Commit ddf60b6 (1 parent: 38cc6f2)
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Steve Springett <steve@springett.us>
Showing 80 changed files with 49,912 additions and 4,366 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
--- | ||
# Page settings | ||
layout: document | ||
keywords: application security, software security, software bill of material, SBOM, BOM, open source, supply chain, specification, spdx, license, package url, purl, cpe | ||
comments: false | ||
banner: false | ||
|
||
# Hero section | ||
title: Attestations (CDXA) | ||
window_title: CycloneDX - Attestations (CDXA) | ||
description: Attestations (CDXA) | ||
|
||
# Micro navigation | ||
micro_nav: false | ||
|
||
# Breadcrumbs | ||
breadcrumbs: | ||
- title: CYCLONEDX | ||
- title: GETTING STARTED | ||
- title: CAPABILITIES | ||
|
||
# Page navigation | ||
|
||
--- | ||
|
||
# CycloneDX Attestations (CDXA) | ||
|
||
<!-- without this hack, the dropdown menu has issues due to h1 and h2 happening right after each other --> | ||
|
||
<div id="capabilities-section"> | ||
<p class="large-quote">Machine-readable statements of claims, evidence, and testimony in compliance with standards</p> | ||
{% include capabilities-stack.html %} | ||
</div> | ||
|
||
CycloneDX is a full-stack bill of materials standard supporting entire runtime environments consisting of hardware, | ||
firmware, containers, operating systems, applications and their libraries. Coupled with the ability to specify configuration | ||
makes CycloneDX ideal for Operational Bill of Materials. OBOM is a security behavior defined in [BSIMM](https://www.bsimm.com/) | ||
and similar maturity models. | ||
|
||
CycloneDX properties provide a mechanism to store configuration on a per-component and per-service basis inside a BOM. | ||
The specification also provides a mechanism to store URLs to documentation, including configuration management systems. | ||
|
||
## Independent OBOM and SBOM | ||
Inventory described in a SBOM will typically remain static until such time the inventory changes. | ||
However, operational information may be dynamic and subject to change. Therefore, it is recommended to decouple | ||
the OBOM from the SBOM. This allows OBOM information to be updated without having to create and track additional SBOMs. | ||
|
||
![Independent SBOM and OBOM Document](../../theme/assets/images/obom-sbom.svg){: width="500" } | ||
|
||
## High-Level Object Model | ||
![CycloneDX Object Model Swimlane](../../theme/assets/images/CycloneDX-Object-Model-Swimlane.svg){: width="900"} | ||
|
||
## References | ||
|
||
* [BSIMM SE3.6 - Enhance application inventory with operations bill of materials](https://www.bsimm.com/framework/deployment/software-environment.html) | ||
|
||
## Examples | ||
|
||
BOMs demonstrating OBOM capabilities can be found at | ||
[https://github.com/CycloneDX/bom-examples](https://github.com/CycloneDX/bom-examples) | ||
|
||
## Additional Capabilities | ||
{% include capabilities-selection.html %} |
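Review bot: The body of this new page does not match its title. The front matter (`title: Attestations (CDXA)`) and the H1 (`# CycloneDX Attestations (CDXA)`) name the page as Attestations, but everything below the hero block, from "CycloneDX is a full-stack bill of materials standard ... makes CycloneDX ideal for Operational Bill of Materials" through "## Independent OBOM and SBOM", the BSIMM SE3.6 reference and the "BOMs demonstrating OBOM capabilities" examples link, is the OBOM page text, so this reads as OBOM copy pasted in as a placeholder. Either replace it with CDXA content that explains what the hero quote promises (machine-readable claims, evidence and testimony, and how compliance with a standard is expressed) before the page is published, or mark the page as a stub so the navigation does not expose OBOM text under an Attestations heading. Also, the breadcrumbs stop at `- title: CAPABILITIES`; the companion CBOM page in this same commit adds a fourth, page-level entry (`- title: CBOM`), so `- title: CDXA` is likely missing here too.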
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
--- | ||
# Page settings | ||
layout: document | ||
keywords: application security, software security, software bill of material, SBOM, BOM, open source, supply chain, specification, spdx, license, package url, purl, cpe | ||
comments: false | ||
banner: false | ||
|
||
# Hero section | ||
title: Cryptography Bill of Materials (CBOM) | ||
window_title: CycloneDX - Cryptography Bill of Materials (CBOM) | ||
description: Cryptography Bill of Materials (CBOM) | ||
|
||
# Micro navigation | ||
micro_nav: false | ||
|
||
breadcrumbs: | ||
- title: CYCLONEDX | ||
- title: GETTING STARTED | ||
- title: CAPABILITIES | ||
- title: CBOM | ||
|
||
# Page navigation | ||
|
||
--- | ||
|
||
# Cryptography Bill of Materials (CBOM) | ||
|
||
<!-- without this hack, the dropdown menu has issues due to h1 and h2 happening right after each other --> | ||
|
||
<div id="capabilities-section"> | ||
<p class="large-quote">Discover, manage and report on cryptography in preparation for quantum safe systems and applications</p> | ||
{% include capabilities-stack.html %} | ||
</div> | ||
|
||
A Cryptography Bill of Materials (CBOM) describes cryptographic assets and their dependencies. Discovering, managing, | ||
and reporting on cryptographic assets is necessary as the first step on the migration journey to quantum-safe systems | ||
and applications. Cryptography is typically buried deep within components used to compose and build systems and | ||
applications. As part of an agile cryptographic approach, organizations should seek to understand what cryptographic | ||
assets they are using and facilitate the assessment of the risk posture to provide a starting point for mitigation. | ||
|
||
## BOM With Embedded Cryptographic Assets | ||
CycloneDX supports embedding cryptographic assets into existing SBOM or HBOMs. Leveraging this approach has the benefit | ||
in that the dependency graph can include all software and hardware components, their dependencies, and which | ||
components provide various cryptographic capabilities. | ||
|
||
![BOM With Embedded CBOM](../../theme/assets/images/embedded-cbom.svg){: width="205" } | ||
|
||
## Independent SBOM and CBOM | ||
To facilitate cryptographic agility, independent SBOM/HBOM and CBOM may be leveraged and optionally specify the | ||
configuration made to enable or disable cryptographic features and functions. | ||
|
||
![Independent SBOM and CBOM Document](../../theme/assets/images/cbom-sbom.svg){: width="500" } | ||
|
||
## High-Level Object Model | ||
![CycloneDX Object Model Swimlane](../../theme/assets/images/CycloneDX-Object-Model-Swimlane.svg){: width="900"} | ||
|
||
## Examples | ||
|
||
BOMs demonstrating CBOM capabilities can be found at | ||
[https://github.com/CycloneDX/bom-examples](https://github.com/CycloneDX/bom-examples) | ||
|
||
## Additional Capabilities | ||
{% include capabilities-selection.html %} |
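Review bot: The `keywords:` line is the generic SBOM template list (SBOM, BOM, spdx, license, purl, cpe) and never mentions cryptography, CBOM, cryptographic assets, quantum-safe or post-quantum, so the page's search metadata does not describe the page; add the CBOM terms or drop the copied list. Three wording points in the body: "embedding cryptographic assets into existing SBOM or HBOMs" should read "SBOMs or HBOMs"; "Leveraging this approach has the benefit in that the dependency graph can include..." reads more cleanly as "The benefit of this approach is that the dependency graph can include..."; and the sentence under "## Independent SBOM and CBOM" does not parse as written ("independent SBOM/HBOM and CBOM may be leveraged and optionally specify the configuration made to enable or disable..."), suggest "independent SBOM/HBOM and CBOM documents may be used, and the CBOM may optionally specify the configuration that enables or disables cryptographic features and functions." Minor: the hero quote says "quantum safe" while the body says "quantum-safe", so use the hyphenated form in both; and the `# Breadcrumbs` comment that precedes `breadcrumbs:` on the companion CDXA page is missing here, so the front matter layout differs between the two capability pages added in this commit.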