From f137968fed3f549f2fba1e9bd628a73380d84b28 Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Thu, 3 Nov 2022 10:52:30 -0700 Subject: [PATCH 01/21] Update README.md Signed-off-by: Steve Lasker --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6a34b6c..e89c56c 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ title: What Is SCITT permalink: /index nav_order: 0 --- - + # What Is SCITT The **S**upply **C**hain **I**ntegrity, **T**ransparency and **T**rust (SCITT) initiative is a set of proposed [IETF industry standards]({{ site.ietf-scitt }}){:target="_blank"} for managing the compliance of goods and services across end-to-end supply chains. @@ -41,4 +41,4 @@ A SCITT instance will persist verifiable claims to its ledger. Any optional evid While a SCITT instance should provide a default storage, there's no limit on what storage services are used. For package managers that support breadths of content types, the evidence may be stored alongside the artifact by which the claim is being made. For package managers that limit the content types to the specific package type, a SCITT instance should provide default storage persistance. -For more info, see: [Supply Chains]({% link supply-chain.md %}) \ No newline at end of file +For more info, see: [Supply Chains]({% link supply-chain.md %}) From f44250bf8e2aef3db5305c61f5c93a404eb661bd Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Mon, 7 Nov 2022 10:19:11 -0800 Subject: [PATCH 02/21] Update _config.yml Signed-off-by: Steve Lasker --- _config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_config.yml b/_config.yml index d5c406c..0a3271b 100644 --- a/_config.yml +++ b/_config.yml 
@@ -17,7 +17,7 @@ title: SCITT - Supply Chain Integrity and Trust # email: your-email@example.com description: >- # this means to ignore newlines until "baseurl:" The Supply Chain Integrity, Transparency and Trust (SCITT) initiative is a set of proposed industry standards for managing the compliance of goods and services across end-to-end supply chains. -baseurl: "/" # the subpath of your site, e.g. /blog +baseurl: "/scitt-web" # the subpath of your site, e.g. /blog # url: "" # the base hostname & protocol for your site, e.g. http://example.com # twitter_username: SCITT github_username: ietf-scitt From c8ebbbb3c234bd3d09843d41a6e3ec07aafcd7ed Mon Sep 17 00:00:00 2001 From: steve lasker Date: Wed, 13 Sep 2023 08:08:30 -0700 Subject: [PATCH 03/21] Add examples for implementing the SCITT use cases Signed-off-by: steve lasker --- examples/README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 examples/README.md diff --git a/examples/README.md b/examples/README.md new file mode 100644 index 0000000..68739a6 --- /dev/null +++ b/examples/README.md @@ -0,0 +1,19 @@ +--- +layout: page +title: "SCITT Use Case Examples" +nav_order: 110 +--- +# Examples + +To support the [SCITT Use Cases][use-cases], the follow examples are illustrated. + +## Integrating SCITT With a Build System + +- How to structure SCITT Feeds +- How to correlate each build artifact with previous versions +- How to sign the statements +- Where to store SCITT Receipts + +For this example, we'll use the ___ Github repository + +[use-cases]: https://datatracker.ietf.org/doc/draft-ietf-scitt-software-use-cases/ \ No newline at end of file From 58521174777451f13b56bfe46ea234c2486f62df Mon Sep 17 00:00:00 2001 From: steve lasker Date: Mon, 25 Sep 2023 05:47:26 -0700 Subject: [PATCH 04/21] Add the binary use case outlining SCITT Feed scenarios 
Signed-off-by: steve lasker --- examples/README.md | 3 +- examples/feed-binary-usecase.md | 76 ++++++++++++++++++++++++++++++++ examples/fictitious-companies.md | 36 +++++++++++++++ 3 files changed, 114 insertions(+), 1 deletion(-) create mode 100644 examples/feed-binary-usecase.md create mode 100644 examples/fictitious-companies.md diff --git a/examples/README.md b/examples/README.md index 68739a6..a21e0d2 100644 --- a/examples/README.md +++ b/examples/README.md @@ -16,4 +16,5 @@ To support the [SCITT Use Cases][use-cases], the follow examples are illustrated For this example, we'll use the ___ Github repository -[use-cases]: https://datatracker.ietf.org/doc/draft-ietf-scitt-software-use-cases/ \ No newline at end of file +[use-cases]: https://datatracker.ietf.org/doc/draft-ietf-scitt-software-use-cases/ + diff --git a/examples/feed-binary-usecase.md b/examples/feed-binary-usecase.md new file mode 100644 index 0000000..28e4eb9 --- /dev/null +++ b/examples/feed-binary-usecase.md 
@@ -0,0 +1,76 @@ +# Binary Use Case + +## Software Producer + +[Wabbit Networks](fictitious-companies.md#wabbit-networks) frequently releases their **net-monitor** software. +Their software is distributed as a container images and loose binaries for Linux and Windows servers. +They maintain multiple versions of their software, while releasing patched versions. + +Wabbit Networks provides SBOMs, VEX Reports with a Vendor Response File (VRF) for each of their releases. +They occasionally need to issue new versions of the VRF, as well as updated VEX reports. + +### The Net Monitor Release Page + +Due to the complexity of different versions, platforms, architectures and product lines, companies and projects typically use marketing based navigation to assist users with their download choices. +The below matrix is meant to visually represent a common matrix, that would be provided through marketing links. + +Versions and Patched Releases: + +- For each major release (`1.0.0`, `2.0.0`, `3.0.0`), there are a set of minor feature releases (`1.1.0`, `1.2.0`) with potential patches (`1.0.1`, `1.0.2`). + Vendors and projects use various forms of versioning, including [SemVer](https://semver.org/), [CalVer](https://calver.org/) and other forms. + SCITT must support any versioning scheme a producer wishes to support. +- In the below examples, not all platforms have patches for a specific major or minor release. 
+ +| Version | Linux Container | Linux Binary | Windows Container | Windows Installer | +| - | - | - | - | - | +| v1.0.0 | [net-monitor:v1.0.0-linux-amd64]() | [net-monitor-v1_0_0.gzip]() | [net-monitor:v1.0.0-win-amd64]() | [net-monitor-v1_0_0.msi]() | +| -- v1.0.1 | [net-monitor:v1.0.1-linux-amd64]() | [net-monitor-v1_0_1.gzip]() | [net-monitor:v1.0.1-win-amd64]() | [net-monitor-v1_0_1.msi]() | +| -- v1.0.2 | [net-monitor:v1.0.2-linux-amd64]() | [net-monitor-v1_0_2.gzip]() | | | +| - v1.1.0 | [net-monitor:v1.1.0-linux-amd64]() | [net-monitor-v1_1_0.gzip]() | [net-monitor:v1.1.0-win-amd64]() | [net-monitor-v1_1_0.msi]() | +| -- v1.1.1 | | | [net-monitor:v1.1.1-win-amd64]() | [net-monitor-v1_1_1.msi]() | +| -- v1.1.2 | | | [net-monitor:v1.1.2-win-amd64]() | [net-monitor-v1_1_2.msi]() | +| - v1.2.0 | [net-monitor:v1.2.0-linux-amd64]() | [net-monitor-v1_2_0.gzip]() | [net-monitor:v1.2.0-win-amd64]() | [net-monitor-v1_2_0.msi]() | +| v2.0.0 | [net-monitor:v2.0.0-linux-amd64]() | [net-monitor-v2_0_0.gzip]() | [net-monitor:v2.0.0-win-amd64]() | [net-monitor-v2_0_0.msi]() | +| - v2.1.0 | [net-monitor:v2.1.0-linux-amd64]() | [net-monitor-v2_1_0.gzip]() | [net-monitor:v2.1.0-win-amd64]() | [net-monitor-v2_1_0.msi]() | +| - v2.1.1 | [net-monitor:v2.1.1-linux-amd64]() | [net-monitor-v2_1_1.gzip]() | | | +| - v2.1.2 | [net-monitor:v2.1.2-linux-amd64]() | [net-monitor-v2_1_2.gzip]() | | | +| - v3-alpha | [net-monitor:v3-alpha-linux-amd64]() | [net-monitor-v3-alpha.gzip]() | [net-monitor:v3-alpha-win-amd64]() | [net-monitor-v3-alpha.msi]() | + +### Questions for Producers + +When software producers wish to publish additional information for their products, how can they: + +- Let consumers know the most recently patched version for a specific platform/architecture release? +- Let consumers know a new version is available? +- Let consumers know an SBOM, VEX, VRF was verifiably published by the publisher? 
+- Let consumers know a newer version of the SBOM, VEX, VRF was released, _and_ verifiably published by the publisher? + +> _[IETF SCITT Use Cases](https://www.ietf.org/archive/id/draft-ietf-scitt-software-use-cases-01.html#name-identify-statements-and-upd)_ + +## Software Consumer + +[ACME Rockets](./fictitious-companies.md#acme-rockets) consumes the Net Monitor software from Wabbit Networks. +They are currently using their version 1 release, and need to get notified of updates when they're available. + +## Third Party Security Vendor + +[Cosmic Security](./fictitious-companies.md#cosmic-security) evaluates the security posture of its customers, providing 3rd party analysis and validation. + +ACME Rockets subscribes to Cosmic Security to monitor the software they use within their environment. + +## End to End Integration + +ACME Rockets deploys the Cosmic Security products to monitor the software in their environment. +Wabbit Networks publishes their security information through a public SCITT Service. +For each product ACME Rockets consumes, a SCITT Feed Identifier is used to get the latest information about the products. + +Cosmic Security also publishes their perspective of the ACME Rockets software, as well as other vendors and projects. +Cosmic Security publishes the information using a a SCITT Service that provides a series of statements associated with the Feeds of each of their products they consume. + +## References + +Examples of Product Download Pages +- [OpenSCAD](http://openscad.org/downloads.html) + - [Images are currently available for platforms linux/amd64 and linux/arm64](https://hub.docker.com/r/openscad/openscad) +- [Unity](https://unity.com/releases/editor/whats-new/2023.1.10) + - A collection of releases for Windows (`.exe`), Mac (`.pkg`), Linux (.`tar.xz`) diff --git a/examples/fictitious-companies.md b/examples/fictitious-companies.md new file mode 100644 index 0000000..93f4126 --- /dev/null +++ b/examples/fictitious-companies.md 
@@ -0,0 +1,36 @@ +# Fictitious Companies + +To minimize context switching when reading through SCITT Scenarios, Use Cases and Examples, a set of fictitious companies and personas are used. +The companies and personas aim to represent sets of end-to-end scenarios. + +## Software Producers + +A set of software producers. + +### Wabbit Networks +Wabbit Networks is a software company, specializing in network monitoring software. +They distribute their software as container images and loose binaries for Linux and Windows servers. +As consumers purchase different versions, Wabbit Networks maintain multiple versions of their software, while releasing patched versions. +Over time, some versions become "End of Life" (EOL), where support is no longer supported. +For each version that's marked EOL, a new supported version is provided. + +## Software Consumers + +Various consumers of software from various vendors and open source projects. + +### ACME Rockets + +ACME Rockets consumes the Net Monitor software from Wabbit Networks. +ACME Rockets has multiple environments ranging from common software the use for Human Resources, services from cloud providers and specialized software for their launch systems. +In addition, ACME Rockets manages a set of Satellite services, where they maintain and update the software deployed within the satellites. + +## Third Party Security Vendors + +A set of vendors that provide security perspectives and audits of software products and services. + +### Cosmic Security + +Cosmic Security evaluates software security, providing their customers 3rd party validation. +They specialize in the unique requirements of aerospace companies that have unique challenges, such as how they secure launch systems, manufacturing and the software running in satellite deployments. +The aerospace industry has a network of suppliers and vendors for CAD/CAM, 3D printing, materials and transport services. 
+In addition to assuring the software run across planetary and orbital environments are secure, they must also assure the documents shared across parties are also genuine. From 2b4c860a2adf7d09ac75e01abab2b5f40db79675 Mon Sep 17 00:00:00 2001 From: steve lasker Date: Mon, 25 Sep 2023 06:15:55 -0700 Subject: [PATCH 05/21] Update readme to reference the example usecase Signed-off-by: steve lasker --- examples/README.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/examples/README.md b/examples/README.md index a21e0d2..4ed7fbd 100644 --- a/examples/README.md +++ b/examples/README.md @@ -7,14 +7,7 @@ nav_order: 110 To support the [SCITT Use Cases][use-cases], the follow examples are illustrated. -## Integrating SCITT With a Build System - -- How to structure SCITT Feeds -- How to correlate each build artifact with previous versions -- How to sign the statements -- Where to store SCITT Receipts - -For this example, we'll use the ___ Github repository +- [Binary Use Case: Multi-Version Product Support, With Third Party Statements of Quality](./feed-binary-usecase.md) [use-cases]: https://datatracker.ietf.org/doc/draft-ietf-scitt-software-use-cases/ From a8c0dfe4607996bb1ba1590ad12ac777f9806dbb Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Mon, 25 Sep 2023 22:12:56 -0700 Subject: [PATCH 06/21] Update examples/README.md Co-authored-by: Jon Geater Signed-off-by: Steve Lasker --- examples/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/README.md b/examples/README.md index 4ed7fbd..e1cf19d 100644 --- a/examples/README.md +++ b/examples/README.md @@ -5,7 +5,7 @@ nav_order: 110 --- # Examples -To support the [SCITT Use Cases][use-cases], the follow examples are illustrated. +To support the [SCITT Use Cases][use-cases], the following examples are illustrated. - [Binary Use Case: Multi-Version Product Support, With Third Party Statements of Quality](./feed-binary-usecase.md) 
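Review bot: in the `_config.yml` hunk of patch 02, changing `baseurl` from `"/"` to `"/scitt-web"` changes the link prefix of every page on the published site; if the upstream site is served at the domain root this breaks all absolute links, and the same line is reverted again in patch 10. Squash 02, 10 and 11, or keep `baseurl: "/"` committed and pass the fork/local prefix on the command line (`bundle exec jekyll serve --baseurl /scitt-web`) so no commit in the series carries a broken config.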
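Review bot: the new `examples/README.md` in patch 03 lands a blank placeholder, `For this example, we'll use the ___ Github repository`, together with a `## Integrating SCITT With a Build System` list that patch 05 removes again; either fill in the repository before merging or leave the section out of this patch instead of adding and reverting it two commits apart. Minor: `the follow examples` should be `the following examples` (fixed in patch 06), and the file has no trailing newline (`\ No newline at end of file`).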
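Review bot: in the release matrix added to `examples/feed-binary-usecase.md` in patch 04, every cell is an empty link such as `[net-monitor:v1.0.0-linux-amd64]()`, which renders as a clickable link back to the current page; since these are illustrative artifact names, write them as code spans or point them at `fictitious-companies.md`. Also in this hunk: the archive names use `.gzip`, an extension no common packaging tool produces (`.tar.gz` or `.tgz` is the convention), `using a a SCITT Service` is doubled, and the OpenSCAD reference uses plain `http://`; a supply-chain document should reference download pages over `https://`.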
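Review bot: in the `examples/fictitious-companies.md` hunk of patch 04, `common software the use for Human Resources` should read `they use`, and `where support is no longer supported` is circular (patch 14 later changes it to `no longer provided`). The `### Wabbit Networks` heading is also not followed by a blank line, unlike every other heading in the file; markdownlint rule MD022 flags this, so add the blank line here rather than in a later cleanup commit.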
From 1d355f9f98c3a66df4673acb9edf2aeedeceb09b Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Mon, 25 Sep 2023 22:13:12 -0700 Subject: [PATCH 07/21] Update examples/feed-binary-usecase.md Co-authored-by: Jon Geater Signed-off-by: Steve Lasker --- examples/feed-binary-usecase.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/feed-binary-usecase.md b/examples/feed-binary-usecase.md index 28e4eb9..a717ee5 100644 --- a/examples/feed-binary-usecase.md +++ b/examples/feed-binary-usecase.md @@ -3,7 +3,7 @@ ## Software Producer [Wabbit Networks](fictitious-companies.md#wabbit-networks) frequently releases their **net-monitor** software. -Their software is distributed as a container images and loose binaries for Linux and Windows servers. +Their software is distributed as container images and loose binaries for Linux and Windows servers. They maintain multiple versions of their software, while releasing patched versions. Wabbit Networks provides SBOMs, VEX Reports with a Vendor Response File (VRF) for each of their releases. From 89500653e3101de176adf0e33902554bf251d1b2 Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Mon, 25 Sep 2023 22:13:37 -0700 Subject: [PATCH 08/21] Update examples/feed-binary-usecase.md Co-authored-by: Jon Geater Signed-off-by: Steve Lasker --- examples/feed-binary-usecase.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/feed-binary-usecase.md b/examples/feed-binary-usecase.md index a717ee5..c74f407 100644 --- a/examples/feed-binary-usecase.md +++ b/examples/feed-binary-usecase.md 
@@ -7,7 +7,7 @@ Their software is distributed as container images and loose binaries for Linux a They maintain multiple versions of their software, while releasing patched versions. Wabbit Networks provides SBOMs, VEX Reports with a Vendor Response File (VRF) for each of their releases. -They occasionally need to issue new versions of the VRF, as well as updated VEX reports. +They occasionally need to issue new versions of the VRF, as well as updated VEX reports, because even while the software may remain unmodified th vulnerability landscape and Rabbit Networks' understanding of it is constantly evolving. ### The Net Monitor Release Page From 74d6f70344959d27844b72ebe9382eecf3fdee48 Mon Sep 17 00:00:00 2001 From: steve lasker Date: Mon, 25 Sep 2023 06:20:15 -0700 Subject: [PATCH 09/21] Typo fix Signed-off-by: steve lasker --- examples/feed-binary-usecase.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/feed-binary-usecase.md b/examples/feed-binary-usecase.md index c74f407..88b9285 100644 --- a/examples/feed-binary-usecase.md +++ b/examples/feed-binary-usecase.md @@ -7,7 +7,7 @@ Their software is distributed as container images and loose binaries for Linux a They maintain multiple versions of their software, while releasing patched versions. Wabbit Networks provides SBOMs, VEX Reports with a Vendor Response File (VRF) for each of their releases. -They occasionally need to issue new versions of the VRF, as well as updated VEX reports, because even while the software may remain unmodified th vulnerability landscape and Rabbit Networks' understanding of it is constantly evolving. +They occasionally need to issue new versions of the VRF, as well as updated VEX reports, because even while the software may remain unmodified the vulnerability landscape and Wabbit Networks' understanding of it is constantly evolving. ### The Net Monitor Release Page From 2b80c7c45248e89bfd0f1ad9f03c9d36aa316d9a Mon Sep 17 00:00:00 2001 
From: steve lasker Date: Mon, 25 Sep 2023 06:23:44 -0700 Subject: [PATCH 10/21] revert _config.yml change Signed-off-by: steve lasker --- _config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_config.yml b/_config.yml index 0a3271b..6bb3b2b 100644 --- a/_config.yml +++ b/_config.yml @@ -17,8 +17,8 @@ title: SCITT - Supply Chain Integrity and Trust # email: your-email@example.com description: >- # this means to ignore newlines until "baseurl:" The Supply Chain Integrity, Transparency and Trust (SCITT) initiative is a set of proposed industry standards for managing the compliance of goods and services across end-to-end supply chains. -baseurl: "/scitt-web" # the subpath of your site, e.g. /blog -# url: "" # the base hostname & protocol for your site, e.g. http://example.com +# baseurl: "/scitt-web" # use this line for local rendering and forked rendering. Revert to below before committing to the upstream project +baseurl: "/" # the subpath of your site, e.g. /blog # twitter_username: SCITT github_username: ietf-scitt From 110dcee8ce9f5eaaa7acf98556d770af55389640 Mon Sep 17 00:00:00 2001 From: steve lasker Date: Mon, 25 Sep 2023 06:25:06 -0700 Subject: [PATCH 11/21] revert _config.yml change Signed-off-by: steve lasker --- _config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/_config.yml b/_config.yml index 6bb3b2b..9b2653a 100644 --- a/_config.yml +++ b/_config.yml 
@@ -19,6 +19,7 @@ description: >- # this means to ignore newlines until "baseurl:" The Supply Chain Integrity, Transparency and Trust (SCITT) initiative is a set of proposed industry standards for managing the compliance of goods and services across end-to-end supply chains. # baseurl: "/scitt-web" # use this line for local rendering and forked rendering. Revert to below before committing to the upstream project baseurl: "/" # the subpath of your site, e.g. /blog +# url: "" # the base hostname & protocol for your site, e.g. http://example.com # twitter_username: SCITT github_username: ietf-scitt From 2eaafefe767fbecc300a8ffca3ad3401d89a8183 Mon Sep 17 00:00:00 2001 From: steve lasker Date: Mon, 25 Sep 2023 06:26:58 -0700 Subject: [PATCH 12/21] Mmarkdown linting cleanup Signed-off-by: steve lasker --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c11d6d8..e8b74f3 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ title: What Is SCITT permalink: /index nav_order: 0 --- - + # What Is SCITT The **S**upply **C**hain **I**ntegrity, **T**ransparency and **T**rust (SCITT) initiative is a set of proposed [IETF industry standards]({{ site.ietf-scitt }}){:target="_blank"} for managing the compliance of goods and services across end-to-end supply chains. From f067dc6fb7a77b198c19e5a14783968f43355498 Mon Sep 17 00:00:00 2001 From: steve lasker Date: Thu, 28 Sep 2023 14:14:01 -0700 Subject: [PATCH 13/21] fix missing link Signed-off-by: steve lasker --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e8b74f3..a4621ee 100644 --- a/README.md +++ b/README.md 
@@ -41,4 +41,4 @@ A SCITT instance will persist verifiable claims to its ledger. Any optional evid While a SCITT instance should provide a default storage, there's no limit on what storage services are used. For package managers that support breadths of content types, the evidence may be stored alongside the artifact by which the claim is being made. For package managers that limit the content types to the specific package type, a SCITT instance should provide default storage persistence. -For more info, see: [Supply Chains]({% link supply-chain.md %}) +For more info, see: [Supply Chains](./supply-chain.md) From f6ff9b53ceeaa5632eee9c7de7a882f924642e0b Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Sat, 30 Sep 2023 08:08:22 -0700 Subject: [PATCH 14/21] Update examples/fictitious-companies.md Co-authored-by: A.J. Stein Signed-off-by: Steve Lasker --- examples/fictitious-companies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/fictitious-companies.md b/examples/fictitious-companies.md index 93f4126..e424231 100644 --- a/examples/fictitious-companies.md +++ b/examples/fictitious-companies.md @@ -11,7 +11,7 @@ A set of software producers. Wabbit Networks is a software company, specializing in network monitoring software. They distribute their software as container images and loose binaries for Linux and Windows servers. As consumers purchase different versions, Wabbit Networks maintain multiple versions of their software, while releasing patched versions. -Over time, some versions become "End of Life" (EOL), where support is no longer supported. +Over time, some versions become "End of Life" (EOL), where support is no longer provided. For each version that's marked EOL, a new supported version is provided. ## Software Consumers From 07d5f9802a0afa53907d0a3b10ef087e239a21a0 Mon Sep 17 00:00:00 2001 
From: Steve Lasker Date: Sat, 30 Sep 2023 08:08:53 -0700 Subject: [PATCH 15/21] Update examples/fictitious-companies.md Co-authored-by: A.J. Stein Signed-off-by: Steve Lasker --- examples/fictitious-companies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/fictitious-companies.md b/examples/fictitious-companies.md index e424231..d7e8cfa 100644 --- a/examples/fictitious-companies.md +++ b/examples/fictitious-companies.md @@ -33,4 +33,4 @@ A set of vendors that provide security perspectives and audits of software produ Cosmic Security evaluates software security, providing their customers 3rd party validation. They specialize in the unique requirements of aerospace companies that have unique challenges, such as how they secure launch systems, manufacturing and the software running in satellite deployments. The aerospace industry has a network of suppliers and vendors for CAD/CAM, 3D printing, materials and transport services. -In addition to assuring the software run across planetary and orbital environments are secure, they must also assure the documents shared across parties are also genuine. +In addition to assuring the software runs across planetary and orbital environments are secure, they must also assure the documents shared across parties are also genuine. From 09cefa163a8a1318bef2cac1f73a47d8836c8a45 Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Sat, 30 Sep 2023 08:09:20 -0700 Subject: [PATCH 16/21] Update examples/feed-binary-usecase.md Co-authored-by: A.J. Stein Signed-off-by: Steve Lasker --- examples/feed-binary-usecase.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/feed-binary-usecase.md b/examples/feed-binary-usecase.md index 88b9285..7753173 100644 --- a/examples/feed-binary-usecase.md +++ b/examples/feed-binary-usecase.md 
@@ -2,7 +2,7 @@ ## Software Producer -[Wabbit Networks](fictitious-companies.md#wabbit-networks) frequently releases their **net-monitor** software. +[Wabbit Networks](fictitious-companies.md#wabbit-networks) frequently releases their **Net Monitor** software. Their software is distributed as container images and loose binaries for Linux and Windows servers. They maintain multiple versions of their software, while releasing patched versions. From 5de7531bbc7897207f2f5d2d21b151adb2753a66 Mon Sep 17 00:00:00 2001 From: steve lasker Date: Mon, 2 Oct 2023 08:35:33 -0700 Subject: [PATCH 17/21] Add a basic feed example Signed-off-by: steve lasker --- examples/feed-basic-example.md | 117 +++++++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 examples/feed-basic-example.md diff --git a/examples/feed-basic-example.md b/examples/feed-basic-example.md new file mode 100644 index 0000000..1425273 --- /dev/null +++ b/examples/feed-basic-example.md 
@@ -0,0 +1,117 @@ +--- +layout: page +title: # Feed Basic Example +parent: Examples +nav_order: 1 +--- + +# Feed Basic Example + +SCITT provides the registration, persistance and querying of a series of Transparent Statements over the life of the Artifact. + +Producers and Third Parties create and register Signed Statements on one or more SCITT Services. And Consumers query one or more SCITT Services for information about software they wish to evaluate. + +To demonstrate how SCITT Implements this workflow a collection of Scenarios and examples are provided using the [SCITT Community API Emulator](https://github.com/scitt-community/scitt-api-emulator) and [SCITT.xyz](https://scitt.xyz) + +## Scenario: Series of Transparent Statements Over the Life of an Artifact + +As a producer publishes a software artifact, they make a SCITT Feed available to provide a series of statements about the Artifact. + +For this example, we'll use the [Wabbit Networks](./fictitious-companies.md#wabbit-networks) Network Monitor Software. +Using SCITT Terminology, the Artifact is a specific versioned release of the net-monitor binary. +And a Feed is created to provide the series of Statements about the Artifact. + +Put simply, a Feed represents a specific Artifact, with a series of statements placed on the Feed. + +**Note:** _For the examples below, the contents of statements are opaque to the SCITT Service. +The SCITT Service doesn't parse or understand what an SBOM, VEX, Patch, New Version is. +The Transparent Statements have a `contentType` that enables clients to parse the specific content types._ + +1. On January 1, 2023 Wabbit Networks publishes V1 of their Net-Monitor software, targeting Linux environments +2. At the time of release, Wabbit Networks publishes SBOMs in both SPDX and Cyclone DX Formats, as well as a Security Scan Result from [Cosmic Security](./fictitious-companies.md#cosmic-security) +3. 
As time progresses, and new issues are discovered about components used within the build and release of the net-monitor binary, Wabbit Networks releases updated Scan Reports and updated VEX reports +4. As new patches are released, Wabbit Networks updates the Feed with information that informs of the new patched version, which is likely a new Feed +5. As new versions are released, Wabbit Networks updates the relevant Feeds of the new versions, which are likely new Feeds +6. As versions become out of support, Wabbit Networks publishes statements to the feed, indicating End of Support, (also known as EOL) +7. As Wabbit Networks as third parties provide security reviews each Feed, the third party may submit their Signed Statement (the security review) to each Feed + +## Overview of the Steps + +Ultimately, a Feed is the identifier used to query a series of statements about an Artifact. + +A few constructs are assumed: + +- A Feed should be owned by the issuer of the artifact +- Other parties may reference the same Feed, making additional statements, signed with their identity + - Other parties, if permitted by the registration policy of the publishers SCITT instance, may publish Signed Statements to the same Feed + - To enable autonomy, other parties may publish Signed Statements to a different SCITT instance, about the same Feed +- From a SCITT perspective, the Feed ID is a string as trying to solve the one global unique identifier for software, hardware, content and other types is beyond the scope of SCITT +- Consumers need to be able to find the Feed ID, based on nothing more than having reference to the artifact they wish to discover information +- As SCITT supports Signed Statements, issued by an Identity, the following proposal uses the Identity of the Signed Statement as the Identity associated with the Feed + +This does leave open the question, what is the content of Signed Statement that defines the Feed? + +1. It could be the binary the Feed is based upon +1. 
It could be an empty Statement that is simply used as the anchor for the feed, where the binary is subsequently added as one of the many contents associated with the Feed + +### Binary in the Feed Identifier + +In this scenario, the net-monitor binary is the content of the Statement used to initiate the Feed ID. + +The benefits include a bit of simplicity as there's less abstraction as the binary=the feed. + +1. Create a Signed Statement that identifies the Feed Id + + ```sh + --content-type application/octet-stream + --payload "@net-monitor" + --identity + --Feed + --Reg_Info content-hash: # used for subsequent querying + ``` + +2. Register the signed statement to the SCITT Instance +3. Capture the Entry ID as the Feed ID + +As a result, there is one Transparent Statement on the append-only ledger representing the binary and the Feed. + +Subsequent statements, such as the SBOMs, VEX and Scan Reports use the above Feed ID + +### Empty Statement as the Feed Identifier + +In this scenario, a statement is created that effectively has no content. +While content could be created, it infers the SCITT Service would need to understand the `contentType` of the Statement. + +The benefits of this approach is the Feed isn't tied to a specific binary or file. +This supports additional scenarios where someone is either tracking physical goods, or a document, (contract), which may change over time. + +**Note:** _By abstracting the Feed ID from a specific file, the application layer can query for specific content types, allowing a document to evolve over time. +The consumer could ask if `` is the latest version, and the service could provide the version history of that `contentType` (to elaborate in the document scenario)._ + +1. Create a Signed Statement that identifies the Feed Id + + ```sh + --contentType application/scitt/feed # maybe + --payload + --identity + --Feed + --Reg_Info name: # used for subsequent querying + ``` + +1. 
Register the signed statement to the SCITT Instance, representing the Feed ID +1. Capture the Entry ID as the Feed ID +1. Create a Signed Statement for the root artifact: the `net-monitor` v1 binary _(similar to step 1 of above [Binary in the Feed Identifier](#binary-in-the-feed-identifier) )_ + + ```sh + --content-type application/octet-stream + --payload "@net-monitor" + --identity + --Feed + --Reg_Info content-hash: # used for subsequent querying + ``` + +1. Register the Signed Statement, with the Feed Id + +As a result, there are Two Transparent Statements on the append-only ledger representing the Feed, and the first entry representing a file on the Feed. + +Subsequent statements, such as modifications to the file (contract updates, scans of human wet/digital signatures), redirects to newer versions, updated contractual submission dates, use the above Feed ID From cc998081d3c90a7f9ee5ded07f2bcf429e8596bd Mon Sep 17 00:00:00 2001 From: steve lasker Date: Mon, 2 Oct 2023 08:44:14 -0700 Subject: [PATCH 18/21] Ordering of docs Signed-off-by: steve lasker --- examples/feed-basic-example.md | 2 +- examples/feed-binary-usecase.md | 7 +++++++ examples/feed-requirements.md | 25 +++++++++++++++++++++++++ examples/fictitious-companies.md | 7 +++++++ 4 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 examples/feed-requirements.md diff --git a/examples/feed-basic-example.md b/examples/feed-basic-example.md index 1425273..3ecee11 100644 --- a/examples/feed-basic-example.md +++ b/examples/feed-basic-example.md @@ -2,7 +2,7 @@ layout: page title: # Feed Basic Example parent: Examples -nav_order: 1 +nav_order: 20 --- # Feed Basic Example diff --git a/examples/feed-binary-usecase.md b/examples/feed-binary-usecase.md index 7753173..4aec3de 100644 --- a/examples/feed-binary-usecase.md +++ b/examples/feed-binary-usecase.md @@ -1,3 +1,10 @@ +--- +layout: page +title: # Binary Use Case +parent: Examples +nav_order: 10 +--- + # Binary Use Case ## Software Producer 
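Review bot: the line patch 08 adds to `examples/feed-binary-usecase.md` introduces two typos, `th vulnerability landscape` and `Rabbit Networks`, that patch 09 immediately corrects; squash 08 into 09 so no commit in the series misspells the company name. The sentence is also very long; splitting it after `updated VEX reports` reads better.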
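Review bot: the `_config.yml` hunk in patch 10 drops the `# url: ""` line while restoring `baseurl: "/"`, and patch 11 adds that line back; squash the two. More importantly, the comment added on the `# baseurl: "/scitt-web"` line (`use this line for local rendering ... Revert to below before committing`) invites exactly the mistake patch 02 made. Jekyll accepts an overlay config (`jekyll serve --config _config.yml,_config_local.yml`) or `--baseurl /scitt-web` on the command line, so the committed file never needs to be hand-edited for forks or local rendering.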
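Review bot: the `README.md` hunk in patch 12 is the same trailing-whitespace fix already applied in patch 01 (the `- ` / `+` pair after the front matter), against a different blob (`c11d6d8` here, `e89c56c` there), so the whitespace was re-introduced somewhere between the two. Add an `.editorconfig` with `trim_trailing_whitespace = true` and a markdownlint step in CI so this stops churning.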
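Review bot: in the `README.md` hunk of patch 13, replacing `{% link supply-chain.md %}` with `./supply-chain.md` trades a build-time check for a runtime one: the Liquid `link` tag fails the Jekyll build when the target is missing, whereas the relative `.md` link only resolves to the rendered page if the `jekyll-relative-links` plugin is active. If the tag failed because the path changed, fix the path in the tag; if the intent is links that also work when browsing the repository on GitHub, state that in the commit message (`fix missing link` does not say which).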
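Review bot: the replacement line in patch 15 (`examples/fictitious-companies.md`) is still ungrammatical: `assuring the software runs across planetary and orbital environments are secure`. Suggest `In addition to assuring that the software running across planetary and orbital environments is secure, they must also assure that the documents shared across parties are genuine.`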
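Review bot: in `examples/feed-basic-example.md` (patch 17) both scenarios end with `Capture the Entry ID as the Feed ID`, but an Entry ID is assigned by the SCITT instance at registration, so a Feed ID derived from it is bound to that one service; this conflicts with the construct listed a few lines earlier, `other parties may publish Signed Statements to a different SCITT instance, about the same Feed`. Let the issuer choose the Feed ID and bind it to the signing identity, so consumers match on issuer plus Feed ID (which is what the `--identity` flag in the blocks already hints at), and keep the Entry ID as the per-service handle that the receipt refers to. Related: `--payload "@net-monitor"` registers the entire binary as the statement; registering the artifact hash as the payload and keeping the binary out-of-band, which is what the README's storage paragraph describes for evidence, keeps the append-only ledger small and avoids the service holding release binaries. The three `sh` blocks are not runnable as written: flags are spelled inconsistently (`--content-type` vs `--contentType`, `--Feed`, `--Reg_Info`), `--identity` and `--Feed` take no value, and `application/scitt/feed # maybe` is a guess; since the page says the examples use the SCITT Community API Emulator, either show that tool's real `create-claim` / `submit-claim` invocations or fence the blocks as `text` and say the flags are placeholders. The front matter line `title: # Feed Basic Example` leaves `title` empty because `#` starts a YAML comment (patch 18 adds the same pattern to the other two example pages); write `title: Feed Basic Example`. Smaller fixes: `persistance` for `persistence`; `SCITT Implements` for `SCITT implements`; step 7, `As Wabbit Networks as third parties provide security reviews each Feed`, is garbled, suggest `As third parties provide security reviews of each Feed, they may submit their Signed Statement (the review) to that Feed`; `it infers the SCITT Service would need` should be `implies`, and that sentence contradicts the note above it that statement content is opaque to the service; and `The consumer could ask if ... is the latest version` has an empty code span where the content type name was meant to go.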
diff --git a/examples/feed-requirements.md b/examples/feed-requirements.md new file mode 100644 index 0000000..f28b160 --- /dev/null +++ b/examples/feed-requirements.md 
@@ -0,0 +1,25 @@ +--- +layout: page +title: # Feed Requirements +parent: Examples +nav_order: 5 +--- + +# Feed Requirements + +1. Ability to associate a collection of statements to a root artifact + -. When submitting an SBOM, Vex, Statement of Quality, Recommendation for a new version, all need a simple id to associate them to a common artifact. +1. To know a specific identity created the unique Feed ID + - If **Wabbit Networks** creates a feed ID of `abc-123`, other parties should know they're making additional statements to that unique ID + - **BadCo** shouldn't be able to create an alternate version of `abc-123` that fools other parties to submitting statements + - The determination that **Wabbit Networks** is a good entity and **BadCo** is a bad entity is outside the scope of SCITT + - SCITT should prohibit the creation of Feed IDs that can be duped by another entity +1. Feeds produce a lineage of statements about a root artifact. The root artifact is arbitrary and may not be a specific file or asset + - A binary may be versioned over time, and the producer may decide to store different platform/architecture based versions on different feeds + - A document that is edited over time, may be kept on the same feed to see it's changes over time +1. Feeds are not unique to a location. **Wabbit Networks** may host a feed for their net-monitor software + - Cosmic Security independently evaluates software, providing a rating + They offer a SCITT Service with statements of quality to other products and projects. On the Cosmic Security scitt instance, the have a Feed-ID from **Wabbit Networks** + - The SCITT Transparent Statements are signed by Cosmic Security + - ACME Rockets can consume the software from Wabbit Networks, and statements of quality from Cosmic Security. They associate them by the Feed-Id + - ACME Rockets chooses to trust statements from Cosmic Security 
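Review bot: in feed-requirements.md, requirement 2 says "SCITT should prohibit the creation of Feed IDs that can be duped by another entity" but never says what makes `abc-123` from **Wabbit Networks** distinguishable from an `abc-123` registered by **BadCo**, and requirement 4 allows the same Feed-ID to appear on another instance (Cosmic Security's), so uniqueness cannot come from the string alone. State that a Feed ID is scoped by the identity that signed the originating Signed Statement, which is what feed-basic-example.md proposes, and replace "duped" with "spoofed" or "reused by another identity". Formatting and wording in the same hunk: the sub-bullet `-. When submitting an SBOM, Vex, Statement of Quality, ...` has a stray period after the dash; `They offer a SCITT Service with statements of quality ...` has no dash or indentation and will render as a run-on of the previous bullet; "fools other parties to submitting" should be "into submitting"; "see it's changes" should be "its changes"; "the have a Feed-ID" should be "they have"; and the identifier is spelled `Feed ID`, `Feed-ID` and `Feed-Id` on one page. The front matter line `title: # Feed Requirements` is a YAML comment, which leaves the page untitled in the nav; write `title: Feed Requirements`.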
diff --git a/examples/fictitious-companies.md b/examples/fictitious-companies.md index d7e8cfa..0db35c8 100644 --- a/examples/fictitious-companies.md +++ b/examples/fictitious-companies.md @@ -1,3 +1,10 @@ +--- +layout: page +title: # Fictitious Companies +parent: Examples +nav_order: 100 +--- + # Fictitious Companies To minimize context switching when reading through SCITT Scenarios, Use Cases and Examples, a set of fictitious companies and personas are used. From 0ab33d2b8820195bb592584cf21c9a7a67c23e6c Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Mon, 9 Oct 2023 10:07:44 -0700 Subject: [PATCH 19/21] Update examples/feed-basic-example.md Co-authored-by: Henk Birkholz Signed-off-by: Steve Lasker --- examples/feed-basic-example.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/feed-basic-example.md b/examples/feed-basic-example.md index 3ecee11..e2005f9 100644 --- a/examples/feed-basic-example.md +++ b/examples/feed-basic-example.md @@ -11,7 +11,7 @@ SCITT provides the registration, persistance and querying of a series of Transpa Producers and Third Parties create and register Signed Statements on one or more SCITT Services. And Consumers query one or more SCITT Services for information about software they wish to evaluate. -To demonstrate how SCITT Implements this workflow a collection of Scenarios and examples are provided using the [SCITT Community API Emulator](https://github.com/scitt-community/scitt-api-emulator) and [SCITT.xyz](https://scitt.xyz) +To demonstrate how SCITT Implements this workflow, a collection of scenarios and examples are provided using the [SCITT Community API Emulator](https://github.com/scitt-community/scitt-api-emulator) and [SCITT.xyz](https://scitt.xyz) ## Scenario: Series of Transparent Statements Over the Life of an Artifact From b78488997a0ffad74c898843fd272ae155a64b03 Mon Sep 17 00:00:00 2001 
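Review bot: in the fictitious-companies.md front matter hunk, `title: # Fictitious Companies` is read by YAML as a null title because the `#` starts a comment, so the page gets no name in the Jekyll nav even though `nav_order: 100` is set; write `title: Fictitious Companies`.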
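Review bot: in the feed-basic-example.md hunk that adds the comma, "how SCITT Implements this workflow" has a mid-sentence capital that could be dropped while the line is being touched, and the context line two above it spells "persistance" (should be "persistence").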
From: Steve Lasker Date: Mon, 9 Oct 2023 10:12:07 -0700 Subject: [PATCH 20/21] Update examples/feed-basic-example.md Co-authored-by: Henk Birkholz Signed-off-by: Steve Lasker --- examples/feed-basic-example.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/feed-basic-example.md b/examples/feed-basic-example.md index e2005f9..de04a0b 100644 --- a/examples/feed-basic-example.md +++ b/examples/feed-basic-example.md @@ -41,7 +41,7 @@ Ultimately, a Feed is the identifier used to query a series of statements about A few constructs are assumed: -- A Feed should be owned by the issuer of the artifact +- A Feed should is defined by the issuer of the artifact - Other parties may reference the same Feed, making additional statements, signed with their identity - Other parties, if permitted by the registration policy of the publishers SCITT instance, may publish Signed Statements to the same Feed - To enable autonomy, other parties may publish Signed Statements to a different SCITT instance, about the same Feed From 6e59a062303d11438821dcc61e02f40e5ae32166 Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Mon, 9 Oct 2023 10:12:59 -0700 Subject: [PATCH 21/21] Apply suggestions from code review Co-authored-by: Henk Birkholz Signed-off-by: Steve Lasker --- examples/feed-basic-example.md | 6 +++--- examples/fictitious-companies.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/feed-basic-example.md b/examples/feed-basic-example.md index de04a0b..7a33f82 100644 --- a/examples/feed-basic-example.md +++ b/examples/feed-basic-example.md 
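Review bot: the replacement line `- A Feed should is defined by the issuer of the artifact` is ungrammatical; the suggestion swapped "be owned" for "is defined" without dropping "should". Use `- A Feed is defined by the issuer of the artifact`, which also fits the bullets below it, where other parties reference the Feed rather than own it.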
@@ -42,9 +42,9 @@ Ultimately, a Feed is the identifier used to query a series of statements about A few constructs are assumed: - A Feed should is defined by the issuer of the artifact -- Other parties may reference the same Feed, making additional statements, signed with their identity - - Other parties, if permitted by the registration policy of the publishers SCITT instance, may publish Signed Statements to the same Feed - - To enable autonomy, other parties may publish Signed Statements to a different SCITT instance, about the same Feed +- Other parties can reference the same Feed, making additional statements, signed with their identity + - Other parties, if permitted by the registration policy of the publishers SCITT instance, can publish Signed Statements to the same Feed + - To enable autonomy, other parties can publish Signed Statements to a different SCITT instance, about the same Feed - From a SCITT perspective, the Feed ID is a string as trying to solve the one global unique identifier for software, hardware, content and other types is beyond the scope of SCITT - Consumers need to be able to find the Feed ID, based on nothing more than having reference to the artifact they wish to discover information - As SCITT supports Signed Statements, issued by an Identity, the following proposal uses the Identity of the Signed Statement as the Identity associated with the Feed diff --git a/examples/fictitious-companies.md b/examples/fictitious-companies.md index 0db35c8..553397b 100644 --- a/examples/fictitious-companies.md +++ b/examples/fictitious-companies.md 
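Review bot: the context line `- A Feed should is defined by the issuer of the artifact` in this hunk still carries the "should is" error from the previous commit and could be fixed here since the adjacent lines are being rewritten. In the changed lines, "the publishers SCITT instance" needs an apostrophe (`publisher's`). In the trailing context, "based on nothing more than having reference to the artifact they wish to discover information" reads better as "the artifact about which they wish to discover information", and the last bullet, which makes the Signed Statement's Identity the Identity associated with the Feed, is the page's only defence against a second party registering the same Feed ID string; it would help to add that consumers must verify the statement's signature against the issuer they expect before trusting a Feed ID, rather than matching on the string alone.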
@@ -7,7 +7,7 @@ nav_order: 100 # Fictitious Companies -To minimize context switching when reading through SCITT Scenarios, Use Cases and Examples, a set of fictitious companies and personas are used. +To minimize context switching when reading through SCITT scenarios, Use Cases and Examples, a set of fictitious companies and personas are used. The companies and personas aim to represent sets of end-to-end scenarios. ## Software Producers
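Review bot: in the fictitious-companies.md hunk, lowercasing "Scenarios" while leaving "Use Cases and Examples" capitalized in the same list is inconsistent; either lowercase all three or keep the capitals for all three if they are meant as page names.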