Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

document RFC-9116 via CycloneDX #380

Closed
jkowalleck opened this issue Feb 16, 2024 · 0 comments · Fixed by #381
Closed

document RFC-9116 via CycloneDX #380

jkowalleck opened this issue Feb 16, 2024 · 0 comments · Fixed by #381
Labels
proposed core enhancement

Comments

@jkowalleck
Copy link
Member

jkowalleck commented Feb 16, 2024
edited
Loading

RFC-9116 is

A File Format to Aid in Security Vulnerability Disclosure

Abstract

When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, vulnerabilities may be left unreported. This document defines a machine-parsable format ("security.txt") to help organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities.

see https://datatracker.ietf.org/doc/html/rfc9116
see also https://github.com/securitytxt/security-txt

example document:

Contact: https://hackerone.com/github
Acknowledgments: https://hackerone.com/github/hacktivity
Preferred-Languages: en
Canonical: https://github.com/.well-known/security.txt
Policy: https://bounty.github.com
Hiring: https://github.careers
Expires: 2024-03-17T14:09:14z

Request

Add a type of externalReference that is specific for referencing a document that complies with RFC 9116

suggestion: the enum value should be 'rfc-9116'

Alternatives

  • Store the information statically in the document (registered properties or dedicated first-party-fields)
  • use existing external reference type "security-contact".
    • possible, but could be improved, since the RFC describes a parsable data format, not just arbitrary text written for humans.
@jkowalleck jkowalleck changed the title external reference to a RFC 9116 document document RFC 9116 via CycloneDX Feb 16, 2024
@jkowalleck jkowalleck mentioned this issue Feb 16, 2024
Merged
@jkowalleck jkowalleck linked a pull request Feb 16, 2024 that will close this issue
feat: external reference type for RFC-9116 #381
Merged
@jkowalleck jkowalleck changed the title document RFC 9116 via CycloneDX document RFC-9116 via CycloneDX Feb 16, 2024
stevespringett added a commit that referenced this issue Feb 22, 2024
@stevespringett
feat: external reference type for RFC-9116 (#381)
b5ae1b3 
fixes #380
@jkowalleck jkowalleck mentioned this issue Feb 22, 2024
Merged
stevespringett added a commit that referenced this issue Apr 9, 2024
@stevespringett
[WIP] v1.6 (#323)
c5032b8 
## Added

* Core enhancement: Attestation
([#192](#192) via
[#348](#348))
* Core enhancement: Cryptography Bill of Materials — CBOM
([#171](#171),
[#291](#291) via
[#347](#347))
* Feature to express the URL to source distribution
([#98](#98) via
[#269](#269))
* Feature to express the URL to RFC 9116 compliant documents
([#380](#380) via
[#381](#381))
* Feature to express tags/keywords for services and components (via
[#383](#383))
* Feature to express details for component authors
([#335](#335) via
[#379](#379))
* Feature to express details for component and BOM manufacturer
([#346](#346) via
[#379](#379))
* Feature to express communicate concluded values from observed
evidences ([#411](#411)
via [#412](#412))
* Features to express license acknowledgement
([#407](#407) via
[#408](#408))
* Feature to express environmental consideration information for model
cards ([#396](#396) via
[#395](#395))
* Feature to express the address of organizational entities (via
[#395](#395))
* Feature to express additional component identifiers: Universal Bill Of
Receipts Identifier and Software Heritage persistent IDs
([#413](#413) via
[#414](#414))

## Fixed

* Allow multiple evidence identities by XML/JSON schema
([#272](#272) via
[#359](#359))
  This was already correct via ProtoBuff schema.
* Prevent empty `license` entities by XML schema
([#288](#288) via
[#292](#292))
  This was already correct in JSON/ProtoBuff schema.
* Prevent empty or malformed `property` entities by JSON schema
([#371](#371) via
[#375](#375))
  This was already correct in XML/ProtoBuff schema.
* Allow multiple `licenses` in `Metadata` by ProtoBuff schema
([#264](#264) via
[#401](#401))
  This was already correct in XML/JSON schema.

## Changed

* Allow arbitrary `$schema` values by JSON schema
([#402](#402) via
[#403](#403))
* Increased max length of `versionRange` (via
[`3e01ce6`](3e01ce6))
* Harmonized length of `version` (via
[#417](#417))

## Deprecated

* Data model "Component"'s field `author` was deprecated. (via
[#379](#379))
  Use field `authors` or field `manufacturer` instead.
* Data model "Metadata"'s field `manufacture` was deprecated.
([#346](#346) via
[#379](#379))
  Use "Metadata"'s field `component`'s field `manufacturer` instead. 
  - for XML: `/bom/metadata/component/manufacturer`
  - for JSON: `$.metadata.component.manufacturer`
  - for ProtoBuf: `Bom:metadata.component.manufacturer`

## Documentation

* Centralize version and version-range (via
[#322](#322))
* Streamlined SPDX expression related descriptions (via
[#327](#327))
* Enhanced descriptions of `bom-ref`/`refType`
([#336](#336) via
[#344](#344))
* Enhanced readability of enum documentation in JSON schema
([#361](#361) via
[#362](#362))
* Fixed typo "compliment" -> "complement" (via
[#369](#369))
* Added documentation for enum "ComponentScope"'s values in JSON schema
([#293](#293) via
[`d92e58e`](d92e58e))
  Texts were a taken from the existing ones in XML/ProtoBuff schema.
* Added documentation for enum "TaskType"'s values
([#245](#245) via
[#377](#377))
* Improve documentation for data model "Metadata"'s field `licenses`
([#273](#273) via
[#378](#378))
* Added documentation for enum "MachineLearningApproachType"'s values
([#351](#351) via
[#416](#416))
* Rephrased some texts here and there.

## Test data

* Added test data for newly added use cases
* Added quality assurance for our ProtoBuf schemas
([#384](#384) via
[#385](#385))
@andreas-hilti andreas-hilti mentioned this issue Aug 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
proposed core enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: external reference type for RFC-9116 jkowalleck/fork_CycloneDX-specification
2 participants
@jkowalleck @stevespringett