
Update CBOM to CycloneDX 1.6 format #1831

Closed
planetf1 opened this issue Jul 1, 2024 · 3 comments · Fixed by #1834

Comments

@planetf1
Contributor

planetf1 commented Jul 1, 2024

State of current BOM:

The current BOM at docs/cbom.json mostly validates against the 1.4 spec with just 1 issue

  • metadata.timestamp value of 2024-03-05T11:49:42.428605 fails with "String is not a RFC3339 date-time".

In RFC3339 a time-offset is required, i.e. it can be Z.

Using 2024-03-05T11:49:42.428605Z passes validation.

This change is needed in the tooling that builds/tests the BOM.

Improvement to include pointer to schema

Many BOMs include a pointer to the spec, i.e. we could add

  "$schema": "https://raw.githubusercontent.com/IBM/CBOM/main/bom-1.4-cbom-1.0.schema.json#",

Aside - as an alternative, and for testing, the following can be added in .vscode settings:

    "json.schemas": [
        {
            "fileMatch": [
                "cbom.json"
            ],
            "url": "https://raw.githubusercontent.com/IBM/CBOM/main/bom-1.4-cbom-1.0.schema.json"
        }
    ]

CycloneDX 1.6

CBOM is now incorporated into CycloneDX 1.6, but here the schema has evolved a little.

We can validate against the new spec - the example below includes the vscode definition:

    "json.schemas": [
        {
            "fileMatch": [
                "cbom.json"
            ],
            "url": "http://cyclonedx.org/schema/bom-1.6.schema.json"
        }
    ]

If $schema is included in the BOM, then other tools wouldn't need to be explicitly configured, and should find the schema definition automatically.

In CycloneDX 1.6 the following is noted:

  • "bomFormat": "CBOM" -> can only be 'CycloneDX'
  • "type": "crypto-asset" -> 'cryptographic-asset'
  • In algorithmProperties, variant & implementationLevel are not allowed. Where the last segment of variant includes a platform like x86_64, this is probably now best matched to implementationPlatform, whilst implementationLevel is executionEnvironment.
  • In cryptoProperties, nistQuantumSecurityLevel is not allowed - it has moved under algorithmProperties.
  • "primitive": "blockcipher" -> 'block-cipher'
  • "dependencyType": "uses" - not allowed. There is a new property provides which seems to make sense where an algorithm is provided, whilst just having a dependency presumes uses ..?

Note the above is from a quick scan - need to check in more detail...

@bhess @dstebila I think it would be useful to consider this update now that the 1.6 spec is out, and we're seeing more tooling support CBOM.

Happy to work on some updates if it's helpful - or perhaps you plan to @bhess ?
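The checks and renames listed in the comment above, written out as an added example (this is not code from the liboqs project or from the issue author): a linter that reports each 1.4-vs-1.6 finding without touching the document, and a migration that fixes the RFC 3339 timestamp, sets `$schema`, `bomFormat` and the field names, and moves `nistQuantumSecurityLevel` under `algorithmProperties`. The `variant` -> `implementationPlatform` split on the last `-` segment, the `implementationLevel` -> `executionEnvironment` rename, and dropping `dependencyType: "uses"` follow the tentative readings in the comment and are assumptions; `specVersion` is a CycloneDX field the comment does not mention; the sample CBOM fragment is constructed. Validation against the real 1.6 schema is a separate step with a JSON Schema validator and is not done here.

```python
"""Added example: lint a 1.4-era CBOM for the CycloneDX 1.6 findings from the
issue and apply the corresponding renames. Not part of liboqs."""
import copy
import re

# RFC 3339 date-time: full-date "T" partial-time time-offset ("Z" or +-hh:mm).
RFC3339_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)
CYCLONEDX_16_SCHEMA = "http://cyclonedx.org/schema/bom-1.6.schema.json"
PRIMITIVE_RENAMES = {"blockcipher": "block-cipher"}  # only the rename the issue lists


def is_rfc3339(value: str) -> bool:
    return bool(RFC3339_RE.match(value))


def fix_timestamp(value: str) -> str:
    """Append the missing 'Z' offset; leave already-valid values alone."""
    if is_rfc3339(value):
        return value
    if is_rfc3339(value + "Z"):
        return value + "Z"
    raise ValueError(f"not an RFC 3339 date-time: {value!r}")


def lint_for_1_6(bom: dict) -> list:
    """Report the issue's 1.4-vs-1.6 findings without modifying the BOM."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append(f"bomFormat {bom.get('bomFormat')!r} must be 'CycloneDX'")
    ts = bom.get("metadata", {}).get("timestamp", "")
    if ts and not is_rfc3339(ts):
        problems.append(f"metadata.timestamp {ts!r} is not an RFC 3339 date-time")
    for i, comp in enumerate(bom.get("components", [])):
        where = f"components[{i}]"
        if comp.get("type") == "crypto-asset":
            problems.append(f"{where}.type 'crypto-asset' is now 'cryptographic-asset'")
        cp = comp.get("cryptoProperties", {})
        if "nistQuantumSecurityLevel" in cp:
            problems.append(f"{where}: nistQuantumSecurityLevel belongs under algorithmProperties")
        ap = cp.get("algorithmProperties", {})
        for old in ("variant", "implementationLevel"):
            if old in ap:
                problems.append(f"{where}.algorithmProperties.{old} is not allowed in 1.6")
        if ap.get("primitive") in PRIMITIVE_RENAMES:
            problems.append(f"{where}: primitive {ap['primitive']!r} is now "
                            f"{PRIMITIVE_RENAMES[ap['primitive']]!r}")
    for i, dep in enumerate(bom.get("dependencies", [])):
        if "dependencyType" in dep:
            problems.append(f"dependencies[{i}].dependencyType is not allowed in 1.6")
    return problems


def migrate_component(comp: dict) -> dict:
    comp = copy.deepcopy(comp)
    if comp.get("type") == "crypto-asset":
        comp["type"] = "cryptographic-asset"
    cp = comp.get("cryptoProperties")
    if not cp:
        return comp
    if "nistQuantumSecurityLevel" in cp:  # moved under algorithmProperties in 1.6
        cp.setdefault("algorithmProperties", {})["nistQuantumSecurityLevel"] = \
            cp.pop("nistQuantumSecurityLevel")
    ap = cp.get("algorithmProperties")
    if ap is None:
        return comp
    if ap.get("primitive") in PRIMITIVE_RENAMES:
        ap["primitive"] = PRIMITIVE_RENAMES[ap["primitive"]]
    if "variant" in ap:
        # Assumption (the issue's tentative reading): the last '-' segment of the
        # old variant names the platform, e.g. "...-x86_64".
        ap.setdefault("implementationPlatform", ap.pop("variant").rsplit("-", 1)[-1])
    if "implementationLevel" in ap:
        # Assumption from the issue: implementationLevel -> executionEnvironment.
        ap["executionEnvironment"] = ap.pop("implementationLevel")
    return comp


def migrate_cbom(bom: dict) -> dict:
    """Return a 1.6-shaped deep copy; the input document is left untouched."""
    out = copy.deepcopy(bom)
    out["$schema"] = CYCLONEDX_16_SCHEMA  # lets tools locate the schema unaided
    out["bomFormat"] = "CycloneDX"
    out["specVersion"] = "1.6"            # assumed CycloneDX field, not from the issue
    if out.get("metadata", {}).get("timestamp"):
        out["metadata"]["timestamp"] = fix_timestamp(out["metadata"]["timestamp"])
    out["components"] = [migrate_component(c) for c in out.get("components", [])]
    for dep in out.get("dependencies", []):
        if dep.get("dependencyType") == "uses":  # assumption: plain dependsOn means 'uses'
            del dep["dependencyType"]             # other values are left for manual review
    return out


# Constructed 1.4-era fragment exhibiting every finding from the issue.
SAMPLE_1_4 = {
    "bomFormat": "CBOM", "specVersion": "1.4",
    "metadata": {"timestamp": "2024-03-05T11:49:42.428605"},
    "components": [{
        "type": "crypto-asset", "name": "aes-256-gcm", "bom-ref": "alg-aes",
        "cryptoProperties": {
            "assetType": "algorithm", "nistQuantumSecurityLevel": 3,
            "algorithmProperties": {"primitive": "blockcipher",
                                    "variant": "aes256gcm-x86_64",
                                    "implementationLevel": "softwarePlainRam"}}}],
    "dependencies": [{"ref": "app", "dependsOn": ["alg-aes"], "dependencyType": "uses"}],
}

if __name__ == "__main__":
    for p in lint_for_1_6(SAMPLE_1_4):
        print("before:", p)
    print("after:", lint_for_1_6(migrate_cbom(SAMPLE_1_4)) or "no findings")
```

Running the linter on the migrated copy before committing it is the useful check: anything it still flags (for example a `dependencyType` other than `uses`) needs a human decision rather than a mechanical rename.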

@bhess
Member

bhess commented Jul 8, 2024

Thanks @planetf1 for this issue. Do you want to move your analysis to #1753 ?
I have a good grasp about the changes needed and can do a PR with the updates for 1.6.

@bhess
Member

bhess commented Jul 9, 2024

See PR #1834 which should include the updates you propose @planetf1.

@planetf1
Contributor Author

planetf1 commented Aug 5, 2024

Fixes #1831
