feat: Add support for TLP marking in metadata #604
Conversation
anthonyharrison
force-pushed
the
1.7-dev
branch
from
2d456e1 to
5d5201f
Compare
anthonyharrison
force-pushed
the
1.7-dev
branch
from
e7f1f82 to
1fd2561
Compare
Signed-off-by: anthonyharrison <[email protected]>
Signed-off-by: anthonyharrison <[email protected]>
CycloneDX#595) Signed-off-by: anthonyharrison <[email protected]>
anthonyharrison
force-pushed
the
1.7-dev
branch
from
a767891 to
55425e5
Compare
|
for backwards compatibility reasons, i would not set "CLEAR" as the default value. clean means a decision actively was made, right? in JSON, this would mean no default is defined, and the property is optional. |
I see CLEAR as the default when the user makes no choice as the user is more likely to explicitly state one of the other values (which indicates that he has thought about the constraints as regards sharing the BOM). Personally, I would prefer to see all BOMs to have the TLP value explicitly stated but that is possibly too much to expect at this stage. |
…d documentation (fixes CycloneDX#595) Signed-off-by: anthonyharrison <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
Outdated
Show resolved
Hide resolved
|
I'll try to fix the open issues ASAP |
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
schema/bom-1.7.proto
Outdated
| @@ -514,6 +514,8 @@ message Metadata { | |||
| repeated Lifecycles lifecycles = 9; | |||
| // The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead. | |||
| optional OrganizationalEntity manufacturer = 10; | |||
| // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the component that the BOM describes. | |||
| optional Tlp distribution = 11; | |||
There was a problem hiding this comment.
The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the component that the BOM describes.
wait what? was the original ticket not about the distribution of the BOM?
why is it now about the distribution of the component???
if this was really about the distribution of the component that the BOM describes,
than the appropriate field would not be $.metadata.someshting but $.metadata.component.something.
There was a problem hiding this comment.
@anthonyharrison could you revisit this annotation?
There was a problem hiding this comment.
@jkowalleck I was using the term component to mean SBOM, HBOM, etc and not a software component. Is there a recommended way of saying this as the TLP applies to all types of BOM?
My proposed change would be 'The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the BOM'
There was a problem hiding this comment.
maybe use
The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the BOM.
PS: eventually there will be a community review phase (RFC), so somebody else might have additional ideas how to phase things better.
Signed-off-by: Jan Kowalleck <[email protected]>
…on (fixes CycloneDX#595) Signed-off-by: anthonyharrison <[email protected]>
# Conflicts: # schema/bom-1.7.proto # schema/bom-1.7.schema.json # schema/bom-1.7.xsd
…on (fixes CycloneDX#595) Signed-off-by: anthonyharrison <[email protected]>
|
@anthonyharrison, the current state looks promising. According to the CycloneDX working model, the next step would be to move from "prototype" to "draft", meaning the community review phase (RFC) would start. |
|
@jkowalleck Let's go to the next stage and see what the community thinks. I have no outstanding changes. |
jkowalleck
added
draft
RFC notice sent
|
RFC notice sent.
Public RFC period ends April 13, 2025 |
jkowalleck
changed the title
jkowalleck
added
promote to tc54
| "title": "Traffic Light Protocol (TLP) Classification", | ||
| "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"", | ||
| "type" : "string", | ||
| "default": "CLEAR", |
There was a problem hiding this comment.
UNKNOWN is not a valid TLP value
| "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"", | ||
| "type" : "string", | ||
| "default": "CLEAR", | ||
| "enum": [ |
There was a problem hiding this comment.
We can retain the TLP: prefix to avoid confusions and retain the exact semantic meanings.
From the first.org website:
The four TLP labels are: TLP:RED, TLP:AMBER, TLP:GREEN, and TLP:CLEAR. In written form, they MUST not contain spaces and SHOULD be in capitals. TLP labels MUST remain in their original form, even when used in other languages: content can be translated, but the labels cannot.
There was a problem hiding this comment.
The TLP values are identical to those adopted by CSAF
|
All current discussuons are basically too late. Public RFC ended on 13. of April. This feature is promoted to become standardized under Ecma. Vote will be on 1. May. Please do not alter the current state last minute. |
As discussed in ticket #595, this PR adds TLP marking in the BOM metadata.
This PR superseeds #603
fixes #595