Deprecated tool in favor of components and services used as tools #198

Merged
merged 3 commits into from
Apr 24, 2023
27 changes: 16 additions & 11 deletions schema/bom-1.5.proto
Expand Up @@ -353,7 +353,7 @@ message Metadata {
// The date and time (timestamp) when the document was created.
optional google.protobuf.Timestamp timestamp = 1;
// The tool(s) used in the creation of the BOM.
repeated Tool tools = 2;
optional Tool tools = 2;
// The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.
repeated OrganizationalContact authors = 3;
// The component that the BOM describes.
Expand Down Expand Up @@ -482,15 +482,20 @@ message Swid {

// Specifies a tool (manual or automated).
message Tool {
// The vendor of the tool used to create the BOM.
optional string vendor = 1;
// The name of the tool used to create the BOM.
optional string name = 2;
// The version of the tool used to create the BOM.
optional string version = 3;
repeated Hash hashes = 4;
// Provides the ability to document external references related to the tool.
repeated ExternalReference external_references = 5;
// DEPRECATED - DO NOT USE - The vendor of the tool used to create the BOM.
optional string vendor = 1 [deprecated = true];
// DEPRECATED - DO NOT USE - The name of the tool used to create the BOM.
optional string name = 2 [deprecated = true];
// DEPRECATED - DO NOT USE - The version of the tool used to create the BOM.
optional string version = 3 [deprecated = true];
// DEPRECATED - DO NOT USE
repeated Hash hashes = 4 [deprecated = true];
// DEPRECATED - DO NOT USE - Provides the ability to document external references related to the tool.
repeated ExternalReference external_references = 5 [deprecated = true];
// A list of software and hardware components used as tools
repeated Component components = 6;
// A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services.
repeated Service services = 7;
}

// Specifies a property
Expand Down Expand Up @@ -595,7 +600,7 @@ message Vulnerability {
// Individuals or organizations credited with the discovery of the vulnerability.
optional VulnerabilityCredits credits = 14;
// The tool(s) used to identify, confirm, or score the vulnerability.
repeated Tool tools = 15;
optional Tool tools = 15;
// An assessment of the impact and exploitability of the vulnerability.
optional VulnerabilityAnalysis analysis = 16;
// affects
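Review bot: `optional Tool tools = 2;` keeps field number 2 while changing the field from repeated to singular, so a message produced by an older encoder with several `tools` entries is not rejected but merged by proto3 parsers into a single Tool (last value wins for vendor/name/version, the repeated hashes and external_references are concatenated), which yields a plausible-looking but wrong tool record for anyone reading it as provenance. The same applies to `optional Tool tools = 15;` in Vulnerability. If legacy multi-entry messages must keep round-tripping, keep `repeated Tool tools = 2 [deprecated = true];` and put the container on a fresh field number; otherwise state the merge on the field, e.g. `// The tool(s) used in the creation of the BOM. Legacy messages that repeat this field are merged into one Tool on parse.`. Separately, `Tool` now serves both as the deprecated per-tool record (fields 1-5) and as the container for components/services (fields 6-7), and nothing at message level says so; a leading comment on `message Tool` describing the dual role would spare readers of the generated code the guesswork.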
78 changes: 67 additions & 11 deletions schema/bom-1.5.schema.json
Expand Up @@ -137,11 +137,39 @@
"description": "The date and time (timestamp) when the BOM was created."
},
"tools": {
"type": "array",
"title": "Creation Tools",
"description": "The tool(s) used in the creation of the BOM.",
"additionalItems": false,
"items": {"$ref": "#/definitions/tool"}
"oneOf": [
{
"type": "object",
"title": "Creation Tools",
"description": "The tool(s) used in the creation of the BOM.",
"additionalProperties": false,
"properties": {
"components": {
"type": "array",
"additionalItems": false,
"items": {"$ref": "#/definitions/component"},
"uniqueItems": true,
"title": "Components",
"description": "A list of software and hardware components used as tools"
},
"services": {
"type": "array",
"additionalItems": false,
"items": {"$ref": "#/definitions/service"},
"uniqueItems": true,
"title": "Services",
"description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."
}
}
},
{
"type": "array",
"title": "Creation Tools (legacy)",
"description": "[Deprecated] The tool(s) used in the creation of the BOM.",
"additionalItems": false,
"items": {"$ref": "#/definitions/tool"}
}
]
},
"authors" :{
"type": "array",
Expand Down Expand Up @@ -183,7 +211,7 @@
"tool": {
"type": "object",
"title": "Tool",
"description": "Information about the automated or manual tool used",
"description": "[Deprecated] - DO NOT USE. This will be removed in a future version. This will be removed in a future version. Use component or service instead. Information about the automated or manual tool used",
"additionalProperties": false,
"properties": {
"vendor": {
Expand Down Expand Up @@ -1735,11 +1763,39 @@
}
},
"tools": {
"type": "array",
"title": "Creation Tools",
"description": "The tool(s) used to identify, confirm, or score the vulnerability.",
"additionalItems": false,
"items": {"$ref": "#/definitions/tool"}
"oneOf": [
{
"type": "object",
"title": "Tools",
"description": "The tool(s) used to identify, confirm, or score the vulnerability.",
"additionalProperties": false,
"properties": {
"components": {
"type": "array",
"additionalItems": false,
"items": {"$ref": "#/definitions/component"},
"uniqueItems": true,
"title": "Components",
"description": "A list of software and hardware components used as tools"
},
"services": {
"type": "array",
"additionalItems": false,
"items": {"$ref": "#/definitions/service"},
"uniqueItems": true,
"title": "Services",
"description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."
}
}
},
{
"type": "array",
"title": "Tools (legacy)",
"description": "[Deprecated] The tool(s) used to identify, confirm, or score the vulnerability.",
"additionalItems": false,
"items": {"$ref": "#/definitions/tool"}
}
]
},
"analysis": {
"type": "object",
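Review bot: The new description of the `tool` definition repeats the sentence "This will be removed in a future version." twice; the line should read `"description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use component or service instead. Information about the automated or manual tool used",`. The two `oneOf` branches added for `metadata.tools` and `vulnerability.tools` are disjoint by `type` (object vs array), so validation stays unambiguous, but the legacy array branch is marked deprecated only in its title and description text; a consumer that wants to refuse deprecated input has to special-case that branch, which is worth a sentence in the description of the array branch.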
48 changes: 42 additions & 6 deletions schema/bom-1.5.xsd
Expand Up @@ -54,9 +54,27 @@ limitations under the License.
<xs:documentation>The tool(s) used in the creation of the BOM.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="tool" minOccurs="0" type="bom:toolType"/>
</xs:sequence>
<xs:choice>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="tool" minOccurs="0" type="bom:toolType">
<xs:annotation>
<xs:documentation>DEPRECATED. Use tools\components or tools\services instead.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="components" type="bom:componentsType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>A list of software and hardware components used as tools.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="services" type="bom:servicesType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>A list of services used as tools.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="authors" minOccurs="0" maxOccurs="1">
Expand Down Expand Up @@ -2169,9 +2187,27 @@ limitations under the License.
<xs:documentation>The tool(s) used to identify, confirm, or score the vulnerability.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="tool" minOccurs="0" type="bom:toolType"/>
</xs:sequence>
<xs:choice>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="tool" minOccurs="0" type="bom:toolType">
<xs:annotation>
<xs:documentation>DEPRECATED. Use tools\components or tools\services instead.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="components" type="bom:componentsType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>A list of software and hardware components used as tools.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="services" type="bom:servicesType" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>A list of services used as tools.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="analysis" minOccurs="0" maxOccurs="1">
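Review bot: The two added `<xs:documentation>` lines read `Use tools\components or tools\services instead.`; backslashes are not element path separators here and a reader will look for an element literally named that way. Both places (the metadata `tools` element and the vulnerability `tools` element) should read `<xs:documentation>DEPRECATED. Use tools/components or tools/services instead.</xs:documentation>`. Note also that both `<xs:sequence>` branches of the new `<xs:choice>` carry `minOccurs="0"`, so an empty `<tools/>` remains valid under either branch; if that is intended it is worth a sentence in the outer element's documentation, which currently still describes only "The tool(s) used".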
53 changes: 37 additions & 16 deletions tools/src/test/resources/1.5/valid-metadata-tool-1.5.json
Expand Up @@ -4,23 +4,44 @@
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"version": 1,
"metadata": {
"tools": [
{
"vendor": "Awesome Vendor",
"name": "Awesome Tool",
"version": "9.1.2",
"hashes": [
{
"alg": "SHA-1",
"content": "25ed8e31b995bb927966616df2a42b979a2717f0"
"tools": {
"components": [
{
"type": "application",
"group": "Awesome Vendor",
"name": "Awesome Tool",
"version": "9.1.2",
"hashes": [
{
"alg": "SHA-1",
"content": "25ed8e31b995bb927966616df2a42b979a2717f0"
},
{
"alg": "SHA-256",
"content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
}
]
}
],
"services": [
{
"provider": {
"name": "Acme Org",
"url": [
"https://example.com"
]
},
{
"alg": "SHA-256",
"content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
}
]
}
]
"group": "com.example",
"name": "Acme Signing Server",
"description": "Signs artifacts",
"endpoints": [
"https://example.com/sign",
"https://example.com/verify",
"https://example.com/tsa"
]
}
]
}
},
"components": []
}
37 changes: 28 additions & 9 deletions tools/src/test/resources/1.5/valid-metadata-tool-1.5.textproto
Expand Up @@ -3,16 +3,35 @@ version: 1
serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
metadata {
tools {
vendor: "Awesome Vendor"
name: "Awesome Tool"
version: "9.1.2"
hashes {
alg: HASH_ALG_SHA_1
value: "25ed8e31b995bb927966616df2a42b979a2717f0"
components {
type: CLASSIFICATION_APPLICATION
group: "Awesome Vendor"
name: "Awesome Tool"
version: "9.1.2"
hashes {
alg: HASH_ALG_SHA_1
value: "25ed8e31b995bb927966616df2a42b979a2717f0"
}
hashes {
alg: HASH_ALG_SHA_256
value: "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
}
}
hashes {
alg: HASH_ALG_SHA_256
value: "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
services {
provider: {
name: "Acme Org",
url: [
"https://example.com"
]
},
group: "com.example",
name: "Acme Signing Server",
description: "Signs artifacts",
endpoints: [
"https://example.com/sign",
"https://example.com/verify",
"https://example.com/tsa"
]
}
}
}
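Review bot: The new `services { ... }` entry is written in a JSON-like style (`provider: {`, trailing commas, `url: [ ... ]`, `endpoints: [ ... ]`) while the `components { ... }` entry directly above uses the conventional brace style without colons or commas; the text format accepts both, but mixing them in one fixture makes it look like two different formats and invites copy-paste errors in later fixtures. I would rewrite the services block in the same style as the components block, with one `endpoints:` line per value, matching how `hashes {}` is repeated above.
```textproto
    services {
      provider {
        name: "Acme Org"
        url: "https://example.com"
      }
      group: "com.example"
      name: "Acme Signing Server"
      description: "Signs artifacts"
      endpoints: "https://example.com/sign"
      endpoints: "https://example.com/verify"
      endpoints: "https://example.com/tsa"
    }
```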
20 changes: 11 additions & 9 deletions tools/src/test/resources/1.5/valid-metadata-tool-1.5.xml
Expand Up @@ -2,15 +2,17 @@
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
<metadata>
<tools>
<tool>
<vendor>Awesome Vendor</vendor>
<name>Awesome Tool</name>
<version>9.1.2</version>
<hashes>
<hash alg="SHA-1">25ed8e31b995bb927966616df2a42b979a2717f0</hash>
<hash alg="SHA-256">a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df</hash>
</hashes>
</tool>
<components>
<component type="application">
<group>Awesome Vendor</group>
<name>Awesome Tool</name>
<version>9.1.2</version>
<hashes>
<hash alg="SHA-1">25ed8e31b995bb927966616df2a42b979a2717f0</hash>
<hash alg="SHA-256">a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df</hash>
</hashes>
</component>
</components>
</tools>
</metadata>
<components />
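Review bot: This XML fixture only exercises the `<components>` branch of the new `<tools>` content model, whereas the JSON and textproto fixtures in the same commit also add a service entry ("Acme Signing Server"); as a result the XSD's new `services` element is not covered by any valid-document test in this change. Mirror the JSON fixture's service under a `<services>` element here so the second sequence of the `<xs:choice>` is validated too. The file is still named `valid-metadata-tool-1.5.xml` although it no longer contains a `<tool>` element; if the legacy form gets its own fixture (as the added JSON and textproto files suggest), a name that distinguishes the two would help readers of the test directory.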
@@ -0,0 +1,26 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"version": 1,
"metadata": {
"tools": [
{
"vendor": "Awesome Vendor",
"name": "Awesome Tool",
"version": "9.1.2",
"hashes": [
{
"alg": "SHA-1",
"content": "25ed8e31b995bb927966616df2a42b979a2717f0"
},
{
"alg": "SHA-256",
"content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
}
]
}
]
},
"components": []
}
@@ -0,0 +1,18 @@
spec_version: "1.5"
version: 1
serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
metadata {
tools {
vendor: "Awesome Vendor"
name: "Awesome Tool"
version: "9.1.2"
hashes {
alg: HASH_ALG_SHA_1
value: "25ed8e31b995bb927966616df2a42b979a2717f0"
}
hashes {
alg: HASH_ALG_SHA_256
value: "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
}
}
}