From cffc0044d81be73730a829057761133fb4b10586 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 8 Feb 2024 13:05:09 +0100 Subject: [PATCH 1/5] feat: component manufacturer Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 695b1d2d..4efbef5c 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -678,8 +678,8 @@ "$ref": "#/definitions/component" }, "manufacture": { - "title": "Manufacture", - "description": "The organization that manufactured the component that the BOM describes.", + "title": "Manufacturer", + "description": "The organization that manufactured the CycloneDX document (the \"manufacturer\", although the property is misspelled).\nThis may be different from the manufacturer of the component that the CycloneDX document describes.", "$ref": "#/definitions/organizationalEntity" }, "supplier": { @@ -860,6 +860,11 @@ "title": "BOM Reference", "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, + "manufacture": { + "title": "Manufacturer", + "description": "The organization that manufactured the component (the \"manufacturer\", although the property is misspelled).\nThis may be different from the manufacturer of the component.", + "$ref": "#/definitions/organizationalEntity" + }, "supplier": { "title": "Component Supplier", "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", From ad0c37b520598ba2d6f170481b3f31c67a19e9f6 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 8 Feb 2024 13:51:59 +0100 Subject: [PATCH 2/5] feat: component manufacturer 
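Review bot: Existing consumers of `metadata.manufacture` will silently start receiving document-producer data instead of component-manufacturer data, because the @@ -678 hunk changes the property's meaning — from the manufacturer of the component the BOM describes to the manufacturer of the document itself — while keeping the property name. If the property carries the old meaning in earlier schema versions, as the removed line suggests, the safer path is to keep that meaning, mark the property deprecated and introduce an unambiguously named property for the document manufacturer; at minimum the description should record the change, e.g. `Prior to CycloneDX 1.6 this property described the manufacturer of the component that the BOM describes; that information now belongs in "metadata.component.manufacture".` The same redefinition is carried into the proto comment in PATCH 2 (@@ -444) and PATCH 4 (@@ -446) and the XSD documentation in PATCH 2 and PATCH 5.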
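Review bot: The `manufacture` property added to the component definition at @@ -860 perpetuates the misspelling its own description apologizes for without a compatibility reason: unlike `metadata.manufacture`, it is new in this schema, so it could be named `manufacturer` with the description `The organization that manufactured the component.` and avoid baking a second misspelled name into the JSON, proto and XML formats at once. The same choice applies to the proto field `optional OrganizationalEntity manufacture = 28;` added in PATCH 3 (@@ -141) and the XSD element added in PATCH 2 (@@ -470). If parity with the existing metadata property name is the intent, a sentence saying so in the description would stop the question from being re-raised.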
Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.schema.json | 2 +- schema/bom-1.6.xsd | 11 ++++++++++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 89991875..001e1766 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -444,7 +444,7 @@ message Metadata { repeated OrganizationalContact authors = 3; // The component that the BOM describes. optional Component component = 4; - // The organization that manufactured the component that the BOM describes. + // The organization that manufactured the CycloneDX document. This may be different from the manufacurer of the component that the CycloneDX document describes. optional OrganizationalEntity manufacture = 5; // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager. optional OrganizationalEntity supplier = 6; diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 4efbef5c..89c17617 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -862,7 +862,7 @@ }, "manufacture": { "title": "Manufacturer", - "description": "The organization that manufactured the component (the \"manufacturer\", although the property is misspelled).\nThis may be different from the manufacturer of the component.", + "description": "The organization that manufactured the component (the \"manufacturer\", although the property is misspelled).", "$ref": "#/definitions/organizationalEntity" }, "supplier": { diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index c3c9b230..16ec9f26 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd 
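Review bot: The new comment on `manufacture = 5` at @@ -444 misspells `manufacturer` as `manufacurer` ("different from the manufacurer of the component"), and PATCH 4 (@@ -446) rewrites this comment but keeps the typo, so it survives into the final state of the series. The line should read `// The organization that manufactured the CycloneDX document. This may be different from the manufacturer of the component that the CycloneDX document describes.` The `message Metadata` body starts before this hunk and continues past it.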
@@ -214,7 +214,11 @@ limitations under the License. - The organization that manufactured the component that the BOM describes. + + The organization that manufactured the CycloneDX document (the "manufacturer", although the + element is misspelled). + This may be different from the manufacturer of the component that the CycloneDX document describes. + @@ -470,6 +474,11 @@ limitations under the License. + + + The organization that manufactured the component (the "manufacturer", although the property is misspelled). + + The organization that supplied the component. The supplier may often From 5e28d9422ffb07dade1fe8243844c0b8279a9955 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 8 Feb 2024 14:45:26 +0100 Subject: [PATCH 3/5] protobuff and examples Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 2 ++ tools/src/test/resources/1.6/valid-bom-1.6.json | 13 +++++++++++++ .../src/test/resources/1.6/valid-bom-1.6.textproto | 9 +++++++++ tools/src/test/resources/1.6/valid-bom-1.6.xml | 9 +++++++++ 4 files changed, 33 insertions(+) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 001e1766..145683e2 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto 
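Review bot: The element added to the component type at @@ -470 shows only its documentation text here because the XSD markup has been stripped from this view, so its cardinality cannot be checked; in an `xs:sequence` an element declared without `minOccurs="0"` is mandatory, and existing 1.6 documents that omit it would stop validating. Its position ahead of `supplier` also fixes the order XML producers must emit, which the JSON and proto forms do not impose, so it is worth a sentence in the element's documentation. The enclosing complexType starts and ends outside the hunk.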
@@ -141,6 +141,8 @@ message Component { optional ComponentData data = 26; // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. optional CryptoProperties cryptoProperties = 27; + // The organization that manufactured the component (the "manufacturer", although the property is misspelled). + optional OrganizationalEntity manufacture = 28; } // Specifies the data flow. diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.json b/tools/src/test/resources/1.6/valid-bom-1.6.json index 994f726f..eb873f2d 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.json +++ b/tools/src/test/resources/1.6/valid-bom-1.6.json @@ -142,6 +142,19 @@ }, { "type": "library", + "manufacture": { + "name": "ACME, Inc.", + "url": [ + "https://acme.org/manufacturing" + ], + "contact": [ + { + "name": "ACME Manufacturing", + "email": "manufacturing@acme.org", + "phone": "800-555-13372" + } + ] + }, "supplier": { "name": "Example, Inc.", "url": [ diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.textproto b/tools/src/test/resources/1.6/valid-bom-1.6.textproto index 3e81e348..8f5f4770 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-bom-1.6.textproto @@ -141,6 +141,15 @@ components { group: "org.example" name: "mylibrary" version: "1.0.0" + manufacture { + name: "Acme Inc." + url: "https://acme.org/manufacturing" + contact { + name: "ACME Manufacturing" + email: "manufacturing@acme.org" + phone: "800-555-13372" + } + } } dependencies { ref: "pkg:npm/acme/component@1.0.0" 
diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.xml b/tools/src/test/resources/1.6/valid-bom-1.6.xml index fc1904d3..e5fa25e8 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.xml +++ b/tools/src/test/resources/1.6/valid-bom-1.6.xml @@ -106,6 +106,15 @@ + + Acme Inc. + https://acme.org/manufacturing + + ACME Manufacturing + manufacturing@acme.org + 800-555-13372 + + Example Inc. https://example.com From 2f9cd0dda85c2b704a2f86177ddbe8ba4aebcfce Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 8 Feb 2024 14:51:14 +0100 Subject: [PATCH 4/5] docs Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 145683e2..66f21f83 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -141,7 +141,7 @@ message Component { optional ComponentData data = 26; // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. optional CryptoProperties cryptoProperties = 27; - // The organization that manufactured the component (the "manufacturer", although the property is misspelled). + // The organization that manufactured the component (the "manufacturer", although the field is misspelled). optional OrganizationalEntity manufacture = 28; } 
@@ -446,7 +446,7 @@ message Metadata { repeated OrganizationalContact authors = 3; // The component that the BOM describes. optional Component component = 4; - // The organization that manufactured the CycloneDX document. This may be different from the manufacurer of the component that the CycloneDX document describes. + // The organization that manufactured the CycloneDX document (the "manufacturer", although the field is misspelled). This may be different from the manufacurer of the component that the CycloneDX document describes. optional OrganizationalEntity manufacture = 5; // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager. optional OrganizationalEntity supplier = 6; From 7fb26b77c050e5536feab757b96d972d5db16f1f Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 8 Feb 2024 14:55:34 +0100 Subject: [PATCH 5/5] docs Signed-off-by: Jan Kowalleck --- schema/bom-1.6.xsd | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 16ec9f26..4deaf08b 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -215,8 +215,7 @@ limitations under the License. - The organization that manufactured the CycloneDX document (the "manufacturer", although the - element is misspelled). + The organization that manufactured the CycloneDX document (the "manufacturer", although the element is misspelled). This may be different from the manufacturer of the component that the CycloneDX document describes. @@ -476,7 +475,7 @@ limitations under the License. - The organization that manufactured the component (the "manufacturer", although the property is misspelled). + The organization that manufactured the component (the "manufacturer", although the element is misspelled).