SCITT Usage Examples

README.md

@@ -41,4 +41,4 @@ A SCITT instance will persist verifiable claims to its ledger. Any optional evid
 
 While a SCITT instance should provide a default storage, there's no limit on what storage services are used. For package managers that support breadths of content types, the evidence may be stored alongside the artifact by which the claim is being made. For package managers that limit the content types to the specific package type, a SCITT instance should provide default storage persistence.
 
-For more info, see: [Supply Chains]({% link supply-chain.md %})
+For more info, see: [Supply Chains](./supply-chain.md)

examples/README.md

@@ -0,0 +1,13 @@
+---
+layout: page
+title:  "SCITT Use Case Examples"
+nav_order: 110
+---
+# Examples
+
+To support the [SCITT Use Cases][use-cases], the following examples are illustrated.
+
+- [Binary Use Case: Multi-Version Product Support, With Third Party Statements of Quality](./feed-binary-usecase.md)
+
+[use-cases]:       https://datatracker.ietf.org/doc/draft-ietf-scitt-software-use-cases/
+

examples/feed-binary-usecase.md

@@ -0,0 +1,76 @@
+# Binary Use Case
+
+## Software Producer
+
+[Wabbit Networks](fictitious-companies.md#wabbit-networks) frequently releases their **net-monitor** software.
+Their software is distributed as container images and loose binaries for Linux and Windows servers.
+They maintain multiple versions of their software, while releasing patched versions.
+
+Wabbit Networks provides SBOMs, VEX Reports with a Vendor Response File (VRF) for each of their releases.
+They occasionally need to issue new versions of the VRF, as well as updated VEX reports, because even while the software may remain unmodified the vulnerability landscape and Wabbit Networks' understanding of it is constantly evolving.
+
+### The Net Monitor Release Page
+
+Due to the complexity of different versions, platforms, architectures and product lines, companies and projects typically use marketing based navigation to assist users with their download choices.
+The below matrix is meant to visually represent a common matrix, that would be provided through marketing links.
+
+Versions and Patched Releases:
+
+- For each major release (`1.0.0`, `2.0.0`, `3.0.0`), there are a set of minor feature releases (`1.1.0`, `1.2.0`) with potential patches (`1.0.1`, `1.0.2`).  
+  <Note:> Vendors and projects use various forms of versioning, including [SemVer](https://semver.org/), [CalVer](https://calver.org/) and other forms.
+  SCITT must support any versioning scheme a producer wishes to support.
+- In the below examples, not all platforms have patches for a specific major or minor release.
+
+| Version | Linux Container | Linux Binary | Windows Container | Windows Installer |
+| - | - | - | - | - |
+| v1.0.0 | [net-monitor:v1.0.0-linux-amd64]() | [net-monitor-v1_0_0.gzip]() | [net-monitor:v1.0.0-win-amd64]() | [net-monitor-v1_0_0.msi]() |
+| -- v1.0.1 | [net-monitor:v1.0.1-linux-amd64]() | [net-monitor-v1_0_1.gzip]() | [net-monitor:v1.0.1-win-amd64]() | [net-monitor-v1_0_1.msi]() |
+| -- v1.0.2 | [net-monitor:v1.0.2-linux-amd64]() | [net-monitor-v1_0_2.gzip]() |  |  |
+| - v1.1.0 | [net-monitor:v1.1.0-linux-amd64]() | [net-monitor-v1_1_0.gzip]() | [net-monitor:v1.1.0-win-amd64]() | [net-monitor-v1_1_0.msi]() |
+| -- v1.1.1 |  |  | [net-monitor:v1.1.1-win-amd64]() | [net-monitor-v1_1_1.msi]() |
+| -- v1.1.2 |  |  | [net-monitor:v1.1.2-win-amd64]() | [net-monitor-v1_1_2.msi]() |
+| - v1.2.0 | [net-monitor:v1.2.0-linux-amd64]() | [net-monitor-v1_2_0.gzip]() | [net-monitor:v1.2.0-win-amd64]() | [net-monitor-v1_2_0.msi]() |
+| v2.0.0 | [net-monitor:v2.0.0-linux-amd64]() | [net-monitor-v2_0_0.gzip]() | [net-monitor:v2.0.0-win-amd64]() | [net-monitor-v2_0_0.msi]() |
+| - v2.1.0 | [net-monitor:v2.1.0-linux-amd64]() | [net-monitor-v2_1_0.gzip]() | [net-monitor:v2.1.0-win-amd64]() | [net-monitor-v2_1_0.msi]() |
+| - v2.1.1 | [net-monitor:v2.1.1-linux-amd64]() | [net-monitor-v2_1_1.gzip]() | | |
+| - v2.1.2 | [net-monitor:v2.1.2-linux-amd64]() | [net-monitor-v2_1_2.gzip]() | | |
+| - v3-alpha | [net-monitor:v3-alpha-linux-amd64]() | [net-monitor-v3-alpha.gzip]() | [net-monitor:v3-alpha-win-amd64]() | [net-monitor-v3-alpha.msi]() |
+
+### Questions for Producers
+
+When software producers wish to publish additional information for their products, how can they:
+
+- Let consumers know the most recently patched version for a specific platform/architecture release?
+- Let consumers know a new version is available?
+- Let consumers know an SBOM, VEX, VRF was verifiably published by the publisher?
+- Let consumers know a newer version of the SBOM, VEX, VRF was released, _and_ verifiably published by the publisher?
+
+> _[IETF SCITT Use Cases](https://www.ietf.org/archive/id/draft-ietf-scitt-software-use-cases-01.html#name-identify-statements-and-upd)_
+
+## Software Consumer
+
+[ACME Rockets](./fictitious-companies.md#acme-rockets) consumes the Net Monitor software from Wabbit Networks.
+They are currently using their version 1 release, and need to get notified of updates when they're available.
+
+## Third Party Security Vendor
+
+[Cosmic Security](./fictitious-companies.md#cosmic-security) evaluates the security posture of its customers, providing 3rd party analysis and validation.
+
+ACME Rockets subscribes to Cosmic Security to monitor the software they use within their environment.
+
+## End to End Integration
+
+ACME Rockets deploys the Cosmic Security products to monitor the software in their environment.
+Wabbit Networks publishes their security information through a public SCITT Service.
+For each product ACME Rockets consumes, a SCITT Feed Identifier is used to get the latest information about the products.
+
+Cosmic Security also publishes their perspective of the ACME Rockets software, as well as other vendors and projects.
+Cosmic Security publishes the information using a a SCITT Service that provides a series of statements associated with the Feeds of each of their products they consume.
+
+## References
+
+Examples of Product Download Pages
+- [OpenSCAD](http://openscad.org/downloads.html)
+  - [Images are currently available for platforms linux/amd64 and linux/arm64](https://hub.docker.com/r/openscad/openscad)
+- [Unity](https://unity.com/releases/editor/whats-new/2023.1.10)
+  - A collection of releases for Windows (`.exe`), Mac (`.pkg`), Linux (.`tar.xz`)

examples/fictitious-companies.md

@@ -0,0 +1,36 @@
+# Fictitious Companies
+
+To minimize context switching when reading through SCITT Scenarios, Use Cases and Examples, a set of fictitious companies and personas are used.
+The companies and personas aim to represent sets of end-to-end scenarios.
+
+## Software Producers
+
+A set of software producers.
+
+### Wabbit Networks
+Wabbit Networks is a software company, specializing in network monitoring software.
+They distribute their software as container images and loose binaries for Linux and Windows servers.
+As consumers purchase different versions, Wabbit Networks maintain multiple versions of their software, while releasing patched versions.
+Over time, some versions become "End of Life" (EOL), where support is no longer supported.
+For each version that's marked EOL, a new supported version is provided.
+
+## Software Consumers
+
+Various consumers of software from various vendors and open source projects.
+
+### ACME Rockets
+
+ACME Rockets consumes the Net Monitor software from Wabbit Networks.
+ACME Rockets has multiple environments ranging from common software the use for Human Resources, services from cloud providers and specialized software for their launch systems.
+In addition, ACME Rockets manages a set of Satellite services, where they maintain and update the software deployed within the satellites.
+
+## Third Party Security Vendors
+
+A set of vendors that provide security perspectives and audits of software products and services.
+
+### Cosmic Security
+
+Cosmic Security evaluates software security, providing their customers 3rd party validation.
+They specialize in the unique requirements of aerospace companies that have unique challenges, such as how they secure launch systems, manufacturing and the software running in satellite deployments.
+The aerospace industry has a network of suppliers and vendors for CAD/CAM, 3D printing, materials and transport services.
+In addition to assuring the software run across planetary and orbital environments are secure, they must also assure the documents shared across parties are also genuine.