { "type": "object", "title": "Level", - "description": "", "additionalProperties": false, "properties": { "bom-ref": { @@ -4226,22 +4266,22 @@ "identifier": { "type": "string", "title": "Identifier", - "description": "The identifier used in the standard to identify a specific level" + "description": "The identifier used in the standard to identify a specific level." }, "title": { "type": "string", "title": "Title", - "description": "The title of the level" + "description": "The title of the level." }, "description": { "type": "string", "title": "Description", - "description": "The description of the level" + "description": "The description of the level." }, "requirements": { "type": "array", "title": "Requirements", - "description": "", + "description": "The list of requirement `bom-ref`s that comprise the level.", "items": { "$ref": "#/definitions/refLinkType" } } } From 1fde9ff8868f4a4445704b6531cb02cfcfba351c Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Tue, 26 Sep 2023 14:49:28 -0500 Subject: [PATCH 10/19] Updates as of todays working group Signed-off-by: steve.springett --- schema/bom-1.6.schema.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 305937ae..6e13682b 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -150,7 +150,7 @@ "summary": { "type": "string", "title": "Summary", - "description": "" + "description": "The short description explaining the main points of the attestation." }, "assessor": { "$ref": "#/definitions/refLinkType", @@ -193,7 +193,7 @@ "minimum": 0, "maximum": 1, "title": "Score", - "description": "The conformance of the claim within [0,1], where 1 is 100% confidence." + "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." }, "rationale": { "type": "string", @@ -219,7 +219,7 @@ "minimum": 0, "maximum": 1, "title": "Score", - "description": "The confidence of the claim within [0,1], where 1 is 100% confidence." + "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." }, "rationale": { "type": "string", @@ -312,10 +312,10 @@ "title": "BOM Reference", "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." }, - "type": { + "propertyName": { "type": "string", "title": "Type", - "description": "TODO - make this extensible - see valid-attestations-1.6.json for notes" + "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/). " }, "description": { "type": "string", From d854c03ae6283cc157331ce1fcd7f7a97bc2273f Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 3 Oct 2023 22:40:23 -0500 Subject: [PATCH 11/19] Added properties and description array as a result of todays meeting Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 305937ae..cee16af7 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4229,6 +4229,12 @@ "title": "Text", "description": "The textual content of the requirement." }, + "descriptions": { + "type": "array", + "title": "Descriptions", + "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", + "items": { "type": "string" } + }, "opencre": { "type": "string", "format": "iri-reference", @@ -4240,6 +4246,14 @@ "title": "Parent BOM Reference", "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": { + "$ref": "#/definitions/property" + } + }, "externalReferences": { "type": "array", "items": {"$ref": "#/definitions/externalReference"}, From f3d54daa2f6f3cc480124e4c667bb594a941c756 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 9 Oct 2023 22:26:14 -0500 Subject: [PATCH 12/19] Updated CRE support based on conversation with CRE project. Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index dd86287c..46248ee7 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4236,10 +4236,14 @@ "items": { "type": "string" } }, "opencre": { - "type": "string", - "format": "iri-reference", - "title": "OWASP OpenCRE", - "description": "The URL to the corresponding Common Requirements Enumeration (CRE) common requirement identifier." + "type": "array", + "title": "OWASP OpenCRE Identifier(s)", + "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", + "items": { + "type": "string", + "pattern": "^CRE:[0-9]+-[0-9]+$", + "examples": [ "CRE:764-507" ] + } }, "parent": { "$ref": "#/definitions/refLinkType", From 29a9a7d7d831d634a912ac548de74bae5c41dbf8 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Dec 2023 16:54:47 -0600 Subject: [PATCH 13/19] Added attestation support to XSD and added JSON and XML test cases. Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 111 +- schema/bom-1.6.xsd | 991 ++++++++++++++++-- .../resources/1.6/valid-attestation-1.6.json | 209 ++++ .../resources/1.6/valid-attestation-1.6.xml | 165 +++ 4 files changed, 1370 insertions(+), 106 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.xml diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 76d0ef02..7ed54830 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -118,7 +118,7 @@ "items": { "type": "object", "title": "Assessor", - "description": "", + "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.", "additionalProperties": false, "properties": { "bom-ref": { @@ -160,7 +160,7 @@ "map": { "type": "array", "title": "Map", - "description": "The grouping of requirements to claims and the attestors declaired conformance and confidence thereof.", + "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.", "items": { "type": "object", "additionalProperties": false, @@ -193,17 +193,17 @@ "minimum": 0, "maximum": 1, "title": "Score", - "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." + "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." }, "rationale": { "type": "string", "title": "Rationale", - "description": "The rationale for the score of conformance." + "description": "The rationale for the conformance score." }, - "mitigationStrategy": { + "mitigationStrategies": { "type": "array", - "title": "Mitigation Strategy", - "description": "The description of the mitigation strategy if conformance is not `1`.", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", "items": { "$ref": "#/definitions/refLinkType" } } } @@ -262,10 +262,10 @@ "title": "Predicate", "description": "The specific statement or assertion about the target." }, - "mitigationStrategy": { + "mitigationStrategies": { "type": "array", - "title": "Mitigation Strategy", - "description": "The written explanation of how any weaknesses in the evidence will be mitigated.", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", "items": { "$ref": "#/definitions/refLinkType" } }, "reasoning": { @@ -276,13 +276,13 @@ "evidence": { "type": "array", "title": "Evidence", - "description": "The array of references to evidence that supports this claim.", + "description": "The list of `bom-ref` to evidence that supports this claim.", "items": { "$ref": "#/definitions/refLinkType" } }, "counterEvidence": { "type": "array", "title": "Counter Evidence", - "description": "The array of references to counterEvidence that undermines this claim.", + "description": "The list of `bom-ref` to counterEvidence that supports this claim.", "items": { "$ref": "#/definitions/refLinkType" } }, "externalReferences": { @@ -302,7 +302,7 @@ "evidence": { "type": "array", "title": "Evidence", - "description": "The list of evidence.", + "description": "The list of evidence", "items": { "type": "object", "additionalProperties": false, @@ -315,7 +315,7 @@ "propertyName": { "type": "string", "title": "Type", - "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/). " + "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." }, "description": { "type": "string", @@ -323,28 +323,49 @@ "description": "The written description of what this evidence is and how it was created." }, "data": { - "type": "object", - "title": "Description", + "type": "array", + "title": "Data", "description": "The output or analysis that supports claims.", - "additionalProperties": false, - "properties": { - "contents": { - "type": "object", - "title": "Data Contents", - "description": "The contents or references to the contents of the data being described.", - "additionalProperties": false, - "properties": { - "attachment": { - "title": "Data Attachment", - "description": "The optional way to include textual or encoded data.", - "$ref": "#/definitions/attachment" - }, - "url": { - "type": "string", - "title": "Data URL", - "description": "The URL where the data can be retrieved.", - "format": "iri-reference" + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "description": "The name of the data.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "An optional way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + } } + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "sensitiveData": { + "type": "array", + "description": "A description of any sensitive data included.", + "items": { + "type": "string" + } + }, + "governance": { + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" } } } @@ -391,12 +412,6 @@ "description": "The list of organizations which claims are made against.", "items": {"$ref": "#/definitions/organizationalEntity"} }, - "people": { - "type": "array", - "title": "People", - "description": "The list of individuals which claims are made against.", - "items": {"$ref": "#/definitions/organizationalContact"} - }, "components": { "type": "array", "title": "Components", @@ -465,15 +480,25 @@ } } } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." } } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." } } }, "definitions": { "type": "object", "title": "Definitions", - "description": "", + "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", "additionalProperties": false, "properties": { "standards": { @@ -1551,7 +1576,7 @@ "type": { "type": "string", "title": "Type", - "description": "Specifies the type of external reference.\n\n* __vcs__ = Version Control System\n* __issue-tracker__ = Issue or defect tracking system, or an Application Lifecycle Management (ALM) system\n* __website__ = Website\n* __advisories__ = Security advisories\n* __bom__ = Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)\n* __mailing-list__ = Mailing list or discussion group\n* __social__ = Social media account\n* __chat__ = Real-time chat platform\n* __documentation__ = Documentation, guides, or how-to instructions\n* __support__ = Community or commercial support\n* __distribution__ = Direct or repository download location\n* __distribution-intake__ = The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary\n* __license__ = The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness\n* __build-meta__ = Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)\n* __build-system__ = URL to an automated build system\n* __release-notes__ = URL to release notes\n* __security-contact__ = Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT\n* __model-card__ = A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency\n* __log__ = A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations\n* __configuration__ = Parameters or settings that may be used by other components or services\n* __evidence__ = Information used to substantiate a claim\n* __formulation__ = Describes how a component or service was manufactured or deployed\n* __attestation__ = Human or machine-readable statements containing facts, evidence, or testimony\n* __threat-model__ = An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format\n* __adversary-model__ = The defined assumptions, goals, and capabilities of an adversary.\n* __risk-assessment__ = Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.\n* __vulnerability-assertion__ = A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.\n* __exploitability-statement__ = A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.\n* __pentest-report__ = Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test\n* __static-analysis-report__ = SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code\n* __dynamic-analysis-report__ = Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations\n* __runtime-analysis-report__ = Report generated by analyzing the call stack of a running application\n* __component-analysis-report__ = Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis\n* __maturity-report__ = Report containing a formal assessment of an organization, business unit, or team against a maturity model\n* __certification-report__ = Industry, regulatory, or other certification from an accredited (if applicable) certification body\n* __quality-metrics__ = Report or system in which quality metrics can be obtained\n* __codified-infrastructure__ = Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)\n* __poam__ = Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".\n* __other__ = Use this if no other types accurately describe the purpose of the external reference", + "description": "Specifies the type of external reference.\n\n* __vcs__ = Version Control System\n* __issue-tracker__ = Issue or defect tracking system, or an Application Lifecycle Management (ALM) system\n* __website__ = Website\n* __advisories__ = Security advisories\n* __bom__ = Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)\n* __mailing-list__ = Mailing list or discussion group\n* __social__ = Social media account\n* __chat__ = Real-time chat platform\n* __documentation__ = Documentation, guides, or how-to instructions\n* __support__ = Community or commercial support\n* __distribution__ = Direct or repository download location\n* __distribution-intake__ = The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary\n* __license__ = The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness\n* __build-meta__ = Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)\n* __build-system__ = URL to an automated build system\n* __release-notes__ = URL to release notes\n* __security-contact__ = Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT\n* __model-card__ = A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency\n* __log__ = A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations\n* __configuration__ = Parameters or settings that may be used by other components or services\n* __evidence__ = Information used to substantiate a claim\n* __formulation__ = Describes how a component or service was manufactured or deployed\n* __attestation__ = Human or machine-readable statements containing facts, evidence, or testimony\n* __threat-model__ = An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format\n* __adversary-model__ = The defined assumptions, goals, and capabilities of an adversary.\n* __risk-assessment__ = Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.\n* __vulnerability-assertion__ = A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.\n* __exploitability-statement__ = A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.\n* __pentest-report__ = Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test\n* __static-analysis-report__ = SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code\n* __dynamic-analysis-report__ = Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations\n* __runtime-analysis-report__ = Report generated by analyzing the call stack of a running application\n* __component-analysis-report__ = Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis\n* __maturity-report__ = Report containing a formal assessment of an organization, business unit, or team against a maturity model\n* __certification-report__ = Industry, regulatory, or other certification from an accredited (if applicable) certification body\n* __quality-metrics__ = Report or system in which quality metrics can be obtained\n* __codified-infrastructure__ = Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)\n* __poam__ = Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".\n* __electronic-signature__ An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name.\n* __digital-signature__ = A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.\n* __other__ = Use this if no other types accurately describe the purpose of the external reference", "enum": [ "vcs", "issue-tracker", @@ -1591,6 +1616,8 @@ "codified-infrastructure", "quality-metrics", "poam", + "electronic-signature", + "digital-signature", "other" ] }, diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 5e218c47..51ed8658 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1402,6 +1402,16 @@ limitations under the License. Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + + + An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. + + + + + A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. + + Use this if no other types accurately describe the purpose of the external reference @@ -5402,70 +5412,923 @@ limitations under the License. - - - - - - Provides additional information about a BOM. - - - - - A list of software and hardware components. - - - - - A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. - - - - - Provides the ability to document external references related to the BOM or - to the project the BOM describes. - - - - - Provides the ability to document dependency relationships. - - - - - Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. - - - - - Provides the ability to document properties in a name/value store. - This provides flexibility to include data not officially supported in the standard - without having to use additional namespaces or create extensions. Property names - of interest to the general public are encouraged to be registered in the - CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. - - - - - Vulnerabilities identified in components or services. - - - - - Comments made by people, organizations, or tools about any object with - a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike - inventory information, annotations may contain opinion or commentary from various - stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, - and may optionally be signed. - - - - - Describes how a component or service was manufactured or deployed. This is - achieved through the use of formulas, workflows, tasks, and steps, which declare the precise - steps to reproduce along with the observed formulas describing the steps which transpired - in the manufacturing process. + + + + + + The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. + + + + + + + + The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment. + + + + + + + + The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor. + + + + + + + The entity issuing the assessment. + + + + + + + + An optional identifier which can be used to reference the object elsewhere in the BOM. + Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of attestations asserted by an assessor that maps requirements to claims. + + + + + + + + An attestation asserted by an assessor that maps requirements to claims. + + + + + + + + The short description explaining the main points of the attestation. + + + + + + + The `bom-ref` to the assessor asserting the attestation. + + + + + + + The grouping of requirements to claims and the attestors declared conformance and confidence thereof. + + + + + + + + The `bom-ref` to the requirement being attested to. + + + + + + + The list of `bom-ref` to the claims being attested to. + + + + + + + + The `bom-ref` to the claim being attested to. + + + + + + + + + + The list of `bom-ref` to the counter claims being attested to. + + + + + + + + The `bom-ref` to the counter claim being attested to. + + + + + + + + + + The conformance of the claim meeting a requirement. + + + + + + + + The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. + + + + + + + + + + + + + The rationale for the score of conformance. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. + + + + + + + + + + + + + + + The confidence of the claim meeting the requirement. + + + + + + + + The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. + + + + + + + + + + + + + The rationale for the confidence score. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + The list of claims. + + + + + + + + + + + The `bom-ref` to a target representing a specific system, application, + API, module, team, person, process, business unit, company, etc... + that this claim is being applied to. + + + + + + + The specific statement or assertion about the target. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. + + + + + + + + + + + + The written explanation of why the evidence provided substantiates the claim. + + + + + + + The list of `bom-ref` to evidence that supports this claim. + + + + + + + The list of `bom-ref` to counterEvidence that supports this claim. + + + + + + Provides the ability to document external references related to the claim the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of evidence + + + + + + + + The list of evidence + + + + + + + + The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/). + + + + + + + The written description of what this evidence is and how it was created. + + + + + + + The output or analysis that supports claims. + + + + + + + + The name of the data. + + + + + + + The contents or references to the contents of the data being described. + + + + + + + An optional way to include textual or encoded data. + + + + + The URL to where the data can be retrieved. + + + + + + + + + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + + + + + + A description of any sensitive data. + + + + + + + + + + The date and time (timestamp) when the evidence was created. + + + + + The optional date and time (timestamp) when the evidence is no longer valid. + + + + + The author of the evidence. + + + + + The reviewer of the evidence. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of targets which claims are made against. + + + + + + + + The list of organizations which claims are made against. + + + + + + + + + + + + The list of components which claims are made against. + + + + + + + + + + + + The list of services which claims are made against. + + + + + + + + + + + + + + + + + + The brief statement affirmed by an individual regarding all declarations. + This could be an affirmation of acceptance by a third-party auditor or receiving + individual of a file. For example: "I certify, to the best of my knowledge, that all information is correct." + + + + + + + The list of signatories authorized on behalf of an organization to assert validity of this document. + + + + + + + + + + + The signatory's name. + + + + + + + The signatory's role within an organization. + + + + + + + The signatory's organization. + + + + + + + An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + + + + + + + + + + + The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + The name of the standard. This will often be a shortened, single name of the standard. + + + + + + + The description of the standard. + + + + + + + The version of the standard. + + + + + + + The owner of the standard, often the entity responsible for its release. + + + + + + + The list of requirements comprising the standard. + + + + + + + + + + + The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref. + + + + + + + The title of the requirement. + + + + + + + The textual content of the requirement. + + + + + + + The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. + + + + + + + + + + + + The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. + + + + + + + + + + + + The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of levels associated with the standard. Some standards have different levels of compliance. + + + + + + + + The identifier used in the standard to identify a specific level. + + + + + + + The title of the level. + + + + + + + The description of the level. + + + + + + + The list of requirement `bom-ref`s that comprise the level. + + + + + + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Provides additional information about a BOM. + + + + + A list of software and hardware components. + + + + + A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. + + + + + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + Vulnerabilities identified in components or services. + + + + + Comments made by people, organizations, or tools about any object with + a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike + inventory information, annotations may contain opinion or commentary from various + stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, + and may optionally be signed. + + + + + Describes how a component or service was manufactured or deployed. This is + achieved through the use of formulas, workflows, tasks, and steps, which declare the precise + steps to reproduce along with the observed formulas describing the steps which transpired + in the manufacturing process. + + + + + + The list of declarations which describe the conformance to standards. Each declaration may + include attestations, claims, and evidence. + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.json b/tools/src/test/resources/1.6/valid-attestation-1.6.json new file mode 100644 index 00000000..c270d49b --- /dev/null +++ b/tools/src/test/resources/1.6/valid-attestation-1.6.json @@ -0,0 +1,209 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "declarations": { + "assessors": [ + { + "bom-ref": "assessor-1", + "thirdParty": true, + "organization": { + "name": "Assessors Inc" + } + } + ], + "attestations": [ + { + "summary": "Attestation summary here", + "assessor": "assessor-1", + "map": [ + { + "requirement": "requirement-1", + "claims": [ "claim-1" ], + "counterClaims": [ "counterClaim-1" ], + "conformance": { + "score": 0.8, + "rationale": "Conformance rationale here", + "mitigationStrategies": [ "mitigationStrategy-1" ] + }, + "confidence": { + "score": 1, + "rationale": "Confidence rationale here" + } + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ], + "claims": [ + { + "bom-ref": "claim-1", + "target": "acme-inc", + "predicate": "Predicate here", + "mitigationStrategies": [ "mitigationStrategy-1" ], + "reasoning": "Reasoning here", + "evidence": [ "evidence-1" ], + "counterEvidence": [ "counterEvidence-1" ], + "externalReferences": [ + { + "type": "issue-tracker", + "url": "https://alm.example.com" + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ], + "evidence": [ + { + "bom-ref": "evidence-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Evidence here", + "contentType": "text/plain" + } + }, + "classification": "PII", + "sensitiveData": [ "Describe sensitive data here" ] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + { + "bom-ref": "counterEvidence-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Counter evidence here", + "contentType": "text/plain" + } + }, + "classification": "Pubic", + "sensitiveData": [ "Describe sensitive data here" ] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + { + "bom-ref": "mitigationStrategy-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Mitigation strategy here", + "contentType": "text/plain" + } + }, + "classification": "Company Confidential", + "sensitiveData": [ "Describe sensitive data here" ] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ], + "targets": { + "organizations": [ + { + "bom-ref": "acme-inc", + "name": "Acme Inc" + } + ] + }, + "affirmation": { + "statement": "I certify, to the best of my knowledge, that all information is correct...", + "signatories": [ + { + "name": "Tom", + "role": "CEO", + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + { + "name": "Jerry", + "role": "COO", + "organization": { + "name": "Acme Inc" + }, + "externalReference": { + "type": "electronic-signature", + "url": "https://example.com/coo-sig.png" + } + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.xml b/tools/src/test/resources/1.6/valid-attestation-1.6.xml new file mode 100644 index 00000000..1dce0ced --- /dev/null +++ b/tools/src/test/resources/1.6/valid-attestation-1.6.xml @@ -0,0 +1,165 @@ + + + + + + false + + Acme Inc + + + + + + Attestation summary here + assessor-1 + + requirement-1 + + claim-1 + + + counterClaim-1 + + + 0.8 + Conformance rationale here + + mitigations-1 + + + + 1 + Confidence rationale here + + + + + + + + + + acme-inc + Predicate here + + mitigationStrategy-1 + + Reasoning here + evidence-1 + counterEvidence-1 + + + https://alm.example.com + + + + + + + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Evidence here + + PII + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Counter evidence here + + Public + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Mitigation strategy here + + Public + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + + + + Acme Inc + + + + + I certify, to the best of my knowledge, that all information is correct... + + + Tom + CEO + + + + + + Jerry + COO + + Acme Inc + + + https://example.com/coo-sig.png + + + + + + + + + + + + + + + \ No newline at end of file From 5be18a145aec7999776f5acbce2ce62516f9708e Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Dec 2023 17:58:35 -0600 Subject: [PATCH 14/19] Added valid standard JSON and XML test cases and minor corrections to schemas. Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 10 +- schema/bom-1.6.xsd | 98 ++++++++++--------- .../resources/1.6/valid-standard-1.6.json | 73 ++++++++++++++ 3 files changed, 130 insertions(+), 51 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.json diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 7ed54830..f9fcc6b4 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4231,16 +4231,16 @@ "title": "Name", "description": "The name of the standard. This will often be a shortened, single name of the standard." }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of the standard." - }, "version": { "type": "string", "title": "Version", "description": "The version of the standard." }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the standard." + }, "owner": { "type": "string", "title": "Owner", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 51ed8658..05748c18 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -6042,17 +6042,17 @@ limitations under the License. - + - The description of the standard. + The version of the standard. - + - The version of the standard. + The description of the standard. @@ -6170,54 +6170,60 @@ limitations under the License. - - - - The identifier used in the standard to identify a specific level. - - - - - - - The title of the level. - - - - - - - The description of the level. - - - - - - - The list of requirement `bom-ref`s that comprise the level. - - + - + + + + The identifier used in the standard to identify a specific level. + + + + + + + The title of the level. + + + + + + + The description of the level. + + + + + + + The list of requirement `bom-ref`s that comprise the level. + + + + + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + - - - - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.json b/tools/src/test/resources/1.6/valid-standard-1.6.json new file mode 100644 index 00000000..b7b1e5fd --- /dev/null +++ b/tools/src/test/resources/1.6/valid-standard-1.6.json @@ -0,0 +1,73 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "definitions": { + "standards": [ + { + "bom-ref": "standard-1", + "name": "Sample Standard", + "version": "1.0.0", + "description": "Description here", + "owner": "Acme Inc", + "requirements": [ + { + "bom-ref": "requirement-1", + "identifier": "v1", + "title": "Title here" + }, + { + "bom-ref": "requirement-1.1", + "identifier": "v1.1", + "title": "Title here", + "parent": "requirement-1" + }, + { + "bom-ref": "requirement-1.1.1", + "identifier": "v1.1.1", + "text": "Text of the requirement here", + "descriptions": [ + "Supplemental text here" + ], + "opencre": [ + "CRE:616-305" + ], + "parent": "requirement-1.1" + } + ], + "levels": [ + { + "bom-ref": "level-1", + "identifier": "Level 1", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + }, + { + "bom-ref": "level-2", + "identifier": "Level 2", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + }, + { + "bom-ref": "level-3", + "identifier": "Level 3", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ] + } +} \ No newline at end of file From 89c0088cd99174c6ebcb4660db776fd51dd11724 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Dec 2023 18:02:06 -0600 Subject: [PATCH 15/19] Added valid standard JSON and XML test cases and minor corrections to schemas. Signed-off-by: Steve Springett --- .../test/resources/1.6/valid-standard-1.6.xml | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.xml diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml new file mode 100644 index 00000000..68272488 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-standard-1.6.xml @@ -0,0 +1,59 @@ + + + + + + Sample Standard + 1.0.0 + Description here + Acme Inc + + + v1 + Title here + + + v1.1 + Title here + requirement-1 + + + v1.1.1 + Text of the requirement here + + Supplemental text here + + CRE:616-305 + requirement-1.1.1 + + + + + Level 1 + Description here + + v1.1.1 + + + + Level 2 + Description here + + v1.1.1 + + + + Level 3 + Description here + + v1.1.1 + + + + + + + + + + \ No newline at end of file From c537c581d615b7e8e4ed485ee44c3aafa54de0a6 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Dec 2023 18:04:25 -0600 Subject: [PATCH 16/19] corrected parent Signed-off-by: Steve Springett --- tools/src/test/resources/1.6/valid-standard-1.6.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml index 68272488..530b3c08 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.xml +++ b/tools/src/test/resources/1.6/valid-standard-1.6.xml @@ -24,7 +24,7 @@ Supplemental text here CRE:616-305 - requirement-1.1.1 + requirement-1.1 From 1bac4d62e6016d3e7faf6d4b7310f4e9e8c9b90d Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Dec 2023 18:05:35 -0600 Subject: [PATCH 17/19] Corrected level ref Signed-off-by: Steve Springett --- tools/src/test/resources/1.6/valid-standard-1.6.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml index 530b3c08..f2cb0119 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.xml +++ b/tools/src/test/resources/1.6/valid-standard-1.6.xml @@ -32,21 +32,21 @@ Level 1 Description here - v1.1.1 + requirement-1.1.1 Level 2 Description here - v1.1.1 + requirement-1.1.1 Level 3 Description here - v1.1.1 + requirement-1.1.1 From 423fefe397e1be4b98f6519936d128f70f7690fa Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 26 Dec 2023 20:15:16 -0600 Subject: [PATCH 18/19] Added protobuf support and test cases Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 197 ++++++++++++++++++ .../1.6/valid-attestation-1.6.textproto | 179 ++++++++++++++++ .../1.6/valid-standard-1.6.textproto | 65 ++++++ 3 files changed, 441 insertions(+) create mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.textproto diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index e6a6c4fe..78eb7698 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -39,6 +39,10 @@ message Bom { repeated Property properties = 12; // Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process. repeated Formula formulation = 13; + // The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence. + repeated Declarations declarations = 14; + // A collection of reusable objects that are defined and may be used elsewhere in the BOM. + repeated Definition definitions = 15; } enum Classification { @@ -263,6 +267,10 @@ enum ExternalReferenceType { EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36; // Describes how a component or service was manufactured or deployed. EXTERNAL_REFERENCE_TYPE_FORMULATION = 37; + // An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. + EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 38; + // A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. + EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 39; } enum HashAlg { @@ -1486,3 +1494,192 @@ message EnvironmentVars { string value = 2; } } + +message Declarations { + message Assessor { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor. + optional bool thirdParty = 2; + // The entity issuing the assessment. + optional OrganizationalEntity organization = 3; + } + message Attestation { + message AttestationMap { + message AttestationConformance { + // The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. + optional double score = 1; + // The rationale for the conformance score. + optional string rationale = 2; + // The list of `bom-ref` to the evidence provided describing the mitigation strategies. + repeated string mitigationStrategies = 3; + } + message AttestationConfidence { + // The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. + optional double score = 1; + // The rationale for the confidence score. + optional string rationale = 2; + } + // The `bom-ref` to the requirement being attested to. + optional string requirement = 1; + // The list of `bom-ref` to the claims being attested to. + repeated string claims = 2; + // The list of `bom-ref` to the counter claims being attested to. + repeated string counterClaims = 3; + // The conformance of the claim meeting a requirement. + optional AttestationConformance conformance = 4; + // The confidence of the claim meeting the requirement. + optional AttestationConfidence confidence = 5; + } + // The short description explaining the main points of the attestation. + optional string summary = 1; + // The `bom-ref` to the assessor asserting the attestation. + optional string assessor = 2; + // The grouping of requirements to claims and the attestors declared conformance and confidence thereof. + repeated AttestationMap map = 3; + } + message Claim { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to. + optional string target = 2; + // The specific statement or assertion about the target. + optional string predicate = 3; + // The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated. + repeated string mitigationStrategies = 4; + // The written explanation of why the evidence provided substantiates the claim. + optional string reasoning = 5; + // The list of `bom-ref` to evidence that supports this claim. + repeated string evidence = 6; + // The list of `bom-ref` to counterEvidence that supports this claim. + repeated string counterEvidence = 7; + // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + repeated ExternalReference externalReferences = 8; + } + message Evidence { + message Data { + message Contents { + // An optional way to include textual or encoded data. + optional AttachedText attachment = 1; + // The URL to where the data can be retrieved. + optional string url = 2; + } + // The name of the data. + optional string name = 1; + // The contents or references to the contents of the data being described. + optional Contents contents = 2; + // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + optional string classification = 3; + // A description of any sensitive data included. + repeated string sensitiveData = 4; + // Data Governance + optional DataGovernance governance = 5; + } + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The reference to the property name as defined in the CycloneDX Property Taxonomy: https://github.com/CycloneDX/cyclonedx-property-taxonomy/. + optional string propertyName = 2; + // The written description of what this evidence is and how it was created. + optional string description = 3; + // The output or analysis that supports claims. + repeated Data data = 4; + // The date and time (timestamp) when the evidence was created. + optional google.protobuf.Timestamp created = 5; + // The optional date and time (timestamp) when the evidence is no longer valid. + optional google.protobuf.Timestamp expires = 6; + // The author of the evidence. + optional OrganizationalContact author = 7; + // The reviewer of the evidence. + optional OrganizationalContact reviewer = 8; + } + message Targets { + // The list of organizations which claims are made against. + repeated OrganizationalEntity organizations = 1; + // The list of components which claims are made against. + repeated Component components = 2; + // The list of services which claims are made against. + repeated Service services = 3; + } + message Affirmation { + message Signatory { + // The signatory's name. + optional string name = 1; + // The signatory's role within an organization. + optional string role = 2; + // The signatory's organization. + optional OrganizationalEntity organization = 3; + // An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + optional ExternalReference externalReference = 4; + } + // The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file. + optional string statement = 1; + // The list of signatories authorized on behalf of an organization to assert validity of this document. + repeated Signatory signatories = 2; + } + // The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. + repeated Assessor assessors = 1; + // The list of attestations asserted by an assessor that maps requirements to claims. + repeated Attestation attestations = 2; + // The list of claims. + repeated Claim claims = 3; + // The list of evidence + repeated Evidence evidence = 4; + // The list of targets which claims are made against. + optional Targets targets = 5; + // affirmation + optional Affirmation affirmation = 6; +} + +message Definition { + message Standard { + message Requirement { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref. + optional string identifier = 2; + // The title of the requirement. + optional string title = 3; + // The textual content of the requirement. + optional string text = 4; + // The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. + repeated string descriptions = 5; + // The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. + repeated string opencre = 6; + // The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. + optional string parent = 7; + // Specifies optional, custom, properties + repeated Property properties = 8; + // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + repeated ExternalReference externalReferences = 9; + } + message Level { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The identifier used in the standard to identify a specific level. + optional string identifier = 2; + // The title of the level. + optional string title = 3; + // The description of the level. + optional string description = 4; + // The list of requirement `bom-ref`s that comprise the level. + repeated string requirements = 5; + } + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The name of the standard. This will often be a shortened, single name of the standard. + optional string name = 2; + // The version of the standard. + optional string version = 3; + // The description of the standard. + optional string description = 4; + // The owner of the standard, often the entity responsible for its release. + optional string owner = 5; + // The list of requirements comprising the standard. + repeated Requirement requirements = 6; + // The list of levels associated with the standard. Some standards have different levels of compliance. + repeated Level levels = 7; + // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + repeated ExternalReference externalReferences = 8; + } + repeated Standard standards = 1; +} diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.textproto b/tools/src/test/resources/1.6/valid-attestation-1.6.textproto new file mode 100644 index 00000000..ca16cf57 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-attestation-1.6.textproto @@ -0,0 +1,179 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +declarations: { + assessors: [ + { + bom_ref: "assessor-1" + thirdParty: true + organization: { + name: "Assessors Inc" + } + } + ] + attestations: [ + { + summary: "Attestation summary here" + assessor: "assessor-1" + map: [ + { + requirement: "requirement-1" + claims: [ "claim-1" ] + counterClaims: [ "counterClaim-1" ] + conformance: { + score: 0.8, + rationale: "Conformance rationale here", + mitigationStrategies: [ "mitigationStrategy-1" ] + } + confidence: { + score: 1, + rationale: "Confidence rationale here" + } + } + ] + } + ], + claims: [ + { + bom_ref: "claim-1" + target: "acme-inc" + predicate: "Predicate here" + mitigationStrategies: [ "mitigationStrategy-1" ] + reasoning: "Reasoning here" + evidence: [ "evidence-1" ] + counterEvidence: [ "counterEvidence-1" ] + externalReferences: [ + { + type: EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER, + url: "https://alm.example.com" + } + ] + } + ] + evidence: [ + { + bom_ref: "evidence-1" + propertyName: "internal.com.acme.someProperty" + description: "Description here" + data: [ + { + name: "Name of the data" + contents: { + attachment: { + content_type: "text/plain" + value: "Evidence here" + } + } + classification: "PII", + sensitiveData: [ "Describe sensitive data here" ] + } + ] + created { + seconds: 1714003200 + nanos: 0 + } + expires { + seconds: 1712102400 + nanos: 0 + } + author: { + name: "Mary" + } + reviewer: { + name: "Jane" + } + }, + { + bom_ref: "counterEvidence-1" + propertyName: "internal.com.acme.someProperty" + description: "Description here" + data: [ + { + name: "Name of the data" + contents: { + attachment: { + content_type: "text/plain" + value: "Counter evidence here" + } + } + classification: "Pubic" + sensitiveData: [ "Describe sensitive data here" ] + } + ] + created { + seconds: 1714003200 + nanos: 0 + } + expires { + seconds: 1712102400 + nanos: 0 + } + author: { + name: "Mary" + } + reviewer: { + name: "Jane" + } + }, + { + bom_ref: "mitigationStrategy-1" + propertyName: "internal.com.acme.someProperty" + description: "Description here" + data: [ + { + name: "Name of the data" + contents: { + attachment: { + content_type: "text/plain" + value: "Mitigation strategy here" + } + } + classification: "Company Confidential" + sensitiveData: [ "Describe sensitive data here" ] + } + ] + created { + seconds: 1714003200 + nanos: 0 + } + expires { + seconds: 1712102400 + nanos: 0 + } + author: { + name: "Mary" + } + reviewer: { + name: "Jane" + } + } + ], + targets: { + organizations: [ + { + bom_ref: "acme-inc" + name: "Acme Inc" + } + ] + } + affirmation: { + statement: "I certify, to the best of my knowledge, that all information is correct..." + signatories: [ + { + name: "Tom" + role: "CEO" + }, + { + name: "Jerry" + role: "COO" + organization: { + name: "Acme Inc" + } + externalReference: { + type: EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE + url: "https://example.com/coo-sig.png" + } + } + ] + } +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.textproto b/tools/src/test/resources/1.6/valid-standard-1.6.textproto new file mode 100644 index 00000000..a9a68bc7 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-standard-1.6.textproto @@ -0,0 +1,65 @@ +spec_version: "1.6", +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +definitions { + standards: [ + { + bom_ref: "standard-1" + name: "Sample Standard" + version: "1.0.0" + description: "Description here" + owner: "Acme Inc" + requirements: [ + { + bom_ref: "requirement-1" + identifier: "v1" + title: "Title here" + }, + { + bom_ref: "requirement-1.1" + identifier: "v1.1" + title: "Title here" + parent: "requirement-1" + }, + { + bom_ref: "requirement-1.1.1" + identifier: "v1.1.1" + text: "Text of the requirement here" + descriptions: [ + "Supplemental text here" + ] + opencre: [ + "CRE:616-305" + ], + parent: "requirement-1.1" + } + ] + levels: [ + { + bom_ref: "level-1" + identifier: "Level 1" + description: "Description here" + requirements: [ + "requirement-1.1.1" + ] + }, + { + bom_ref: "level-2" + identifier: "Level 2" + description: "Description here" + requirements: [ + "requirement-1.1.1" + ] + }, + { + bom_ref: "level-3" + identifier: "Level 3" + description: "Description here" + requirements: [ + "requirement-1.1.1" + ] + } + ] + } + ] +} \ No newline at end of file From b2033e0b708d2f7e74bc0f766c3bf79caca4669a Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sat, 13 Jan 2024 22:53:40 -0600 Subject: [PATCH 19/19] Changed opencre to openCre Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.schema.json | 2 +- schema/bom-1.6.xsd | 2 +- tools/src/test/resources/1.6/valid-standard-1.6.json | 2 +- tools/src/test/resources/1.6/valid-standard-1.6.textproto | 2 +- tools/src/test/resources/1.6/valid-standard-1.6.xml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 78eb7698..ca17a107 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1644,7 +1644,7 @@ message Definition { // The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. repeated string descriptions = 5; // The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. - repeated string opencre = 6; + repeated string openCre = 6; // The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. optional string parent = 7; // Specifies optional, custom, properties diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f9fcc6b4..b4fd4ca6 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4281,7 +4281,7 @@ "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", "items": { "type": "string" } }, - "opencre": { + "openCre": { "type": "array", "title": "OWASP OpenCRE Identifier(s)", "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 05748c18..dcb729dc 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -6107,7 +6107,7 @@ limitations under the License. - + The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.json b/tools/src/test/resources/1.6/valid-standard-1.6.json index b7b1e5fd..ad6b4bab 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.json +++ b/tools/src/test/resources/1.6/valid-standard-1.6.json @@ -30,7 +30,7 @@ "descriptions": [ "Supplemental text here" ], - "opencre": [ + "openCre": [ "CRE:616-305" ], "parent": "requirement-1.1" diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.textproto b/tools/src/test/resources/1.6/valid-standard-1.6.textproto index a9a68bc7..65b90e2a 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-standard-1.6.textproto @@ -28,7 +28,7 @@ definitions { descriptions: [ "Supplemental text here" ] - opencre: [ + openCre: [ "CRE:616-305" ], parent: "requirement-1.1" diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml index f2cb0119..7a36430a 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.xml +++ b/tools/src/test/resources/1.6/valid-standard-1.6.xml @@ -23,7 +23,7 @@ Supplemental text here - CRE:616-305 + CRE:616-305 requirement-1.1