From a1697ef52ccc9fb5f2dd4e549082ce6face33dda Mon Sep 17 00:00:00 2001
From: "steve.springett"
Date: Wed, 20 Sep 2023 14:47:26 -0500
Subject: [PATCH 01/22] Added schema documentation generation for v1.6

Signed-off-by: steve.springett
---
 docgen/json/gen.sh | 5 +++--
 docgen/xml/gen.sh | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/docgen/json/gen.sh b/docgen/json/gen.sh
index b37d2461..e92128bc 100755
--- a/docgen/json/gen.sh
+++ b/docgen/json/gen.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 rm -f -R docs
-mkdir -p docs/{1.2,1.3,1.4,1.5}
+mkdir -p docs/{1.2,1.3,1.4,1.5,1.6}
 
 # Check to see if generate-schema-doc is executable and is in the path. If not, install JSON Schema for Humans.
 if ! [ -x "$(command -v generate-schema-doc)" ]; then
@@ -27,4 +27,5 @@ generate () {
 generate 1.2
 generate 1.3
 generate 1.4
-generate 1.5
\ No newline at end of file
+generate 1.5
+generate 1.6
\ No newline at end of file
diff --git a/docgen/xml/gen.sh b/docgen/xml/gen.sh
index 03e494df..fc850311 100755
--- a/docgen/xml/gen.sh
+++ b/docgen/xml/gen.sh
@@ -16,4 +16,5 @@ generate 1.1
 generate 1.2
 generate 1.3
 generate 1.4
-generate 1.5
\ No newline at end of file
+generate 1.5
+generate 1.6
\ No newline at end of file
From f1c9fe298e1f4fcdd4c7410625d64b1c66a0aedf Mon Sep 17 00:00:00 2001
From: "steve.springett"
Date: Wed, 20 Sep 2023 17:17:13 -0500
Subject: [PATCH 02/22] Initial commit and port of IBM/CBOM

Signed-off-by: steve.springett
---
 schema/bom-1.6.schema.json | 850 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 848 insertions(+), 2 deletions(-)

diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index 726fbf03..f038ab14 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -409,10 +409,11 @@ "firmware", "file", "machine-learning-model", - "data" + "data", + "crypto-asset" ], "title": "Component Type", - "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. 
installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. 
Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. 
Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.\n* __crypto-asset__ = Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.", "examples": ["library"] }, "mime-type": { @@ -591,6 +592,11 @@ "title": "Data", "description": "This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types." }, + "cryptoProperties": { + "$ref": "#/definitions/cryptoProperties", + "title": "Crypto Properties", + "description": "Properties for Crypto Assets" + }, "properties": { "type": "array", "title": "Properties", @@ -1243,6 +1249,12 @@ }, "title": "Depends On", "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." + }, + "dependencyType": { + "type": "string", + "title": "Type of dependency", + "description": "Defines and characterizes the type of dependency", + "$ref": "#/definitions/dependencyType" } } }, 
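Review bot: The new `cryptoProperties` entry on the component carries only `Properties for Crypto Assets` as its description, while the neighbouring `data` entry in the same hunk states when its object is allowed (SHOULD for type `data`, MUST NOT for other types). Without a matching rule a validator accepts `cryptoProperties` on a `library` or `file` component, and tooling that selects components for a cryptographic inventory has no schema-level signal to rely on. Suggest `"description": "Cryptographic assets have properties that uniquely define them. This object SHOULD be specified for any component of type 'crypto-asset' and MUST NOT be specified for other component types."`. The component `properties` object this entry sits in starts and ends outside the hunk.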
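Review bot: The new `dependencyType` property pairs `"$ref": "#/definitions/dependencyType"` with `type`, `title` and `description` as siblings; under draft-07, which the existing CycloneDX schemas declare (the `$schema` line is outside this hunk), `$ref` replaces its siblings, so the title and description are dropped by validators and the local `"type": "string"` is dead. Keep only the `$ref` here and move the wording into the referenced definition, or wrap both in `allOf` if the annotations must stay at the use site. The referenced enum, added in the last hunk of this commit, also lacks a `description` saying what `implements` and `uses` mean, which is where that text belongs. The enclosing `dependency` definition begins outside the hunk.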
@@ -3794,6 +3806,840 @@ "$ref": "jsf-0.82.schema.json#/definitions/signature", "title": "Signature", "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + }, + "dependencyType": { + "type": "string", + "enum": [ + "implements", + "uses" + ], + "title": "Type to characterize a dependency" + }, + "cryptoProperties": { + "type": "object", + "title": "Crypto Properties", + "description": "Properties for Crypto Assets", + "additionalProperties": false, + "properties": { + "assetType": { + "type": "string", + "title": "assetType", + "description": "The specific asset type for the crypto asset", + "enum": [ + "algorithm", + "certificate", + "key", + "protocol", + "relatedCryptoMaterial" + ] + }, + "algorithmProperties": { + "type": "object", + "title": "algorithm properties", + "description": "Properties for crypto assets of asset type 'algorithm'", + "additionalProperties": false, + "properties": { + "primitive": { + "type": "string", + "title": "primitive", + "description": "The primitive for the crypto algorithm", + "enum": [ + "drbg", + "mac", + "blockcipher", + "streamcipher", + "signature", + "hash", + "pke", + "xof", + "kdf", + "keyagree", + "kem", + "ae", + "other", + "unknown" + ] + }, + "variant": { + "type": "string", + "title": "variant", + "description": "The variant for the crypto algorithm, algorithm components should be delimited with '-'", + "examples": [ + "aes128-cbc-pkcs7", + "rsa2048-cbc-oaep-sha256-mgf1", + "kyber1024" + ] + }, + "curve": { + "type": "string", + "title": "elliptic curve", + "description": "If applicable, the curve of the crypto algorithm", + "enum": [ + "brainpoolP160r1", + "brainpoolP160t1", + "brainpoolP192r1", + "brainpoolP192t1", + "brainpoolP224r1", + "brainpoolP224t1", + "brainpoolP256r1", + "brainpoolP256t1", + "brainpoolP320r1", + "brainpoolP320t1", + "brainpoolP384r1", + "brainpoolP384t1", + "brainpoolP512r1", + "brainpoolP512t1", + "secp160k1", + 
"secp192k1", + "secp224k1", + "secp256k1", + "secp112r1", + "secp128r1", + "secp160r1", + "secp192r1", + "secp224r1", + "secp256r1", + "secp384r1", + "secp521r1", + "secp112r2", + "secp128r2", + "secp160r2", + "sect163k1", + "sect233k1", + "sect239k1", + "sect283k1", + "sect409k1", + "sect571k1", + "sect113r1", + "sect131r1", + "sect163r1", + "sect193r1", + "sect233r1", + "sect283r1", + "sect409r1", + "sect571r1", + "sect113r2", + "sect131r2", + "sect163r2", + "sect193r2", + "BLS12-377", + "BLS12-381", + "BLS12-446", + "BLS12-455", + "BLS12-638", + "BLS24-477", + "gost256", + "gost512", + "curve25519", + "curve448", + "sm2", + "Fp256BN", + "Fp384BN", + "Fp512BN", + "prime192v1", + "prime192v2", + "prime192v3", + "prime239v1", + "prime239v2", + "prime239v3", + "prime256v1", + "c2pnb176w1", + "c2pnb163v1", + "c2pnb163v2", + "c2pnb163v3", + "c2pnb208w1", + "c2tnb191v3", + "c2tnb191v2", + "c2tnb191v1", + "c2tnb239v3", + "c2tnb239v2", + "c2tnb239v1", + "c2pnb272w1", + "c2pnb304w1", + "c2pnb368w1", + "c2tnb359v1", + "c2tnb431r1", + "c2onb191v4", + "c2onb191v5", + "c2onb239v4", + "c2onb239v5", + "ansit163k1", + "ansit163r1", + "ansit163r2", + "ansit193r1", + "ansit193r2", + "ansit233k1", + "ansit233r1", + "ansit239k1", + "ansit283k1", + "ansit283r1", + "ansit409k1", + "ansit409r1", + "ansit571k1", + "ansit571r1", + "ansip160k1", + "ansip160r1", + "ansip160r2", + "ansip192k1", + "ansip224k1", + "ansip224r1", + "ansip256k1", + "ansip384r1", + "ansip521r1", + "FRP256v1", + "bn158", + "bn190", + "bn222", + "bn254", + "bn286", + "bn318", + "bn350", + "bn382", + "bn414", + "bn446", + "bn478", + "bn510", + "bn542", + "bn574", + "bn606", + "bn638", + "P-192", + "P-224", + "P-256", + "P-384", + "P-521", + "K-163", + "B-163", + "K-233", + "B-233", + "K-283", + "B-283", + "K-409", + "B-409", + "K-571", + "B-571", + "FourQ", + "wap-wsg-idm-ecid-wtls1", + "wap-wsg-idm-ecid-wtls3", + "wap-wsg-idm-ecid-wtls4", + "wap-wsg-idm-ecid-wtls5", + "wap-wsg-idm-ecid-wtls6", + 
"wap-wsg-idm-ecid-wtls7", + "wap-wsg-idm-ecid-wtls8", + "wap-wsg-idm-ecid-wtls9", + "wap-wsg-idm-ecid-wtls1", + "wap-wsg-idm-ecid-wtls1", + "wap-wsg-idm-ecid-wtls1", + "other", + "unknown" + ] + }, + "implementationLevel": { + "type": "string", + "title": "implementation level", + "description": "The implementation level for the crypto algorithm", + "enum": [ + "softwarePlainRam", + "softwareEncryptedRam", + "softwareTee", + "hardware", + "other", + "unknown" + ] + }, + "implementationPlatform": { + "type": "string", + "title": "implementation platform", + "description": "The implementation platform for the crypto algorithm", + "enum": [ + "generic", + "x86_32", + "x86_64", + "armv7-a", + "armv7-m", + "armv8-a", + "armv8-m", + "s390x", + "ppc64", + "ppc64le", + "other", + "unknown" + ] + }, + "certificationLevel": { + "type": "string", + "title": "certification level", + "description": "The certification level for the crypto algorithm", + "enum": [ + "none", + "fips140-1-l1", + "fips140-1-l2", + "fips140-1-l3", + "fips140-1-l4", + "fips140-2-l1", + "fips140-2-l2", + "fips140-2-l3", + "fips140-2-l4", + "fips140-3-l1", + "fips140-3-l2", + "fips140-3-l3", + "fips140-3-l4", + "cc-eal1", + "cc-eal1+", + "cc-eal2", + "cc-eal2+", + "cc-eal3", + "cc-eal3+", + "cc-eal4", + "cc-eal4+", + "cc-eal5", + "cc-eal5+", + "cc-eal6", + "cc-eal6+", + "cc-eal7", + "cc-eal7+", + "other", + "unknown" + ] + }, + "mode": { + "type": "string", + "title": "mode", + "description": "The cipher mode of operation for the crypto algorithm", + "enum": [ + "cbc", + "ecb", + "ccm", + "gcm", + "cfb", + "ofb", + "ctr", + "other", + "unknown" + ] + }, + "padding": { + "type": "string", + "title": "padding", + "description": "The padding for the crypto algorithm ", + "enum": [ + "pkcs5", + "pkcs7", + "pkcs1v15", + "oaep", + "raw", + "other", + "unknown" + ] + }, + "cryptoFunctions": { + "type": "array", + "title": "crypto function", + "description": "The crypto functions implemented by the crypto 
algorithm", + "items": { + "type": "string", + "enum": [ + "generate", + "keygen", + "encrypt", + "decrypt", + "digest", + "tag", + "keyderive", + "sign", + "verify", + "encapsulate", + "decapsulate", + "other", + "unknown" + ] + } + }, + "classicalSecurityLevel": { + "type": "integer", + "title": "classical security level", + "description": "classical security level", + "minimum": 0 + }, + "nistQuantumSecurityLevel": { + "type": "integer", + "title": "NIST security strength category", + "description": "NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria), or 0 if none of the categories are met", + "minimum": 0, + "maximum": 6 + } + } + }, + "certificateProperties": { + "type": "object", + "title": "certificate properties", + "description": "Properties for crypto assets of asset type 'certificate'", + "additionalProperties": false, + "properties": { + "subjectName": { + "type": "string", + "title": "Subject Name", + "description": "The subject name for the crypto certificate" + }, + "issuerName": { + "type": "string", + "title": "Issuer Name", + "description": "The issuer name for the crypto certificate" + }, + "notValidBefore": { + "type": "string", + "title": "Not Valid Before", + "description": "The date and time according to ISO-8601 standard from which the certificate is valid" + }, + "notValidAfter": { + "type": "string", + "title": "Not Valid After", + "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore" + }, + "signatureAlgorithm": { + "$ref": "#/definitions/cryptoRef", + "title": "Algorithm reference", + "description": "Bom-ref to signature algorithm used by the certificate" + }, + "subjectPublicKey": { + "$ref": "#/definitions/cryptoRef", + "title": "Key reference", + "description": "Bom-ref to the public key of the subject" + }, + "certificateFormat": { 
+ "type": "string", + "title": "Certificate format", + "description": "The format of the certificate", + "examples": [ + "X.509", + "PEM", + "DER", + "CVC" + ] + }, + "certificateExtension": { + "type": "string", + "title": "Certificate extensions", + "description": "The certificate extensions of the crypto certificate", + "examples": [ + "crt", + "pem", + "cer", + "der", + "p12" + ] + } + } + }, + "keyProperties": { + "type": "object", + "title": "Properties for Keys", + "description": "Properties for crypto assets of asset type 'key'", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "key type", + "description": "The type of the key", + "enum": [ + "privateKey", + "publicKey", + "secretKey" + ] + }, + "id": { + "type": "string", + "title": "key id", + "description": "The identifier for the key" + }, + "state": { + "type": "string", + "title": "key state", + "description": "The key state according to NIST SP 800-57", + "enum": [ + "preActivation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "size": { + "type": "integer", + "title": "Crypto asset size (in bits)", + "description": "Size of the crypto asset (in bits)" + }, + "keyAlgorithmRef": { + "$ref": "#/definitions/cryptoRef", + "title": "Algorithm reference", + "description": "Bom-ref to algorithm used to generate the key" + }, + "securedBy": { + "$ref": "#/definitions/securedBy", + "title": "Crypto asset is secured by" + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "creation date", + "description": "The date and time (timestamp) when the key was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "activation date", + "description": "The date and time (timestamp) when the key was activated." 
+ }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "update date", + "description": "The date and time (timestamp) when the key was updated." + }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "expiration date", + "description": "The date and time (timestamp) when the key expired." + } + } + }, + "relatedCryptoMaterialProperties": { + "type": "object", + "title": "related crypto material properties", + "description": "Properties for crypto assets of asset type 'relatedCryptoMaterial'", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related crypto material", + "enum": [ + "ciphertext", + "signature", + "digest", + "initializationVector", + "nonce", + "seed", + "salt", + "sharedSecret", + "tag", + "additionalData", + "password", + "credential", + "token", + "other", + "unknown" + ] + }, + "value": { + "type": "string", + "title": "Value assosiated to the crypto material", + "description": "The assosiated value of the crypto material" + }, + "size": { + "type": "integer", + "title": "Crypto asset size (in bits)", + "description": "Size of the crypto asset (in bits)" + }, + "format": { + "type": "string", + "title": "format", + "description": "format of the related crypto material (e.g. 
P8, PEM, DER)" + }, + "securedBy": { + "$ref": "#/definitions/securedBy", + "title": "Crypto asset is secured by" + } + } + }, + "protocolProperties": { + "type": "object", + "title": "protocol properties", + "description": "Properties for crypto assets of asset type 'protocol'", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "type", + "description": "The concrete protocol type", + "enum": [ + "tls", + "ssh", + "ipsec", + "ike", + "sstp", + "wpa", + "other", + "unknown" + ] + }, + "version": { + "type": "string", + "title": "protocol version", + "description": "The version of the protocol", + "examples": [ + "1.0", + "1.2", + "1.99" + ] + }, + "cipherSuites": { + "type": "array", + "title": "Cipher suites related to the protocol", + "description": "A list of cipher suites related to the protocol", + "additionalItems": false, + "items": { + "$ref": "#/definitions/cipherSuite", + "title": "Cipher suite" + } + }, + "ikev2TransformTypes": { + "type": "object", + "title": "IKEv2 transform types supported", + "description": "the IKEv2 transform types supported (types 1-4), according to RFC7296 section 3.3.2, and additional properties", + "properties": { + "encr": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Transform Type 1: encryption algorithms" + }, + "prf": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Transform Type 2: pseudorandom functions" + }, + "integ": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Transform Type 3: integrity algorithms" + }, + "ke": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Key Exchange Method (KE) by RFC9370, formerly called dh" + }, + "esn": { + "type": "boolean", + "title": "Extended Sequence Number is used" + }, + "auth": { + "$ref": "#/definitions/cryptoRefArray", + "title": "IKEv2 Authentication method" + } + } + }, + "cryptoRefArray": { + "$ref": "#/definitions/cryptoRefArray", + "title": "A list of protocol-related cryptographic assets" + } + } 
+ }, + "oid": { + "type": "string", + "title": "OID", + "description": "OID of crypto asset" + }, + "confidenceLevels": { + "type": "object", + "additionalItems": false, + "title": "confidence levels", + "description": "confidence levels of the reported crypto properties", + "properties": { + "assetType": { + "$ref": "#/definitions/confidenceLevel", + "title": "assetType confidence level" + }, + "primitive": { + "$ref": "#/definitions/confidenceLevel", + "title": "primitive confidence level" + }, + "relatedCryptoMaterialType": { + "$ref": "#/definitions/confidenceLevel", + "title": "related crypto material confidence level" + }, + "variant": { + "$ref": "#/definitions/confidenceLevel", + "title": "variant confidence level" + }, + "mode": { + "$ref": "#/definitions/confidenceLevel", + "title": "mode of opreation confidence level" + }, + "padding": { + "$ref": "#/definitions/confidenceLevel", + "title": "padding confidence level" + }, + "cryptoFunctions": { + "$ref": "#/definitions/confidenceLevel", + "title": "related crypto material confidence level" + }, + "subjectName": { + "$ref": "#/definitions/confidenceLevel", + "title": "subjectName confidence level" + }, + "issuerName": { + "$ref": "#/definitions/confidenceLevel", + "title": "issuerName confidence level" + }, + "notValidBefore": { + "$ref": "#/definitions/confidenceLevel", + "title": "notValidBefore confidence level" + }, + "notValidAfter": { + "$ref": "#/definitions/confidenceLevel", + "title": "notValidAfter confidence level" + }, + "certificateAlgorithm": { + "$ref": "#/definitions/confidenceLevel", + "title": "certificateAlgorithm confidence level" + }, + "certificateSignatureAlgorithm": { + "$ref": "#/definitions/confidenceLevel", + "title": "certificateSignatureAlgorithm confidence level" + }, + "certificateFormat": { + "$ref": "#/definitions/confidenceLevel", + "title": "certificateFormat confidence level" + }, + "certificateExtension": { + "$ref": "#/definitions/confidenceLevel", + "title": 
"certificateExtension confidence level" + }, + "tlsCipherSuites": { + "$ref": "#/definitions/confidenceLevel", + "title": "tlsCipherSuites confidence level" + }, + "ikev2TransformTypes": { + "$ref": "#/definitions/confidenceLevel", + "title": "ikev2TransformTypes confidence level" + } + } + }, + "detectionContext": { + "type": "array", + "additionalItems": false, + "title": "detection context", + "description": "Defines additional context metadata related to the detected crypto asset", + "items": { + "type": "object", + "title": "detection context", + "additionalProperties": false, + "properties": { + "filePath": { + "type": "string", + "title": "filePath", + "description": "File path of the detected crypto asset" + }, + "lineNumbers": { + "type": "array", + "title": "lineNumbers", + "description": "Line numbers of the detected crypto asset" + }, + "offsets": { + "type": "array", + "title": "offsets", + "description": "Offsets of the detected crypto asset" + }, + "symbols": { + "type": "array", + "title": "symbols", + "description": "symbol names detected for the crypto asset" + }, + "keywords": { + "type": "array", + "title": "keywords", + "description": "keywords detected for the crypto asset" + }, + "additionalContext": { + "type": "string", + "title": "additionalContext", + "description": "additional context of the detected crypto asset (e.g. 
code snippet)" + } + } + } + } + } + }, + "cryptoRef": { + "type": "string", + "title": "Reference to a crypto asset", + "description": "Reference (bom-ref) to the crypto asset used in this context" + }, + "confidenceLevel": { + "title": "ConfidenceLevel", + "description": "The ConfidenceLevel related to a property", + "type": "number" + }, + "cipherSuite": { + "type": "object", + "title": "Cipher suite", + "description": "Object representing a cipher suite", + "additionalItems": false, + "properties": { + "name": { + "type": "string", + "title": "Common name", + "description": "A common name for the cipher suite", + "examples": [ + "TLS_DHE_RSA_WITH_AES_128_CCM" + ] + }, + "algorithms": { + "type": "array", + "title": "Related algorithms", + "description": "List of algorithms related to the cipher suite", + "additionalItems": false, + "items": { + "$ref": "#/definitions/cryptoRef", + "title": "Algorithm reference", + "description": "Bom-ref to algorithm crypto asset" + } + }, + "identifiers": { + "type": "array", + "title": "Cipher suite identifiers", + "description": "A list of common identifiers for the cipher suite", + "additionalItems": false, + "items": { + "type": "string", + "title": "identifier", + "description": "Cipher suite identifier", + "examples": [ + "0xC0", + "0x9E" + ] + } + } + } + }, + "cryptoRefArray" : { + "type": "array", + "additionalItems": false, + "items": { + "$ref": "#/definitions/cryptoRef" + } + }, + "securedBy": { + "type": "object", + "title": "Crypto asset is secured by", + "description": "Specifies the mechanism by which the crypto asset is secured by", + "additionalProperties": false, + "properties": { + "mechanism": { + "type": "string", + "title": "mechanism by which the crypto asset is secured by", + "description": "Specifies the mechanism by which the crypto asset is secured by", + "examples": [ + "HSM", + "TPM", + "SGX", + "Software", + "None" + ] + }, + "algorithmRef": { + "$ref": "#/definitions/cryptoRef", + "title": 
"Algorithm reference"
+ }
+ }
 }
 }
 }
From 7801028b5e1a7d9d31032c019b1bcba27bc65b45 Mon Sep 17 00:00:00 2001
From: "steve.springett"
Date: Thu, 21 Sep 2023 08:11:52 -0500
Subject: [PATCH 03/22] Removed duplicate curves

Signed-off-by: steve.springett
---
 schema/bom-1.6.schema.json | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index f038ab14..d9f6dfd0 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -4027,9 +4027,6 @@
 "wap-wsg-idm-ecid-wtls7",
 "wap-wsg-idm-ecid-wtls8",
 "wap-wsg-idm-ecid-wtls9",
- "wap-wsg-idm-ecid-wtls1",
- "wap-wsg-idm-ecid-wtls1",
- "wap-wsg-idm-ecid-wtls1",
 "other",
 "unknown"
 ]
From 6f38f48cd88359f16c6d17be775049ac4436aecc Mon Sep 17 00:00:00 2001
From: Basil Hess
Date: Wed, 11 Oct 2023 19:36:46 +0200
Subject: [PATCH 04/22] CBOM: merges relatedCryptoMaterial and key asset types

Signed-off-by: Basil Hess
---
 schema/bom-1.6.schema.json | 206 ++++++++++++++++---------------------
 1 file changed, 90 insertions(+), 116 deletions(-)

diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index d9f6dfd0..789a92b7 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -3828,7 +3828,6 @@
 "enum": [
 "algorithm",
 "certificate",
- "key",
 "protocol",
 "relatedCryptoMaterial"
 ]
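Review bot: `relatedCryptoMaterialProperties.value` is a free-form string while the sibling `type` enum includes `password`, `credential`, `token`, `sharedSecret` and `seed`, so a document valid under this schema can carry live secret material in the clear inside a BOM that is normally shared with customers and uploaded to registries; the description should state the expectation, e.g. `"description": "The value of the crypto material. Secret values such as passwords, credentials, tokens and private key material SHOULD NOT be included; reference them or carry a digest instead."` (the merge hunk in patch 04/22 adds `privateKey` and `secretKey` to the same enum and keeps `value`, so the same note applies there). `confidenceLevels` and `cipherSuite` are `object` schemas but use `"additionalItems": false`, an array keyword that is ignored on objects, so unlike every other object in this hunk they remain open to unknown properties; replace it with `"additionalProperties": false`. `notValidBefore` and `notValidAfter` are plain strings while the key dates carry `"format": "date-time"`, the `lineNumbers`, `offsets`, `symbols` and `keywords` arrays in `detectionContext` have no `items` schema, and `confidenceLevel` is an unbounded `number` with no stated range; each should get the constraint or a description of the expected values. Smaller wording issues: `assosiated`, `opreation`, the `cryptoFunctions` confidence title copied as `related crypto material confidence level`, and the `dependencyType` enum at the top of the hunk having no `description` for `implements` versus `uses`.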
@@ -4228,127 +4227,102 @@ } } }, - "keyProperties": { - "type": "object", - "title": "Properties for Keys", - "description": "Properties for crypto assets of asset type 'key'", - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "title": "key type", - "description": "The type of the key", - "enum": [ - "privateKey", - "publicKey", - "secretKey" - ] - }, - "id": { - "type": "string", - "title": "key id", - "description": "The identifier for the key" - }, - "state": { - "type": "string", - "title": "key state", - "description": "The key state according to NIST SP 800-57", - "enum": [ - "preActivation", - "active", - "suspended", - "deactivated", - "compromised", - "destroyed" - ] - }, - "size": { - "type": "integer", - "title": "Crypto asset size (in bits)", - "description": "Size of the crypto asset (in bits)" - }, - "keyAlgorithmRef": { - "$ref": "#/definitions/cryptoRef", - "title": "Algorithm reference", - "description": "Bom-ref to algorithm used to generate the key" - }, - "securedBy": { - "$ref": "#/definitions/securedBy", - "title": "Crypto asset is secured by" - }, - "creationDate": { - "type": "string", - "format": "date-time", - "title": "creation date", - "description": "The date and time (timestamp) when the key was created." - }, - "activationDate": { - "type": "string", - "format": "date-time", - "title": "activation date", - "description": "The date and time (timestamp) when the key was activated." - }, - "updateDate": { - "type": "string", - "format": "date-time", - "title": "update date", - "description": "The date and time (timestamp) when the key was updated." - }, - "expirationDate": { - "type": "string", - "format": "date-time", - "title": "expiration date", - "description": "The date and time (timestamp) when the key expired." 
- } - } - }, "relatedCryptoMaterialProperties": { "type": "object", "title": "related crypto material properties", "description": "Properties for crypto assets of asset type 'relatedCryptoMaterial'", "additionalProperties": false, "properties": { - "type": { - "type": "string", - "title": "relatedCryptoMaterialType", - "description": "The type for the related crypto material", - "enum": [ - "ciphertext", - "signature", - "digest", - "initializationVector", - "nonce", - "seed", - "salt", - "sharedSecret", - "tag", - "additionalData", - "password", - "credential", - "token", - "other", - "unknown" - ] - }, - "value": { - "type": "string", - "title": "Value assosiated to the crypto material", - "description": "The assosiated value of the crypto material" - }, - "size": { - "type": "integer", - "title": "Crypto asset size (in bits)", - "description": "Size of the crypto asset (in bits)" - }, - "format": { - "type": "string", - "title": "format", - "description": "format of the related crypto material (e.g. 
P8, PEM, DER)" - }, - "securedBy": { - "$ref": "#/definitions/securedBy", - "title": "Crypto asset is secured by" - } + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related crypto material", + "enum": [ + "privateKey", + "publicKey", + "secretKey", + "ciphertext", + "signature", + "digest", + "initializationVector", + "nonce", + "seed", + "salt", + "sharedSecret", + "tag", + "additionalData", + "password", + "credential", + "token", + "other", + "unknown" + ] + }, + "id": { + "type": "string", + "title": "key id", + "description": "The identifier for the key" + }, + "state": { + "type": "string", + "title": "key state", + "description": "The key state according to NIST SP 800-57", + "enum": [ + "preActivation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "algorithmRef": { + "$ref": "#/definitions/cryptoRef", + "title": "Algorithm reference", + "description": "Bom-ref to algorithm used to generate the relatedCryptoMaterial" + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "creation date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "activation date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was activated." + }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "update date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was updated." + }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "expiration date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial expired." 
+ }, + "value": { + "type": "string", + "title": "Value assosiated to the crypto material", + "description": "The assosiated value of the crypto material" + }, + "size": { + "$ref": "#/definitions/size", + "title": "Crypto asset size (in bits)" + }, + "format": { + "type": "string", + "title": "format", + "description": "format of the related crypto material (e.g. P8, PEM, DER)" + }, + "securedBy": { + "$ref": "#/definitions/securedBy", + "title": "Crypto asset is secured by" + } } }, "protocolProperties": { From e91b9f07b6f989125928cbd657c32f1d8553c3c5 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 12 Oct 2023 16:09:30 +0200 Subject: [PATCH 05/22] fix size type and formatting Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 180 ++++++++++++++++++------------------- 1 file changed, 90 insertions(+), 90 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 789a92b7..8d918819 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
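Review bot: `size` now references `#/definitions/size` in place of the former inline `"type": "integer"`, and no `size` definition is visible anywhere in this patch series; if it is not added elsewhere the `$ref` cannot resolve and every `relatedCryptoMaterial` that carries a size fails validation (the subject of patch 05/22 suggests this was noticed, but the definition itself is not in view). `state` keeps its key-only wording, `The key state according to NIST SP 800-57`, even though the merged `type` enum now also covers ciphertext, nonce, salt, password and token, for which the SP 800-57 lifecycle states do not apply; suggest `"description": "The state of the material according to NIST SP 800-57; applicable to key material (privateKey, publicKey, secretKey) only."`. Likewise `algorithmRef` says the algorithm was used to generate the material, which is wrong for ciphertext, signature and digest; `"description": "Bom-ref to the algorithm associated with this relatedCryptoMaterial"` covers all types. The enclosing `definitions` object starts and ends outside the hunk.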
@@ -4233,96 +4233,96 @@ "description": "Properties for crypto assets of asset type 'relatedCryptoMaterial'", "additionalProperties": false, "properties": { - "type": { - "type": "string", - "title": "relatedCryptoMaterialType", - "description": "The type for the related crypto material", - "enum": [ - "privateKey", - "publicKey", - "secretKey", - "ciphertext", - "signature", - "digest", - "initializationVector", - "nonce", - "seed", - "salt", - "sharedSecret", - "tag", - "additionalData", - "password", - "credential", - "token", - "other", - "unknown" - ] - }, - "id": { - "type": "string", - "title": "key id", - "description": "The identifier for the key" - }, - "state": { - "type": "string", - "title": "key state", - "description": "The key state according to NIST SP 800-57", - "enum": [ - "preActivation", - "active", - "suspended", - "deactivated", - "compromised", - "destroyed" - ] - }, - "algorithmRef": { - "$ref": "#/definitions/cryptoRef", - "title": "Algorithm reference", - "description": "Bom-ref to algorithm used to generate the relatedCryptoMaterial" - }, - "creationDate": { - "type": "string", - "format": "date-time", - "title": "creation date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was created." - }, - "activationDate": { - "type": "string", - "format": "date-time", - "title": "activation date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was activated." - }, - "updateDate": { - "type": "string", - "format": "date-time", - "title": "update date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was updated." - }, - "expirationDate": { - "type": "string", - "format": "date-time", - "title": "expiration date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial expired." 
- }, - "value": { - "type": "string", - "title": "Value assosiated to the crypto material", - "description": "The assosiated value of the crypto material" - }, - "size": { - "$ref": "#/definitions/size", - "title": "Crypto asset size (in bits)" - }, - "format": { - "type": "string", - "title": "format", - "description": "format of the related crypto material (e.g. P8, PEM, DER)" - }, - "securedBy": { - "$ref": "#/definitions/securedBy", - "title": "Crypto asset is secured by" - } + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related crypto material", + "enum": [ + "privateKey", + "publicKey", + "secretKey", + "ciphertext", + "signature", + "digest", + "initializationVector", + "nonce", + "seed", + "salt", + "sharedSecret", + "tag", + "additionalData", + "password", + "credential", + "token", + "other", + "unknown" + ] + }, + "id": { + "type": "string", + "title": "id", + "description": "The identifier for the relatedCryptoMaterial" + }, + "state": { + "type": "string", + "title": "state", + "description": "The key state according to NIST SP 800-57", + "enum": [ + "preActivation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "algorithmRef": { + "$ref": "#/definitions/cryptoRef", + "title": "Algorithm reference", + "description": "Bom-ref to algorithm used to generate the relatedCryptoMaterial" + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "creation date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "activation date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was activated." + }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "update date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was updated." 
+ }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "expiration date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial expired." + }, + "value": { + "type": "string", + "title": "Value assosiated to the crypto material", + "description": "The assosiated value of the crypto material" + }, + "size": { + "type": "integer", + "title": "Crypto asset size (in bits)" + }, + "format": { + "type": "string", + "title": "format", + "description": "format of the related crypto material (e.g. P8, PEM, DER)" + }, + "securedBy": { + "$ref": "#/definitions/securedBy", + "title": "Crypto asset is secured by" + } } }, "protocolProperties": { From 8d1c9a4fcd24d8499d6f506f7d9214cff7a92678 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Wed, 18 Oct 2023 14:04:55 +0200 Subject: [PATCH 06/22] Merges detectionContext properties with component evidence Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 139 ++++++------------------------------- 1 file changed, 20 insertions(+), 119 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index d9f6dfd0..b3da20d6 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1576,6 +1576,26 @@ "type": "string", "title": "Location", "description": "The location or path to where the component was found." + }, + "lineNumber": { + "type": "integer", + "title": "Line Number", + "description": "The line number where the component was found." + }, + "offset": { + "type": "integer", + "title": "Offset", + "description": "The offset where the component was found." + }, + "symbol": { + "type": "string", + "title": "Symbol", + "description": "The symbol name that was found associated with the component." + }, + "additionalContext": { + "type": "string", + "title": "Additional Context", + "description": "Any additional context of the detected component (e.g. a code snippet)." } } } 
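Review bot: `size` is changed from `$ref: #/definitions/size` to a bare `"type": "integer"` with no lower bound, so a negative bit length validates; the other integer security parameter in this series, `classicalSecurityLevel`, carries `"minimum": 0`, and `"size": { "type": "integer", "minimum": 0, "title": "Crypto asset size (in bits)" }` would keep the two consistent. The `value` property ('The assosiated value of the crypto material', misspelt in both title and description) does not say that for the `privateKey`, `secretKey`, `password`, `credential` and `token` types the value is the secret itself, and a BOM is routinely handed to third parties. I would reword it to `"description": "The associated value of the cryptographic material. For secret material (private keys, secret keys, passwords, credentials, tokens) this field should be omitted rather than populated with the secret itself."`. The rest of the hunk is a whitespace re-indent and the `id` retitle.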
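Review bot: `lineNumber` and `offset` are added as unconstrained integers, so negative values validate although neither description admits them; `"minimum": 1` on `lineNumber` and `"minimum": 0` on `offset` would encode what the text means. `additionalContext` is described as possibly holding a code snippet, so the description should make explicit that it can carry source content into a distributed BOM, e.g. `"description": "Any additional context of the detected component (e.g. a code snippet). Note that this text is distributed with the BOM."`. The enclosing `occurrences` item object starts outside the hunk.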
@@ -4433,125 +4453,6 @@ "type": "string", "title": "OID", "description": "OID of crypto asset" - }, - "confidenceLevels": { - "type": "object", - "additionalItems": false, - "title": "confidence levels", - "description": "confidence levels of the reported crypto properties", - "properties": { - "assetType": { - "$ref": "#/definitions/confidenceLevel", - "title": "assetType confidence level" - }, - "primitive": { - "$ref": "#/definitions/confidenceLevel", - "title": "primitive confidence level" - }, - "relatedCryptoMaterialType": { - "$ref": "#/definitions/confidenceLevel", - "title": "related crypto material confidence level" - }, - "variant": { - "$ref": "#/definitions/confidenceLevel", - "title": "variant confidence level" - }, - "mode": { - "$ref": "#/definitions/confidenceLevel", - "title": "mode of opreation confidence level" - }, - "padding": { - "$ref": "#/definitions/confidenceLevel", - "title": "padding confidence level" - }, - "cryptoFunctions": { - "$ref": "#/definitions/confidenceLevel", - "title": "related crypto material confidence level" - }, - "subjectName": { - "$ref": "#/definitions/confidenceLevel", - "title": "subjectName confidence level" - }, - "issuerName": { - "$ref": "#/definitions/confidenceLevel", - "title": "issuerName confidence level" - }, - "notValidBefore": { - "$ref": "#/definitions/confidenceLevel", - "title": "notValidBefore confidence level" - }, - "notValidAfter": { - "$ref": "#/definitions/confidenceLevel", - "title": "notValidAfter confidence level" - }, - "certificateAlgorithm": { - "$ref": "#/definitions/confidenceLevel", - "title": "certificateAlgorithm confidence level" - }, - "certificateSignatureAlgorithm": { - "$ref": "#/definitions/confidenceLevel", - "title": "certificateSignatureAlgorithm confidence level" - }, - "certificateFormat": { - "$ref": "#/definitions/confidenceLevel", - "title": "certificateFormat confidence level" - }, - "certificateExtension": { - "$ref": "#/definitions/confidenceLevel", - "title": 
"certificateExtension confidence level" - }, - "tlsCipherSuites": { - "$ref": "#/definitions/confidenceLevel", - "title": "tlsCipherSuites confidence level" - }, - "ikev2TransformTypes": { - "$ref": "#/definitions/confidenceLevel", - "title": "ikev2TransformTypes confidence level" - } - } - }, - "detectionContext": { - "type": "array", - "additionalItems": false, - "title": "detection context", - "description": "Defines additional context metadata related to the detected crypto asset", - "items": { - "type": "object", - "title": "detection context", - "additionalProperties": false, - "properties": { - "filePath": { - "type": "string", - "title": "filePath", - "description": "File path of the detected crypto asset" - }, - "lineNumbers": { - "type": "array", - "title": "lineNumbers", - "description": "Line numbers of the detected crypto asset" - }, - "offsets": { - "type": "array", - "title": "offsets", - "description": "Offsets of the detected crypto asset" - }, - "symbols": { - "type": "array", - "title": "symbols", - "description": "symbol names detected for the crypto asset" - }, - "keywords": { - "type": "array", - "title": "keywords", - "description": "keywords detected for the crypto asset" - }, - "additionalContext": { - "type": "string", - "title": "additionalContext", - "description": "additional context of the detected crypto asset (e.g. code snippet)" - } - } - } } } }, From 29373d7ad8b4a2d26e5649894ccb911428cf1b10 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 19 Oct 2023 15:10:51 +0200 Subject: [PATCH 07/22] remove remaining confidenceLevel Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 5 ----- 1 file changed, 5 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index b3da20d6..9eeb3cb8 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
@@ -4461,11 +4461,6 @@
 "title": "Reference to a crypto asset",
 "description": "Reference (bom-ref) to the crypto asset used in this context"
 },
- "confidenceLevel": {
- "title": "ConfidenceLevel",
- "description": "The ConfidenceLevel related to a property",
- "type": "number"
- },
 "cipherSuite": {
 "type": "object",
 "title": "Cipher suite",
From 17019b00d0b850aaf161132023f55c084f93cb9d Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Sat, 21 Oct 2023 17:50:20 -0500
Subject: [PATCH 08/22] Corrected strict schema violations
Signed-off-by: Steve Springett
---
schema/bom-1.6.schema.json | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index d9f6dfd0..99081f5a 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -4386,7 +4386,6 @@
 "type": "array",
 "title": "Cipher suites related to the protocol",
 "description": "A list of cipher suites related to the protocol",
- "additionalItems": false,
 "items": {
 "$ref": "#/definitions/cipherSuite",
 "title": "Cipher suite"
@@ -4436,9 +4435,9 @@
 },
 "confidenceLevels": {
 "type": "object",
- "additionalItems": false,
 "title": "confidence levels",
 "description": "confidence levels of the reported crypto properties",
+ "additionalProperties": false,
 "properties": {
 "assetType": {
 "$ref": "#/definitions/confidenceLevel",
@@ -4512,7 +4511,6 @@
 },
 "detectionContext": {
 "type": "array",
- "additionalItems": false,
 "title": "detection context",
 "description": "Defines additional context metadata related to the detected crypto asset",
 "items": {
@@ -4569,7 +4567,7 @@
 "type": "object",
 "title": "Cipher suite",
 "description": "Object representing a cipher suite",
- "additionalItems": false,
+ "additionalProperties": false,
 "properties": {
 "name": {
 "type": "string",
@@ -4583,7 +4581,6 @@ "type": "array", "title": "Related algorithms", "description": "List of algorithms related to the cipher suite", - "additionalItems": false, "items": { "$ref": "#/definitions/cryptoRef", "title": "Algorithm reference", @@ -4594,7 +4591,6 @@ "type": "array", "title": "Cipher suite identifiers", "description": "A list of common identifiers for the cipher suite", - "additionalItems": false, "items": { "type": "string", "title": "identifier", @@ -4609,7 +4605,6 @@ }, "cryptoRefArray" : { "type": "array", - "additionalItems": false, "items": { "$ref": "#/definitions/cryptoRef" } From dd517f6ea8fda373390e93c6f7d0b9d46b926948 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 16 Nov 2023 11:04:25 +0100 Subject: [PATCH 09/22] CBOM: adds 'parameterSetIdentifier' property, replacing 'variant' Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 8014bdb6..58a17f89 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3879,15 +3879,10 @@ "unknown" ] }, - "variant": { + "parameterSetIdentifier": { "type": "string", - "title": "variant", - "description": "The variant for the crypto algorithm, algorithm components should be delimited with '-'", - "examples": [ - "aes128-cbc-pkcs7", - "rsa2048-cbc-oaep-sha256-mgf1", - "kyber1024" - ] + "title": "parameter set identifier", + "description": "An identifier for the parameter set of the crypto algorithm. Exampes: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." }, "curve": { "type": "string", From d39b039b49085802df430f315ae87ac156ce0137 Mon Sep 17 00:00:00 2001 
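Review bot: The `examples` array is dropped together with `variant`, leaving `parameterSetIdentifier` as a free string whose only guidance is prose that also carries a typo ('Exampes'). Keeping machine-readable examples, e.g. `"examples": ["128", "256", "SHA2-128s"]`, would carry the same intent into generated documentation and validators, and the description's own examples could then be shortened. The enclosing `algorithmProperties` object starts outside the hunk.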
From: "steve.springett" Date: Thu, 16 Nov 2023 09:04:24 -0600 Subject: [PATCH 10/22] Description and minor field updates Signed-off-by: steve.springett --- schema/bom-1.6.schema.json | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 58a17f89..663fa63a 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
@@ -3837,14 +3837,14 @@ }, "cryptoProperties": { "type": "object", - "title": "Crypto Properties", - "description": "Properties for Crypto Assets", + "title": "Cryptographic Properties", + "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.", "additionalProperties": false, "properties": { "assetType": { "type": "string", "title": "assetType", - "description": "The specific asset type for the crypto asset", + "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may however also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.\n\n* __algorithm__ = Mathematical functions that encrypt text. They are used for data encryption, authentication, and digital signatures.\n* __certificate__ = An electronic document that is used to provide the identity or validate a public key.\n* __protocol__ = A set of rules and guidelines that govern the behavior and communication with each other.\n* __relatedCryptoMaterial__ = Other cryptographic assets that are related to algorithms, certificate, and protocols such as keys and tokens.", "enum": [ "algorithm", "certificate", 
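Review bot: The new `protocol` bullet in the assetType description, 'A set of rules and guidelines that govern the behavior and communication with each other', has no subject for 'each other'; `* __protocol__ = A set of rules and guidelines that govern how parties communicate with each other, e.g. TLS.` reads cleanly. The `algorithm` bullet ('Mathematical functions that encrypt text') is narrower than the schema itself, since the `primitive` enum elsewhere in this file includes drbg and mac, which do not encrypt anything; 'Mathematical functions used for encryption, authentication, integrity and digital signatures' would cover them.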
@@ -3854,14 +3854,14 @@ }, "algorithmProperties": { "type": "object", - "title": "algorithm properties", - "description": "Properties for crypto assets of asset type 'algorithm'", + "title": "Algorithm Properties", + "description": "Additional properties specific to a cryptographic algorithm.", "additionalProperties": false, "properties": { "primitive": { "type": "string", "title": "primitive", - "description": "The primitive for the crypto algorithm", + "description": "Low-level cryptographic building block used in higher-level cryptographic functions. Primitives can be used to construct algorithms used for encryption (e.g. AES), digital signatures (e.g. ECDSA), and pseudorandom number generators (e.g. PRNG).\n\n TODO Basil", "enum": [ "drbg", "mac", @@ -3881,13 +3881,13 @@ }, "parameterSetIdentifier": { "type": "string", - "title": "parameter set identifier", - "description": "An identifier for the parameter set of the crypto algorithm. Exampes: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." + "title": "Parameter Set Identifier", + "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." }, "curve": { "type": "string", - "title": "elliptic curve", - "description": "If applicable, the curve of the crypto algorithm", + "title": "Elliptic Curve", + "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity.", "enum": [ "brainpoolP160r1", "brainpoolP160t1", 
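Review bot: The new `primitive` description ends with the placeholder `\n\n TODO Basil`, which ships into the published schema and the generated docs; the `executionEnvironment` hunk at `@@ -4045,14` carries the same `\n\n* TODO Basil` placeholder. Either finish the text before merging or drop the placeholder and leave the first sentence. The `(e.g. PRNG)` example in the same description is circular, because a PRNG is the category rather than an instance of it; a concrete generator such as CTR_DRBG would serve as the example.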
@@ -4045,14 +4045,14 @@
 "unknown"
 ]
 },
- "implementationLevel": {
+ "executionEnvironment": {
 "type": "string",
- "title": "implementation level",
- "description": "The implementation level for the crypto algorithm",
+ "title": "Execution Environment",
+ "description": "The target and execution environment in which the algorithm is implemented in.\n\n* TODO Basil",
 "enum": [
- "softwarePlainRam",
- "softwareEncryptedRam",
- "softwareTee",
+ "softwarePlainRAM",
+ "softwareEncryptedRAM",
+ "softwareTEE",
 "hardware",
 "other",
 "unknown"
From 224f7561e97e03d49e1bf08c387e8bd4334456a1 Mon Sep 17 00:00:00 2001
From: Basil Hess
Date: Wed, 29 Nov 2023 16:48:42 +0100
Subject: [PATCH 11/22] Review description fields of 'algorithmProperties'
Signed-off-by: Basil Hess
---
schema/bom-1.6.schema.json | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index ef27e1a7..a25450c9 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -3880,7 +3880,7 @@ "primitive": { "type": "string", "title": "primitive", - "description": "Low-level cryptographic building block used in higher-level cryptographic functions. Primitives can be used to construct algorithms used for encryption (e.g. AES), digital signatures (e.g. ECDSA), and pseudorandom number generators (e.g. PRNG).\n\n TODO Basil", + "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algoorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM) and authenticated encryption (ae, e.g. AES-GCM).", "enum": [ "drbg", "mac", @@ -4067,7 +4067,7 @@ "executionEnvironment": { "type": "string", "title": "Execution Environment", - "description": "The target and execution environment in which the algorithm is implemented in.\n\n* TODO Basil", + "description": "The target and execution environment in which the algorithm is implemented in. The execution environment can be a software implementation running in plain unencrypted RAM ('softwarePlainRAM'), a software implementation running in encrypted RAM ('softwareEncryptedRAM'), a software implementation runing in a trusted execution environment ('softwareTEE'), or an implementation in 'hardware'.", "enum": [ "softwarePlainRAM", "softwareEncryptedRAM", 
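Review bot: Both rewritten descriptions carry typos: 'algoorithms' in the `primitive` text and 'runing' in the `executionEnvironment` text, and the later `combiner` commit in this series (`@@ -3880,7 +3880,7` under PATCH 14) re-emits the `primitive` line with 'algoorithms' intact. The `primitive` description names the enum token only for some entries (drbg, mac, pke, xof, ae); naming it for every entry the same way would let a reader map the prose to enum values without guessing. Both enclosing property objects continue outside their hunks.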
@@ -4080,7 +4080,7 @@ "implementationPlatform": { "type": "string", "title": "implementation platform", - "description": "The implementation platform for the crypto algorithm", + "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform such as 'x86_32', 'x86_64, 'armv7-a', 'armv7-m', 'armv8-a', 'armv8-m', 's390x', 'ppc64' or 'ppc64le'.", "enum": [ "generic", "x86_32", @@ -4099,7 +4099,7 @@ "certificationLevel": { "type": "string", "title": "certification level", - "description": "The certification level for the crypto algorithm", + "description": "The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", "enum": [ "none", "fips140-1-l1", @@ -4135,7 +4135,7 @@ "mode": { "type": "string", "title": "mode", - "description": "The cipher mode of operation for the crypto algorithm", + "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", "enum": [ "cbc", "ecb", @@ -4151,7 +4151,7 @@ "padding": { "type": "string", "title": "padding", - "description": "The padding for the crypto algorithm ", + "description": "The padding scheme that is used for the cryptographic algorithm.", "enum": [ "pkcs5", "pkcs7", @@ -4165,7 +4165,7 @@ "cryptoFunctions": { "type": "array", "title": "crypto function", - "description": "The crypto functions implemented by the crypto algorithm", + "description": "The cryptographic functions implemented by the cryptographic algorithm", "items": { "type": "string", "enum": [ 
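Review bot: The `certificationLevel` description expands CC-EAL as 'Extended Assurance Levels'; Common Criteria EAL is 'Evaluation Assurance Level', so the phrase should read `Common Criteria at different Evaluation Assurance Levels (CC-EAL)`. In the `implementationPlatform` description the quote around `'x86_64,` is unclosed, which will render oddly in the generated docs. Both property objects continue outside their hunks.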
@@ -4188,13 +4188,13 @@ "classicalSecurityLevel": { "type": "integer", "title": "classical security level", - "description": "classical security level", + "description": "The classical security level that a cryptographic algorithm provides (in bits).", "minimum": 0 }, "nistQuantumSecurityLevel": { "type": "integer", "title": "NIST security strength category", - "description": "NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria), or 0 if none of the categories are met", + "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", "minimum": 0, "maximum": 6 } From ad47938ed2323a5d7ca853b78d669a6944a72319 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 7 Dec 2023 08:21:39 -0600 Subject: [PATCH 12/22] Added key to enum Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index a25450c9..e2547587 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4275,6 +4275,7 @@ "privateKey", "publicKey", "secretKey", + "key", "ciphertext", "signature", "digest", From 800ad2a7e4620ee5cbdab631c839219fc1c1cf8e Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 11 Dec 2023 21:18:39 -0600 Subject: [PATCH 13/22] Commits as of last meeting Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 170 ++----------------------------------- 1 file changed, 8 insertions(+), 162 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index e2547587..43db4eb1 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
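Review bot: `key` is added next to `privateKey`, `publicKey` and `secretKey` with no text saying when the generic value applies, so producers will use the two inconsistently and consumers cannot tell whether `key` means 'role not determined' or something else. The `type` description of `relatedCryptoMaterialProperties` (outside this hunk) should state the rule, for example that `key` is used only when the key's role cannot be determined and the specific value is preferred otherwise.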
@@ -3906,168 +3906,12 @@ "curve": { "type": "string", "title": "Elliptic Curve", - "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity.", - "enum": [ - "brainpoolP160r1", - "brainpoolP160t1", - "brainpoolP192r1", - "brainpoolP192t1", - "brainpoolP224r1", - "brainpoolP224t1", - "brainpoolP256r1", - "brainpoolP256t1", - "brainpoolP320r1", - "brainpoolP320t1", - "brainpoolP384r1", - "brainpoolP384t1", - "brainpoolP512r1", - "brainpoolP512t1", - "secp160k1", - "secp192k1", - "secp224k1", - "secp256k1", - "secp112r1", - "secp128r1", - "secp160r1", - "secp192r1", - "secp224r1", - "secp256r1", - "secp384r1", - "secp521r1", - "secp112r2", - "secp128r2", - "secp160r2", - "sect163k1", - "sect233k1", - "sect239k1", - "sect283k1", - "sect409k1", - "sect571k1", - "sect113r1", - "sect131r1", - "sect163r1", - "sect193r1", - "sect233r1", - "sect283r1", - "sect409r1", - "sect571r1", - "sect113r2", - "sect131r2", - "sect163r2", - "sect193r2", - "BLS12-377", - "BLS12-381", - "BLS12-446", - "BLS12-455", - "BLS12-638", - "BLS24-477", - "gost256", - "gost512", - "curve25519", - "curve448", - "sm2", - "Fp256BN", - "Fp384BN", - "Fp512BN", - "prime192v1", - "prime192v2", - "prime192v3", - "prime239v1", - "prime239v2", - "prime239v3", - "prime256v1", - "c2pnb176w1", - "c2pnb163v1", - "c2pnb163v2", - "c2pnb163v3", - "c2pnb208w1", - "c2tnb191v3", - "c2tnb191v2", - "c2tnb191v1", - "c2tnb239v3", - "c2tnb239v2", - "c2tnb239v1", - "c2pnb272w1", - "c2pnb304w1", - "c2pnb368w1", - "c2tnb359v1", - "c2tnb431r1", - "c2onb191v4", - "c2onb191v5", - "c2onb239v4", - "c2onb239v5", - "ansit163k1", - "ansit163r1", - "ansit163r2", - "ansit193r1", - "ansit193r2", - "ansit233k1", - "ansit233r1", - "ansit239k1", - "ansit283k1", - "ansit283r1", - "ansit409k1", - "ansit409r1", - "ansit571k1", - "ansit571r1", - "ansip160k1", - "ansip160r1", - "ansip160r2", - "ansip192k1", - "ansip224k1", - "ansip224r1", - 
"ansip256k1", - "ansip384r1", - "ansip521r1", - "FRP256v1", - "bn158", - "bn190", - "bn222", - "bn254", - "bn286", - "bn318", - "bn350", - "bn382", - "bn414", - "bn446", - "bn478", - "bn510", - "bn542", - "bn574", - "bn606", - "bn638", - "P-192", - "P-224", - "P-256", - "P-384", - "P-521", - "K-163", - "B-163", - "K-233", - "B-233", - "K-283", - "B-283", - "K-409", - "B-409", - "K-571", - "B-571", - "FourQ", - "wap-wsg-idm-ecid-wtls1", - "wap-wsg-idm-ecid-wtls3", - "wap-wsg-idm-ecid-wtls4", - "wap-wsg-idm-ecid-wtls5", - "wap-wsg-idm-ecid-wtls6", - "wap-wsg-idm-ecid-wtls7", - "wap-wsg-idm-ecid-wtls8", - "wap-wsg-idm-ecid-wtls9", - "other", - "unknown" - ] + "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves)." }, "executionEnvironment": { "type": "string", "title": "Execution Environment", - "description": "The target and execution environment in which the algorithm is implemented in. The execution environment can be a software implementation running in plain unencrypted RAM ('softwarePlainRAM'), a software implementation running in encrypted RAM ('softwareEncryptedRAM'), a software implementation runing in a trusted execution environment ('softwareTEE'), or an implementation in 'hardware'.", + "description": "The target and execution environment in which the algorithm is implemented in. 
The execution environment can be a software implementation running in plain unencrypted RAM ('softwarePlainRAM'), a software implementation running in encrypted RAM ('softwareEncryptedRAM'), a software implementation running in a trusted execution environment ('softwareTEE'), or an implementation in 'hardware'.", "enum": [ "softwarePlainRAM", "softwareEncryptedRAM", @@ -4089,6 +3933,8 @@ "armv7-m", "armv8-a", "armv8-m", + "armv9-a", + "armv9-m", "s390x", "ppc64", "ppc64le", @@ -4098,7 +3944,7 @@ }, "certificationLevel": { "type": "string", - "title": "certification level", + "title": "Certification Level", "description": "The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", "enum": [ "none", @@ -4134,7 +3980,7 @@ }, "mode": { "type": "string", - "title": "mode", + "title": "Mode", "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", "enum": [ "cbc", @@ -4150,7 +3996,7 @@ }, "padding": { "type": "string", - "title": "padding", + "title": "Padding", "description": "The padding scheme that is used for the cryptographic algorithm.", "enum": [ "pkcs5", @@ -4164,7 +4010,7 @@ }, "cryptoFunctions": { "type": "array", - "title": "crypto function", + "title": "Crypto function", "description": "The cryptographic functions implemented by the cryptographic algorithm", "items": { "type": "string", From 32ffcc0796b5aae0c76b39d53ae209c7d480ca67 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Tue, 12 Dec 2023 10:47:26 +0100 Subject: [PATCH 14/22] add 'combiner' as primitive Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index e2547587..11863f12 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
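Review bot: Removing the enum turns `curve` into an unconstrained string, so `P-256`, `secp256r1` and `prime256v1` now all validate for the same curve and consumers lose the ability to match curves across BOMs or flag deprecated ones by name. If the enum is dropped deliberately, the description should give a canonicalisation rule (which of the aliases on the referenced site is preferred) and the property should carry `"examples"` such as `["secp256r1", "curve25519", "brainpoolP256r1"]` so generated docs show the expected spelling. The `algorithmProperties` object enclosing `curve` starts outside the hunk.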
@@ -3880,7 +3880,7 @@ "primitive": { "type": "string", "title": "primitive", - "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algoorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM) and authenticated encryption (ae, e.g. AES-GCM).", + "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algoorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", "enum": [ "drbg", "mac", @@ -3894,6 +3894,7 @@ "keyagree", "kem", "ae", + "combiner", "other", "unknown" ] From 551d7ff16f74b8020f476ee470d2ade3fb6e440d Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Thu, 14 Dec 2023 08:58:45 -0600 Subject: [PATCH 15/22] Updates from todays CBOM meeting Signed-off-by: steve.springett --- schema/bom-1.6.schema.json | 109 +++++++++++++++++++------------------ 1 file changed, 57 insertions(+), 52 deletions(-) 
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f4267821..78f4fa11 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3848,11 +3848,13 @@ }, "dependencyType": { "type": "string", + "title": "Dependency Type", "enum": [ "implements", - "uses" + "uses", + "protectedBy" ], - "title": "Type to characterize a dependency" + "description": "An optional field that describes the type of dependency.\n\n* implement: refers to crypto assets implemented, or statically available in a component. Examples are the algorithms provided by crypto libraries. A crypto asset 'implemented' by a component does not imply that it is in use.\n* uses: refers to crypto assets in use, or being referenced by other components. The referencing can be done by explicit function calls or by configuration at run time. Usage may change over time, so CBOMs always represent a snapshot at a given point in time." }, "cryptoProperties": { "type": "object", @@ -4049,19 +4051,19 @@ }, "certificateProperties": { "type": "object", - "title": "certificate properties", - "description": "Properties for crypto assets of asset type 'certificate'", + "title": "Certificate Properties", + "description": "Properties for cryptographic assets of asset type 'certificate'", "additionalProperties": false, "properties": { "subjectName": { "type": "string", "title": "Subject Name", - "description": "The subject name for the crypto certificate" + "description": "The subject name for the certificate" }, "issuerName": { "type": "string", "title": "Issuer Name", - "description": "The issuer name for the crypto certificate" + "description": "The issuer name for the certificate" }, "notValidBefore": { "type": "string", @@ -4075,7 +4077,7 @@ }, "signatureAlgorithm": { "$ref": "#/definitions/cryptoRef", - "title": "Algorithm reference", + "title": "Algorithm Reference", "description": "Bom-ref to signature algorithm used by the certificate" }, "subjectPublicKey": { 
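Review bot: The new `dependencyType` description documents `implement` and `uses`, but the enum value is `implements` and the newly added `protectedBy` has no bullet at all, so generated docs will not explain the new value. Change `* implement:` to `* implements:` to match the enum and add a `* protectedBy:` bullet describing the intended relationship between the two assets.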
@@ -4085,7 +4087,7 @@ }, "certificateFormat": { "type": "string", - "title": "Certificate format", + "title": "Certificate Format", "description": "The format of the certificate", "examples": [ "X.509", @@ -4096,8 +4098,8 @@ }, "certificateExtension": { "type": "string", - "title": "Certificate extensions", - "description": "The certificate extensions of the crypto certificate", + "title": "Certificate File Extension", + "description": "The file extension of the certificate", "examples": [ "crt", "pem", @@ -4110,14 +4112,14 @@ }, "relatedCryptoMaterialProperties": { "type": "object", - "title": "related crypto material properties", - "description": "Properties for crypto assets of asset type 'relatedCryptoMaterial'", + "title": "Related Cryptographic Material Properties", + "description": "Properties for cryptographic assets of asset type 'relatedCryptoMaterial'", "additionalProperties": false, "properties": { "type": { "type": "string", "title": "relatedCryptoMaterialType", - "description": "The type for the related crypto material", + "description": "The type for the related cryptographic material", "enum": [ "privateKey", "publicKey", @@ -4142,13 +4144,13 @@ }, "id": { "type": "string", - "title": "id", - "description": "The identifier for the relatedCryptoMaterial" + "title": "ID", + "description": "The optional unique identifier for the related cryptographic material" }, "state": { "type": "string", - "title": "state", - "description": "The key state according to NIST SP 800-57", + "title": "State", + "description": "The key state as defined by NIST SP 800-57", "enum": [ "preActivation", "active", 
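Review bot: In the `relatedCryptoMaterialProperties` hunk the nested `type` property keeps `"title": "relatedCryptoMaterialType"` while every sibling title in this commit is normalized to title case (`Related Cryptographic Material Properties`, `ID`, `State`); change it to `"title": "Type"` for consistency with `protocolProperties.type`. The `certificateExtension` hunk narrows the field from "certificate extensions" to a file extension; the existing examples (`crt`, `pem`) already implied that, but anyone who read the old title as X.509 extensions would have populated it differently, so the change is worth a line in the changelog.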
@@ -4160,62 +4162,64 @@ }, "algorithmRef": { "$ref": "#/definitions/cryptoRef", - "title": "Algorithm reference", - "description": "Bom-ref to algorithm used to generate the relatedCryptoMaterial" + "title": "Algorithm Reference", + "description": "Bom-ref to the algorithm used to generate the related cryptographic material" }, "creationDate": { "type": "string", "format": "date-time", - "title": "creation date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was created." + "title": "Creation Date", + "description": "The date and time (timestamp) when the related cryptographic material was created." }, "activationDate": { "type": "string", "format": "date-time", - "title": "activation date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was activated." + "title": "Activation Date", + "description": "The date and time (timestamp) when the related cryptographic material was activated." }, "updateDate": { "type": "string", "format": "date-time", - "title": "update date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was updated." + "title": "Update Date", + "description": "The date and time (timestamp) when the related cryptographic material was updated." }, "expirationDate": { "type": "string", "format": "date-time", - "title": "expiration date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial expired." + "title": "Expiration Date", + "description": "The date and time (timestamp) when the related cryptographic material expires." 
}, "value": { "type": "string", - "title": "Value assosiated to the crypto material", - "description": "The assosiated value of the crypto material" + "title": "Value", + "description": "The associated value of the cryptographic material" }, "size": { "type": "integer", - "title": "Crypto asset size (in bits)" + "title":"Size", + "description": "Cryptographic asset size (in bits)" }, "format": { "type": "string", - "title": "format", - "description": "format of the related crypto material (e.g. P8, PEM, DER)" + "title": "Format", + "description": "Format of the related cryptographic material (e.g. P8, PEM, DER)" }, "securedBy": { "$ref": "#/definitions/securedBy", - "title": "Crypto asset is secured by" + "title": "Secured By", + "description": "The mechanism by which the cryptographic asset is secured by." } } }, "protocolProperties": { "type": "object", - "title": "protocol properties", - "description": "Properties for crypto assets of asset type 'protocol'", + "title": "Protocol Properties", + "description": "Properties for cryptographic assets of asset type 'protocol'", "additionalProperties": false, "properties": { "type": { "type": "string", - "title": "type", + "title": "Type", "description": "The concrete protocol type", "enum": [ "tls", @@ -4230,7 +4234,7 @@ }, "version": { "type": "string", - "title": "protocol version", + "title": "Protocol Version", "description": "The version of the protocol", "examples": [ "1.0", 
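Review bot: The `value` property (`"description": "The associated value of the cryptographic material"`) gives no guidance on what may be stored there, even though the `type` enum of this object (earlier hunk) includes `privateKey`, and a BOM is typically distributed far more widely than the material it inventories. Extend the description, e.g. `The associated value of the cryptographic material. This SHOULD NOT contain secret material such as private keys, secret keys or passwords; for those types record a reference or fingerprint instead.` The `securedBy` description `The mechanism by which the cryptographic asset is secured by.` has a doubled `by`, and `"title":"Size"` lacks the space after the colon used on every other line. The `relatedCryptoMaterialProperties` object begins before this hunk.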
@@ -4240,17 +4244,17 @@ }, "cipherSuites": { "type": "array", - "title": "Cipher suites related to the protocol", + "title": "Cipher Suites", "description": "A list of cipher suites related to the protocol", "items": { "$ref": "#/definitions/cipherSuite", - "title": "Cipher suite" + "title": "Cipher Suite" } }, "ikev2TransformTypes": { "type": "object", - "title": "IKEv2 transform types supported", - "description": "the IKEv2 transform types supported (types 1-4), according to RFC7296 section 3.3.2, and additional properties", + "title": "IKEv2 Transform Types", + "description": "The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties", "properties": { "encr": { "$ref": "#/definitions/cryptoRefArray", @@ -4280,31 +4284,32 @@ }, "cryptoRefArray": { "$ref": "#/definitions/cryptoRefArray", - "title": "A list of protocol-related cryptographic assets" + "title": "Cryptographic References", + "description": "A list of protocol-related cryptographic assets" } } }, "oid": { "type": "string", "title": "OID", - "description": "OID of crypto asset" + "description": "Object identifier of cryptographic asset" } } }, "cryptoRef": { "type": "string", - "title": "Reference to a crypto asset", - "description": "Reference (bom-ref) to the crypto asset used in this context" + "title": "Reference to a Cryptographic Asset", + "description": "Reference (bom-ref) to the cryptographic asset used in this context" }, "cipherSuite": { "type": "object", - "title": "Cipher suite", + "title": "Cipher Suite", "description": "Object representing a cipher suite", "additionalProperties": false, "properties": { "name": { "type": "string", - "title": "Common name", + "title": "Common Name", "description": "A common name for the cipher suite", "examples": [ "TLS_DHE_RSA_WITH_AES_128_CCM" 
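Review bot: In `protocolProperties` the property is named `cryptoRefArray`, after its `$ref` target type rather than its meaning, unlike its siblings `cipherSuites` and `ikev2TransformTypes`; a name such as `cryptoRefs` matches the plural-array naming used elsewhere and the new title `Cryptographic References`. `cryptoRef` stays an unconstrained `"type": "string"`; if the schema still carries the shared bom-ref link definition used by 1.5 (`refLinkType`, if present in this file), referencing it here would give the same format checking as other bom-ref links. Both are renames of public schema names, so they should land before 1.6 is published.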
@@ -4312,17 +4317,17 @@ }, "algorithms": { "type": "array", - "title": "Related algorithms", + "title": "Related Algorithms", "description": "List of algorithms related to the cipher suite", "items": { "$ref": "#/definitions/cryptoRef", "title": "Algorithm reference", - "description": "Bom-ref to algorithm crypto asset" + "description": "Bom-ref to algorithm cryptographic asset" } }, "identifiers": { "type": "array", - "title": "Cipher suite identifiers", + "title": "Cipher Suite Identifiers", "description": "A list of common identifiers for the cipher suite", "items": { "type": "string", @@ -4344,13 +4349,13 @@ }, "securedBy": { "type": "object", - "title": "Crypto asset is secured by", + "title": "Secured By", "description": "Specifies the mechanism by which the crypto asset is secured by", "additionalProperties": false, "properties": { "mechanism": { "type": "string", - "title": "mechanism by which the crypto asset is secured by", + "title": "Mechanism", "description": "Specifies the mechanism by which the crypto asset is secured by", "examples": [ "HSM", From 29087203fd848fabb34748b4db0272ae72b543cf Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 5 Jan 2024 17:37:47 -0600 Subject: [PATCH 16/22] Normalizing CBOM and porting to XML and Protobuf. Adding test files. 
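Review bot: `"title": "Algorithm reference"` in the `cipherSuite.algorithms` items and `"description": "Specifies the mechanism by which the crypto asset is secured by"` (twice in `securedBy`) were left untouched while this commit title-cases every other title and rewrites `crypto` to `cryptographic`; change them to `"title": "Algorithm Reference"` and `"description": "Specifies the mechanism by which the cryptographic asset is secured"`. The `securedBy` definition continues past this hunk.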
Signed-off-by: Steve Springett --- docgen/json/templates/cyclonedx/content.html | 6 +- schema/bom-1.6.proto | 254 ++++ schema/bom-1.6.schema.json | 282 ++-- schema/bom-1.6.xsd | 1199 +++++++++++++++++ tools/src/test/js/json-schema-lint-tests.js | 1 + .../resources/1.6/valid-cryptography-1.6.json | 71 + .../1.6/valid-cryptography-1.6.textproto | 77 ++ .../resources/1.6/valid-cryptography-1.6.xml | 57 + .../1.6/valid-cryptography-full-1.6.json | 99 ++ .../1.6/valid-cryptography-full-1.6.textproto | 119 ++ .../1.6/valid-cryptography-full-1.6.xml | 93 ++ 11 files changed, 2164 insertions(+), 94 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-cryptography-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-cryptography-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-cryptography-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-cryptography-full-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml diff --git a/docgen/json/templates/cyclonedx/content.html b/docgen/json/templates/cyclonedx/content.html index 3e880425..7a2dbd0d 100644 --- a/docgen/json/templates/cyclonedx/content.html +++ b/docgen/json/templates/cyclonedx/content.html @@ -67,7 +67,11 @@

Must be one of:

    {%- for enum_choice in schema.kw_enum.array_items -%} -
  • {{ enum_choice.literal | python_to_json }}
  • +
  • + {%- if schema.kw_meta_enum -%}{%- endif -%} + {{ enum_choice.literal | python_to_json }} + {%- if schema.kw_meta_enum -%} = {{ schema.enum_description(enum_choice.literal) }}{%- endif -%} +
  • {%- endfor -%}
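Review bot: The `{%- if schema.kw_meta_enum -%}{%- endif -%}` block inserted before the enum literal is empty and can be dropped. `schema.enum_description(enum_choice.literal)` is rendered directly into the list item; if this JSON Schema for Humans template is not rendered with autoescaping enabled, a `meta:enum` string containing `<` or `&` would be emitted as raw markup, so either confirm autoescaping or pass it through `| e` (the literal on the preceding line already goes through `python_to_json`). The extracted hunk text is mangled (bullets in place of the list-item tags), so the exact surrounding lines could not be reconstructed here.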
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index e6a6c4fe..87963505 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -67,6 +67,8 @@ enum Classification {
 CLASSIFICATION_MACHINE_LEARNING_MODEL = 11;
 // A collection of discrete values that convey information.
 CLASSIFICATION_DATA = 12;
+ // Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.
+ CLASSIFICATION_CRYPTOGRAPHIC_ASSET = 13;
 }
 message Commit {
@@ -133,6 +135,8 @@ message Component {
 optional ModelCard modelCard = 25;
 // This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types.
 optional ComponentData data = 26;
+ // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.
+ optional CryptoProperties cryptoProperties = 27;
 }
 // Specifies the data flow.
@@ -163,9 +167,17 @@ enum DataFlowDirection {
 }
 message Dependency {
+ enum DependencyType {
+ DEPENDENCY_TYPE_IMPLEMENTS = 0;
+ DEPENDENCY_TYPE_USES = 1;
+ DEPENDENCY_TYPE_PROTECTED_BY = 2;
+ }
 // References a component or service by the its bom-ref attribute
 string ref = 1;
+ // The bom-ref identifiers of the components or services that are dependencies of this dependency object.
 repeated Dependency dependencies = 2;
+ // Defines and characterizes the type of dependency
+ optional DependencyType type = 3;
 }
 message Diff {
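Review bot: `DependencyType` makes `DEPENDENCY_TYPE_IMPLEMENTS = 0` the zero value, while the JSON schema in the same commit (hunk `@@ -3852` of `bom-1.6.schema.json`) declares `"default": "uses"`, so a dependency with no `type` reads as `implements` to Protobuf consumers and as `uses` to JSON consumers. Either reorder so `DEPENDENCY_TYPE_USES = 0`, or follow proto3 convention and add `DEPENDENCY_TYPE_UNSPECIFIED = 0` as the first value, keeping the field `optional` so absence stays explicit. The same zero-value pattern recurs in every enum of the `CryptoProperties` hunk below. The `Dependency` message is otherwise unchanged apart from the added comment on `dependencies`.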
@@ -1486,3 +1498,245 @@ message EnvironmentVars {
 string value = 2;
 }
 }
+
+message CryptoProperties {
+ enum CryptoAssetType {
+ CRYPTO_ASSET_TYPE_ALGORITHM = 0;
+ CRYPTO_ASSET_TYPE_CERTIFICATE = 1;
+ CRYPTO_ASSET_TYPE_PROTOCOL = 2;
+ CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL = 3;
+ }
+ message AlgorithmProperties {
+ enum CryptoPrimitive {
+ CRYPTO_PRIMITIVE_DRBG = 0;
+ CRYPTO_PRIMITIVE_MAC = 1;
+ CRYPTO_PRIMITIVE_BLOCK_CIPHER = 2;
+ CRYPTO_PRIMITIVE_STREAM_CIPHER = 3;
+ CRYPTO_PRIMITIVE_SIGNATURE = 4;
+ CRYPTO_PRIMITIVE_HASH = 5;
+ CRYPTO_PRIMITIVE_PKE = 6;
+ CRYPTO_PRIMITIVE_XOF = 7;
+ CRYPTO_PRIMITIVE_KDF = 8;
+ CRYPTO_PRIMITIVE_KEY_AGREE = 9;
+ CRYPTO_PRIMITIVE_KEM = 10;
+ CRYPTO_PRIMITIVE_AE = 11;
+ CRYPTO_PRIMITIVE_COMBINER = 12;
+ CRYPTO_PRIMITIVE_OTHER = 13;
+ CRYPTO_PRIMITIVE_UNKNOWN = 14;
+ }
+ enum CryptoExecutionEnvironment {
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM = 0;
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_ENCRYPTED_RAM = 1;
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_TEE = 2;
+ CRYPTO_EXECUTION_ENVIRONMENT_HARDWARE = 3;
+ CRYPTO_EXECUTION_ENVIRONMENT_OTHER = 4;
+ CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 5;
+ }
+ enum CryptoImplementationPlatform {
+ CRYPTO_IMPLEMENTATION_PLATFORM_GENERIC = 0;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X86_32 = 1;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 = 2;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7A = 3;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7M = 4;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8A = 5;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8M = 6;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9A = 7;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9M = 8;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X390X = 9;
+ CRYPTO_IMPLEMENTATION_PLATFORM_PPC64 = 10;
+ CRYPTO_IMPLEMENTATION_PLATFORM_PPC64LE = 11;
+ CRYPTO_IMPLEMENTATION_PLATFORM_OTHER = 12;
+ CRYPTO_IMPLEMENTATION_PLATFORM_UNKNOWN = 13;
+ }
+ enum CryptoAlgorithmMode {
+ CRYPTO_ALGORITHM_MODE_CBC = 0;
+ CRYPTO_ALGORITHM_MODE_ECB = 1;
+ CRYPTO_ALGORITHM_MODE_CCM = 2;
+ CRYPTO_ALGORITHM_MODE_GCM = 3;
+ CRYPTO_ALGORITHM_MODE_CFB = 4;
+ CRYPTO_ALGORITHM_MODE_OFB = 5;
+ CRYPTO_ALGORITHM_MODE_CTR = 6;
+ CRYPTO_ALGORITHM_MODE_OTHER = 7;
+ CRYPTO_ALGORITHM_MODE_UNKNOWN = 8;
+ }
+ enum CryptoAlgorithmPadding {
+ CRYPTO_ALGORITHM_PADDING_PKCS5 = 0;
+ CRYPTO_ALGORITHM_PADDING_PKCS7 = 1;
+ CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 2;
+ CRYPTO_ALGORITHM_PADDING_OAEP = 3;
+ CRYPTO_ALGORITHM_PADDING_RAW = 4;
+ CRYPTO_ALGORITHM_PADDING_OTHER = 5;
+ CRYPTO_ALGORITHM_PADDING_UNKNOWN = 6;
+ }
+ enum CryptoAlgorithmFunction {
+ CRYPTO_ALGORITHM_FUNCTION_GENERATE = 0;
+ CRYPTO_ALGORITHM_FUNCTION_KEYGEN = 1;
+ CRYPTO_ALGORITHM_FUNCTION_ENCRYPT = 2;
+ CRYPTO_ALGORITHM_FUNCTION_DECRYPT = 3;
+ CRYPTO_ALGORITHM_FUNCTION_DIGEST = 4;
+ CRYPTO_ALGORITHM_FUNCTION_TAG = 5;
+ CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE = 6;
+ CRYPTO_ALGORITHM_FUNCTION_SIGN = 7;
+ CRYPTO_ALGORITHM_FUNCTION_VERIFY = 8;
+ CRYPTO_ALGORITHM_FUNCTION_ENCAPSULATE = 9;
+ CRYPTO_ALGORITHM_FUNCTION_DECAPSULATE = 10;
+ CRYPTO_ALGORITHM_FUNCTION_OTHER = 11;
+ CRYPTO_ALGORITHM_FUNCTION_UNKNOWN = 12;
+ }
+ // Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).
+ optional CryptoPrimitive primitive = 1;
+ // An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205).
+ optional string parameterSetIdentifier = 2;
+ // The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves).
+ optional string curve = 3;
+ // The target and execution environment in which the algorithm is implemented in.
+ optional CryptoExecutionEnvironment executionEnvironment = 4;
+ // The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.
+ optional CryptoImplementationPlatform implementationPlatform = 5;
+ // The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).
+ optional string certificationLevel = 6;
+ // The mode of operation in which the cryptographic algorithm (block cipher) is used.
+ optional CryptoAlgorithmMode mode = 7;
+ // The padding scheme that is used for the cryptographic algorithm.
+ optional CryptoAlgorithmPadding padding = 8;
+ // The cryptographic functions implemented by the cryptographic algorithm.
+ repeated CryptoAlgorithmFunction cryptoFunctions = 9;
+ // The classical security level that a cryptographic algorithm provides (in bits).
+ optional int32 classicalSecurityLevel = 10;
+ // The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.
+ optional int32 nistQuantumSecurityLevel = 11;
+ } // end of AlgorithmProperties
+ message CertificateProperties {
+ // The subject name for the certificate
+ optional string subjectName = 1;
+ // The issuer name for the certificate
+ optional string issuerName = 2;
+ // The date and time according to ISO-8601 standard from which the certificate is valid
+ optional google.protobuf.Timestamp notValidBefore = 3;
+ // The date and time according to ISO-8601 standard from which the certificate is not valid anymore
+ optional google.protobuf.Timestamp notValidAfter = 4;
+ // The bom-ref to signature algorithm used by the certificate
+ optional string signatureAlgorithm = 5;
+ // The bom-ref to the public key of the subject
+ optional string subjectPublicKey = 6;
+ // The format of the certificate. Examples include X.509, PEM, DER, and CVC.
+ optional string certificateFormat = 7;
+ // The file extension of the certificate. Examples include crt, pem, cer, der, and p12.
+ optional string certificateExtension = 8;
+ } // end of CertificateProperties
+ message RelatedCryptoMaterialProperties {
+ enum CryptoRelatedType {
+ CRYPTO_RELATED_TYPE_PRIVATE_KEY = 0;
+ CRYPTO_RELATED_TYPE_PUBLIC_KEY = 1;
+ CRYPTO_RELATED_TYPE_SECRET_KEY = 2;
+ CRYPTO_RELATED_TYPE_KEY = 3;
+ CRYPTO_RELATED_TYPE_CIPHERTEXT = 4;
+ CRYPTO_RELATED_TYPE_SIGNATURE = 5;
+ CRYPTO_RELATED_TYPE_DIGEST = 6;
+ CRYPTO_RELATED_TYPE_INITIALIZATION_VECTOR = 7;
+ CRYPTO_RELATED_TYPE_NONCE = 8;
+ CRYPTO_RELATED_TYPE_SEED = 9;
+ CRYPTO_RELATED_TYPE_SALT = 10;
+ CRYPTO_RELATED_TYPE_SHARED_SECRET = 11;
+ CRYPTO_RELATED_TYPE_TAG = 12;
+ CRYPTO_RELATED_TYPE_ADDITIONAL_DATA = 13;
+ CRYPTO_RELATED_TYPE_PASSWORD = 14;
+ CRYPTO_RELATED_TYPE_CREDENTIAL = 15;
+ CRYPTO_RELATED_TYPE_TOKEN = 16;
+ CRYPTO_RELATED_TYPE_OTHER = 17;
+ CRYPTO_RELATED_TYPE_UNKNOWN = 18;
+ }
+ enum CryptoRelatedState {
+ CRYPTO_RELATED_STATE_PRE_ACTIVATION = 0;
+ CRYPTO_RELATED_STATE_ACTIVE = 1;
+ CRYPTO_RELATED_STATE_SUSPENDED = 2;
+ CRYPTO_RELATED_STATE_DEACTIVATED = 3;
+ CRYPTO_RELATED_STATE_COMPROMISED = 4;
+ CRYPTO_RELATED_STATE_DESTROYED = 5;
+ }
+ message CryptoRelatedSecuredBy {
+ // Specifies the mechanism by which the cryptographic asset is secured by. Examples include HSM, TPM, SGX, Software, and None
+ optional string mechanism = 1;
+ // The bom-ref to the algorithm.
+ optional string algorithmRef = 2;
+ }
+ // The type for the related cryptographic material
+ optional CryptoRelatedType type = 1;
+ // The optional unique identifier for the related cryptographic material.
+ optional string id = 2;
+ // The key state as defined by NIST SP 800-57.
+ optional CryptoRelatedState state = 3;
+ // The bom-ref to the algorithm used to generate the related cryptographic material.
+ optional string algorithmRef = 4;
+ // The date and time (timestamp) when the related cryptographic material was created.
+ optional google.protobuf.Timestamp creationDate = 5;
+ // The date and time (timestamp) when the related cryptographic material was activated.
+ optional google.protobuf.Timestamp activationDate = 6;
+ // The date and time (timestamp) when the related cryptographic material was updated.
+ optional google.protobuf.Timestamp updateDate = 7;
+ // The date and time (timestamp) when the related cryptographic material expires.
+ optional google.protobuf.Timestamp expirationDate = 8;
+ // The associated value of the cryptographic material.
+ optional string value = 9;
+ // The size of the cryptographic asset (in bits).
+ optional int64 size = 10;
+ // The format of the related cryptographic material (e.g. P8, PEM, DER).
+ optional string format = 11;
+ // The mechanism by which the cryptographic asset is secured by.
+ optional CryptoRelatedSecuredBy securedBy = 12;
+ } // end of RelatedCryptoMaterialProperties
+ message ProtocolProperties {
+ enum CryptoProtocolType {
+ CRYPTO_PROTOCOL_TYPE_TLS = 0;
+ CRYPTO_PROTOCOL_TYPE_SSH = 1;
+ CRYPTO_PROTOCOL_TYPE_IPSEC = 2;
+ CRYPTO_PROTOCOL_TYPE_IKE = 3;
+ CRYPTO_PROTOCOL_TYPE_SSTP = 4;
+ CRYPTO_PROTOCOL_TYPE_WPA = 5;
+ CRYPTO_PROTOCOL_TYPE_OTHER = 6;
+ CRYPTO_PROTOCOL_TYPE_UNKNOWN = 7;
+ }
+ message CryptoProtocolCipherSuite {
+ // A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM
+ optional string name = 1;
+ // A list of algorithms related to the cipher suite. Use the bom-ref to the algorithm cryptographic asset.
+ repeated string algorithms = 2;
+ // A list of common identifiers for the cipher suite. For example: 0xC0 and 0x9E
+ repeated string identifiers = 3;
+ }
+ message Ikev2TransformTypes {
+ // Transform Type 1: encryption algorithms
+ repeated string encr = 1;
+ // Transform Type 2: pseudorandom functions
+ repeated string prf = 2;
+ // Transform Type 3: integrity algorithms
+ repeated string integ = 3;
+ // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)
+ repeated string ke = 4;
+ // Specifies if an Extended Sequence Number (ESN) is used.
+ optional bool esn = 5;
+ // IKEv2 Authentication method
+ repeated string auth = 6;
+ }
+ // The concrete protocol type.
+ optional CryptoProtocolType type = 1;
+ // The version of the protocol. Examples include 1.0, 1.2, and 1.99.
+ optional string version = 2;
+ // A list of cipher suites related to the protocol.
+ repeated CryptoProtocolCipherSuite cipherSuites = 3;
+ // The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.
+ optional Ikev2TransformTypes ikev2TransformTypes = 4;
+ } // end of ProtocolProperties
+ // Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may however also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.
+ optional CryptoAssetType assetType = 1;
+ // Additional properties specific to a cryptographic algorithm.
+ optional AlgorithmProperties algorithmProperties = 2;
+ // Properties for cryptographic assets of asset type 'certificate'
+ optional CertificateProperties certificateProperties = 3;
+ // Properties for cryptographic assets of asset type: `related-crypto-material`
+ optional RelatedCryptoMaterialProperties relatedCryptoMaterialProperties = 4;
+ // Properties specific to cryptographic assets of type: `protocol`.
+ optional ProtocolProperties protocolProperties = 5;
+ // The object identifier (OID) of the cryptographic asset.
+ optional string oid = 6;
+}
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index 78f4fa11..eae7430b 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
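Review bot: `CRYPTO_IMPLEMENTATION_PLATFORM_X390X = 9;` looks like a typo for the IBM Z target `s390x` (its neighbours `x86_64`, `ppc64`, `ppc64le` are all real architecture names); if so, rename it to `CRYPTO_IMPLEMENTATION_PLATFORM_S390X` before release, since enum names become part of the generated API. Every enum in this message assigns a concrete value to 0 (`CRYPTO_PRIMITIVE_DRBG`, `CRYPTO_ALGORITHM_MODE_CBC`, `CRYPTO_RELATED_TYPE_PRIVATE_KEY`, `CRYPTO_PROTOCOL_TYPE_TLS`) and puts `UNKNOWN` last; the singular fields are `optional` so presence is tracked, but a consumer that reads without checking presence gets a specific primitive rather than unknown, and proto3 style is to place an `_UNSPECIFIED = 0` value first. `optional string value = 9;` carries the raw material with no caveat although `CryptoRelatedType` includes `PRIVATE_KEY`, `SECRET_KEY`, `PASSWORD`, `CREDENTIAL` and `TOKEN`; the comment should state that secret material SHOULD NOT be embedded in the BOM and that a reference or fingerprint is expected for those types. The `google.protobuf.Timestamp` fields assume `google/protobuf/timestamp.proto` is imported at the top of the file, which is outside this hunk.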
@@ -410,10 +410,10 @@ "file", "machine-learning-model", "data", - "crypto-asset" + "cryptographic-asset" ], "title": "Component Type", - "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. 
installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.\n* __crypto-asset__ = Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. 
Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. 
Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.\n* __cryptographic-asset__ = Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.", "examples": ["library"] }, "mime-type": { @@ -593,8 +593,7 @@ }, "cryptoProperties": { "$ref": "#/definitions/cryptoProperties", - "title": "Crypto Properties", - "description": "Properties for Crypto Assets" + "title": "Cryptographic Properties" }, "properties": { "type": "array", @@ -1250,9 +1249,9 @@ "title": "Depends On", "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." }, - "dependencyType": { + "type": { "type": "string", - "title": "Type of dependency", + "title": "Dependency Type", "description": "Defines and characterizes the type of dependency", "$ref": "#/definitions/dependencyType" } 
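Review bot: In the `@@ -1250` hunk the renamed `type` property keeps `"type": "string"`, `"title"` and `"description"` as siblings of `"$ref": "#/definitions/dependencyType"`; if this file still declares draft-07 (confirm the `$schema` at the top, outside this view), keywords beside `$ref` are ignored, so the title and description never reach validators or the generated docs. Either drop the siblings and rely on the definition's own `title`/`description` (added by the `@@ -3852` hunk in this commit), or wrap as `"allOf": [{ "$ref": "#/definitions/dependencyType" }]` with the annotations outside it. Renaming `dependencyType` to `type` breaks documents written against the earlier 1.6 draft, which is acceptable pre-release but belongs in the changelog. The `@@ -593` hunk removes the `cryptoProperties` description, leaving only a title, which is fine only if the referenced definition carries its own description.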
@@ -3852,9 +3851,15 @@ "enum": [ "implements", "uses", - "protectedBy" + "protected-by" ], - "description": "An optional field that describes the type of dependency.\n\n* implement: refers to crypto assets implemented, or statically available in a component. Examples are the algorithms provided by crypto libraries. A crypto asset 'implemented' by a component does not imply that it is in use.\n* uses: refers to crypto assets in use, or being referenced by other components. The referencing can be done by explicit function calls or by configuration at run time. Usage may change over time, so CBOMs always represent a snapshot at a given point in time." + "meta:enum": { + "implements": "Refers to a component or service that fulfills the requirements of a given specification or standard. For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use.", + "uses": "Refers to a component or service that relies on another component or service, either explicitly via function calls or via configuration at run time.", + "protected-by": "Refers to a component or service that safeguards another component or service. For example, a cryptographic component that protects a data component. A component or service which is protected by another component or service does not imply that either are in use." + }, + "default": "uses", + "description": "An optional field that describes the type of dependency." }, "cryptoProperties": { "type": "object", 
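Review bot: `"default": "uses"` is an annotation in JSON Schema — validators do not inject it — so the meaning of an omitted `type` must also be stated in prose for producers and consumers to agree; extend the description, e.g. `An optional field that describes the type of dependency. If not specified, the dependency is assumed to be of type 'uses'.` In the `protected-by` entry, `does not imply that either are in use` should read `either is in use`. The `dependencyType` definition starts before this hunk.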
@@ -3864,14 +3869,20 @@
 "properties": {
 "assetType": {
 "type": "string",
- "title": "assetType",
- "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may however also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.\n\n* __algorithm__ = Mathematical functions that encrypt text. They are used for data encryption, authentication, and digital signatures.\n* __certificate__ = An electronic document that is used to provide the identity or validate a public key.\n* __protocol__ = A set of rules and guidelines that govern the behavior and communication with each other.\n* __relatedCryptoMaterial__ = Other cryptographic assets that are related to algorithms, certificate, and protocols such as keys and tokens.",
+ "title": "Asset Type",
+ "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may however also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.",
 "enum": [
 "algorithm",
 "certificate",
 "protocol",
- "relatedCryptoMaterial"
- ]
+ "related-crypto-material"
+ ],
+ "meta:enum": {
+ "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.",
+ "certificate": "An electronic document that is used to provide the identity or validate a public key.",
+ "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.",
+ "related-crypto-material": "Other cryptographic assets that are related to algorithms, certificate, and protocols such as keys and tokens."
+ }
 },
 "algorithmProperties": {
 "type": "object",
@@ -3882,24 +3893,41 @@ "primitive": { "type": "string", "title": "primitive", - "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algoorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", + "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", "enum": [ "drbg", "mac", - "blockcipher", - "streamcipher", + "block-cipher", + "stream-cipher", "signature", "hash", "pke", "xof", "kdf", - "keyagree", + "key-agree", "kem", "ae", "combiner", "other", "unknown" - ] + ], + "meta:enum": { + "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. 
DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.", + "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.", + "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.", + "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).", + "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.", + "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.", + "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.", + "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.", + "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.", + "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.", + "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.", + "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.", + "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.", + "other": "Another primitive type.", + "unknown": "The primitive is not known." + } }, "parameterSetIdentifier": { "type": "string", 
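Review bot: Two of the new `meta:enum` texts describe the primitive loosely enough to mislead a reader who is using this field to assess an algorithm. `hash` says the output is "a fixed-size string of characters", whereas a digest is a fixed-size bit string; suggest `"hash": "A hash function is a mathematical algorithm that maps an input (or 'message') to a fixed-size output, the hash value or digest. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing."`. `drbg` presents "reproducibility of random values" as the reason DRBGs are used, but in cryptographic use the required property is that the output is unpredictable to anyone without the seed; suggest ending that entry with "DRBGs are used in cryptographic applications to expand a small amount of seed entropy into output that is unpredictable without knowledge of the seed." The `primitive` title on the context line above the enum is still lowercase (`"title": "primitive"`) while the neighbouring fields use Title Case.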
@@ -3914,20 +3942,28 @@
 "executionEnvironment": {
 "type": "string",
 "title": "Execution Environment",
- "description": "The target and execution environment in which the algorithm is implemented in. The execution environment can be a software implementation running in plain unencrypted RAM ('softwarePlainRAM'), a software implementation running in encrypted RAM ('softwareEncryptedRAM'), a software implementation running in a trusted execution environment ('softwareTEE'), or an implementation in 'hardware'.",
+ "description": "The target and execution environment in which the algorithm is implemented in.",
 "enum": [
- "softwarePlainRAM",
- "softwareEncryptedRAM",
- "softwareTEE",
+ "software-plain-ram",
+ "software-encrypted-ram",
+ "software-tee",
 "hardware",
 "other",
 "unknown"
- ]
+ ],
+ "meta:enum": {
+ "software-plain-ram": "A software implementation running in plain unencrypted RAM.",
+ "software-encrypted-ram": "A software implementation running in encrypted RAM.",
+ "software-tee": "A software implementation running in a trusted execution environment.",
+ "hardware": "A hardware implementation.",
+ "other": "Another implementation environment.",
+ "unknown": "The execution environment is not known."
+ }
 },
 "implementationPlatform": {
 "type": "string",
 "title": "implementation platform",
- "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform such as 'x86_32', 'x86_64, 'armv7-a', 'armv7-m', 'armv8-a', 'armv8-m', 's390x', 'ppc64' or 'ppc64le'.",
+ "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.",
 "enum": [
 "generic",
 "x86_32",
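Review bot: `implementationPlatform` keeps `"title": "implementation platform"` in lowercase while the field edited directly above it uses `"title": "Execution Environment"`, and titles are what the documentation generator prints as headings. Change it to `"title": "Implementation Platform"` in this hunk. The execution-environment description also still reads "in which the algorithm is implemented in" (doubled "in"); `"description": "The target and execution environment in which the algorithm is implemented."` fixes it.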
@@ -3979,7 +4015,38 @@ "cc-eal7+", "other", "unknown" - ] + ], + "meta:enum": { + "none": "No certification obtained", + "fips140-1-l1": "FIPS 140-1 Level 1", + "fips140-1-l2": "FIPS 140-1 Level 2", + "fips140-1-l3": "FIPS 140-1 Level 3", + "fips140-1-l4": "FIPS 140-1 Level 4", + "fips140-2-l1": "FIPS 140-2 Level 1", + "fips140-2-l2": "FIPS 140-2 Level 2", + "fips140-2-l3": "FIPS 140-2 Level 3", + "fips140-2-l4": "FIPS 140-2 Level 4", + "fips140-3-l1": "FIPS 140-3 Level 1", + "fips140-3-l2": "FIPS 140-3 Level 2", + "fips140-3-l3": "FIPS 140-3 Level 3", + "fips140-3-l4": "FIPS 140-3 Level 4", + "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", + "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", + "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", + "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", + "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", + "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", + "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", + "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", + "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", + "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", + "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", + "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", + "cc-eal7": "Common Criteria - Evaluation Assurance Level 7", + "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", + "other": "Another certification", + "unknown": "The certification level is not known" + } }, "mode": { "type": "string", 
@@ -3995,7 +4062,18 @@ "ctr", "other", "unknown" - ] + ], + "meta:enum": { + "cbc": "Cipher block chaining", + "ecb": "Electronic codebook", + "ccm": "Counter with cipher block chaining message authentication code", + "gcm": "Galois/counter", + "cfb": "Cipher feedback", + "ofb": "Output feedback", + "ctr": "Counter", + "other": "Another mode of operation", + "unknown": "The mode of operation is not known" + } }, "padding": { "type": "string", @@ -4009,12 +4087,21 @@ "raw", "other", "unknown" - ] + ], + "meta:enum": { + "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography", + "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax", + "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5", + "oaep": "Optimal asymmetric encryption padding", + "raw": "Raw", + "other": "Another padding scheme", + "unknown": "The padding scheme is not known" + } }, "cryptoFunctions": { "type": "array", - "title": "Crypto function", - "description": "The cryptographic functions implemented by the cryptographic algorithm", + "title": "Cryptographic functions", + "description": "The cryptographic functions implemented by the cryptographic algorithm.", "items": { "type": "string", "enum": [ 
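Review bot: The `pkcs5` text in the padding `meta:enum` ("Public Key Cryptography Standard: Password-Based Cryptography") differs from the wording the XSD hunk later in this commit gives the same value ("Password-Based Cryptography Specification #5"), so the two schemas will document one enum member differently. Pick one string and use it in both; the XSD form is the clearer of the two. `"raw": "Raw"` also tells the reader nothing — presumably it means no padding is applied, in which case `"raw": "No padding is applied."` says so.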
@@ -4067,23 +4154,25 @@
 },
 "notValidBefore": {
 "type": "string",
+ "format": "date-time",
 "title": "Not Valid Before",
 "description": "The date and time according to ISO-8601 standard from which the certificate is valid"
 },
 "notValidAfter": {
 "type": "string",
+ "format": "date-time",
 "title": "Not Valid After",
 "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore"
 },
 "signatureAlgorithm": {
- "$ref": "#/definitions/cryptoRef",
+ "$ref": "#/definitions/refType",
 "title": "Algorithm Reference",
- "description": "Bom-ref to signature algorithm used by the certificate"
+ "description": "The bom-ref to signature algorithm used by the certificate"
 },
 "subjectPublicKey": {
- "$ref": "#/definitions/cryptoRef",
+ "$ref": "#/definitions/refType",
 "title": "Key reference",
- "description": "The bom-ref to the public key of the subject"
+ "description": "The bom-ref to the public key of the subject"
 },
 "certificateFormat": {
 "type": "string",
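Review bot: Adding `"format": "date-time"` to `notValidBefore` and `notValidAfter` narrows the accepted values to the RFC 3339 date-time form (full date, time and timezone offset), but the descriptions still promise the broader "ISO-8601 standard", and the lint harness in this commit runs with `validateFormats: true`, so a date-only or offset-less value the description appears to allow will now be rejected. Bring the text in line with the constraint, e.g. `"description": "The date and time (RFC 3339 date-time, including timezone) from which the certificate is valid."` and the matching sentence for `notValidAfter`; the XSD hunk later in this commit repeats the "ISO-8601" wording and should follow.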
@@ -4113,46 +4202,46 @@ "relatedCryptoMaterialProperties": { "type": "object", "title": "Related Cryptographic Material Properties", - "description": "Properties for cryptographic assets of asset type 'relatedCryptoMaterial'", + "description": "Properties for cryptographic assets of asset type: `related-crypto-material`", "additionalProperties": false, "properties": { "type": { - "type": "string", - "title": "relatedCryptoMaterialType", - "description": "The type for the related cryptographic material", - "enum": [ - "privateKey", - "publicKey", - "secretKey", - "key", - "ciphertext", - "signature", - "digest", - "initializationVector", - "nonce", - "seed", - "salt", - "sharedSecret", - "tag", - "additionalData", - "password", - "credential", - "token", - "other", - "unknown" - ] + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related cryptographic material", + "enum": [ + "private-key", + "public-key", + "secret-key", + "key", + "ciphertext", + "signature", + "digest", + "initialization-vector", + "nonce", + "seed", + "salt", + "shared-secret", + "tag", + "additional-data", + "password", + "credential", + "token", + "other", + "unknown" + ] }, "id": { "type": "string", "title": "ID", - "description": "The optional unique identifier for the related cryptographic material" + "description": "The optional unique identifier for the related cryptographic material." }, "state": { "type": "string", "title": "State", - "description": "The key state as defined by NIST SP 800-57", + "description": "The key state as defined by NIST SP 800-57.", "enum": [ - "preActivation", + "pre-activation", "active", "suspended", "deactivated", 
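Review bot: The `type` property of `relatedCryptoMaterialProperties` keeps `"title": "relatedCryptoMaterialType"` — an internal camelCase identifier — while this hunk converts the enum values and the parent description to kebab-case and Title Case; the title is the heading the doc generator shows. Change it to `"title": "Related Cryptographic Material Type"`. The hunk is otherwise a re-indentation of unchanged lines, which makes the real change (the enum spelling) harder to spot in review; keeping whitespace-only changes in a separate commit would help.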
@@ -4161,9 +4250,9 @@ ] }, "algorithmRef": { - "$ref": "#/definitions/cryptoRef", + "$ref": "#/definitions/refType", "title": "Algorithm Reference", - "description": "Bom-ref to the algorithm used to generate the related cryptographic material" + "description": "The bom-ref to the algorithm used to generate the related cryptographic material." }, "creationDate": { "type": "string", @@ -4192,17 +4281,17 @@ "value": { "type": "string", "title": "Value", - "description": "The associated value of the cryptographic material" + "description": "The associated value of the cryptographic material." }, "size": { "type": "integer", "title":"Size", - "description": "Cryptographic asset size (in bits)" + "description": "The size of the cryptographic asset (in bits)." }, "format": { "type": "string", "title": "Format", - "description": "Format of the related cryptographic material (e.g. P8, PEM, DER)" + "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." }, "securedBy": { "$ref": "#/definitions/securedBy", @@ -4214,13 +4303,13 @@ "protocolProperties": { "type": "object", "title": "Protocol Properties", - "description": "Properties for cryptographic assets of asset type 'protocol'", + "description": "Properties specific to cryptographic assets of type: `protocol`.", "additionalProperties": false, "properties": { "type": { "type": "string", "title": "Type", - "description": "The concrete protocol type", + "description": "The concrete protocol type.", "enum": [ "tls", "ssh", 
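Review bot: `value` is documented only as "The associated value of the cryptographic material." while the sibling `type` enum admits `private-key`, `secret-key`, `password`, `credential` and `token`; a BOM is typically distributed to customers, auditors and tooling, so anything placed in this field is disclosed to every recipient. The description should say the field is meant for non-secret material and that secret values are to be omitted or replaced by a reference or fingerprint, e.g. `"description": "The associated value of the cryptographic material. Intended for non-secret material such as public keys, certificates or digests; secret values (private keys, passwords, credentials, tokens) must not be embedded in a BOM."`. `size` is "in bits" and typed `integer`, so a `"minimum": 0` beside it would reject a negative bit count.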
@@ -4230,12 +4319,22 @@ "wpa", "other", "unknown" - ] + ], + "meta:enum": { + "tls": "Transport Layer Security", + "ssh": "Secure Shell", + "ipsec": "Internet Protocol Security", + "ike": "Internet Key Exchange", + "sstp": "Secure Socket Tunneling Protocol", + "wpa": "Wi-Fi Protected Access", + "other": "Another protocol type", + "unknown": "The protocol type is not known" + } }, "version": { "type": "string", "title": "Protocol Version", - "description": "The version of the protocol", + "description": "The version of the protocol.", "examples": [ "1.0", "1.2", @@ -4245,7 +4344,7 @@ "cipherSuites": { "type": "array", "title": "Cipher Suites", - "description": "A list of cipher suites related to the protocol", + "description": "A list of cipher suites related to the protocol.", "items": { "$ref": "#/definitions/cipherSuite", "title": "Cipher Suite" 
@@ -4254,31 +4353,32 @@ "ikev2TransformTypes": { "type": "object", "title": "IKEv2 Transform Types", - "description": "The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties", + "description": "The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.", + "additionalProperties": false, "properties": { "encr": { "$ref": "#/definitions/cryptoRefArray", - "title": "Transform Type 1: encryption algorithms" + "description": "Transform Type 1: encryption algorithms" }, "prf": { "$ref": "#/definitions/cryptoRefArray", - "title": "Transform Type 2: pseudorandom functions" + "description": "Transform Type 2: pseudorandom functions" }, "integ": { "$ref": "#/definitions/cryptoRefArray", - "title": "Transform Type 3: integrity algorithms" + "description": "Transform Type 3: integrity algorithms" }, "ke": { "$ref": "#/definitions/cryptoRefArray", - "title": "Key Exchange Method (KE) by RFC9370, formerly called dh" + "description": "Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)" }, "esn": { "type": "boolean", - "title": "Extended Sequence Number is used" + "description": "Specifies if an Extended Sequence Number (ESN) is used." }, "auth": { "$ref": "#/definitions/cryptoRefArray", - "title": "IKEv2 Authentication method" + "description": "IKEv2 Authentication method" } } }, @@ -4292,15 +4392,10 @@ "oid": { "type": "string", "title": "OID", - "description": "Object identifier of cryptographic asset" + "description": "The object identifier (OID) of the cryptographic asset." } } }, - "cryptoRef": { - "type": "string", - "title": "Reference to a Cryptographic Asset", - "description": "Reference (bom-ref) to the cryptographic asset used in this context" - }, "cipherSuite": { "type": "object", "title": "Cipher Suite", 
@@ -4310,7 +4405,7 @@ "name": { "type": "string", "title": "Common Name", - "description": "A common name for the cipher suite", + "description": "A common name for the cipher suite.", "examples": [ "TLS_DHE_RSA_WITH_AES_128_CCM" ] @@ -4318,17 +4413,17 @@ "algorithms": { "type": "array", "title": "Related Algorithms", - "description": "List of algorithms related to the cipher suite", + "description": "A list of algorithms related to the cipher suite.", "items": { - "$ref": "#/definitions/cryptoRef", + "$ref": "#/definitions/refType", "title": "Algorithm reference", - "description": "Bom-ref to algorithm cryptographic asset" + "description": "The bom-ref to algorithm cryptographic asset." } }, "identifiers": { "type": "array", "title": "Cipher Suite Identifiers", - "description": "A list of common identifiers for the cipher suite", + "description": "A list of common identifiers for the cipher suite.", "items": { "type": "string", "title": "identifier", @@ -4344,19 +4439,19 @@ "cryptoRefArray" : { "type": "array", "items": { - "$ref": "#/definitions/cryptoRef" + "$ref": "#/definitions/refType" } }, "securedBy": { "type": "object", "title": "Secured By", - "description": "Specifies the mechanism by which the crypto asset is secured by", + "description": "Specifies the mechanism by which the cryptographic asset is secured by", "additionalProperties": false, "properties": { "mechanism": { "type": "string", "title": "Mechanism", - "description": "Specifies the mechanism by which the crypto asset is secured by", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", "examples": [ "HSM", "TPM", @@ -4366,8 +4461,9 @@ ] }, "algorithmRef": { - "$ref": "#/definitions/cryptoRef", - "title": "Algorithm reference" + "$ref": "#/definitions/refType", + "title": "Algorithm Reference", + "description": "The bom-ref to the algorithm." } } } diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 5e218c47..a672e8d7 100644 --- a/schema/bom-1.6.xsd 
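Review bot: The `securedBy` object and its `mechanism` property both still read "Specifies the mechanism by which the cryptographic asset is secured by" — the sentence has two "by"s and only the word "crypto" was expanded. Use `"description": "Specifies the mechanism by which the cryptographic asset is secured."` on both lines. `cryptoRefArray` in the same hunk is the only definition in this area with neither `title` nor `description`; a one-liner such as `"description": "A list of bom-refs to cryptographic assets."` keeps the generated docs complete.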
+++ b/schema/bom-1.6.xsd @@ -634,6 +634,18 @@ limitations under the License. specified for other component types. + + + + Cryptographic assets have properties that uniquely define them and that make them actionable + for further reasoning. As an example, it makes a difference if one knows the algorithm family + (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the + security level and the algorithm primitive (authenticated encryption) is only defined by the + definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 + vs. HMAC-SHA1 also makes a difference. + + + @@ -997,6 +1009,11 @@ limitations under the License. A collection of discrete values that convey information. + + + Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. + + @@ -1826,6 +1843,11 @@ limitations under the License. References a component or service by its bom-ref attribute + + + An optional field that describes the type of dependency. + + User-defined attributes may be used on this element as long as they @@ -1834,6 +1856,37 @@ limitations under the License. + + + + + + Refers to a component or service that fulfills the requirements of a given specification or + standard. For example, a cryptographic library which implements a cryptographic algorithm. + A component which implements another component does not imply that the implementation is in use. + + + + + + + Refers to a component or service that relies on another component or service, either explicitly + via function calls or via configuration at run time. + + + + + + + Refers to a component or service that safeguards another component or service. For example, + a cryptographic component that protects a data component. A component or service which is + protected by another component or service does not imply that either are in use. + + + + + + 
@@ -5402,6 +5455,1152 @@ limitations under the License. + + + + Cryptographic assets have properties that uniquely define them and that make them actionable for + further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) + or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the + algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. + The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. + + + + + + + Cryptographic assets occur in several forms. Algorithms and protocols are most commonly + implemented in specialized cryptographic libraries. They may however also be 'hardcoded' + in software components. Certificates and related cryptographic material like keys, tokens, + secrets or passwords are other cryptographic assets to be modelled. + + + + + + + + Mathematical function commonly used for data encryption, authentication, and + digital signatures. + + + + + + + An electronic document that is used to provide the identity or validate a public key. + + + + + + + A set of rules and guidelines that govern the behavior and communication with each other. + + + + + + + Other cryptographic assets that are related to algorithms, certificate, and protocols + such as keys and tokens. + + + + + + + + + + Additional properties specific to a cryptographic algorithm. + + + + + + + + Cryptographic building blocks used in higher-level cryptographic systems and + protocols. Primitives represent different cryptographic routines: deterministic + random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message + authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), + streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), + public-key encryption schemes (pke, e.g. RSA), extended output functions + (xof, e.g. 
SHAKE256), key derivation functions (e.g. pbkdf2), key agreement + algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated + encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms + (combiner, e.g. SP800-56Cr2). + + + + + + + + Deterministic Random Bit Generator (DRBG) is a type of pseudorandom + number generator designed to produce a sequence of bits from an initial + seed value. DRBGs are commonly used in cryptographic applications where + reproducibility of random values is important. + + + + + + + In cryptography, a Message Authentication Code (MAC) is information + used for authenticating and integrity-checking a message. + + + + + + + A block cipher is a symmetric key algorithm that operates on fixed-size + blocks of data. It encrypts or decrypts the data in block units, + providing confidentiality. Block ciphers are widely used in various + cryptographic modes and protocols for secure data transmission. + + + + + + + A stream cipher is a symmetric key cipher where plaintext digits are + combined with a pseudorandom cipher digit stream (keystream). + + + + + + + In cryptography, a signature is a digital representation of a message + or data that proves its origin, identity, and integrity. Digital + signatures are generated using cryptographic algorithms and are widely + used for authentication and verification in secure communication. + + + + + + + A hash function is a mathematical algorithm that takes an input + (or 'message') and produces a fixed-size string of characters, which is + typically a hash value. Hash functions are commonly used in various + cryptographic applications, including data integrity verification and + password hashing. + + + + + + + Public Key Encryption (PKE) is a type of encryption that uses a pair of + public and private keys for secure communication. The public key is used + for encryption, while the private key is used for decryption. 
PKE is a + fundamental component of public-key cryptography. + + + + + + + An XOF is an extendable output function that can take arbitrary input + and creates a stream of output, up to a limit determined by the size of + the internal state of the hash function that underlies the XOF. + + + + + + + A Key Derivation Function (KDF) derives key material from another source + of entropy while preserving the entropy of the input. + + + + + + + In cryptography, a key-agreement is a protocol whereby two or more + parties agree on a cryptographic key in such a way that both influence + the outcome. + + + + + + + A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for + transporting random keying material to a recipient using the recipient's + public key. + + + + + + + Authenticated Encryption (AE) is a cryptographic process that provides + both confidentiality and data integrity. It ensures that the encrypted + data has not been tampered with and comes from a legitimate source. + AE is commonly used in secure communication protocols. + + + + + + + A combiner aggregates many candidates for a cryptographic primitive and + generates a new candidate for the same primitive. + + + + + + + Another primitive type. + + + + + + + The primitive is not known. + + + + + + + + + + An identifier for the parameter set of the cryptographic algorithm. Examples: in + AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the + digest length, '128' in SHAKE128 identifies its maximum security level in bits, and + 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). + + + + + + + The specific underlying Elliptic Curve (EC) definition employed which is an indicator + of the level of security strength, performance and complexity. Absent an + authoritative source of curve names, CycloneDX recommends use of curve names as + defined at https://neuromancer.sk/std/, the source from which can be found at + https://github.com/J08nY/std-curves. 
+ + + + + + + The target and execution environment in which the algorithm is implemented in. + + + + + + + + A software implementation running in plain unencrypted RAM. + + + + + + + A software implementation running in encrypted RAM. + + + + + + A software implementation running in a trusted execution environment. + + + + + + A hardware implementation. + + + + + + Another implementation environment. + + + + + + The execution environment is not known. + + + + + + + + + + The target platform for which the algorithm is implemented. The implementation can + be 'generic', running on any platform or for a specific platform. + + + + + + + + + + + + + + + + + + + + + + + + + The certification that the implementation of the cryptographic algorithm has + received, if any. Certifications include revisions and levels of FIPS 140 or + Common Criteria of different Extended Assurance Levels (CC-EAL). + + + + + + + + No certification obtained + + + + + + + FIPS 140-1 Level 1 + + + + + + + FIPS 140-1 Level 2 + + + + + + + FIPS 140-1 Level 3 + + + + + + + FIPS 140-1 Level 4 + + + + + + + FIPS 140-2 Level 1 + + + + + + + FIPS 140-2 Level 2 + + + + + + + FIPS 140-2 Level 3 + + + + + + + FIPS 140-2 Level 4 + + + + + + + FIPS 140-3 Level 1 + + + + + + + FIPS 140-3 Level 2 + + + + + + + FIPS 140-3 Level 3 + + + + + + + FIPS 140-3 Level 4 + + + + + + + Common Criteria - Evaluation Assurance Level 1 + + + + + + + Common Criteria - Evaluation Assurance Level 1 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 2 + + + + + + + Common Criteria - Evaluation Assurance Level 2 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 3 + + + + + + + Common Criteria - Evaluation Assurance Level 3 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 4 + + + + + + + Common Criteria - Evaluation Assurance Level 4 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 5 + + + + + + + Common Criteria - Evaluation Assurance Level 5 
(Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 6 + + + + + + + Common Criteria - Evaluation Assurance Level 6 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 7 + + + + + + + Common Criteria - Evaluation Assurance Level 7 (Augmented) + + + + + + + Another certification + + + + + + + The certification level is not known + + + + + + + + + + The mode of operation in which the cryptographic algorithm (block cipher) is used. + + + + + + + + Cipher block chaining + + + + + + + Electronic codebook + + + + + + + Counter with cipher block chaining message authentication code + + + + + + + Galois/counter + + + + + + + Cipher feedback + + + + + + + Output feedback + + + + + + + Counter + + + + + + + Another mode of operation + + + + + + + The mode of operation is not known + + + + + + + + + + The padding scheme that is used for the cryptographic algorithm. + + + + + + + + Password-Based Cryptography Specification #5 + + + + + + + Public Key Cryptography Standard: Cryptographic Message Syntax + + + + + + + Public Key Cryptography Standard: RSA Cryptography v1.5 + + + + + + + Optimal asymmetric encryption padding + + + + + + + Raw + + + + + + + Another padding scheme + + + + + + + The padding scheme is not known + + + + + + + + + + The cryptographic functions implemented by the cryptographic algorithm. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The classical security level that a cryptographic algorithm provides (in bits). + + + + + + + + + + + + The NIST security strength category as defined in + https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). + A value of 0 indicates that none of the categories are met. 
+ + + + + + + + + + + + + + + + Properties for cryptographic assets of asset type 'certificate' + + + + + + + + The subject name for the certificate + + + + + + + The issuer name for the certificate + + + + + + + The date and time according to ISO-8601 standard from which the certificate is valid + + + + + + + The date and time according to ISO-8601 standard from which the certificate is not valid anymore + + + + + + + The bom-ref to signature algorithm used by the certificate + + + + + + + The bom-ref to the public key of the subject + + + + + + + The format of the certificate. Examples include X.509, PEM, DER, and CVC + + + + + + + The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + + + + + + + + + + Properties for cryptographic assets of asset type 'relatedCryptoMaterial' + + + + + + + + The type for the related cryptographic material + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The optional unique identifier for the related cryptographic material. + + + + + + + The key state as defined by NIST SP 800-57. + + + + + + + + + + + + + + + + + The bom-ref to the algorithm used to generate the related cryptographic material. + + + + + + + The date and time (timestamp) when the related cryptographic material was created. + + + + + + + The date and time (timestamp) when the related cryptographic material was activated. + + + + + + + The date and time (timestamp) when the related cryptographic material was updated. + + + + + + + The date and time (timestamp) when the related cryptographic material expires. + + + + + + + The associated value of the cryptographic material. + + + + + + + The size of the cryptographic asset (in bits). + + + + + + + The format of the related cryptographic material (e.g. P8, PEM, DER). + + + + + + + The mechanism by which the cryptographic asset is secured by. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. 
+ Examples include HSM, TPM, XGX, Software, and None. + + + + + + + The bom-ref to the algorithm. + + + + + + + + + + + + + Properties specific to cryptographic assets of type: 'protocol'. + + + + + + + + The concrete protocol type. + + + + + + + + Transport Layer Security + + + + + + + Secure Shell + + + + + + + Internet Protocol Security + + + + + + + Internet Key Exchange + + + + + + + Secure Socket Tunneling Protocol + + + + + + + Wi-Fi Protected Access + + + + + + + Another protocol type + + + + + + + The protocol type is not known + + + + + + + + + + The version of the protocol. Examples include 1.0, 1.2, and 1.99. + + + + + + + A list of cipher suites related to the protocol. + + + + + + + + + + + A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM + + + + + + + A list of algorithms related to the cipher suite. + + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + A list of common identifiers for the cipher suite. + + + + + + + + Cipher suite identifier. Examples include 0xC0 and 0x9E. + + + + + + + + + + + + + + + + The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, + and additional properties. + + + + + + + + Transform Type 1: encryption algorithms + + + + + + + Transform Type 2: pseudorandom functions + + + + + + + Transform Type 3: integrity algorithms + + + + + + + Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) + + + + + + + Specifies if an Extended Sequence Number (ESN) is used. + + + + + + + IKEv2 Authentication method + + + + + + + + + + + + + The object identifier (OID) of the cryptographic asset. + + + + + + diff --git a/tools/src/test/js/json-schema-lint-tests.js b/tools/src/test/js/json-schema-lint-tests.js index 2afd4bcb..651ef18f 100644 --- a/tools/src/test/js/json-schema-lint-tests.js +++ b/tools/src/test/js/json-schema-lint-tests.js 
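Review bot: The XSD text is out of step with the JSON schema it mirrors in this commit: the related-crypto-material section is still introduced as "Properties for cryptographic assets of asset type 'relatedCryptoMaterial'" although the JSON hunk renames that asset type to `related-crypto-material`, and the `pkcs5` padding text ("Password-Based Cryptography Specification #5") differs from the JSON `meta:enum` wording. The `securedBy` example list names "XGX", which looks like a typo for SGX (Intel Software Guard Extensions) — please confirm. The element and enumeration markup is not visible in this view, so the enumeration values themselves could not be checked against the JSON enum; a test that compares the two value sets would catch drift like this automatically.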
@@ -49,6 +49,7 @@ function getAjv(strict) {
 validateFormats: true,
 allowMatchingProperties: true,
 addUsedSchema: false,
+ keywords: ["meta:enum"],
 schemas: {
 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema,
 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema
diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-1.6.json
new file mode 100644
index 00000000..1a9dfb5a
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.json
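Review bot: Listing `meta:enum` as a bare string in `keywords` only stops ajv's strict mode from rejecting the keyword; as far as I read ajv's option, a string entry registers a no-op keyword, so the value is never checked and a `meta:enum` map whose keys drift from the sibling `enum` (the two lists are maintained by hand elsewhere in this series) passes the lint unnoticed. A definition pins at least the shape, `keywords: [{ keyword: "meta:enum", schemaType: "object" }],`; checking that every `meta:enum` key is one of the sibling `enum` values needs a separate walk over the loaded schemas, because keyword `validate` hooks run against instance data rather than the schema itself. The `getAjv` options object continues outside the hunk.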
@@ -0,0 +1,71 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "metadata": {
+ "component": {
+ "type": "application",
+ "bom-ref": "acme-application",
+ "name": "Acme Application",
+ "version": "1.0"
+ }
+ },
+ "components": [
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "aes128gcm",
+ "name": "AES",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "ae",
+ "parameterSetIdentifier": "128",
+ "executionEnvironment": "software-plain-ram",
+ "implementationPlatform": "x86_64",
+ "certificationLevel": "none",
+ "mode": "gcm",
+ "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"],
+ "classicalSecurityLevel": 128,
+ "nistQuantumSecurityLevel": 1
+ },
+ "oid": "oid:2.16.840.1.101.3.4.1.6"
+ }
+ },
+ {
+ "type": "library",
+ "bom-ref": "crypto-library",
+ "name": "Crypto library",
+ "version": "1.0.0"
+ },
+ {
+ "type": "data",
+ "bom-ref": "some-data",
+ "name": "Some Data",
+ "data": [
+ {
+ "type": "dataset",
+ "classification": "confidential",
+ "sensitiveData": [ "Highly sensitive data including all PII fields and some PHI" ]
+ }
+ ]
+ }
+ ],
+ "dependencies": [
+ {
+ "ref": "acme-application",
+ "type": "uses",
+ "dependsOn": ["crypto-library"]
+ },
+ {
+ "ref": "crypto-library",
+ "type": "implements",
+ "dependsOn": ["aes128gcm"]
+ },
+ {
+ "ref": "some-data",
+ "type": "protected-by",
+ "dependsOn": [ "crypto-library" ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto
new file mode 100644
index 00000000..99ef7699
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto
@@ -0,0 +1,77 @@
+spec_version: "1.6"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+metadata: {
+ component: {
+ type: CLASSIFICATION_APPLICATION
+ bom_ref: "acme-application"
+ name: "Acme Application"
+ version: "1.0"
+ }
+}
+components: [
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "aes128gcm"
+ name: "AES"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_ALGORITHM
+ algorithmProperties: {
+ primitive: CRYPTO_PRIMITIVE_AE
+ parameterSetIdentifier: "128"
+ executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM
+ implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64
+ certificationLevel: "none",
+ mode: CRYPTO_ALGORITHM_MODE_GCM
+ cryptoFunctions: [
+ CRYPTO_ALGORITHM_FUNCTION_KEYGEN,
+ CRYPTO_ALGORITHM_FUNCTION_ENCRYPT,
+ CRYPTO_ALGORITHM_FUNCTION_DECRYPT,
+ CRYPTO_ALGORITHM_FUNCTION_TAG
+ ]
+ classicalSecurityLevel: 128
+ nistQuantumSecurityLevel: 1
+ },
+ oid: "oid:2.16.840.1.101.3.4.1.6"
+ }
+ },
+ {
+ type: CLASSIFICATION_LIBRARY
+ bom_ref: "crypto-library"
+ name: "Crypto library"
+ version: "1.0.0"
+ },
+ {
+ type: CLASSIFICATION_DATA
+ bom_ref: "some-data"
+ name: "Some Data"
+ data: {
+ type: COMPONENT_DATA_TYPE_DATASET
+ classification: "confidential"
+ sensitiveData: [ "Highly sensitive data including all PII fields and some PHI" ]
+ }
+ }
+],
+dependencies: [
+ {
+ ref: "acme-application"
+ type: DEPENDENCY_TYPE_USES
+ dependencies {
+ ref: "crypto-library"
+ }
+ },
+ {
+ ref: "crypto-library"
+ type: DEPENDENCY_TYPE_IMPLEMENTS
+ dependencies {
+ ref: "aes128gcm"
+ }
+ },
+ {
+ ref: "some-data"
+ type: DEPENDENCY_TYPE_PROTECTED_BY
+ dependencies {
+ ref: "crypto-library"
+ }
+ }
+]
diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-1.6.xml
new file mode 100644
index 00000000..97baac72
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.xml
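Review bot: `certificationLevel: "none",` is the only field in the file written with a trailing comma while every other field is newline-separated; text format accepts `,` between fields, so it parses, but the mixed style reads like a leftover from the JSON twin and is worth dropping for consistency (the same line appears in valid-cryptography-full-1.6.textproto). The JSON fixture in this commit is also the only one of the three that is exercised for `dependsOn` ordering; the textproto nests `dependencies { ref: ... }` per the proto, which is correct but differs enough that a comment naming the JSON file it mirrors would help whoever edits one without the other.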
@@ -0,0 +1,57 @@ + + + + + Acme Application + 1.0 + + + + + AES + + algorithm + + ae + 128 + software-plain-ram + x86_64 + none + gcm + + keygen + encrypt + decrypt + tag + + 128 + 1 + + oid:2.16.840.1.101.3.4.1.6 + + + + Crypto Library + 1.0.0 + + + Some Data + + dataset + confidential + Highly sensitive data including all PII fields and some PHI + + + + + + + + + + + + + + + diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json new file mode 100644 index 00000000..af88e859 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json 
@@ -0,0 +1,99 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-1",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "ae",
+ "parameterSetIdentifier": "128",
+ "curve": "brainpoolP160r1",
+ "executionEnvironment": "software-plain-ram",
+ "implementationPlatform": "x86_64",
+ "certificationLevel": "fips140-1-l4",
+ "mode": "gcm",
+ "padding": "pkcs5",
+ "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"],
+ "classicalSecurityLevel": 128,
+ "nistQuantumSecurityLevel": 1
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-2",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "certificate",
+ "certificateProperties": {
+ "subjectName": "Subject name here",
+ "issuerName": "Issuer name here",
+ "notValidBefore": "2022-01-01T00:00:00.000Z",
+ "notValidAfter": "2024-01-01T00:00:00.000Z",
+ "signatureAlgorithm": "bom-ref-to-algorithm",
+ "subjectPublicKey": "bom-ref-to-public-key",
+ "certificateFormat": "X.509",
+ "certificateExtension": "crt"
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-3",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "protocol",
+ "protocolProperties": {
+ "type": "tls",
+ "version": "1.3",
+ "cipherSuites": [
+ {
+ "name": "TLS_DHE_RSA_WITH_AES_128_CCM",
+ "algorithms": [
+ "bom-ref-to-algorithm"
+ ],
+ "identifiers": [
+ "0xC0"
+ ]
+ }
+ ]
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-4",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "related-crypto-material",
+ "relatedCryptoMaterialProperties": {
+ "type": "private-key",
+ "id": "12345",
+ "state": "active",
+ "algorithmRef": "bom-ref-to-algorithm",
+ "creationDate": "2024-01-01T00:00:00.000Z",
+ "activationDate": "2024-01-02T00:00:00.000Z",
+ "updateDate": "2024-01-03T00:00:00.000Z",
+ "expirationDate": "2024-01-04T00:00:00.000Z",
+ "value": "Value here",
+ "size": 1024,
+ "format": "PEM",
+ "securedBy": {
+ "mechanism": "HSM",
+ "algorithmRef": "bom-ref-to-algorithm"
+ }
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto
new file mode 100644
index 00000000..fc985e0a
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto
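Review bot: Every reference-valued field in this fixture points at a bom-ref that the document does not declare: `signatureAlgorithm` and `subjectPublicKey` in asset-2, the cipher suite's `algorithms` entry in asset-3, and both `algorithmRef`s in asset-4 hold `bom-ref-to-algorithm` / `bom-ref-to-public-key`, while the only declared refs are `asset-1` through `asset-4`. Schema validation will not catch this (a later hunk in this series types these properties as `refType`, which as far as I read the definitions is not required to resolve inside the BOM), but any consumer that follows links, which is the point of a CBOM, rejects the file, and a "valid" fixture should survive that. Pointing the algorithm references at `"asset-1"` and adding a fifth related-crypto-material component representing the public key for `subjectPublicKey` keeps the file self-contained. Separately, asset-1 combines `curve`, `mode: gcm` and `padding: pkcs5` on one `ae` algorithm; an AEAD block-cipher mode takes neither a curve nor PKCS#5 padding, which is acceptable for a field-coverage fixture but deserves a note in the test name so nobody copies it as a real example.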
@@ -0,0 +1,119 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components: [ + { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-1" + name: "Name here" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties: { + primitive: CRYPTO_PRIMITIVE_AE + parameterSetIdentifier: "128" + curve: "brainpoolP160r1" + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "fips140-1-l4" + mode: CRYPTO_ALGORITHM_MODE_GCM + padding: CRYPTO_ALGORITHM_PADDING_PKCS5 + cryptoFunctions: [ + CRYPTO_ALGORITHM_FUNCTION_KEYGEN, + CRYPTO_ALGORITHM_FUNCTION_ENCRYPT, + CRYPTO_ALGORITHM_FUNCTION_DECRYPT, + CRYPTO_ALGORITHM_FUNCTION_TAG + ] + classicalSecurityLevel: 128 + nistQuantumSecurityLevel: 1 + }, + oid: "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-2" + name: "Name here" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_CERTIFICATE + certificateProperties: { + subjectName: "Subject name here" + issuerName: "Issuer name here" + notValidBefore { + seconds: 3173618478 + nanos: 3 + } + notValidAfter { + seconds: 3173618478 + nanos: 3 + } + signatureAlgorithm: "bom-ref-to-algorithm" + subjectPublicKey: "bom-ref-to-public-key" + certificateFormat: "X.509" + certificateExtension: "crt" + } + oid: "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-3" + name: "Name here" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_PROTOCOL + protocolProperties: { + type: CRYPTO_PROTOCOL_TYPE_TLS + version: "1.3" + cipherSuites: [ + { + name: "TLS_DHE_RSA_WITH_AES_128_CCM" + algorithms: [ + "bom-ref-to-algorithm" + ] + identifiers: [ + "0xC0" + ] + } + ] + } + oid: "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-4" + name: "Name here" + cryptoProperties: { + 
assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL + relatedCryptoMaterialProperties: { + type: CRYPTO_RELATED_TYPE_PRIVATE_KEY + id: "12345" + state: CRYPTO_RELATED_STATE_ACTIVE + algorithmRef: "bom-ref-to-algorithm" + creationDate { + seconds: 3173618478 + nanos: 3 + } + activationDate { + seconds: 3173618478 + nanos: 3 + } + updateDate { + seconds: 3173618478 + nanos: 3 + } + expirationDate { + seconds: 3173618478 + nanos: 3 + } + value: "Value here" + size: 1024 + format: "PEM" + securedBy: { + mechanism: "HSM" + algorithmRef: "bom-ref-to-algorithm" + } + } + oid: "oid:1.2.3.4.5.6.7.8.9" + } + } +] diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml new file mode 100644 index 00000000..5fed9e98 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml @@ -0,0 +1,93 @@ + + + + + Name here + + algorithm + + ae + 128 + brainpoolP160r1 + software-plain-ram + x86_64 + fips140-1-l4 + gcm + pkcs5 + + keygen + encrypt + decrypt + tag + + 128 + 1 + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + certificate + + Subject name here + Issuer name here + 2022-01-01T00:00:00.000Z + 2024-01-01T00:00:00.000Z + bom-ref-to-algorithm + bom-ref-to-public-key + X.509 + crt + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + protocol + + tls + 1.3 + + + TLS_DHE_RSA_WITH_AES_128_CCM + + bom-ref-to-algorithm + + + 0xC0 + + + + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + related-crypto-material + + private-key + 12345 + active + bom-ref-to-algorithm + 2024-01-01T00:00:00.000Z + 2024-01-02T00:00:00.000Z + 2024-01-03T00:00:00.000Z + 2024-01-04T00:00:00.000Z + Value here + 1024 + PEM + + HSM + bom-ref-to-algorithm + + + oid:1.2.3.4.5.6.7.8.9 + + + + From 81858fec82a7af3211ad68adb9e7203ae875791a Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 21 Jan 2024 20:34:31 -0600 Subject: [PATCH 17/22] Removing support for protected-by dependency type 
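Review bot: Every Timestamp in this file carries the same `seconds: 3173618478 nanos: 3`, so `notValidBefore` equals `notValidAfter` in `certificateProperties`, and `creationDate`, `activationDate`, `updateDate` and `expirationDate` in `relatedCryptoMaterialProperties` all coincide; the JSON and XML twins of this fixture use distinct 2022/2024 dates, and 3173618478 s after the epoch falls around 2070, so the three formats no longer describe the same document. Using the epoch seconds of the JSON dates (constructed values: `seconds: 1640995200` for 2022-01-01T00:00:00Z and `seconds: 1704067200` for 2024-01-01T00:00:00Z, with `nanos` omitted) restores a validity window whose before/after actually differ, which is what a consumer comparing certificate lifetimes across formats would need.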
Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 1 - schema/bom-1.6.schema.json | 6 ++---- schema/bom-1.6.xsd | 9 --------- .../resources/1.6/valid-cryptography-1.6.json | 17 ----------------- .../1.6/valid-cryptography-1.6.textproto | 17 ----------------- .../resources/1.6/valid-cryptography-1.6.xml | 11 ----------- 6 files changed, 2 insertions(+), 59 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 87963505..c8aae923 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -170,7 +170,6 @@ message Dependency { enum DependencyType { DEPENDENCY_TYPE_IMPLEMENTS = 0; DEPENDENCY_TYPE_USES = 1; - DEPENDENCY_TYPE_PROTECTED_BY = 2; } // References a component or service by the its bom-ref attribute string ref = 1; diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index eae7430b..cfb3c026 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
@@ -3850,13 +3850,11 @@ "title": "Dependency Type", "enum": [ "implements", - "uses", - "protected-by" + "uses" ], "meta:enum": { "implements": "Refers to a component or service that fulfills the requirements of a given specification or standard. For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use.", - "uses": "Refers to a component or service that relies on another component or service, either explicitly via function calls or via configuration at run time.", - "protected-by": "Refers to a component or service that safeguards another component or service. For example, a cryptographic component that protects a data component. A component or service which is protected by another component or service does not imply that either are in use." + "uses": "Refers to a component or service that relies on another component or service, either explicitly via function calls or via configuration at run time." }, "default": "uses", "description": "An optional field that describes the type of dependency." diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index a672e8d7..0ce2fb82 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1875,15 +1875,6 @@ limitations under the License. - - - - Refers to a component or service that safeguards another component or service. For example, - a cryptographic component that protects a data component. A component or service which is - protected by another component or service does not imply that either are in use. - - - diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-1.6.json index 1a9dfb5a..00f8f20d 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.json +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.json 
@@ -37,18 +37,6 @@ "bom-ref": "crypto-library", "name": "Crypto library", "version": "1.0.0" - }, - { - "type": "data", - "bom-ref": "some-data", - "name": "Some Data", - "data": [ - { - "type": "dataset", - "classification": "confidential", - "sensitiveData": [ "Highly sensitive data including all PII fields and some PHI" ] - } - ] } ], "dependencies": [ @@ -61,11 +49,6 @@ "ref": "crypto-library", "type": "implements", "dependsOn": ["aes128gcm"] - }, - { - "ref": "some-data", - "type": "protected-by", - "dependsOn": [ "crypto-library" ] } ] } diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto index 99ef7699..e3de29b1 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto @@ -40,16 +40,6 @@ components: [ bom_ref: "crypto-library" name: "Crypto library" version: "1.0.0" - }, - { - type: CLASSIFICATION_DATA - bom_ref: "some-data" - name: "Some Data" - data: { - type: COMPONENT_DATA_TYPE_DATASET - classification: "confidential" - sensitiveData: [ "Highly sensitive data including all PII fields and some PHI" ] - } } ], dependencies: [ @@ -66,12 +56,5 @@ dependencies: [ dependencies { ref: "aes128gcm" } - }, - { - ref: "some-data" - type: DEPENDENCY_TYPE_PROTECTED_BY - dependencies { - ref: "crypto-library" - } } ] diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-1.6.xml index 97baac72..4639eb5c 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.xml +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.xml @@ -34,14 +34,6 @@ Crypto Library 1.0.0 - - Some Data - - dataset - confidential - Highly sensitive data including all PII fields and some PHI - - @@ -50,8 +42,5 @@ - - - From 82ddeb04a2563b7821841c9e2cd6c40802815491 Mon Sep 17 00:00:00 2001 
From: Steve Springett Date: Sun, 21 Jan 2024 20:55:41 -0600 Subject: [PATCH 18/22] Updated signatureAlgorithm and subjectPublicKey to include 'Ref'. Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 4 ++-- schema/bom-1.6.schema.json | 4 ++-- schema/bom-1.6.xsd | 4 ++-- tools/src/test/resources/1.6/valid-cryptography-full-1.6.json | 4 ++-- .../test/resources/1.6/valid-cryptography-full-1.6.textproto | 4 ++-- tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index c8aae923..1a89fb41 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1615,9 +1615,9 @@ message CryptoProperties { // The date and time according to ISO-8601 standard from which the certificate is not valid anymore optional google.protobuf.Timestamp notValidAfter = 4; // The bom-ref to signature algorithm used by the certificate - optional string signatureAlgorithm = 5; + optional string signatureAlgorithmRef = 5; // The bom-ref to the public key of the subject - optional string subjectPublicKey = 6; + optional string subjectPublicKeyRef = 6; // The format of the certificate. Examples include X.509, PEM, DER, and CVC. optional string certificateFormat = 7; // The file extension of the certificate. Examples include crt, pem, cer, der, and p12. diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index cfb3c026..ef8f18d3 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
@@ -4162,12 +4162,12 @@ "title": "Not Valid After", "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore" }, - "signatureAlgorithm": { + "signatureAlgorithmRef": { "$ref": "#/definitions/refType", "title": "Algorithm Reference", "description": "The bom-ref to signature algorithm used by the certificate" }, - "subjectPublicKey": { + "subjectPublicKeyRef": { "$ref": "#/definitions/refType", "title": "Key reference", "description": "The bom-ref to the public key of the subject" diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 0ce2fb82..baca0eda 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -6205,14 +6205,14 @@ limitations under the License. - + The bom-ref to signature algorithm used by the certificate - + The bom-ref to the public key of the subject diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json index af88e859..bd12cbbd 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json @@ -37,8 +37,8 @@ "issuerName": "Issuer name here", "notValidBefore": "2022-01-01T00:00:00.000Z", "notValidAfter": "2024-01-01T00:00:00.000Z", - "signatureAlgorithm": "bom-ref-to-algorithm", - "subjectPublicKey": "bom-ref-to-public-key", + "signatureAlgorithmRef": "bom-ref-to-algorithm", + "subjectPublicKeyRef": "bom-ref-to-public-key", "certificateFormat": "X.509", "certificateExtension": "crt" }, diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto index fc985e0a..caf46df1 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto 
@@ -46,8 +46,8 @@ components: [ seconds: 3173618478 nanos: 3 } - signatureAlgorithm: "bom-ref-to-algorithm" - subjectPublicKey: "bom-ref-to-public-key" + signatureAlgorithmRef: "bom-ref-to-algorithm" + subjectPublicKeyRef: "bom-ref-to-public-key" certificateFormat: "X.509" certificateExtension: "crt" } diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml index 5fed9e98..0e151a34 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml @@ -35,8 +35,8 @@ Issuer name here 2022-01-01T00:00:00.000Z 2024-01-01T00:00:00.000Z - bom-ref-to-algorithm - bom-ref-to-public-key + bom-ref-to-algorithm + bom-ref-to-public-key X.509 crt From 9a9fab8377d218c4daa32406c7ee562136b3d1f8 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 22 Jan 2024 22:54:32 -0600 Subject: [PATCH 19/22] Added missing evidence in XSD and Protobuf originally missed when porting. Minor changes to JSON schema. Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 8 ++++++++ schema/bom-1.6.schema.json | 2 ++ schema/bom-1.6.xsd | 23 ++++++++++++++++++++++- 3 files changed, 32 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 0b4df631..83c8dce6 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -726,6 +726,14 @@ message EvidenceOccurrences { optional string bom_ref = 1; // The location or path to where the component was found. string location = 2; + // The line number where the component was found. + optional int32 lineNumber = 3; + // The offset where the component was found. + optional int32 offset = 4; + // The symbol name that was found associated with the component. + optional string symbol = 5; + // Any additional context of the detected component (e.g. a code snippet). + optional string additionalContext = 6; } enum EvidenceFieldType { 
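Review bot: The new `lineNumber` and `offset` fields are `int32`, which admits negative values, while the bom-1.6.schema.json hunk that follows in this commit adds `"minimum": 0` to both; `optional uint32 lineNumber = 3;` and `optional uint32 offset = 4;` would express the same constraint in this format so the two schemas stay in step. The comment on `additionalContext` says "e.g. a code snippet"; since a BOM is usually distributed further than the source it was generated from, the comment should tell producers not to copy secrets found next to the detected component into this field, e.g. `// Any additional context of the detected component (e.g. a code snippet). Producers must not include credentials or other secrets.` The `EvidenceOccurrences` message starts outside the hunk.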
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index da1011b4..0243e2a4 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -2030,11 +2030,13 @@ }, "lineNumber": { "type": "integer", + "minimum": 0, "title": "Line Number", "description": "The line number where the component was found." }, "offset": { "type": "integer", + "minimum": 0, "title": "Offset", "description": "The offset where the component was found." }, diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 7ed436b9..96ee9090 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -2367,11 +2367,32 @@ limitations under the License. - + The location or path to where the component was found. + + + The line number where the component was found. + + + + + The offset where the component was found. + + + + + The symbol name that was found associated with the component. + + + + + Any additional context of the detected component (e.g. a code snippet). + + + From 3446cce296c6ceb899785e9c0d29693c195778d5 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 23 Jan 2024 12:22:21 -0600 Subject: [PATCH 20/22] Made certificationLevel an array. Updated test cases. Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.schema.json | 127 +++++++++--------- schema/bom-1.6.xsd | 2 +- .../resources/1.6/valid-cryptography-1.6.json | 2 +- .../1.6/valid-cryptography-1.6.textproto | 2 +- .../1.6/valid-cryptography-full-1.6.json | 2 +- .../1.6/valid-cryptography-full-1.6.textproto | 2 +- 7 files changed, 71 insertions(+), 68 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 83c8dce6..9bce71e7 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto 
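Review bot: `"minimum": 0` settles the sign but the descriptions leave the numbering convention open: whether `lineNumber` is 1-based (in which case 0 is an invalid value and `"minimum": 1` would be the tighter bound) and whether `offset` counts bytes or characters, from the start of the file or of the line. Whichever is intended, say it in the two descriptions, e.g. `"description": "The line number where the component was found (1-based)."` and `"description": "The offset, in <bytes|characters>, from the start of <file|line> where the component was found."` with the placeholders resolved to the project's choice; the bom-1.6.xsd hunk in the same commit carries the same two descriptions and needs the same wording. The enclosing `occurrences` item schema starts outside the hunk.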
@@ -1800,7 +1800,7 @@ message CryptoProperties {
 // The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.
 optional CryptoImplementationPlatform implementationPlatform = 5;
 // The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).
- optional string certificationLevel = 6;
+ repeated string certificationLevel = 6;
 // The mode of operation in which the cryptographic algorithm (block cipher) is used.
 optional CryptoAlgorithmMode mode = 7;
 // The padding scheme that is used for the cryptographic algorithm.
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index 0243e2a4..f33aaa71 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
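Review bot: `repeated string certificationLevel` keeps the value free-form in this format while the bom-1.6.schema.json hunk that follows restricts it to a closed list (`none`, `fips140-*`, `cc-eal*`, `other`, `unknown`); the neighbouring fields `implementationPlatform` and `mode` are typed with enums in this same message, so a `CryptoCertificationLevel` enum mirroring that list would keep the three formats in step and let protobuf consumers reject a mistyped level (constructed example: `fips140-2-14`) instead of silently accepting it. If an enum is adopted, the textproto fixtures touched in this commit (`certificationLevel: [ "none" ]`) change to enum identifiers. The `CryptoProperties` message starts and ends outside the hunk.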
@@ -4736,70 +4736,73 @@ ] }, "certificationLevel": { - "type": "string", + "type": "array", "title": "Certification Level", "description": "The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", - "enum": [ - "none", - "fips140-1-l1", - "fips140-1-l2", - "fips140-1-l3", - "fips140-1-l4", - "fips140-2-l1", - "fips140-2-l2", - "fips140-2-l3", - "fips140-2-l4", - "fips140-3-l1", - "fips140-3-l2", - "fips140-3-l3", - "fips140-3-l4", - "cc-eal1", - "cc-eal1+", - "cc-eal2", - "cc-eal2+", - "cc-eal3", - "cc-eal3+", - "cc-eal4", - "cc-eal4+", - "cc-eal5", - "cc-eal5+", - "cc-eal6", - "cc-eal6+", - "cc-eal7", - "cc-eal7+", - "other", - "unknown" - ], - "meta:enum": { - "none": "No certification obtained", - "fips140-1-l1": "FIPS 140-1 Level 1", - "fips140-1-l2": "FIPS 140-1 Level 2", - "fips140-1-l3": "FIPS 140-1 Level 3", - "fips140-1-l4": "FIPS 140-1 Level 4", - "fips140-2-l1": "FIPS 140-2 Level 1", - "fips140-2-l2": "FIPS 140-2 Level 2", - "fips140-2-l3": "FIPS 140-2 Level 3", - "fips140-2-l4": "FIPS 140-2 Level 4", - "fips140-3-l1": "FIPS 140-3 Level 1", - "fips140-3-l2": "FIPS 140-3 Level 2", - "fips140-3-l3": "FIPS 140-3 Level 3", - "fips140-3-l4": "FIPS 140-3 Level 4", - "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", - "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", - "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", - "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", - "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", - "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", - "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", - "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", - "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", - "cc-eal5+": "Common 
Criteria - Evaluation Assurance Level 5 (Augmented)", - "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", - "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", - "cc-eal7": "Common Criteria - Evaluation Assurance Level 7", - "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", - "other": "Another certification", - "unknown": "The certification level is not known" + "items": { + "type": "string", + "enum": [ + "none", + "fips140-1-l1", + "fips140-1-l2", + "fips140-1-l3", + "fips140-1-l4", + "fips140-2-l1", + "fips140-2-l2", + "fips140-2-l3", + "fips140-2-l4", + "fips140-3-l1", + "fips140-3-l2", + "fips140-3-l3", + "fips140-3-l4", + "cc-eal1", + "cc-eal1+", + "cc-eal2", + "cc-eal2+", + "cc-eal3", + "cc-eal3+", + "cc-eal4", + "cc-eal4+", + "cc-eal5", + "cc-eal5+", + "cc-eal6", + "cc-eal6+", + "cc-eal7", + "cc-eal7+", + "other", + "unknown" + ], + "meta:enum": { + "none": "No certification obtained", + "fips140-1-l1": "FIPS 140-1 Level 1", + "fips140-1-l2": "FIPS 140-1 Level 2", + "fips140-1-l3": "FIPS 140-1 Level 3", + "fips140-1-l4": "FIPS 140-1 Level 4", + "fips140-2-l1": "FIPS 140-2 Level 1", + "fips140-2-l2": "FIPS 140-2 Level 2", + "fips140-2-l3": "FIPS 140-2 Level 3", + "fips140-2-l4": "FIPS 140-2 Level 4", + "fips140-3-l1": "FIPS 140-3 Level 1", + "fips140-3-l2": "FIPS 140-3 Level 2", + "fips140-3-l3": "FIPS 140-3 Level 3", + "fips140-3-l4": "FIPS 140-3 Level 4", + "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", + "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", + "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", + "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", + "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", + "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", + "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", + "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", 
+ "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", + "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", + "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", + "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", + "cc-eal7": "Common Criteria - Evaluation Assurance Level 7", + "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", + "other": "Another certification", + "unknown": "The certification level is not known" + } } }, "mode": { diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 96ee9090..ba5a7bb8 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -5852,7 +5852,7 @@ limitations under the License. - + The certification that the implementation of the cryptographic algorithm has diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-1.6.json index 00f8f20d..b498646a 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.json +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.json @@ -23,7 +23,7 @@ "parameterSetIdentifier": "128", "executionEnvironment": "software-plain-ram", "implementationPlatform": "x86_64", - "certificationLevel": "none", + "certificationLevel": [ "none" ], "mode": "gcm", "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"], "classicalSecurityLevel": 128, diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto index e3de29b1..ccc3dbb0 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto 
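Review bot: The array form has no `"uniqueItems": true`, so `["fips140-2-l2", "fips140-2-l2"]` is accepted; adding `"uniqueItems": true,` beside `"type": "array"` is the one-line fix. `none` and `unknown` were sensible as singletons but now make `["none", "fips140-3-l1"]` a valid value; the schema cannot express the exclusion, so the description should say that `none` and `unknown` are to be used alone, e.g. append `The values 'none' and 'unknown' must not be combined with other levels.` Moving the `enum` and `meta:enum` under `items` also moves the hand-maintained duplication with it, and the lint test only learns that `meta:enum` is a permitted keyword, so a mismatch between the two lists would still go unnoticed.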
@@ -21,7 +21,7 @@ components: [ parameterSetIdentifier: "128" executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 - certificationLevel: "none", + certificationLevel: [ "none" ], mode: CRYPTO_ALGORITHM_MODE_GCM cryptoFunctions: [ CRYPTO_ALGORITHM_FUNCTION_KEYGEN, diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json index bd12cbbd..e25d4dd9 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json @@ -16,7 +16,7 @@ "curve": "brainpoolP160r1", "executionEnvironment": "software-plain-ram", "implementationPlatform": "x86_64", - "certificationLevel": "fips140-1-l4", + "certificationLevel": [ "fips140-1-l4" ], "mode": "gcm", "padding": "pkcs5", "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"], diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto index caf46df1..a135dc63 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto @@ -14,7 +14,7 @@ components: [ curve: "brainpoolP160r1" executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 - certificationLevel: "fips140-1-l4" + certificationLevel: [ "fips140-1-l4" ] mode: CRYPTO_ALGORITHM_MODE_GCM padding: CRYPTO_ALGORITHM_PADDING_PKCS5 cryptoFunctions: [ From 29fc0a6e1470874ec7a26c63f23d894cceb11edd Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 23 Jan 2024 12:30:43 -0600 Subject: [PATCH 21/22] Renamed lineNumber to line to align properties with those in callstack/frames. 
Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.schema.json | 2 +- schema/bom-1.6.xsd | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 9bce71e7..d8d3abd3 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -727,7 +727,7 @@ message EvidenceOccurrences { // The location or path to where the component was found. string location = 2; // The line number where the component was found. - optional int32 lineNumber = 3; + optional int32 line = 3; // The offset where the component was found. optional int32 offset = 4; // The symbol name that was found associated with the component. diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f33aaa71..51013151 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -2028,7 +2028,7 @@ "title": "Location", "description": "The location or path to where the component was found." }, - "lineNumber": { + "line": { "type": "integer", "minimum": 0, "title": "Line Number", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index ba5a7bb8..15a903b6 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -2372,7 +2372,7 @@ limitations under the License. The location or path to where the component was found. - + The line number where the component was found. From d8ae85ecd1458c6d2951a3671bca955492b2d7f6 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 26 Jan 2024 15:38:22 +0100 Subject: [PATCH 22/22] rework dependency type to `provides` 
Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 8 +--- schema/bom-1.6.schema.json | 27 ++++------- schema/bom-1.6.xsd | 48 ++++++++----------- ...alid-cryptography-implementation-1.6.json} | 11 +++-- ...cryptography-implementation-1.6.textproto} | 14 ++++-- ...valid-cryptography-implementation-1.6.xml} | 11 +++-- 6 files changed, 57 insertions(+), 62 deletions(-) rename tools/src/test/resources/1.6/{valid-cryptography-1.6.json => valid-cryptography-implementation-1.6.json} (86%) rename tools/src/test/resources/1.6/{valid-cryptography-1.6.textproto => valid-cryptography-implementation-1.6.textproto} (85%) rename tools/src/test/resources/1.6/{valid-cryptography-1.6.xml => valid-cryptography-implementation-1.6.xml} (85%) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index d8d3abd3..511e7c34 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -171,16 +171,12 @@ enum DataFlowDirection { } message Dependency { - enum DependencyType { - DEPENDENCY_TYPE_IMPLEMENTS = 0; - DEPENDENCY_TYPE_USES = 1; - } // References a component or service by the its bom-ref attribute string ref = 1; // The bom-ref identifiers of the components or services that are dependencies of this dependency object. repeated Dependency dependencies = 2; - // Defines and characterizes the type of dependency - optional DependencyType type = 3; + // The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object. + repeated string provides = 3; } message Diff { diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 51013151..4ecc4ae5 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
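Review bot: Field number 3 is reused with a different wire type: the removed `optional DependencyType type = 3` was a varint and the new `repeated string provides = 3` is length-delimited, so a message produced from an earlier 1.6 draft is either rejected or has the field silently treated as unknown, depending on the parser. If any draft-1.6 protobuf has been exchanged, `reserved 3;` followed by `repeated string provides = 4;` is the safe shape; if not, a one-line comment recording that 3 was reassigned before release still saves the next reader from the same question. The `Dependency` message is fully shown, but the `DataFlowDirection` enum above it is cut.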
@@ -1766,11 +1766,14 @@
 "title": "Depends On",
 "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object."
 },
- "type": {
- "type": "string",
- "title": "Dependency Type",
- "description": "Defines and characterizes the type of dependency",
- "$ref": "#/definitions/dependencyType"
+ "provides": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/refLinkType"
+ },
+ "title": "Provides",
+ "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."
 }
 }
 },
@@ -4601,20 +4604,6 @@
 "title": "Signature",
 "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
 },
- "dependencyType": {
- "type": "string",
- "title": "Dependency Type",
- "enum": [
- "implements",
- "uses"
- ],
- "meta:enum": {
- "implements": "Refers to a component or service that fulfills the requirements of a given specification or standard. For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use.",
- "uses": "Refers to a component or service that relies on another component or service, either explicitly via function calls or via configuration at run time."
- },
- "default": "uses",
- "description": "An optional field that describes the type of dependency."
- },
 "cryptoProperties": {
 "type": "object",
 "title": "Cryptographic Properties",
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index 15a903b6..12731aa6 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
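Review bot: `provides` entries are validated only against the `refLinkType` shape, so the schema cannot express that each entry resolves to a `bom-ref` declared in the same BOM, is distinct from the enclosing `ref`, or points at a crypto-asset; that referential check falls to validating tools, as it already does for `dependsOn`. Since the description is what consumers read, it is worth making this explicit, e.g. appending `Each entry MUST resolve to the bom-ref of a component or service declared in this BOM.` to the new description. The second hunk removes `dependencyType` together with its `"default": "uses"`, so a pre-release 1.6 document that still carries `type` on a dependency is either rejected or silently ignored depending on the dependency object's `additionalProperties` setting, which is outside the hunk.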
@@ -1851,18 +1851,32 @@ limitations under the License. - + + + The component or service that is a dependency of this dependency object. + + + + + + The component or service that define a given specification or standard, which is provided or implemented by this dependency object. + For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use. + + + + + + References a component or service by its bom-ref attribute + + + + References a component or service by its bom-ref attribute - - - An optional field that describes the type of dependency. - - User-defined attributes may be used on this element as long as they @@ -1871,28 +1885,6 @@ limitations under the License. - - - - - - Refers to a component or service that fulfills the requirements of a given specification or - standard. For example, a cryptographic library which implements a cryptographic algorithm. - A component which implements another component does not imply that the implementation is in use. - - - - - - - Refers to a component or service that relies on another component or service, either explicitly - via function calls or via configuration at run time. - - - - - - diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.json similarity index 86% rename from tools/src/test/resources/1.6/valid-cryptography-1.6.json rename to tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.json index b498646a..3bff0945 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.json +++ b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.json 
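Review bot: The new documentation text `The component or service that define a given specification or standard, which is provided or implemented by this dependency object.` has a number-agreement error and should read `The component or service that defines a given specification or standard, which is provided or implemented by this dependency object.`. The XML markup of this hunk appears to have been stripped in this rendering, so the element and attribute names could not be checked here against the `provides` field added to the JSON and protobuf schemas; the enclosing type definition presumably continues beyond the hunk.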
@@ -37,18 +37,23 @@
 "bom-ref": "crypto-library",
 "name": "Crypto library",
 "version": "1.0.0"
+ },
+ {
+ "type": "library",
+ "bom-ref": "some-library",
+ "name": "Some library",
+ "version": "1.0.0"
 }
 ],
 "dependencies": [
 {
 "ref": "acme-application",
- "type": "uses",
 "dependsOn": ["crypto-library"]
 },
 {
 "ref": "crypto-library",
- "type": "implements",
- "dependsOn": ["aes128gcm"]
+ "provides": ["aes128gcm"],
+ "dependsOn": ["some-library"]
 }
 ]
 }
diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.textproto
similarity index 85%
rename from tools/src/test/resources/1.6/valid-cryptography-1.6.textproto
rename to tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.textproto
index ccc3dbb0..a7b1a0be 100644
--- a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto
+++ b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.textproto
@@ -1,3 +1,6 @@
+# proto-file: schema/bom-1.6.proto
+# proto-message:
+
 spec_version: "1.6"
 version: 1
 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
@@ -40,21 +43,26 @@ components: [
 bom_ref: "crypto-library"
 name: "Crypto library"
 version: "1.0.0"
+ },
+ {
+ type: CLASSIFICATION_LIBRARY
+ bom_ref: "some-library"
+ name: "Some library"
+ version: "1.0.0"
 }
 ],
 dependencies: [
 {
 ref: "acme-application"
- type: DEPENDENCY_TYPE_USES
 dependencies {
 ref: "crypto-library"
 }
 },
 {
 ref: "crypto-library"
- type: DEPENDENCY_TYPE_IMPLEMENTS
+ provides: [ "aes128gcm" ]
 dependencies {
- ref: "aes128gcm"
+ ref: "some-library"
 }
 }
 ]
diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.xml
similarity index 85%
rename from tools/src/test/resources/1.6/valid-cryptography-1.6.xml
rename to tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.xml
index 4639eb5c..d9c97fee 100644
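Review bot: The fixture exercises `provides` only in the valid direction; nothing covers the constraints the schema change actually introduces, namely `uniqueItems` on `provides` and the removal of `type` from a dependency. A negative counterpart that repeats an entry, e.g. `"provides": ["aes128gcm", "aes128gcm"]`, or that keeps `"type": "implements"` on the `crypto-library` dependency, would confirm validators reject the old shape rather than ignore it. If the test resources already follow a valid-/invalid- naming scheme, naming it `invalid-cryptography-implementation-1.6.json` keeps it in the same runner.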
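Review bot: The added header line `# proto-message:` is left without a value, so the tooling hint it introduces is incomplete; it should name the top-level message of `schema/bom-1.6.proto` that this file is an instance of, e.g. `# proto-message: <TOP_LEVEL_MESSAGE>` (presumably `Bom`; confirm against the proto). The `# proto-file:` line above it is filled in.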
--- a/tools/src/test/resources/1.6/valid-cryptography-1.6.xml +++ b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.xml @@ -34,13 +34,18 @@ Crypto Library 1.0.0 + + Some Library + 1.0.0 + - + - - + + +