From 2e4c17d0ffca7172b5e6a41b8dddce6327fe00a9 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Sat, 18 Mar 2023 23:33:53 -0500
Subject: [PATCH 1/3] Expanded service dataflow support

Signed-off-by: Steve Springett
---
 schema/bom-1.5.proto | 14 +-
 schema/bom-1.5.schema.json | 53 +++-
 schema/bom-1.5.xsd | 57 +++-
 .../test/resources/1.5/valid-saasbom-1.5.json | 272 ++++++++++++++++++
 .../resources/1.5/valid-saasbom-1.5.textproto | 173 +++++++++++
 .../test/resources/1.5/valid-saasbom-1.5.xml | 230 +++++++++++++++
 6 files changed, 788 insertions(+), 11 deletions(-)
 create mode 100644 tools/src/test/resources/1.5/valid-saasbom-1.5.json
 create mode 100644 tools/src/test/resources/1.5/valid-saasbom-1.5.textproto
 create mode 100644 tools/src/test/resources/1.5/valid-saasbom-1.5.xml

diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto
index 937ea0e1..d7af4b4a 100644
--- a/schema/bom-1.5.proto
+++ b/schema/bom-1.5.proto
@@ -122,11 +122,19 @@ message Component {
 }
 
 // Specifies the data classification.
-message DataClassification {
+message DataClassification { // This is actually the data flow, but unable to change the name due to backward compatability
 // Specifies the flow direction of the data.
 DataFlow flow = 1;
-// SimpleContent value of element
+// Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
 string value = 2;
+// Name for the defined data
+optional string name = 3;
+// Short description of the data content and usage
+optional string description = 4;
+// The URI, URL, or BOM-Link of the components or services the data came in from
+repeated string source = 5;
+// The URI, URL, or BOM-Link of the components or services the data is sent to
+repeated string destination = 6;
 }
 
 // Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
@@ -461,6 +469,8 @@ message Service {
 repeated Property properties = 14;
 // Specifies optional release notes.
 optional ReleaseNotes releaseNotes = 15;
+// The name of the trust zone the service resides in.
+optional string trustZone = 16;
 }
 
 message Swid {
diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json
index f2f43304..95ab3a6a 100644
--- a/schema/bom-1.5.schema.json
+++ b/schema/bom-1.5.schema.json
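Review bot: The new `source` and `destination` fields at the end of the DataClassification hunk accept any string, and nothing in the proto ties a BOM-Link value to an existing `bom_ref`, so a dangling reference silently yields an incomplete data-flow graph for anyone reasoning about trust boundaries from it. The JSON schema side of this commit at least constrains the items to `iri-reference`; here the only contract is the comment, so the comment should carry the caveat, e.g. `// The URI, URL, or BOM-Link of the components or services the data came in from. BOM-Link targets are not validated by the schema; consumers should resolve them against the document's bom_refs.` and the same on `destination`. Repeated fields are conventionally plural, but since the JSON schema in this commit also uses `source`/`destination`, keeping the names aligned across formats is the better trade-off.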
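Review bot: `optional string trustZone = 16;` in the Service hunk introduces a lowerCamelCase field name where proto convention is lower_snake_case and the neighbouring `x_trust_boundary` and `external_references` fields follow it; `optional string trust_zone = 16;` would be consistent without touching the wire format, since field names are not encoded. The proto3 JSON mapping derives `trustZone` from `trust_zone` automatically, so the JSON key stays aligned with the schema, though the textproto fixture added in this patch would need `trust_zone:` as well. The file already carries `releaseNotes` in camelCase, so this is a pre-existing inconsistency rather than a regression, but the new field need not add to it.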
@@ -1145,12 +1145,17 @@
 "title": "Crosses Trust Boundary",
 "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."
 },
+"trustZone": {
+"type": "string",
+"title": "Trust Zone",
+"description": "The name of the trust zone the service resides in."
+},
 "data": {
 "type": "array",
 "additionalItems": false,
-"items": {"$ref": "#/definitions/dataClassification"},
-"title": "Data Classification",
-"description": "Specifies the data classification."
+"items": {"$ref": "#/definitions/dataFlow"},
+"title": "Data",
+"description": "Specifies the data flow, classification, and other relevant information."
 },
 "licenses": {
 "type": "array",
@@ -1192,7 +1197,7 @@
 }
 }
 },
-"dataClassification": {
+"dataFlow": {
 "type": "object",
 "title": "Hash Objects",
 "required": [
@@ -1202,7 +1207,7 @@
 "additionalProperties": false,
 "properties": {
 "flow": {
-"$ref": "#/definitions/dataFlow",
+"$ref": "#/definitions/dataFlowDirection",
 "title": "Directional Flow",
 "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known."
 },
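Review bot: The renamed `dataFlow` definition in the `@@ -1192` hunk keeps `"title": "Hash Objects"`, a copy-paste leftover that the rename was the natural moment to fix; `"title": "Data Flow"` would match the new key and the `"title": "Data"` this commit puts on the service's `data` property. The title is what most schema viewers display for the definition, so leaving it wrong is more visible than the description text this commit does update.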
@@ -1210,10 +1215,46 @@ "type": "string", "title": "Classification", "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Name for the defined data", + "examples": [ + "Credit card reporting" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "Short description of the data content and usage", + "examples": [ + "Credit card information being exchanged in between the web app and the database" + ] + }, + "source": { + "type": "array", + "additionalItems": false, + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Source", + "description": "The URI, URL, or BOM-Link of the components or services the data came in from" + }, + "destination": { + "type": "array", + "additionalItems": false, + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Destination", + "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" } } }, - "dataFlow": { + "dataFlowDirection": { "type": "string", "enum": [ "inbound", diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index 357f6fd3..f1887838 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd 
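Review bot: The four new `description` strings in this hunk (`Name for the defined data`, `Short description of the data content and usage`, and the two `The URI, URL, or BOM-Link …` ones) have no terminal period, while every neighbouring description in the file ends with one and the XSD annotations for the same fields in this patch also end with one; the three formats should agree. Separately, `"format": "iri-reference"` is only enforced by validators that run format assertions, and nothing in the schema checks that a BOM-Link resolves to a `bom-ref` in the same document, so tooling that builds a trust-boundary graph from `source`/`destination` should treat an unresolved reference as an error rather than as a missing edge; a sentence saying so in the two descriptions would help implementers.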
@@ -1544,15 +1544,66 @@ limitations under the License. A value of false indicates that by using the service, a trust boundary is not crossed. + + + The name of the trust zone the service resides in. + + - - + + + + + DEPRECATED: Specifies the data classification. THIS FIELD IS DEPRECATED AS OF v1.5. Use dataflow\classification instead + + + + Specifies the data classification. + + + + + Specifies the data classification. + + + + + Name for the defined data. + + + + + Short description of the data content and usage. + + + + + The URI, URL, or BOM-Link of the components or services the data came in from. + + + + + + + + + + The URI, URL, or BOM-Link of the components or services the data is sent to. + + + + + + + + + - + diff --git a/tools/src/test/resources/1.5/valid-saasbom-1.5.json b/tools/src/test/resources/1.5/valid-saasbom-1.5.json new file mode 100644 index 00000000..6a65f00b --- /dev/null +++ b/tools/src/test/resources/1.5/valid-saasbom-1.5.json 
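Review bot: The deprecation text added in this hunk, `Use dataflow\classification instead`, names the replacement with a backslash, which reads as a filesystem path rather than an element path; `dataflow/classification` (or the exact element names) would be unambiguous. The element markup is stripped in this rendering so I cannot check the names, but two of the added annotations both read `Specifies the data classification.`, which suggests the outer one was meant to describe the new data-flow element; `Specifies the data flow, classification, and other relevant information.` would mirror the wording this same commit puts in the JSON schema.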
@@ -0,0 +1,272 @@
+{
+"bomFormat": "CycloneDX",
+"specVersion": "1.5",
+"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+"version": 1,
+"metadata": {
+"timestamp": "2021-01-10T12:00:00Z",
+"component": {
+"bom-ref": "acme-stock-application",
+"type": "application",
+"name": "Acme SaaSBOM Example",
+"version": "2022-1"
+}
+},
+"services": [
+{
+"bom-ref": "stock-ticker-service",
+"provider": {
+"name": "Acme Inc",
+"url": [ "https://example.com" ]
+},
+"group": "com.example",
+"name": "Stock Ticker Service",
+"version": "2022-1",
+"endpoints": [
+"https://example.com/",
+"https://example.com/app"
+],
+"authenticated": true,
+"trustZone": "Acme Public Zone",
+"data": [
+{
+"classification": "Customer",
+"flow": "bi-directional",
+"source": [
+"https://0.0.0.0"
+],
+"destination": [
+"https://0.0.0.0"
+]
+},
+{
+"classification": "PII",
+"flow": "bi-directional",
+"source": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com"
+],
+"destination": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com"
+]
+},
+{
+"classification": "PIFI",
+"flow": "bi-directional",
+"source": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com"
+],
+"destination": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com"
+]
+},
+{
+"classification": "Public",
+"flow": "bi-directional",
+"source": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com"
+],
+"destination": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com"
+]
+}
+],
+"externalReferences": [
+{
+"type": "documentation",
+"url": "https://example.com/app/swagger"
+}
+],
+"services": [
+{
+"bom-ref": "ms-1.example.com",
+"provider": {
+"name": "Acme Inc",
+"url": [ "https://example.com" ]
+},
+"group": "com.example",
+"name": "Microservice 1",
+"version": "2022-1",
+"description": "Example Microservice",
+"endpoints": [
+"https://ms-1.example.com"
+],
+"authenticated": true,
+"trustZone": "Acme Private Zone",
+"data": [
+{
+"classification": "PII",
+"flow": "bi-directional",
+"source": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+],
+"destination": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+]
+},
+{
+"classification": "PII",
+"flow": "bi-directional",
+"source": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com"
+],
+"destination": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com"
+]
+}
+],
+"externalReferences": [
+{
+"type": "documentation",
+"url": "https://ms-1.example.com/swagger"
+}
+]
+},
+{
+"bom-ref": "ms-2.example.com",
+"provider": {
+"name": "Acme Inc",
+"url": [ "https://example.com" ]
+},
+"group": "com.example",
+"name": "Microservice 2",
+"version": "2022-1",
+"description": "Example Microservice",
+"endpoints": [
+"https://ms-2.example.com"
+],
+"authenticated": true,
+"trustZone": "Acme Private Zone",
+"data": [
+{
+"classification": "PIFI",
+"flow": "bi-directional",
+"source": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+],
+"destination": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+]
+}
+],
+"externalReferences": [
+{
+"type": "documentation",
+"url": "https://ms-2.example.com/swagger"
+}
+]
+},
+{
+"bom-ref": "ms-3.example.com",
+"provider": {
+"name": "Acme Inc",
+"url": [ "https://example.com" ]
+},
+"group": "com.example",
+"name": "Microservice 3",
+"version": "2022-1",
+"description": "Example Microservice",
+"endpoints": [
+"https://ms-3.example.com"
+],
+"authenticated": true,
+"trustZone": "Acme Private Zone",
+"data": [
+{
+"classification": "Public",
+"flow": "bi-directional",
+"source": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+],
+"destination": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+]
+},
+{
+"classification": "Public",
+"flow": "outbound",
+"destination": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com"
+]
+}
+],
+"externalReferences": [
+{
+"type": "documentation",
+"url": "https://ms-3.example.com/swagger"
+}
+]
+},
+{
+"bom-ref": "ms-1-pgsql.example.com",
+"group": "org.postgresql",
+"name": "Postgres",
+"version": "14.1",
+"description": "Postgres database for Microservice #1",
+"endpoints": [
+"https://ms-1-pgsql.example.com:5432"
+],
+"authenticated": true,
+"trustZone": "Acme Private Zone",
+"data": [
+{
+"classification": "PII",
+"flow": "bi-directional",
+"source": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com"
+],
+"destination": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com"
+]
+}
+]
+},
+{
+"bom-ref": "s3-example.amazon.com",
+"group": "com.amazon",
+"name": "S3",
+"description": "S3 bucket",
+"endpoints": [
+"https://s3-example.amazon.com"
+],
+"authenticated": true,
+"trustZone": "Public Internet",
+"data": [
+{
+"classification": "Public",
+"flow": "inbound",
+"source": [
+"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com"
+]
+}
+]
+}
+]
+}
+],
+"dependencies": [
+{
+"ref": "acme-stock-application",
+"dependsOn": [ "stock-ticker-service" ]
+},
+{
+"ref": "stock-ticker-service",
+"dependsOn": [
+"ms-1.example.com",
+"ms-2.example.com",
+"ms-3.example.com"
+]
+},
+{
+"ref": "ms-1.example.com",
+"dependsOn": [ "ms-1-pgsql.example.com" ]
+},
+{
+"ref": "ms-2.example.com",
+"dependsOn": [ ]
+},
+{
+"ref": "ms-3.example.com",
+"dependsOn": [ "s3-example.amazon.com" ]
+}
+]
+}
\ No newline at end of file
diff --git a/tools/src/test/resources/1.5/valid-saasbom-1.5.textproto b/tools/src/test/resources/1.5/valid-saasbom-1.5.textproto
new file mode 100644
index 00000000..aff3c88e
--- /dev/null
+++ b/tools/src/test/resources/1.5/valid-saasbom-1.5.textproto 
@@ -0,0 +1,173 @@
+spec_version: "1.5"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+metadata {
+timestamp {
+seconds: 3173618478
+nanos: 3
+}
+component {
+type: CLASSIFICATION_APPLICATION
+bom_ref: "acme-stock-application"
+name: "Acme SaaSBOM Example"
+version: "2022-1"
+}
+}
+services {
+bom_ref: "stock-ticker-service"
+provider {
+name: "Acme Inc"
+url: "https://example.com"
+}
+group: "com.example"
+name: "Stock Ticker Service"
+version:"2022-1"
+endpoints: "https://example.com/"
+endpoints: "https://example.com/app"
+authenticated: true
+trustZone: "Acme Public Zone"
+data {
+flow: DATA_FLOW_BI_DIRECTIONAL
+value: "Customer"
+source: "https://0.0.0.0"
+destination: "https://0.0.0.0"
+}
+data {
+flow: DATA_FLOW_BI_DIRECTIONAL
+value: "PII"
+source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com"
+destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com"
+}
+data {
+flow: DATA_FLOW_BI_DIRECTIONAL
+value: "PIFI"
+source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com"
+destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com"
+}
+data {
+flow: DATA_FLOW_BI_DIRECTIONAL
+value: "Public"
+source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com"
+destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com"
+}
+external_references {
+type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION
+url: "https://example.com/app/swagger"
+}
+services {
+bom_ref: "ms-1.example.com"
+provider {
+name: "Acme Inc"
+url: "https://example.com"
+}
+group: "com.example"
+name: "Microservice 1"
+version:"2022-1"
+endpoints: "https://ms-1.example.com"
+authenticated: true
+trustZone: "Acme Private Zone"
+data {
+flow: DATA_FLOW_BI_DIRECTIONAL
+value: "PII"
+source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+}
+data {
+flow: DATA_FLOW_BI_DIRECTIONAL
+value: "PII"
+source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com"
+destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com"
+}
+external_references {
+type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION
+url: "https://ms-1.example.com/swagger"
+}
+}
+services {
+bom_ref: "ms-2.example.com"
+provider {
+name: "Acme Inc"
+url: "https://example.com"
+}
+group: "com.example"
+name: "Microservice 2"
+version:"2022-1"
+endpoints: "https://ms-2.example.com"
+authenticated: true
+trustZone: "Acme Private Zone"
+data {
+flow: DATA_FLOW_BI_DIRECTIONAL
+value: "PIFI"
+source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+}
+external_references {
+type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION
+url: "https://ms-2.example.com/swagger"
+}
+}
+services {
+bom_ref: "ms-3.example.com"
+provider {
+name: "Acme Inc"
+url: "https://example.com"
+}
+group: "com.example"
+name: "Microservice 3"
+version:"2022-1"
+endpoints: "https://ms-3.example.com"
+authenticated: true
+trustZone: "Acme Private Zone"
+data {
+flow: DATA_FLOW_BI_DIRECTIONAL
+value: "Public"
+source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
+}
+data {
+flow: DATA_FLOW_OUTBOUND
+value: "Public"
+destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com"
+}
+external_references {
+type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION
+url: "https://ms-3.example.com/swagger"
+}
+}
+services {
+bom_ref: "ms-1-pgsql.example.com"
+group: "org.postgresql"
+name: "Postgres"
+version:"14.1"
+description: "Postgres database for Microservice #1"
+endpoints: "https://ms-1-pgsql.example.com:5432"
+authenticated: true
+trustZone: "Acme Private Zone"
+data {
+flow: DATA_FLOW_BI_DIRECTIONAL
+value: "PII"
+source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com"
+destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com"
+}
+}
+services {
+bom_ref: "s3-example.amazon.com"
+group: "com.amazon"
+name: "S3"
+description: "S3 bucket"
+endpoints: "https://s3-example.amazon.com"
+authenticated: true
+trustZone: "Public Internet"
+data {
+flow: DATA_FLOW_INBOUND
+value: "PII"
+source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com"
+}
+}
+}
+dependencies {
+ref: "pkg:maven/com.acme/stock-java-client@1.0.12"
+dependencies {
+ref: "b2a46a4b-8367-4bae-9820-95557cfe03a8"
+}
+}
diff --git a/tools/src/test/resources/1.5/valid-saasbom-1.5.xml b/tools/src/test/resources/1.5/valid-saasbom-1.5.xml
new file mode 100644
index 00000000..6145eb52
--- /dev/null
+++ b/tools/src/test/resources/1.5/valid-saasbom-1.5.xml
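Review bot: The `s3-example.amazon.com` entry near the end of this file has `value: "PII"` where the JSON fixture added in the same patch classifies the same inbound flow as `Public`, so the fixtures do not describe the same BOM; `value: "Public"` here would align them. The `dependencies` block references `pkg:maven/com.acme/stock-java-client@1.0.12` and `b2a46a4b-8367-4bae-9820-95557cfe03a8`, neither of which is a `bom_ref` anywhere in this document, whereas the JSON fixture carries the acme-stock-application to stock-ticker-service graph; any validator that checks ref integrity would reject this file while accepting the JSON one. `timestamp { seconds: 3173618478 }` is also nowhere near the `2021-01-10T12:00:00Z` used in the JSON, which is harmless for parsing but makes the two fixtures harder to compare side by side.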
@@ -0,0 +1,230 @@ + + + + 2021-01-10T12:00:00Z + + Acme SaaSBOM Example + 2022-1 + + + + + + Acme Inc + https://example.com + + com.example + Stock ticker Service + + https://example.com/ + https://example.com/app + + true + Acme Public Zone + + + Customer + + https://0.0.0.0 + + + https://0.0.0.0 + + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + + PIFI + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com + + + + Public + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com + + + + + + https://example.com/app/swagger + + + + + + Acme Inc + https://example.com + + com.example + Microservice 1 + + https://ms-1.example.com + + true + Acme Private Zone + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com + + + + + + https://ms-1.example.com/swagger + + + + + + Acme Inc + https://example.com + + com.example + Microservice 2 + + https://ms-2.example.com + + true + Acme Private Zone + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + + + + https://ms-2.example.com/swagger + + + + + + Acme Inc + https://example.com + + com.example + Microservice 3 + + https://ms-3.example.com + + true + Acme Private Zone + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + + Public + + 
urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com + + + + + + https://ms-3.example.com/swagger + + + + + org.postgresql + Postgres + 14.1 + Postgres database for Microservice #1 + + https://ms-1-pgsql.example.com:5432 + + true + Acme Private Zone + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + + + + com.amazon + S3 + S3 bucket + + https://s3-example.amazon.com + + true + Public Internet + + + Public + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com + + + + + + + + + + + + + + + + + + + + + + + + + From c47884ffa7d905ded4c76edec1d234a492e4387e Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 19 Mar 2023 09:53:36 -0500 Subject: [PATCH 2/3] Removed seq min/max. Moved name/description to attributes in XSD. Updated all examples to include name/description. Signed-off-by: Steve Springett --- schema/bom-1.5.xsd | 32 ++++++++++++------- .../test/resources/1.5/valid-saasbom-1.5.json | 22 +++++++++++++ .../resources/1.5/valid-saasbom-1.5.textproto | 22 +++++++++++++ .../test/resources/1.5/valid-saasbom-1.5.xml | 22 ++++++------- 4 files changed, 76 insertions(+), 22 deletions(-) diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index f1887838..f204bbb5 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd @@ -1564,22 +1564,12 @@ limitations under the License. Specifies the data classification. - + Specifies the data classification. - - - Name for the defined data. - - - - - Short description of the data content and usage. - - The URI, URL, or BOM-Link of the components or services the data came in from. @@ -1601,6 +1591,26 @@ limitations under the License. + + + + Name for the defined data. + + + + + + + Short description of the data content and usage. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + 
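Review bot: The visible text of the XML fixture disagrees with the JSON and textproto fixtures in the same patch: Microservice 2's data entry reads `PII` where the others say `PIFI`, Microservice 3's first entry reads `PII` where the others say `Public`, and the service name is `Stock ticker Service` against `Stock Ticker Service`. The element markup is stripped in this rendering, so I cannot check attributes or nesting, but the text nodes alone show the three files are not the same document. Aligning them matters because these are meant to be the canonical valid example of one BOM in each format.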
diff --git a/tools/src/test/resources/1.5/valid-saasbom-1.5.json b/tools/src/test/resources/1.5/valid-saasbom-1.5.json
index 6a65f00b..929d1130 100644
--- a/tools/src/test/resources/1.5/valid-saasbom-1.5.json
+++ b/tools/src/test/resources/1.5/valid-saasbom-1.5.json
@@ -30,6 +30,8 @@
 "trustZone": "Acme Public Zone",
 "data": [
 {
+"name": "Consumer to Stock Service",
+"description": "Traffic to/from consumer to service",
 "classification": "Customer",
 "flow": "bi-directional",
 "source": [
@@ -40,6 +42,8 @@
 ]
 },
 {
+"name": "Stock Service to MS-1",
+"description": "Traffic to/from stock service to microservice-1",
 "classification": "PII",
 "flow": "bi-directional",
 "source": [
@@ -50,6 +54,8 @@
 ]
 },
 {
+"name": "Stock Service to MS-2",
+"description": "Traffic to/from stock service to microservice-2",
 "classification": "PIFI",
 "flow": "bi-directional",
 "source": [
@@ -60,6 +66,8 @@
 ]
 },
 {
+"name": "Stock Service to MS-3",
+"description": "Traffic to/from stock service to microservice-3",
 "classification": "Public",
 "flow": "bi-directional",
 "source": [
@@ -94,6 +102,8 @@
 "trustZone": "Acme Private Zone",
 "data": [
 {
+"name": "Stock Service to MS-1",
+"description": "Traffic to/from stock service to microservice-1",
 "classification": "PII",
 "flow": "bi-directional",
 "source": [
@@ -104,6 +114,8 @@
 ]
 },
 {
+"name": "MS-1 to Database",
+"description": "Traffic to/from microservice-1 to database",
 "classification": "PII",
 "flow": "bi-directional",
 "source": [
@@ -138,6 +150,8 @@
 "trustZone": "Acme Private Zone",
 "data": [
 {
+"name": "Stock Service to MS-2",
+"description": "Traffic to/from stock service to microservice-2",
 "classification": "PIFI",
 "flow": "bi-directional",
 "source": [
@@ -172,6 +186,8 @@
 "trustZone": "Acme Private Zone",
 "data": [
 {
+"name": "Stock Service to MS-3",
+"description": "Traffic to/from stock service to microservice-3",
 "classification": "Public",
 "flow": "bi-directional",
 "source": [
@@ -182,6 +198,8 @@
 ]
 },
 {
+"name": "MS-3 to S3",
+"description": "Data pushed from microservice-3 to S3 bucket",
 "classification": "Public",
 "flow": "outbound",
 "destination": [
@@ -209,6 +227,8 @@
 "trustZone": "Acme Private Zone",
 "data": [
 {
+"name": "MS-1 to Database",
+"description": "Traffic to/from microservice-1 to database",
 "classification": "PII",
 "flow": "bi-directional",
 "source": [
@@ -232,6 +252,8 @@
 "trustZone": "Public Internet",
 "data": [
 {
+"name": "MS-3 to S3",
+"description": "Data pushed from microservice-3 to S3 bucket",
 "classification": "Public",
 "flow": "inbound",
 "source": [
diff --git a/tools/src/test/resources/1.5/valid-saasbom-1.5.textproto b/tools/src/test/resources/1.5/valid-saasbom-1.5.textproto
index aff3c88e..6b025220 100644
--- a/tools/src/test/resources/1.5/valid-saasbom-1.5.textproto
+++ b/tools/src/test/resources/1.5/valid-saasbom-1.5.textproto
@@ -29,24 +29,32 @@ services {
 data {
 flow: DATA_FLOW_BI_DIRECTIONAL
 value: "Customer"
+name: "Consumer to Stock Service",
+description: "Traffic to/from consumer to service"
 source: "https://0.0.0.0"
 destination: "https://0.0.0.0"
 }
 data {
 flow: DATA_FLOW_BI_DIRECTIONAL
 value: "PII"
+name: "Stock Service to MS-1"
+description: "Traffic to/from stock service to microservice-1"
 source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com"
 destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com"
 }
 data {
 flow: DATA_FLOW_BI_DIRECTIONAL
 value: "PIFI"
+name: "Stock Service to MS-2"
+description: "Traffic to/from stock service to microservice-2"
 source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com"
 destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com"
 }
 data {
 flow: DATA_FLOW_BI_DIRECTIONAL
 value: "Public"
+name: "Stock Service to MS-3"
+description: "Traffic to/from stock service to microservice-3"
 source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com"
 destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com"
 }
@@ -69,12 +77,16 @@ services {
 data {
 flow: DATA_FLOW_BI_DIRECTIONAL
 value: "PII"
+name: "Stock Service to MS-1"
+description: "Traffic to/from stock service to microservice-1"
 source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
 destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service"
 }
 data {
 flow: DATA_FLOW_BI_DIRECTIONAL
 value: "PII"
+name: "MS-1 to Database"
+description: "Traffic to/from microservice-1 to database"
 source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com"
 destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com"
 }
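Review bot: `name: "Consumer to Stock Service",` in the first hunk carries a trailing comma that none of the other added lines have; text format tolerates `,` as a field separator so the file still parses, but it is the only such line and reads like a leftover from editing the JSON fixture. Drop the comma so the line matches `name: "Stock Service to MS-1"` and the rest of the additions.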
@@ -98,6 +110,8 @@ services { data { flow: DATA_FLOW_BI_DIRECTIONAL value: "PIFI" + name: "Stock Service to MS-2" + description: "Traffic to/from stock service to microservice-2" source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" } @@ -121,12 +135,16 @@ services { data { flow: DATA_FLOW_BI_DIRECTIONAL value: "Public" + name: "Stock Service to MS-3" + description: "Traffic to/from stock service to microservice-3" source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" } data { flow: DATA_FLOW_OUTBOUND value: "Public" + name: "MS-3 to S3" + description: "Data pushed from microservice-3 to S3 bucket" destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com" } external_references { @@ -146,6 +164,8 @@ services { data { flow: DATA_FLOW_BI_DIRECTIONAL value: "PII" + name: "MS-1 to Database" + description: "Traffic to/from microservice-1 to database" source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" } @@ -161,6 +181,8 @@ services { data { flow: DATA_FLOW_INBOUND value: "PII" + name: "MS-3 to S3" + description: "Data pushed from microservice-3 to S3 bucket" source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" } } diff --git a/tools/src/test/resources/1.5/valid-saasbom-1.5.xml b/tools/src/test/resources/1.5/valid-saasbom-1.5.xml index 6145eb52..d8101afc 100644 --- a/tools/src/test/resources/1.5/valid-saasbom-1.5.xml +++ b/tools/src/test/resources/1.5/valid-saasbom-1.5.xml @@ -22,7 +22,7 @@ true Acme Public Zone - + Customer https://0.0.0.0 @@ -31,7 +31,7 @@ https://0.0.0.0 - + PII urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com 
@@ -40,7 +40,7 @@ urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com - + PIFI urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com @@ -49,7 +49,7 @@ urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com - + Public urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com @@ -78,7 +78,7 @@ true Acme Private Zone - + PII urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service @@ -87,7 +87,7 @@ urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service - + PII urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com @@ -116,7 +116,7 @@ true Acme Private Zone - + PII urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service @@ -145,7 +145,7 @@ true Acme Private Zone - + PII urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service @@ -154,7 +154,7 @@ urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service - + Public urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com @@ -178,7 +178,7 @@ true Acme Private Zone - + PII urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com @@ -199,7 +199,7 @@ true Public Internet - + Public urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com From 5ca7232014a8e81bf41627fc7d9833f4b918a0f5 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 19 Mar 2023 10:53:20 -0500 Subject: [PATCH 3/3] Renamed proto messages while keeping backward compat. Updated comments. Signed-off-by: Steve Springett --- schema/bom-1.5.proto | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto index d7af4b4a..ce873571 100644 --- a/schema/bom-1.5.proto +++ b/schema/bom-1.5.proto 
@@ -121,10 +121,10 @@ message Component {
 optional ReleaseNotes releaseNotes = 24;
 }
 
-// Specifies the data classification.
-message DataClassification { // This is actually the data flow, but unable to change the name due to backward compatability
+// Specifies the data flow.
+message DataFlow {
 // Specifies the flow direction of the data.
-DataFlow flow = 1;
+DataFlowDirection flow = 1;
 // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
 string value = 2;
 // Name for the defined data
@@ -138,7 +138,7 @@ message DataClassification { // This is actually the data flow, but unable to ch
 }
 
 // Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
-enum DataFlow {
+enum DataFlowDirection {
 DATA_FLOW_NULL = 0;
 DATA_FLOW_INBOUND = 1;
 DATA_FLOW_OUTBOUND = 2;
@@ -459,7 +459,7 @@ message Service {
 optional bool authenticated = 8;
 // A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
 optional bool x_trust_boundary = 9;
-repeated DataClassification data = 10;
+repeated DataFlow data = 10;
 repeated LicenseChoice licenses = 11;
 // Provides the ability to document external references related to the service.
 repeated ExternalReference external_references = 12;
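Review bot: Renaming `DataClassification` to `DataFlow` and the enum `DataFlow` to `DataFlowDirection` keeps every field number and enum value, so the wire format is unchanged, but both renames change generated type names in every target language, and `DataFlow` now denotes a message where it used to denote an enum, so pre-1.5 generated code that referenced the old enum fails to compile rather than silently misbehaving. The commit message says backward compatibility is kept; that holds only at the wire level, and the comment on the message should say so, e.g. `// Specifies the data flow. Renamed from DataClassification in 1.5; field numbers are unchanged, so the wire format is compatible.` Keeping the `DATA_FLOW_` prefix on the `DataFlowDirection` values is the right call, because text format and the proto3 JSON mapping serialise enum values by name, even though the prefix no longer matches the enum's name; a one-line comment on the enum stating that intent would stop a later cleanup from renaming them.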