Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v1.6 #323

Merged
merged 285 commits into from
Apr 9, 2024
Merged

v1.6 #323

merged 285 commits into from
Apr 9, 2024

Conversation

jkowalleck
Copy link
Member

@jkowalleck jkowalleck commented Oct 15, 2023
edited
Loading

Added

  • Core enhancement: Attestation (#192 via #348)
  • Core enhancement: Cryptography Bill of Materials — CBOM (#171, #291 via #347)
  • Feature to express the URL to source distribution (#98 via #269)
  • Feature to express the URL to RFC 9116 compliant documents (#380 via #381)
  • Feature to express tags/keywords for services and components (via #383)
  • Feature to express details for component authors (#335 via #379)
  • Feature to express details for component and BOM manufacturer (#346 via #379)
  • Feature to express communicate concluded values from observed evidences (#411 via #412)
  • Features to express license acknowledgement (#407 via #408)
  • Feature to express environmental consideration information for model cards (#396 via #395)
  • Feature to express the address of organizational entities (via #395)
  • Feature to express additional component identifiers: Universal Bill Of Receipts Identifier and Software Heritage persistent IDs (#413 via #414)

Fixed

  • Allow multiple evidence identities by XML/JSON schema (#272 via #359)
    This was already correct via ProtoBuff schema.
  • Prevent empty license entities by XML schema (#288 via #292)
    This was already correct in JSON/ProtoBuff schema.
  • Prevent empty or malformed property entities by JSON schema (#371 via #375)
    This was already correct in XML/ProtoBuff schema.
  • Allow multiple licenses in Metadata by ProtoBuff schema (#264 via #401)
    This was already correct in XML/JSON schema.

Changed

  • Allow arbitrary $schema values by JSON schema (#402 via #403)
  • Increased max length of versionRange (via 3e01ce6)
  • Harmonized length of version (via #417)

Deprecated

  • Data model "Component"'s field author was deprecated. (via #379)
    Use field authors or field manufacturer instead.
  • Data model "Metadata"'s field manufacture was deprecated. (#346 via #379)
    Use "Metadata"'s field component's field manufacturer instead.
    • for XML: /bom/metadata/component/manufacturer
    • for JSON: $.metadata.component.manufacturer
    • for ProtoBuf: Bom:metadata.component.manufacturer

Documentation

  • Centralize version and version-range (via #322)
  • Streamlined SPDX expression related descriptions (via #327)
  • Enhanced descriptions of bom-ref/refType (#336 via #344)
  • Enhanced readability of enum documentation in JSON schema (#361 via #362)
  • Fixed typo "compliment" -> "complement" (via #369)
  • Added documentation for enum "ComponentScope"'s values in JSON schema (#293 via d92e58e)
    Texts were a taken from the existing ones in XML/ProtoBuff schema.
  • Added documentation for enum "TaskType"'s values (#245 via #377)
  • Improve documentation for data model "Metadata"'s field licenses (#273 via #378)
  • Added documentation for enum "MachineLearningApproachType"'s values (#351 via #416)
  • Rephrased some texts here and there.

Test data

  • Added test data for newly added use cases
  • Added quality assurance for our ProtoBuf schemas (#384 via #385)

@jkowalleck jkowalleck added this to the 1.6 milestone Oct 15, 2023
jkowalleck and others added 19 commits October 15, 2023 13:08
@jkowalleck
chore: generate docs for v1.6
da1286b 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck
Merge branch 'master' into 1.6-dev
ec1b169
@jkowalleck
chore: generate docs for v1.6
5d8c05b 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@bhess
Merges detectionContext properties with component evidence
8d1c9a4 
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
@jkowalleck
refactor: centralize version and version-range
92ae29e 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@bhess
remove remaining confidenceLevel
29373d7 
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
@stevespringett
Corrected strict schema violations
17019b0 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Merge branch '1.6-dev-cbom' into bhe-cbom-evidence
fae707b
@stevespringett
Merges detectionContext properties with component evidence (#325)
419d536 
This PR follows our CBOM WG call from Oct 12. It removes the
`detectionContext` property from components and merges them with
`componentEvidence`. The following properties are added to evidence:
- `lineNumber`
- `offset`
- `symbol`
- `additionalContext`

The plan is to make a separate proposal/PR for `keyword`

The PR also removes the extra fields for confidence levels since they
are already covered by `componentEvidence`.

Tagging @stevespringett @n1ckl0sk0rtge @mrutkows
@stevespringett
CBOM: merges relatedCryptoMaterial and key asset types (#313)
5af5623 
This addresses the use case described in
IBM/CBOM#31:
- Expiry and life cycle of any relatedCryptoMaterial (e.g. keys, tokens,
password) should be expressible.

This is done by merging the "key" asset type and "relatedCryptoMaterial"
to "relatedCryptoMaterial", which contains the needed properties.
@stevespringett
refactor: centralize version and version-range (#322)
a8d1c65 
goal: improve documentation by consolidating elements regarding
"version".
pure refactoring, no new functionality was added, nor removed, nor
changed.


- [x] consolidate `version`
- [x] consolidate `range`
- [x] rename `range` definition to `version-range`
- [x] add more examples
- [x] review rendered documentation
@jkowalleck
tests: enable more tests for v1.6
6dac012 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck
docs: improve SPDX expression docs
ad6f39d 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@stevespringett
docs: improve SPDX expression docs (#327)
9a95cff
@bhess
CBOM: adds 'parameterSetIdentifier' property, replacing 'variant'
dd517f6 
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
@stevespringett
CBOM: adds 'parameterSetIdentifier' property, replacing 'variant' (#339)
779121c 
The new property 'parameterSetIdentifier' replaces 'variant' and
contains information about the parameter set identifying an algorithm.
This can be, for example, the key length (in AES), the digest length (in
SHA2), or the hash algorithm used internally (in SLH-DSA / FIPS205). The
"description" field contains some examples.

This PR is motivated by IBM/CBOM#37 and
intends to address its use case.

Tagging @stevespringett, @n1ckl0sk0rtge, @mrutkows, @GeroDittmann
Description and minor field updates
d39b039 
Signed-off-by: steve.springett <steve.springett@servicenow.com>
@andreas-hilti
Move comment to description
38950ae 
Signed-off-by: andreas hilti <andreas.hilti@bluewin.ch>
@stevespringett
Move comment to description (#344)
d309ee9 
Move comment in `$comment` to description for increased visibility.

Closes: #336
@jkowalleck jkowalleck linked an issue Nov 27, 2023 that may be closed by this pull request
Show comments of JSON Schema in Documentation #336
Closed
jkowalleck and others added 8 commits November 28, 2023 19:07
@jkowalleck
Merge branch '1.6-dev' into 1.6-dev-cbom
77ab457
@jkowalleck
Merge branch '1.6-dev' into 1.6-dev-attestations
e8ae437
@bhess
Review description fields of 'algorithmProperties'
224f756 
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
@jkowalleck
Review description fields of 'algorithmProperties' (#350)
cbc6ee5 
Reviews the description fields and addresses my TODOs.
@stevespringett
Added key to enum
ad47938 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Commits as of last meeting
800ad2a 
Signed-off-by: Steve Springett <steve@springett.us>
@bhess
add 'combiner' as primitive
32ffcc0 
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
@stevespringett
Support for hybrids/combiners: add 'combiner' as primitive (#353)
915c7cc 
Adds 'combiner' as enum entry in 'primitive'.

Addresses the use case when combinations of (e.g.) classical crypto like
RSA is used together with QSC like Dilithium. An entry of this primitive
allows to express the combiner used. Adding dependencies to
RSA/Dilithium then allows to express the algorithms used in the
combiner. Note: "combiners" are also known as "hybrids", but this term
can be ambiguous so I prefer the term combiner.
@stevespringett
Minor doc updates - titles, descriptions, etc
c8d57a4 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Minor doc updates
176f1e4 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Correct property that included space
494661a 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Clarification of descriptions
f34a832 
Signed-off-by: Steve Springett <steve@springett.us>
madpah
madpah reviewed Apr 5, 2024
View reviewed changes
schema/bom-1.6.xsd Outdated Show resolved Hide resolved
madpah
madpah reviewed Apr 5, 2024
View reviewed changes
schema/bom-1.6.xsd Outdated Show resolved Hide resolved
@jkowalleck jkowalleck marked this pull request as ready for review April 5, 2024 10:54
@jkowalleck jkowalleck requested a review from a team as a code owner April 5, 2024 10:54
madpah
madpah reviewed Apr 5, 2024
View reviewed changes
schema/bom-1.6.xsd Outdated
<xs:annotation>
<xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst</xs:documentation>
</xs:annotation>
</xs:element>
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wrong place annotated.

@madpah
Copy link

madpah commented Apr 5, 2024

@jkowalleck - .cryptoProperties.assetType is optional currently in XSD - see here:
<xs:element name="assetType" minOccurs="0" maxOccurs="1">

Which leaves the entirety of .cryptoProperties optional, which seems incorrect to me.

@madpah
Copy link

madpah commented Apr 5, 2024

@jkowalleck - .cryptoProperties.protocolProperties.version has no type in the XSD here, but is defined as a String under the JSON schema:

<xs:element name="version" minOccurs="0" maxOccurs="1">

@madpah
Copy link

madpah commented Apr 5, 2024

@jkowalleck .cryptoProperties.protocolProperties.ikev2TransformTypes.esn is defined a boolean occurring 0 or more times in XSD, but as an optional (singular) boolean in JSON schema.

See XSD here
<xs:element name="esn" type="xs:boolean" minOccurs="0" maxOccurs="unbounded">

@stevespringett
Correcting optional state for crypto assetType
2bb8bae 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Copy link
Member

@jkowalleck - .cryptoProperties.assetType is optional currently in XSD - see here: <xs:element name="assetType" minOccurs="0" maxOccurs="1">

Which leaves the entirety of .cryptoProperties optional, which seems incorrect to me.

@madpah thanks. This has been corrected in 2bb8bae

@stevespringett
Explicit string type correction
f5d959b 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Copy link
Member

@jkowalleck - .cryptoProperties.protocolProperties.version has no type in the XSD here, but is defined as a String under the JSON schema:

<xs:element name="version" minOccurs="0" maxOccurs="1">

@madpah Not really an issue, but I did make this explicit in f5d959b

@stevespringett
Corrected maxOccurs with esn
d278e70 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Copy link
Member

@jkowalleck .cryptoProperties.protocolProperties.ikev2TransformTypes.esn is defined a boolean occurring 0 or more times in XSD, but as an optional (singular) boolean in JSON schema.

See XSD here <xs:element name="esn" type="xs:boolean" minOccurs="0" maxOccurs="unbounded">

@madpah Nice catch. Corrected in d278e70

prabhu and others added 2 commits April 6, 2024 21:54
@prabhu
Updated dependency attribute docs
6c88ab9 
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@stevespringett
Updated dependency attribute docs (#421)
b5c550e
@stevespringett
Updates to online docs
b3ea018 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Updated SPDX license list to 3.23
4017ce4 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett stevespringett merged commit c5032b8 into master Apr 9, 2024
8 checks passed
@stevespringett stevespringett deleted the 1.6-dev branch April 9, 2024 05:13
@jkowalleck jkowalleck changed the title [WIP] v1.6 v1.6 Apr 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@prabhu prabhu prabhu left review comments

@bhess bhess bhess left review comments

@mrutkows mrutkows mrutkows left review comments

@madpah madpah madpah left review comments

@stevespringett stevespringett stevespringett approved these changes

Assignees
No one assigned
Labels
chore: QA A chore related to Quality Assurance defect documentation proposed core enhancement test-data related to test-resources and -data
Projects
None yet
Milestone
1.6
Development

Successfully merging this pull request may close these issues.

None yet
10 participants
@jkowalleck @stevespringett @prabhu @madpah @bhess @mrutkows @andreas-hilti @tsjensen @msymons @idunbarh