1.6 dev attestations #348

Merged
merged 25 commits into from
Jan 14, 2024
Merged
de4193c
Initial checkin of 1.6 attestation support
stevespringett Jul 11, 2023
2a62ac3
Updates at the end of todays call
Aug 1, 2023
4a64108
Moved standards out from declarations into definitions.
stevespringett Aug 28, 2023
d7d1890
Merge remote-tracking branch 'origin/1.6-dev-attestations' into 1.6-d…
stevespringett Aug 28, 2023
53ff77d
Removing invalid types
stevespringett Aug 29, 2023
f73a14a
adding missing type
stevespringett Aug 29, 2023
e70a6e3
Added missing type
stevespringett Aug 29, 2023
8f86882
Added missing type
stevespringett Aug 29, 2023
52506bb
Correcting object type
stevespringett Aug 29, 2023
8f0557e
Added descriptions that were developed by the working group. Minor ch…
stevespringett Sep 26, 2023
1fde9ff
Updates as of todays working group
Sep 26, 2023
d854c03
Added properties and description array as a result of todays meeting
stevespringett Oct 4, 2023
41fc736
Merge remote-tracking branch 'origin/1.6-dev-attestations' into 1.6-d…
stevespringett Oct 4, 2023
f3d54da
Updated CRE support based on conversation with CRE project.
stevespringett Oct 10, 2023
e8ae437
Merge branch '1.6-dev' into 1.6-dev-attestations
jkowalleck Nov 28, 2023
0a54c3d
Merge branch '1.6-dev' into 1.6-dev-attestations
jkowalleck Dec 15, 2023
29a9a7d
Added attestation support to XSD and added JSON and XML test cases.
stevespringett Dec 21, 2023
7b6c563
Merge remote-tracking branch 'origin/1.6-dev-attestations' into 1.6-d…
stevespringett Dec 21, 2023
5be18a1
Added valid standard JSON and XML test cases and minor corrections to…
stevespringett Dec 21, 2023
89c0088
Added valid standard JSON and XML test cases and minor corrections to…
stevespringett Dec 22, 2023
c537c58
corrected parent
stevespringett Dec 22, 2023
1bac4d6
Corrected level ref
stevespringett Dec 22, 2023
423fefe
Added protobuf support and test cases
stevespringett Dec 27, 2023
b2033e0
Changed opencre to openCre
stevespringett Jan 14, 2024
4ff0242
Merge branch '1.6-dev' into 1.6-dev-attestations
stevespringett Jan 14, 2024
197 changes: 197 additions & 0 deletions schema/bom-1.6.proto
Expand Up @@ -39,6 +39,10 @@ message Bom {
repeated Property properties = 12;
// Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process.
repeated Formula formulation = 13;
// The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.
repeated Declarations declarations = 14;
// A collection of reusable objects that are defined and may be used elsewhere in the BOM.
repeated Definition definitions = 15;
}

enum Classification {
Expand Down Expand Up @@ -265,6 +269,10 @@ enum ExternalReferenceType {
EXTERNAL_REFERENCE_TYPE_FORMULATION = 37;
// URL to a source archive.
EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION = 38;
// An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name.
EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 39;
// A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.
EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40;
}

enum HashAlg {
Expand Down Expand Up @@ -1488,3 +1496,192 @@ message EnvironmentVars {
string value = 2;
}
}

message Declarations {
message Assessor {
// An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 1;
// The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor.
optional bool thirdParty = 2;
// The entity issuing the assessment.
optional OrganizationalEntity organization = 3;
}
message Attestation {
message AttestationMap {
message AttestationConformance {
// The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance.
optional double score = 1;
// The rationale for the conformance score.
optional string rationale = 2;
// The list of `bom-ref` to the evidence provided describing the mitigation strategies.
repeated string mitigationStrategies = 3;
}
message AttestationConfidence {
// The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence.
optional double score = 1;
// The rationale for the confidence score.
optional string rationale = 2;
}
// The `bom-ref` to the requirement being attested to.
optional string requirement = 1;
// The list of `bom-ref` to the claims being attested to.
repeated string claims = 2;
// The list of `bom-ref` to the counter claims being attested to.
repeated string counterClaims = 3;
// The conformance of the claim meeting a requirement.
optional AttestationConformance conformance = 4;
// The confidence of the claim meeting the requirement.
optional AttestationConfidence confidence = 5;
}
// The short description explaining the main points of the attestation.
optional string summary = 1;
// The `bom-ref` to the assessor asserting the attestation.
optional string assessor = 2;
// The grouping of requirements to claims and the attestors declared conformance and confidence thereof.
repeated AttestationMap map = 3;
}
message Claim {
// An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 1;
// The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to.
optional string target = 2;
// The specific statement or assertion about the target.
optional string predicate = 3;
// The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.
repeated string mitigationStrategies = 4;
// The written explanation of why the evidence provided substantiates the claim.
optional string reasoning = 5;
// The list of `bom-ref` to evidence that supports this claim.
repeated string evidence = 6;
// The list of `bom-ref` to counterEvidence that supports this claim.
repeated string counterEvidence = 7;
// External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
repeated ExternalReference externalReferences = 8;
}
message Evidence {
message Data {
message Contents {
// An optional way to include textual or encoded data.
optional AttachedText attachment = 1;
// The URL to where the data can be retrieved.
optional string url = 2;
}
// The name of the data.
optional string name = 1;
// The contents or references to the contents of the data being described.
optional Contents contents = 2;
// Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
optional string classification = 3;
// A description of any sensitive data included.
repeated string sensitiveData = 4;
// Data Governance
optional DataGovernance governance = 5;
}
// An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 1;
// The reference to the property name as defined in the CycloneDX Property Taxonomy: https://github.com/CycloneDX/cyclonedx-property-taxonomy/.
optional string propertyName = 2;
// The written description of what this evidence is and how it was created.
optional string description = 3;
// The output or analysis that supports claims.
repeated Data data = 4;
// The date and time (timestamp) when the evidence was created.
optional google.protobuf.Timestamp created = 5;
// The optional date and time (timestamp) when the evidence is no longer valid.
optional google.protobuf.Timestamp expires = 6;
// The author of the evidence.
optional OrganizationalContact author = 7;
// The reviewer of the evidence.
optional OrganizationalContact reviewer = 8;
}
message Targets {
// The list of organizations which claims are made against.
repeated OrganizationalEntity organizations = 1;
// The list of components which claims are made against.
repeated Component components = 2;
// The list of services which claims are made against.
repeated Service services = 3;
}
message Affirmation {
message Signatory {
// The signatory's name.
optional string name = 1;
// The signatory's role within an organization.
optional string role = 2;
// The signatory's organization.
optional OrganizationalEntity organization = 3;
// An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
optional ExternalReference externalReference = 4;
}
// The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.
optional string statement = 1;
// The list of signatories authorized on behalf of an organization to assert validity of this document.
repeated Signatory signatories = 2;
}
// The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.
repeated Assessor assessors = 1;
// The list of attestations asserted by an assessor that maps requirements to claims.
repeated Attestation attestations = 2;
// The list of claims.
repeated Claim claims = 3;
// The list of evidence
repeated Evidence evidence = 4;
// The list of targets which claims are made against.
optional Targets targets = 5;
// affirmation
optional Affirmation affirmation = 6;
}

message Definition {
message Standard {
message Requirement {
// An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 1;
// The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref.
optional string identifier = 2;
// The title of the requirement.
optional string title = 3;
// The textual content of the requirement.
optional string text = 4;
// The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.
repeated string descriptions = 5;
// The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.
repeated string openCre = 6;
// The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents.
optional string parent = 7;
// Specifies optional, custom, properties
repeated Property properties = 8;
// External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
repeated ExternalReference externalReferences = 9;
}
message Level {
// An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 1;
// The identifier used in the standard to identify a specific level.
optional string identifier = 2;
// The title of the level.
optional string title = 3;
// The description of the level.
optional string description = 4;
// The list of requirement `bom-ref`s that comprise the level.
repeated string requirements = 5;
}
// An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 1;
// The name of the standard. This will often be a shortened, single name of the standard.
optional string name = 2;
// The version of the standard.
optional string version = 3;
// The description of the standard.
optional string description = 4;
// The owner of the standard, often the entity responsible for its release.
optional string owner = 5;
// The list of requirements comprising the standard.
repeated Requirement requirements = 6;
// The list of levels associated with the standard. Some standards have different levels of compliance.
repeated Level levels = 7;
// External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
repeated ExternalReference externalReferences = 8;
}
repeated Standard standards = 1;
}
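Review bot: The closing field of `Definition`, `repeated Standard standards = 1;`, is the only field in this hunk with no leading comment, and `// The list of evidence`, `// Data Governance` and `// affirmation` are placeholders rather than descriptions; protoc attaches the leading comment to the element, so a line such as `// The list of standards whose requirements and levels are referenced by bom-ref from declarations.` would carry through to generated code and docs. Field naming is also mixed inside single messages: `bom_ref` is snake_case while `thirdParty`, `mitigationStrategies`, `counterClaims`, `counterEvidence`, `sensitiveData`, `propertyName`, `openCre` and `externalReferences` are lowerCamelCase; protobuf's JSON mapping already lowerCamelCases snake_case names, so `third_party` would still serialize as `thirdParty`, and whichever convention the rest of bom-1.6.proto uses (not visible here) should be applied uniformly before these numbers ship. In the first hunk, `repeated Declarations declarations = 14;` and `repeated Definition definitions = 15;` make messages that are themselves list containers repeated, so a consumer receives a list of lists; if the JSON schema models these as single objects, `optional Declarations declarations = 14;` and `optional Definition definitions = 15;` is the shape to settle now, since field numbers 14 and 15 cannot be reinterpreted once published. Separately, `repeated AttestationMap map = 3;` uses `map` as a field name, which protoc accepts but which yields awkward accessors in some target languages; `requirement_map` or `mappings` would read more clearly.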