liboqs icon indicating copy to clipboard operation
liboqs copied to clipboard

Published 20 hours ago verified publisher icon open-quantum-safe

Update CBOM to CycloneDX 1.6 format

Open planetf1 opened this issue 1 year ago • 0 comments

State of current BOM:

The current BOM at docs/cbom.json mostly validates against the 1.4 spec with just 1 issue

  • metadata.,timestamp value of 2024-03-05T11:49:42.428605 fails with String is not a RFC3339 date-time.

In RFC3339 a time-offset is required, ie can be Z.

Using 2024-03-05T11:49:42.428605Z passes validation.

This change is needed in the tooling that builds/tests the BOM

Improvement to include pointer to schema

Many BOMs include a pointer to the spec ie we could add

  "$schema": "https://raw.githubusercontent.com/IBM/CBOM/main/bom-1.4-cbom-1.0.schema.json#",

Aside - as an alternative, and for testing, the following can be added in .vscode settings:

    "json.schemas": [
        

        {
            "fileMatch": [
                "cbom.json"
            ],
            "url": "https://raw.githubusercontent.com/IBM/CBOM/main/bom-1.4-cbom-1.0.schema.json"
        }
    ]

Cyclone DX 1.6

CBOM is now incorporated into CycloneDX 1.6, but here the schema as evolved a little

We can validate against the new spec - the example below includes the vscode definition:

    "json.schemas": [


        {
            "fileMatch": [
                "cbom.json"
            ],
            "url": "http://cyclonedx.org/schema/bom-1.6.schema.json"
        }
    ]

If $schema is included in the bom, then other tools wouldn't need to explicitly be configured, and should find the schema definition automatically

In CycloneDX 1.6 the following is noted:

  • "bomFormat": "CBOM", -> can only be 'CycloneDX'
  • "type": "crypto-asset", -> 'cryptographic-asset'
  • In algorithmProperties, variant & implementationLevel are not allowed. where the last segment of Variant includes a platform like x86_64 this probably is now best matched to implementationPlatform , whilst implementationLevel is executionEnvironment
  • in cryptoProperties, nistQuantumSecurityLevel is not allowed - it has moved under algorithmProperties
  • "primitive": "blockcipher", -> block-cipher
  • "dependencyType": "uses" - not allowed. there is a new property provides which seems to make sense where an algorithm is provided, whilst just having a dependency presumes uses ..?

Note the above is from a quick scan - need to check in more detail...

@bhess @dstebila I think it would be useful to consider this update now that the 1.6 spec is out, and we're seeing more tooling support CBOM.

Happy to work on some updates if it's helpful - or perhaps you plan to @bhess ?

planetf1 avatar Jul 01 '24 16:07 planetf1