
Add additional external references #178

Closed
stevespringett opened this issue Jan 23, 2023 · 1 comment · Fixed by #189
Labels: proposed core enhancement, request for comment, RFC notice sent (a public RFC notice was distributed to the CycloneDX mailing list for consideration), RFC vote accepted

Comments


stevespringett commented Jan 23, 2023

Additional external references are planned and include:

  • attestation
    • Human or machine readable attestation
  • threat-model
    • Current threat model, DFD, etc., including any human-readable model or machine-readable model (e.g. OTM)
  • distribution-intake
    • Where something was published to. This is often the same as distribution; however, ASF and others have dedicated publishing processes
  • vulnerability-assertion
    • NIST Vulnerability Disclosure Reports (VDR)
  • exploitability-statement
    • VEX (or whatever this will be called in the future)
  • pentest-report
    • Results from a penetration test
  • static-analysis-report
    • Code quality static analysis, SAST reports, SARIF, etc
  • dynamic-analysis-report
    • Runtime (dynamic analysis) reports including DAST, fuzzing, etc
  • component-analysis-report
    • Reports for Software Composition Analysis (SCA), Containers, IaC, and other components
  • maturity-report
    • Describes how mature development practices are (BSIMM, OWASP SAMM, NIST SSDF, etc)
  • certification-report
    • Includes appstore certifications, ISO certifications (e.g. 27001), SOC2, etc.

Excluded from this list are external references that already have tickets or are part of other work planned for v1.5.

@stevespringett (Member, Author)

Also need to add:

  • codified-infrastructure
    • Infrastructure as Code (IaC) including Terraform and other forms of codified infrastructure
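
As an added example (not code from this issue or from the CycloneDX project), a small Python check over a constructed BOM fragment that uses the reference types proposed in the list above and in this follow-up comment: it reports which security-evidence types are present, which expected ones are missing, and whether each linked report can be fetched over TLS and integrity-checked against a hash. The type set, the sample BOM, and the `required` default are assumptions taken from the issue's lists, not the spec's final enumeration.

```python
from urllib.parse import urlparse

# Reference types listed in this issue (both comments). Assumption: this is the
# issue's proposal, not the spec's final enumeration.
PROPOSED_TYPES = {
    "attestation", "threat-model", "distribution-intake", "vulnerability-assertion",
    "exploitability-statement", "pentest-report", "static-analysis-report",
    "dynamic-analysis-report", "component-analysis-report", "maturity-report",
    "certification-report", "codified-infrastructure",
}

# Constructed sample BOM fragment; only the fields the check reads are present.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "2.3.1"}},
    "externalReferences": [
        {"type": "pentest-report",
         "url": "https://example.invalid/reports/pentest-2023q1.pdf",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},  # placeholder digest
        {"type": "exploitability-statement",
         "url": "https://example.invalid/vex/example-app-2.3.1.json"},
        {"type": "static-analysis-report",
         "url": "http://example.invalid/sast/results.sarif"},
        {"type": "website", "url": "https://example.invalid"},
    ],
}


def check_evidence(bom, required=("vulnerability-assertion",
                                  "exploitability-statement", "pentest-report")):
    """Return (present, missing, findings):
    present  = {type: [url, ...]} for references whose type is in PROPOSED_TYPES
    missing  = required types with no reference in the BOM
    findings = evidence linked over plain http or without a hash, which a
               consumer cannot verify it fetched the intended report
    """
    present, findings = {}, []
    for ref in bom.get("externalReferences", []):
        rtype, url = ref.get("type"), ref.get("url", "")
        if rtype not in PROPOSED_TYPES:
            continue  # website, vcs, issue-tracker, ... are not evidence
        present.setdefault(rtype, []).append(url)
        if urlparse(url).scheme != "https":
            findings.append(f"{rtype}: {url} is not served over https")
        if not ref.get("hashes"):
            findings.append(f"{rtype}: {url} has no hash to integrity-check it against")
    missing = [t for t in required if t not in present]
    return present, missing, findings
```

Run `check_evidence(SAMPLE_BOM)`: the sample yields one missing type (`vulnerability-assertion`) and three hygiene findings (the SARIF report over plain http and without a hash, the VEX document without a hash).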

@stevespringett stevespringett linked a pull request Mar 10, 2023 that will close this issue
@stevespringett stevespringett added the RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration label Mar 10, 2023