v1.6 #323

Merged: stevespringett merged 285 commits into master from 1.6-dev on Apr 9, 2024

Conversation

@jkowalleck (Member) commented Oct 15, 2023

Added

  • Core enhancement: Attestation (#192 via #348)
  • Core enhancement: Cryptography Bill of Materials — CBOM (#171, #291 via #347)
  • Feature to express the URL to source distribution (#98 via #269)
  • Feature to express the URL to RFC 9116 compliant documents (#380 via #381)
  • Feature to express tags/keywords for services and components (via #383)
  • Feature to express details for component authors (#335 via #379)
  • Feature to express details for component and BOM manufacturer (#346 via #379)
  • Feature to express concluded values from observed evidence (#411 via #412)
  • Features to express license acknowledgement (#407 via #408)
  • Feature to express environmental consideration information for model cards (#396 via #395)
  • Feature to express the address of organizational entities (via #395)
  • Feature to express additional component identifiers: Universal Bill Of Receipts Identifier and Software Heritage persistent IDs (#413 via #414)

Fixed

  • Allow multiple evidence identities by XML/JSON schema (#272 via #359)
    This was already correct via ProtoBuf schema.
  • Prevent empty license entities by XML schema (#288 via #292)
    This was already correct in JSON/ProtoBuf schema.
  • Prevent empty or malformed property entities by JSON schema (#371 via #375)
    This was already correct in XML/ProtoBuf schema.
  • Allow multiple licenses in Metadata by ProtoBuf schema (#264 via #401)
    This was already correct in XML/JSON schema.

Changed

  • Allow arbitrary $schema values by JSON schema (#402 via #403)
  • Increased max length of versionRange (via 3e01ce6)
  • Harmonized length of version (via #417)

Deprecated

  • Data model "Component"'s field author was deprecated. (via #379)
    Use field authors or field manufacturer instead.
  • Data model "Metadata"'s field manufacture was deprecated. (#346 via #379)
    Use "Metadata"'s field component's field manufacturer instead.
    • for XML: /bom/metadata/component/manufacturer
    • for JSON: $.metadata.component.manufacturer
    • for ProtoBuf: Bom:metadata.component.manufacturer

Documentation

  • Centralize version and version-range (via #322)
  • Streamlined SPDX expression related descriptions (via #327)
  • Enhanced descriptions of bom-ref/refType (#336 via #344)
  • Enhanced readability of enum documentation in JSON schema (#361 via #362)
  • Fixed typo "compliment" -> "complement" (via #369)
  • Added documentation for enum "ComponentScope"'s values in JSON schema (#293 via d92e58e)
    Texts were taken from the existing ones in XML/ProtoBuf schema.
  • Added documentation for enum "TaskType"'s values (#245 via #377)
  • Improved documentation for data model "Metadata"'s field licenses (#273 via #378)
  • Added documentation for enum "MachineLearningApproachType"'s values (#351 via #416)
  • Rephrased some texts here and there.

Test data

  • Added test data for newly added use cases
  • Added quality assurance for our ProtoBuf schemas (#384 via #385)
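For the two deprecations listed above, the practical question for a tool author is how to move a 1.5 JSON BOM onto the new paths without silently losing data. The following is an added example, not code from the CycloneDX project: the helper names (`migrate_deprecated_fields`, `walk_components`) and the sample BOM are constructed for this illustration; only the target paths `metadata.component.manufacturer` and `component.authors` come from the PR description.

```python
"""Migrate the two fields CycloneDX 1.6 deprecates in a JSON BOM.

Added example, not CycloneDX project code. The sample BOM and the helper
names are constructed for this illustration; the target paths are the ones
the PR description gives.
"""
import copy


def walk_components(bom):
    """Yield (path, component) for metadata.component, every entry of
    bom.components, and their nested components (depth-first)."""
    stack = []
    meta_comp = bom.get("metadata", {}).get("component")
    if meta_comp is not None:
        stack.append(("metadata.component", meta_comp))
    for i, comp in enumerate(bom.get("components", [])):
        stack.append((f"components[{i}]", comp))
    while stack:
        path, comp = stack.pop()
        yield path, comp
        for i, sub in enumerate(comp.get("components", [])):
            stack.append((f"{path}.components[{i}]", sub))


def migrate_deprecated_fields(bom):
    """Return (migrated_bom, notes).

    - metadata.manufacture  -> metadata.component.manufacturer
    - <component>.author    -> <component>.authors (one contact, name = old text)

    Nothing that already has a value is overwritten; such cases are left
    untouched and reported in `notes` so a human can resolve them.
    """
    bom = copy.deepcopy(bom)
    notes = []

    meta = bom.get("metadata", {})
    if "manufacture" in meta:
        comp = meta.get("component")
        if comp is None:
            # A bare {} would not be a valid component (type and name are
            # required), so do not fabricate one just to hold the manufacturer.
            notes.append("metadata.manufacture: no metadata.component to move it to")
        elif "manufacturer" in comp and comp["manufacturer"] != meta["manufacture"]:
            notes.append("metadata.manufacture: conflicts with existing metadata.component.manufacturer")
        else:
            comp["manufacturer"] = meta.pop("manufacture")
            notes.append("moved metadata.manufacture -> metadata.component.manufacturer")

    for path, comp in walk_components(bom):
        if "author" not in comp:
            continue
        if "authors" in comp:
            notes.append(f"{path}.author: authors already present, left as is")
            continue
        # The old field was free text; keep it whole as a single contact name
        # rather than guessing at how to split several names.
        comp["authors"] = [{"name": comp.pop("author")}]
        notes.append(f"moved {path}.author -> {path}.authors")

    # The new fields only exist from 1.6 on, so the result must claim that version.
    bom["specVersion"] = "1.6"
    return bom, notes


# Constructed 1.5-style input that exercises every branch above.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "manufacture": {"name": "Example Corp"},
        "component": {"type": "application", "name": "app", "author": "Alice"},
    },
    "components": [
        {"type": "library", "name": "liba", "author": "Bob, Carol",
         "components": [{"type": "library", "name": "libb", "author": "Dave"}]},
        {"type": "library", "name": "libc", "author": "Erin",
         "authors": [{"name": "Erin"}]},
    ],
}

if __name__ == "__main__":
    migrated, notes = migrate_deprecated_fields(SAMPLE_BOM)
    print("\n".join(notes))
```

The conflict branches matter more than the happy path: a BOM that already carries `authors` next to `author`, or a `metadata.manufacture` with no `metadata.component` to attach it to, is left alone and reported rather than guessed at, and the input object is never mutated.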

@jkowalleck added this to the 1.6 milestone Oct 15, 2023
jkowalleck and others added 19 commits October 15, 2023 13:08
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
This PR follows our CBOM WG call from Oct 12. It removes the
`detectionContext` property from components and merges them with
`componentEvidence`. The following properties are added to evidence:
- `lineNumber`
- `offset`
- `symbol`
- `additionalContext`

The plan is to make a separate proposal/PR for `keyword`

The PR also removes the extra fields for confidence levels since they
are already covered by `componentEvidence`.

Tagging @stevespringett @n1ckl0sk0rtge @mrutkows
This addresses the use case described in IBM/CBOM#31:
- Expiry and life cycle of any relatedCryptoMaterial (e.g. keys, tokens,
password) should be expressible.

This is done by merging the "key" asset type and "relatedCryptoMaterial"
into "relatedCryptoMaterial", which contains the needed properties.
Goal: improve documentation by consolidating elements regarding
"version".
Pure refactoring: no functionality was added, removed, or changed.


- [x] consolidate `version`
- [x] consolidate `range`
- [x] rename `range` definition to `version-range`
- [x] add more examples
- [x] review rendered documentation
The new property 'parameterSetIdentifier' replaces 'variant' and
contains information about the parameter set identifying an algorithm.
This can be, for example, the key length (in AES), the digest length (in
SHA2), or the hash algorithm used internally (in SLH-DSA / FIPS205). The
"description" field contains some examples.

This PR is motivated by IBM/CBOM#37 and intends to address its use case.

Tagging @stevespringett, @n1ckl0sk0rtge, @mrutkows, @GeroDittmann
Signed-off-by: steve.springett <[email protected]>
Signed-off-by: andreas hilti <[email protected]>
Move comment in `$comment` to description for increased visibility.

Closes: #336
@jkowalleck linked an issue Nov 27, 2023 that may be closed by this pull request
jkowalleck and others added 8 commits November 28, 2023 19:07
Reviews the description fields and addresses my TODOs.
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Adds 'combiner' as enum entry in 'primitive'.

Addresses the use case when combinations of (e.g.) classical crypto like
RSA are used together with QSC like Dilithium. An entry of this primitive
allows expressing the combiner used. Adding dependencies to
RSA/Dilithium then allows expressing the algorithms used in the
combiner. Note: "combiners" are also known as "hybrids", but this term
can be ambiguous so I prefer the term combiner.
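The commit describes the combiner as a component whose constituent algorithms are expressed through the BOM's dependency graph, which means a consumer has to resolve that graph to learn what was actually combined. The following is an added example of doing so, not code from the CycloneDX project or the commit author: the BOM is constructed, the helper names are the example's own, and the component type `cryptographic-asset` plus the field names under `cryptoProperties` are taken from CycloneDX 1.6 as I know it rather than from lines quoted on this page.

```python
"""Resolve what a CBOM 'combiner' primitive combines by following the
dependency graph, as the combiner commit describes.

Added example, not CycloneDX project code. CBOM below is constructed; the
component type "cryptographic-asset", cryptoProperties.assetType,
algorithmProperties.primitive and algorithmProperties.parameterSetIdentifier
are assumed to be the CycloneDX 1.6 field names.
"""

# Constructed CBOM: a hybrid signature combining RSA and Dilithium, where RSA
# in turn depends on SHA2. One dangling ref is included on purpose.
CBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "RSA+Dilithium hybrid signature",
         "bom-ref": "crypto/hybrid-sig",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "combiner"}}},
        {"type": "cryptographic-asset", "name": "RSA", "bom-ref": "crypto/rsa-3072",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "signature",
                                                      "parameterSetIdentifier": "3072"}}},
        {"type": "cryptographic-asset", "name": "Dilithium", "bom-ref": "crypto/dilithium-3",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "signature",
                                                      "parameterSetIdentifier": "Dilithium3"}}},
        {"type": "cryptographic-asset", "name": "SHA2", "bom-ref": "crypto/sha2-256",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "hash",
                                                      "parameterSetIdentifier": "256"}}},
    ],
    "dependencies": [
        {"ref": "crypto/hybrid-sig",
         "dependsOn": ["crypto/rsa-3072", "crypto/dilithium-3", "crypto/missing"]},
        {"ref": "crypto/rsa-3072", "dependsOn": ["crypto/sha2-256"]},
    ],
}


def index_by_ref(bom):
    """bom-ref -> component, for every component that carries a bom-ref."""
    return {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}


def dependency_map(bom):
    """ref -> refs it depends on, from the top-level dependencies array."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}


def is_algorithm(component):
    return (component.get("cryptoProperties") or {}).get("assetType") == "algorithm"


def algorithm_properties(component):
    return (component.get("cryptoProperties") or {}).get("algorithmProperties") or {}


def combiner_constituents(bom):
    """Map each combiner's bom-ref to its direct constituent algorithms as
    (bom-ref, primitive, parameterSetIdentifier) triples. Refs that resolve to
    nothing, or to something that is not an algorithm, go under 'unresolved'."""
    components, deps = index_by_ref(bom), dependency_map(bom)
    result = {}
    for ref, comp in components.items():
        if not is_algorithm(comp) or algorithm_properties(comp).get("primitive") != "combiner":
            continue
        constituents, unresolved = [], []
        for dep_ref in deps.get(ref, []):
            dep = components.get(dep_ref)
            if dep is None or not is_algorithm(dep):
                unresolved.append(dep_ref)
                continue
            props = algorithm_properties(dep)
            constituents.append((dep_ref, props.get("primitive"), props.get("parameterSetIdentifier")))
        result[ref] = {"constituents": constituents, "unresolved": unresolved}
    return result


def transitive_algorithms(bom, ref):
    """Every algorithm reachable from `ref` via dependencies (DFS, cycle-safe)."""
    components, deps = index_by_ref(bom), dependency_map(bom)
    seen, found, stack = set(), [], list(deps.get(ref, []))
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        comp = components.get(current)
        if comp is not None and is_algorithm(comp):
            found.append(current)
        stack.extend(deps.get(current, []))
    return found


if __name__ == "__main__":
    for ref, info in combiner_constituents(CBOM).items():
        print(ref, info)
        print("  transitive:", transitive_algorithms(CBOM, ref))
```

A combiner with an empty `constituents` list, or with entries under `unresolved`, is a BOM that names a hybrid without saying what it is made of, which is exactly the gap the dependency edges are meant to close.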
@jkowalleck marked this pull request as ready for review April 5, 2024 10:54
@jkowalleck requested a review from a team as a code owner April 5, 2024 10:54
Review comment on schema/bom-1.6.xsd, at these lines:

<xs:annotation>
<xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst</xs:documentation>
</xs:annotation>
</xs:element>

Wrong place annotated.

@madpah commented Apr 5, 2024

@jkowalleck - .cryptoProperties.assetType is optional currently in XSD - see here:
<xs:element name="assetType" minOccurs="0" maxOccurs="1">

Which leaves the entirety of .cryptoProperties optional, which seems incorrect to me.

@madpah commented Apr 5, 2024

@jkowalleck - .cryptoProperties.protocolProperties.version has no type in the XSD here, but is defined as a String under the JSON schema:

<xs:element name="version" minOccurs="0" maxOccurs="1">

@madpah commented Apr 5, 2024

@jkowalleck .cryptoProperties.protocolProperties.ikev2TransformTypes.esn is defined as a boolean occurring 0 or more times in XSD, but as an optional (singular) boolean in JSON schema.

See XSD here
<xs:element name="esn" type="xs:boolean" minOccurs="0" maxOccurs="unbounded">

@stevespringett (Member) commented

> @jkowalleck - .cryptoProperties.assetType is optional currently in XSD - see here: <xs:element name="assetType" minOccurs="0" maxOccurs="1">
>
> Which leaves the entirety of .cryptoProperties optional, which seems incorrect to me.

@madpah thanks. This has been corrected in 2bb8bae

Signed-off-by: Steve Springett <[email protected]>
@stevespringett (Member) commented

> @jkowalleck - .cryptoProperties.protocolProperties.version has no type in the XSD here, but is defined as a String under the JSON schema:
>
> <xs:element name="version" minOccurs="0" maxOccurs="1">

@madpah Not really an issue, but I did make this explicit in f5d959b

Signed-off-by: Steve Springett <[email protected]>
@stevespringett (Member) commented

> @jkowalleck .cryptoProperties.protocolProperties.ikev2TransformTypes.esn is defined as a boolean occurring 0 or more times in XSD, but as an optional (singular) boolean in JSON schema.
>
> See XSD here <xs:element name="esn" type="xs:boolean" minOccurs="0" maxOccurs="unbounded">

@madpah Nice catch. Corrected in d278e70

Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
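The three findings above (an untyped XSD element, and an element that is unbounded in XSD but a single boolean in JSON) are the kind of drift a mechanical cross-check catches before a human reviewer has to. The following is an added example of such a check, not CycloneDX tooling: the XSD and JSON excerpts are constructed to mirror the lines quoted in this thread rather than copied from the real bom-1.6 schemas, and the function names are the example's own. It also handles the CycloneDX XSD convention of wrapping a list in a singular element, so that convention is not itself reported as a mismatch.

```python
"""Cross-check element cardinality and typing between an XSD complexType and
the matching JSON-schema properties.

Added example, not CycloneDX project code. XSD_EXCERPT and JSON_PROPERTIES
are constructed to mirror the lines quoted in the thread, not the real
bom-1.6 schemas.
"""
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

XSD_EXCERPT = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:complexType name="protocolProperties">
    <xs:sequence>
      <xs:element name="type" type="xs:string" minOccurs="0" maxOccurs="1"/>
      <xs:element name="version" minOccurs="0" maxOccurs="1"/>
      <xs:element name="esn" type="xs:boolean" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="cipherSuites" minOccurs="0" maxOccurs="1">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="cipherSuite" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
</xs:schema>
"""

# The same four properties as a JSON-schema "properties" object.
JSON_PROPERTIES = {
    "type": {"type": "string"},
    "version": {"type": "string"},
    "esn": {"type": "boolean"},
    "cipherSuites": {"type": "array", "items": {"type": "string"}},
}


def xsd_shape(element):
    """Return (is_array, type_name) for an xs:element.

    CycloneDX XSDs express lists as a wrapper element (maxOccurs="1") holding
    one child with maxOccurs="unbounded"; JSON has the array directly, so the
    wrapper counts as the array here.
    """
    if element.get("maxOccurs") == "unbounded":
        return True, element.get("type")
    seq = element.find(f"{XS}complexType/{XS}sequence")
    if seq is not None:
        children = seq.findall(f"{XS}element")
        if len(children) == 1 and children[0].get("maxOccurs") == "unbounded":
            return True, children[0].get("type")
        return False, "complexType"
    if element.find(f"{XS}simpleType") is not None:
        return False, "simpleType"
    return False, element.get("type")


def compare_schemas(xsd_text, json_properties, complex_type_name):
    """Return a list of human-readable mismatches for one XSD complexType."""
    root = ET.fromstring(xsd_text)
    ct = root.find(f"{XS}complexType[@name='{complex_type_name}']")
    if ct is None:
        raise ValueError(f"complexType {complex_type_name!r} not found")
    findings = []
    for element in ct.find(f"{XS}sequence").findall(f"{XS}element"):
        name = element.get("name")
        is_array, xsd_type = xsd_shape(element)
        if xsd_type is None:
            # No type attribute and no inline type: the XSD accepts anything here.
            findings.append(f"{name}: XSD element has no type")
        json_prop = json_properties.get(name)
        if json_prop is None:
            findings.append(f"{name}: missing from JSON schema")
            continue
        if is_array != (json_prop.get("type") == "array"):
            findings.append(
                f"{name}: XSD {'array' if is_array else 'scalar'} vs JSON {json_prop.get('type')}"
            )
    for name in json_properties:
        if ct.find(f"{XS}sequence/{XS}element[@name='{name}']") is None:
            findings.append(f"{name}: missing from XSD")
    return findings


# What the fix looks like: esn becomes singular, version gets an explicit type.
XSD_FIXED = XSD_EXCERPT.replace(
    'name="esn" type="xs:boolean" minOccurs="0" maxOccurs="unbounded"',
    'name="esn" type="xs:boolean" minOccurs="0" maxOccurs="1"',
).replace(
    '<xs:element name="version" minOccurs="0" maxOccurs="1"/>',
    '<xs:element name="version" type="xs:string" minOccurs="0" maxOccurs="1"/>',
)

if __name__ == "__main__":
    for line in compare_schemas(XSD_EXCERPT, JSON_PROPERTIES, "protocolProperties"):
        print(line)
```

Run against the constructed excerpt it reports exactly the two problems raised in the thread and nothing for `cipherSuites`; against `XSD_FIXED` it reports nothing. A check like this belongs in the same QA step the PR adds for the ProtoBuf schema, since the three formats are maintained by hand.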
@stevespringett merged commit c5032b8 into master Apr 9, 2024
8 checks passed
@stevespringett deleted the 1.6-dev branch April 9, 2024 05:13
@jkowalleck changed the title [WIP] v1.6 to v1.6 Apr 9, 2024
Labels: chore: QA (a chore related to Quality Assurance), defect, documentation, proposed core enhancement, test-data (related to test-resources and -data)
Projects: none yet
10 participants