From d8b912e5ae94f769c191de429b4305d8a31ad8b3 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 22 Feb 2024 20:36:08 +0100 Subject: [PATCH 01/12] wip Signed-off-by: Jan Kowalleck --- buf.yaml | 19 ++++ schema/bom-1.6.proto | 238 ++++++++++++++++++++++++------------------- 2 files changed, 155 insertions(+), 102 deletions(-) create mode 100644 buf.yaml diff --git a/buf.yaml b/buf.yaml new file mode 100644 index 00000000..54340787 --- /dev/null +++ b/buf.yaml @@ -0,0 +1,19 @@ +# This is the config for "Buf" - a ProtocolBuffer linter/checker/more +# see https://buf.build/docs/configuration/v1/buf-yaml + +version: v1 +lint: # https://buf.build/docs/configuration/v1/buf-yaml#lint + use: + - DEFAULT # https://buf.build/docs/lint/rules#default + except: + # directory/file layout does not match the recommendation/framework of the tool + - DIRECTORY_SAME_PACKAGE # https://buf.build/docs/lint/rules#directory_same_package + - PACKAGE_DIRECTORY_MATCH # https://buf.build/docs/lint/rules#package_lower_snake_case + - FILE_LOWER_SNAKE_CASE # https://buf.build/docs/lint/rules#file_lower_snake_case + # we do not stick to the following best-practices and recommendations: + # (this shall be fixed with the upcoming CycloneDX v2.0 release + - PACKAGE_VERSION_SUFFIX # https://buf.build/docs/lint/rules#package_version_suffix + - FIELD_LOWER_SNAKE_CASE # https://buf.build/docs/lint/rules#field_lower_snake_case + allow_comment_ignores: true + # breaking: # https://buf.build/docs/configuration/v1/buf-yaml#breaking + # use: \ No newline at end of file diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index d1a02573..300b6703 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto 
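Review bot: The link comment on the `PACKAGE_DIRECTORY_MATCH` exception points at the wrong rule anchor (`#package_lower_snake_case`); following the pattern of the neighbouring lines it should presumably read `- PACKAGE_DIRECTORY_MATCH # https://buf.build/docs/lint/rules#package_directory_match`. The explanatory comment two lines below opens a parenthesis ("(this shall be fixed with the upcoming CycloneDX v2.0 release") that is never closed, and the file ends without a trailing newline. The `breaking:` section is left commented out, yet the second file in this patch renumbers every value of the `CryptoProperties` enums; that is only safe while 1.6 is unreleased, so enabling `buf breaking` (e.g. `use: [FILE]`) against the last released schema would catch an accidental repeat once the wire format is published.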
@@ -162,6 +162,7 @@ message DataFlow { } // Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known. +// buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "DATA_FLOW_DIRECTION_" enum DataFlowDirection { DATA_FLOW_NULL = 0; DATA_FLOW_INBOUND = 1; @@ -399,6 +400,7 @@ message OrganizationalEntityOrContact { } } +// buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "LICENSING_TYPE_ENUM_" enum LicensingTypeEnum { LICENSING_TYPE_NULL = 0; // A license that grants use of software solely for the purpose of education or research. @@ -732,6 +734,7 @@ message EvidenceOccurrences { optional string additionalContext = 6; } +// buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "EVIDENCE_FIELD_TYPE_" enum EvidenceFieldType { EVIDENCE_FIELD_NULL = 0; EVIDENCE_FIELD_GROUP = 1; @@ -924,6 +927,7 @@ message VulnerabilityAnalysis { enum ImpactAnalysisState { // An undefined impact analysis state + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback IMPACT_ANALYSIS_STATE_NULL = 0; // The vulnerability has been remediated. IMPACT_ANALYSIS_STATE_RESOLVED = 1; @@ -941,6 +945,7 @@ enum ImpactAnalysisState { enum ImpactAnalysisJustification { // An undefined impact analysis justification + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback IMPACT_ANALYSIS_JUSTIFICATION_NULL = 0; // The code has been removed or tree-shaked. IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 1; 
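Review bot: The `ENUM_VALUE_PREFIX` ignore comments added above `DataFlowDirection`, `LicensingTypeEnum` and `EvidenceFieldType` only restate the lint message and give no reason for the exception, unlike the `ENUM_ZERO_VALUE_SUFFIX` ignores in this patch, which at least say the issue will be fixed in v2.0. Renaming an enum value is wire-compatible but changes the generated identifiers and the JSON/text-format spelling for every existing consumer, which is the actual reason the rule has to be suppressed; stating that keeps the exception from looking arbitrary, e.g. `// buf:lint:ignore ENUM_VALUE_PREFIX -- the unprefixed names are part of the released 1.x API (generated code, JSON/text format); to be fixed in v2.0`. The same applies to the `OutputTypeType` ignore in the `@@ -1453,7 +1464,9 @@` hunk.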
@@ -989,8 +994,9 @@ message VulnerabilityAffectedVersions { optional VulnerabilityAffectedStatus status = 3; } +// The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status. enum VulnerabilityAffectedStatus { - // The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0; VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1; VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2; @@ -1120,6 +1126,7 @@ message ModelCard { } enum ModelParameterApproachType { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED = 0; MODEL_PARAMETER_APPROACH_TYPE_UNSUPERVISED = 1; MODEL_PARAMETER_APPROACH_TYPE_REINFORCED_LEARNING = 2; 
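Review bot: The `ENUM_ZERO_VALUE_SUFFIX` ignore on `MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED = 0` records that the lint is being suppressed but not the consequence a consumer has to handle: in proto3 a field left unset reads back as value 0, so a BOM that never set the approach type is indistinguishable from one that explicitly says "supervised" unless the field is declared `optional` (the field declaration is outside this hunk, so I cannot tell). The comment should state that hazard rather than only the rule, e.g. `// buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- in proto3 an unset field reads as 0, so "supervised" cannot be told apart from "not set"; to be fixed in v2.0`. The same applies to `ComponentDataType`, `AccessMode`, `VolumeMode`, `TriggerType` and `OutputTypeType` in the `@@ -1175`, `@@ -1333`, `@@ -1361`, `@@ -1394` and `@@ -1453` hunks and to `TaskType` in `@@ -1482`; the rewording of these comments in the second patch of this series calls the usage "an error" but still does not spell out what a reader must do about it. For `VulnerabilityAffectedStatus` in this hunk the suppression is appropriate, since `UNKNOWN` is a genuine fallback.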
@@ -1175,6 +1182,7 @@ message DataGovernance { enum ComponentDataType { // Any type of code, code snippet, or data-as-code + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 COMPONENT_DATA_TYPE_SOURCE_CODE = 0; // Parameters or settings that may be used by other components. COMPONENT_DATA_TYPE_CONFIGURATION = 1; @@ -1333,6 +1341,7 @@ message Workspace { optional Volume volume = 12; enum AccessMode { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 ACCESS_MODE_READ_ONLY = 0; ACCESS_MODE_READ_WRITE = 1; ACCESS_MODE_READ_WRITE_ONCE = 2; @@ -1361,6 +1370,7 @@ message Volume { repeated Property properties = 8; enum VolumeMode { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 VOLUME_MODE_FILESYSTEM = 0; VOLUME_MODE_BLOCK = 1; } @@ -1394,6 +1404,7 @@ message Trigger { repeated OutputType outputs = 12; enum TriggerType { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 TRIGGER_TYPE_MANUAL = 0; TRIGGER_TYPE_API = 1; TRIGGER_TYPE_WEBHOOK = 2; @@ -1453,7 +1464,9 @@ message OutputType { // Additional properties of the output data. repeated Property properties = 7; + // buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "OUTPUT_TYPE_TYPE_" enum OutputTypeType { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 OUTPUT_TYPE_ARTIFACT = 0; OUTPUT_TYPE_ATTESTATION = 1; OUTPUT_TYPE_LOG = 2; 
@@ -1482,6 +1495,7 @@ message Condition { enum TaskType { // A task that copies software or data used to accomplish other tasks in the workflow. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 TASK_TYPE_COPY = 0; // A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step. TASK_TYPE_CLONE = 1; 
@@ -1715,87 +1729,101 @@ message Definition { message CryptoProperties { enum CryptoAssetType { - CRYPTO_ASSET_TYPE_ALGORITHM = 0; - CRYPTO_ASSET_TYPE_CERTIFICATE = 1; - CRYPTO_ASSET_TYPE_PROTOCOL = 2; - CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL = 3; + // Default + CRYPTO_ASSET_TYPE_UNSPECIFIED = 0; + CRYPTO_ASSET_TYPE_ALGORITHM = 1; + CRYPTO_ASSET_TYPE_CERTIFICATE = 2; + CRYPTO_ASSET_TYPE_PROTOCOL = 3; + CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL = 4; } message AlgorithmProperties { enum CryptoPrimitive { - CRYPTO_PRIMITIVE_DRBG = 0; - CRYPTO_PRIMITIVE_MAC = 1; - CRYPTO_PRIMITIVE_BLOCK_CIPHER = 2; - CRYPTO_PRIMITIVE_STREAM_CIPHER = 3; - CRYPTO_PRIMITIVE_SIGNATURE = 4; - CRYPTO_PRIMITIVE_HASH = 5; - CRYPTO_PRIMITIVE_PKE = 6; - CRYPTO_PRIMITIVE_XOF = 7; - CRYPTO_PRIMITIVE_KDF = 8; - CRYPTO_PRIMITIVE_KEY_AGREE = 9; - CRYPTO_PRIMITIVE_KEM = 10; - CRYPTO_PRIMITIVE_AE = 11; - CRYPTO_PRIMITIVE_COMBINER = 12; - CRYPTO_PRIMITIVE_OTHER = 13; - CRYPTO_PRIMITIVE_UNKNOWN = 14; + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value + CRYPTO_PRIMITIVE_UNKNOWN = 0; + // none of the following + CRYPTO_PRIMITIVE_OTHER = 1; + CRYPTO_PRIMITIVE_DRBG = 2; + CRYPTO_PRIMITIVE_MAC = 3; + CRYPTO_PRIMITIVE_BLOCK_CIPHER = 4; + CRYPTO_PRIMITIVE_STREAM_CIPHER = 5; + CRYPTO_PRIMITIVE_SIGNATURE = 6; + CRYPTO_PRIMITIVE_HASH = 7; + CRYPTO_PRIMITIVE_PKE = 8; + CRYPTO_PRIMITIVE_XOF = 9; + CRYPTO_PRIMITIVE_KDF = 10; + CRYPTO_PRIMITIVE_KEY_AGREE = 11; + CRYPTO_PRIMITIVE_KEM = 12; + CRYPTO_PRIMITIVE_AE = 13; + CRYPTO_PRIMITIVE_COMBINER = 14; } enum CryptoExecutionEnvironment { - CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM = 0; - CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_ENCRYPTED_RAM = 1; - CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_TEE = 2; - CRYPTO_EXECUTION_ENVIRONMENT_HARDWARE = 3; - CRYPTO_EXECUTION_ENVIRONMENT_OTHER = 4; - CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 5; + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our 
default value + CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 0; + // none of the following + CRYPTO_EXECUTION_ENVIRONMENT_OTHER = 1; + CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM = 2; + CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_ENCRYPTED_RAM = 3; + CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_TEE = 4; + CRYPTO_EXECUTION_ENVIRONMENT_HARDWARE = 5; } enum CryptoImplementationPlatform { - CRYPTO_IMPLEMENTATION_PLATFORM_GENERIC = 0; - CRYPTO_IMPLEMENTATION_PLATFORM_X86_32 = 1; - CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 = 2; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7A = 3; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7M = 4; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8A = 5; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8M = 6; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9A = 7; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9M = 8; - CRYPTO_IMPLEMENTATION_PLATFORM_X390X = 9; - CRYPTO_IMPLEMENTATION_PLATFORM_PPC64 = 10; - CRYPTO_IMPLEMENTATION_PLATFORM_PPC64LE = 11; - CRYPTO_IMPLEMENTATION_PLATFORM_OTHER = 12; - CRYPTO_IMPLEMENTATION_PLATFORM_UNKNOWN = 13; + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value + CRYPTO_IMPLEMENTATION_PLATFORM_UNKNOWN = 0; + // none of the following + CRYPTO_IMPLEMENTATION_PLATFORM_OTHER = 1; + CRYPTO_IMPLEMENTATION_PLATFORM_GENERIC = 2; + CRYPTO_IMPLEMENTATION_PLATFORM_X86_32 = 3; + CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 = 4; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7A = 5; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7M = 6; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8A = 7; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8M = 8; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9A = 9; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9M = 10; + CRYPTO_IMPLEMENTATION_PLATFORM_X390X = 11; + CRYPTO_IMPLEMENTATION_PLATFORM_PPC64 = 12; + CRYPTO_IMPLEMENTATION_PLATFORM_PPC64LE = 13; } enum CryptoAlgorithmMode { - CRYPTO_ALGORITHM_MODE_CBC = 0; - CRYPTO_ALGORITHM_MODE_ECB = 1; - CRYPTO_ALGORITHM_MODE_CCM = 2; - CRYPTO_ALGORITHM_MODE_GCM = 3; - CRYPTO_ALGORITHM_MODE_CFB = 4; - CRYPTO_ALGORITHM_MODE_OFB = 5; 
- CRYPTO_ALGORITHM_MODE_CTR = 6; - CRYPTO_ALGORITHM_MODE_OTHER = 7; - CRYPTO_ALGORITHM_MODE_UNKNOWN = 8; + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value + CRYPTO_ALGORITHM_MODE_UNKNOWN = 0; + // none of the following + CRYPTO_ALGORITHM_MODE_OTHER = 1; + CRYPTO_ALGORITHM_MODE_CBC = 2; + CRYPTO_ALGORITHM_MODE_ECB = 3; + CRYPTO_ALGORITHM_MODE_CCM = 4; + CRYPTO_ALGORITHM_MODE_GCM = 5; + CRYPTO_ALGORITHM_MODE_CFB = 6; + CRYPTO_ALGORITHM_MODE_OFB = 7; + CRYPTO_ALGORITHM_MODE_CTR = 8; } enum CryptoAlgorithmPadding { - CRYPTO_ALGORITHM_PADDING_PKCS5 = 0; - CRYPTO_ALGORITHM_PADDING_PKCS7 = 1; - CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 2; - CRYPTO_ALGORITHM_PADDING_OAEP = 3; - CRYPTO_ALGORITHM_PADDING_RAW = 4; - CRYPTO_ALGORITHM_PADDING_OTHER = 5; - CRYPTO_ALGORITHM_PADDING_UNKNOWN = 6; + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value + CRYPTO_ALGORITHM_PADDING_UNKNOWN = 0; + // none of the following + CRYPTO_ALGORITHM_PADDING_OTHER = 1; + CRYPTO_ALGORITHM_PADDING_PKCS5 = 2; + CRYPTO_ALGORITHM_PADDING_PKCS7 = 3; + CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 4; + CRYPTO_ALGORITHM_PADDING_OAEP = 5; + CRYPTO_ALGORITHM_PADDING_RAW = 6; } enum CryptoAlgorithmFunction { - CRYPTO_ALGORITHM_FUNCTION_GENERATE = 0; - CRYPTO_ALGORITHM_FUNCTION_KEYGEN = 1; - CRYPTO_ALGORITHM_FUNCTION_ENCRYPT = 2; - CRYPTO_ALGORITHM_FUNCTION_DECRYPT = 3; - CRYPTO_ALGORITHM_FUNCTION_DIGEST = 4; - CRYPTO_ALGORITHM_FUNCTION_TAG = 5; - CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE = 6; - CRYPTO_ALGORITHM_FUNCTION_SIGN = 7; - CRYPTO_ALGORITHM_FUNCTION_VERIFY = 8; - CRYPTO_ALGORITHM_FUNCTION_ENCAPSULATE = 9; - CRYPTO_ALGORITHM_FUNCTION_DECAPSULATE = 10; - CRYPTO_ALGORITHM_FUNCTION_OTHER = 11; - CRYPTO_ALGORITHM_FUNCTION_UNKNOWN = 12; + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value + CRYPTO_ALGORITHM_FUNCTION_UNKNOWN = 0; + // none of the following + 
CRYPTO_ALGORITHM_FUNCTION_OTHER = 1; + CRYPTO_ALGORITHM_FUNCTION_GENERATE = 2; + CRYPTO_ALGORITHM_FUNCTION_KEYGEN = 3; + CRYPTO_ALGORITHM_FUNCTION_ENCRYPT = 4; + CRYPTO_ALGORITHM_FUNCTION_DECRYPT = 5; + CRYPTO_ALGORITHM_FUNCTION_DIGEST = 6; + CRYPTO_ALGORITHM_FUNCTION_TAG = 7; + CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE = 8; + CRYPTO_ALGORITHM_FUNCTION_SIGN = 9; + CRYPTO_ALGORITHM_FUNCTION_VERIFY = 10; + CRYPTO_ALGORITHM_FUNCTION_ENCAPSULATE = 11; + CRYPTO_ALGORITHM_FUNCTION_DECAPSULATE = 12; } // Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2). optional CryptoPrimitive primitive = 1; 
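Review bot: Every value of `CryptoPrimitive`, `CryptoExecutionEnvironment`, `CryptoImplementationPlatform`, `CryptoAlgorithmMode`, `CryptoAlgorithmPadding` and `CryptoAlgorithmFunction` changes its number in this hunk, which is a wire-breaking change: a CBOM serialized from the earlier 1.6 draft would be silently decoded as a different value rather than rejected (an old `CRYPTO_PRIMITIVE_UNKNOWN`, 14, now reads as `CRYPTO_PRIMITIVE_COMBINER`). That is acceptable only if no such data exists, which the `wip` commit message does not state; a comment above `message CryptoProperties` or a line in the commit description should say that the renumbering relies on 1.6 being unreleased, and the same applies to `CryptoRelatedType`, `CryptoRelatedState` and `CryptoProtocolType` in the `@@ -1840,33 +1868,37 @@` and `@@ -1901,14 +1933,16 @@` hunks. While the numbers are being reassigned anyway, `CRYPTO_IMPLEMENTATION_PLATFORM_X390X = 11;` is carried over unchanged and looks like a typo for the IBM Z architecture identifier, presumably `CRYPTO_IMPLEMENTATION_PLATFORM_S390X = 11;`; renaming it now is free, whereas after release it would break generated code. `message CryptoProperties` continues past the end of the hunk.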
@@ -1840,33 +1868,37 @@ message CryptoProperties { } // end of CertificateProperties message RelatedCryptoMaterialProperties { enum CryptoRelatedType { - CRYPTO_RELATED_TYPE_PRIVATE_KEY = 0; - CRYPTO_RELATED_TYPE_PUBLIC_KEY = 1; - CRYPTO_RELATED_TYPE_SECRET_KEY = 2; - CRYPTO_RELATED_TYPE_KEY = 3; - CRYPTO_RELATED_TYPE_CIPHERTEXT = 4; - CRYPTO_RELATED_TYPE_SIGNATURE = 5; - CRYPTO_RELATED_TYPE_DIGEST = 6; - CRYPTO_RELATED_TYPE_INITIALIZATION_VECTOR = 7; - CRYPTO_RELATED_TYPE_NONCE = 8; - CRYPTO_RELATED_TYPE_SEED = 9; - CRYPTO_RELATED_TYPE_SALT = 10; - CRYPTO_RELATED_TYPE_SHARED_SECRET = 11; - CRYPTO_RELATED_TYPE_TAG = 12; - CRYPTO_RELATED_TYPE_ADDITIONAL_DATA = 13; - CRYPTO_RELATED_TYPE_PASSWORD = 14; - CRYPTO_RELATED_TYPE_CREDENTIAL = 15; - CRYPTO_RELATED_TYPE_TOKEN = 16; - CRYPTO_RELATED_TYPE_OTHER = 17; - CRYPTO_RELATED_TYPE_UNKNOWN = 18; + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value + CRYPTO_RELATED_TYPE_UNKNOWN = 0; + // none of the following + CRYPTO_RELATED_TYPE_OTHER = 1; + CRYPTO_RELATED_TYPE_PRIVATE_KEY = 2; + CRYPTO_RELATED_TYPE_PUBLIC_KEY = 3; + CRYPTO_RELATED_TYPE_SECRET_KEY = 4; + CRYPTO_RELATED_TYPE_KEY = 5; + CRYPTO_RELATED_TYPE_CIPHERTEXT = 6; + CRYPTO_RELATED_TYPE_SIGNATURE = 7; + CRYPTO_RELATED_TYPE_DIGEST = 8; + CRYPTO_RELATED_TYPE_INITIALIZATION_VECTOR = 9; + CRYPTO_RELATED_TYPE_NONCE = 10; + CRYPTO_RELATED_TYPE_SEED = 11; + CRYPTO_RELATED_TYPE_SALT = 12; + CRYPTO_RELATED_TYPE_SHARED_SECRET = 13; + CRYPTO_RELATED_TYPE_TAG = 14; + CRYPTO_RELATED_TYPE_ADDITIONAL_DATA = 15; + CRYPTO_RELATED_TYPE_PASSWORD = 16; + CRYPTO_RELATED_TYPE_CREDENTIAL = 17; + CRYPTO_RELATED_TYPE_TOKEN = 18; } enum CryptoRelatedState { - CRYPTO_RELATED_STATE_PRE_ACTIVATION = 0; - CRYPTO_RELATED_STATE_ACTIVE = 1; - CRYPTO_RELATED_STATE_SUSPENDED = 2; - CRYPTO_RELATED_STATE_DEACTIVATED = 3; - CRYPTO_RELATED_STATE_COMPROMISED = 4; - CRYPTO_RELATED_STATE_DESTROYED = 5; + // Default + CRYPTO_RELATED_STATE_UNSPECIFIED = 0; 
+ CRYPTO_RELATED_STATE_PRE_ACTIVATION = 1; + CRYPTO_RELATED_STATE_ACTIVE = 2; + CRYPTO_RELATED_STATE_SUSPENDED = 3; + CRYPTO_RELATED_STATE_DEACTIVATED = 4; + CRYPTO_RELATED_STATE_COMPROMISED = 5; + CRYPTO_RELATED_STATE_DESTROYED = 6; } message CryptoRelatedSecuredBy { // Specifies the mechanism by which the cryptographic asset is secured by. Examples include HSM, TPM, SGX, Software, and None @@ -1901,14 +1933,16 @@ message CryptoProperties { } // end of RelatedCryptoMaterialProperties message ProtocolProperties { enum CryptoProtocolType { - CRYPTO_PROTOCOL_TYPE_TLS = 0; - CRYPTO_PROTOCOL_TYPE_SSH = 1; - CRYPTO_PROTOCOL_TYPE_IPSEC = 2; - CRYPTO_PROTOCOL_TYPE_IKE = 3; - CRYPTO_PROTOCOL_TYPE_SSTP = 4; - CRYPTO_PROTOCOL_TYPE_WPA = 5; - CRYPTO_PROTOCOL_TYPE_OTHER = 6; - CRYPTO_PROTOCOL_TYPE_UNKNOWN = 7; + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value + CRYPTO_PROTOCOL_TYPE_UNKNOWN = 0; + // none of the following + CRYPTO_PROTOCOL_TYPE_OTHER = 1; + CRYPTO_PROTOCOL_TYPE_TLS = 2; + CRYPTO_PROTOCOL_TYPE_SSH = 3; + CRYPTO_PROTOCOL_TYPE_IPSEC = 4; + CRYPTO_PROTOCOL_TYPE_IKE = 5; + CRYPTO_PROTOCOL_TYPE_SSTP = 6; + CRYPTO_PROTOCOL_TYPE_WPA = 7; } message CryptoProtocolCipherSuite { // A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM From 16366a04a075f1bd8ffe6e610d651efb5ed0c19c Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 23 Feb 2024 13:20:02 +0100 Subject: [PATCH 02/12] wip Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 264 ++++++++++++++++++++++++------------------- 1 file changed, 148 insertions(+), 116 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 300b6703..c26340f5 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto 
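Review bot: The six lifecycle values of `CryptoRelatedState` (`PRE_ACTIVATION` through `DESTROYED`) carry no documentation, and neither do the eighteen `CryptoRelatedType` values, so a consumer cannot tell, for example, whether `SECRET_KEY` and `KEY` are disjoint or how `COMPROMISED` differs from `DEACTIVATED`. The state names appear to follow the key-state model of NIST SP 800-57 Part 1 (pre-activation, active, suspended, deactivated, compromised, destroyed); if that is the intent, a one-line comment per value plus a reference on the enum, e.g. `// Lifecycle state of the key material; states follow NIST SP 800-57 Part 1.`, would make the meaning of `COMPROMISED` (material must no longer be used to apply protection, though it may still be needed to process already-protected data) explicit to tooling that acts on a CBOM. `message RelatedCryptoMaterialProperties` begins before and continues past this hunk.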
@@ -46,6 +46,7 @@ message Bom { } enum Classification { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` CLASSIFICATION_NULL = 0; // A software application. Refer to https://en.wikipedia.org/wiki/Application_software for information about applications. CLASSIFICATION_APPLICATION = 1; @@ -164,6 +165,7 @@ message DataFlow { // Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known. // buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "DATA_FLOW_DIRECTION_" enum DataFlowDirection { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` DATA_FLOW_NULL = 0; DATA_FLOW_INBOUND = 1; DATA_FLOW_OUTBOUND = 2; @@ -200,6 +202,7 @@ message ExternalReference { enum ExternalReferenceType { // Use this if no other types accurately describe the purpose of the external reference + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `other` is our fallback, doubling `unspecified` EXTERNAL_REFERENCE_TYPE_OTHER = 0; // Version Control System EXTERNAL_REFERENCE_TYPE_VCS = 1; @@ -284,6 +287,7 @@ enum ExternalReferenceType { } enum HashAlg { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` HASH_ALG_NULL = 0; HASH_ALG_MD_5 = 1; HASH_ALG_SHA_1 = 2; @@ -317,6 +321,7 @@ message IdentifiableAction { } enum IssueClassification { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` ISSUE_CLASSIFICATION_NULL = 0; // A fault, flaw, or bug in software ISSUE_CLASSIFICATION_DEFECT = 1; 
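Review bot: The new comment on `EXTERNAL_REFERENCE_TYPE_OTHER = 0` says "`other` is our fallback, doubling `unspecified`", but unlike `CLASSIFICATION_NULL`, `HASH_ALG_NULL` or `ISSUE_CLASSIFICATION_NULL` in the other hunks on this line, `other` is a real category ("Use this if no other types accurately describe the purpose"), so an external reference whose type was never set is indistinguishable from one deliberately classified as other. The comment should say that directly rather than treat the two as interchangeable, e.g. `// buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- "other" is the fallback; an unset type also reads as "other"`. "doubling `unspecified`" is also unclear wording throughout this patch; "standing in for `unspecified`" says what is meant.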
@@ -402,6 +407,7 @@ message OrganizationalEntityOrContact { // buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "LICENSING_TYPE_ENUM_" enum LicensingTypeEnum { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` LICENSING_TYPE_NULL = 0; // A license that grants use of software solely for the purpose of education or research. LICENSING_TYPE_ACADEMIC = 1; @@ -471,6 +477,7 @@ message Lifecycles { enum LifecyclePhase { // BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema LIFECYCLE_PHASE_DESIGN = 0; // BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use. LIFECYCLE_PHASE_PRE_BUILD = 1; @@ -509,6 +516,7 @@ message OrganizationalEntity { } enum PatchClassification { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` PATCH_CLASSIFICATION_NULL = 0; // A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch PATCH_CLASSIFICATION_UNOFFICIAL = 1; @@ -630,6 +638,7 @@ message Property { enum Aggregate { // The relationship completeness is not specified. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `not specified` is our fallback, doubling `unspecified` AGGREGATE_NOT_SPECIFIED = 0; // The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist. AGGREGATE_COMPLETE = 1; 
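Review bot: The rewritten ignore comment on `LIFECYCLE_PHASE_DESIGN = 0` reads `fallback(meaning "unspecified")` with no space before the parenthesis and continues with a lower-case `this usage here is an error`, which reads as a note-to-self rather than schema documentation that will be copied into generated docs for every consumer. Keeping the author's statement but tidying it, `-- value 0 is the proto3 fallback (meaning "unspecified"); using it for a real phase is an error that shall be fixed in v2.0`, fits on one line. The identical wording appears in the `@@ -747`, `@@ -1126`, `@@ -1182`, `@@ -1341`, `@@ -1370`, `@@ -1404`, `@@ -1466` and `@@ -1495` hunks.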
@@ -736,6 +745,7 @@ message EvidenceOccurrences { // buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "EVIDENCE_FIELD_TYPE_" enum EvidenceFieldType { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` EVIDENCE_FIELD_NULL = 0; EVIDENCE_FIELD_GROUP = 1; EVIDENCE_FIELD_NAME = 2; @@ -747,6 +757,7 @@ enum EvidenceFieldType { } enum EvidenceTechnique { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS = 0; EVIDENCE_TECHNIQUE_BINARY_ANALYSIS = 1; EVIDENCE_TECHNIQUE_MANIFEST_ANALYSIS = 2; @@ -868,6 +879,7 @@ message VulnerabilityRating { } enum Severity { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback, doubling `unspecified` SEVERITY_UNKNOWN = 0; SEVERITY_CRITICAL = 1; SEVERITY_HIGH = 2; @@ -879,6 +891,7 @@ enum Severity { enum ScoreMethod { // An undefined score method + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` SCORE_METHOD_NULL = 0; // Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/ SCORE_METHOD_CVSSV2 = 1; @@ -927,7 +940,7 @@ message VulnerabilityAnalysis { enum ImpactAnalysisState { // An undefined impact analysis state - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` IMPACT_ANALYSIS_STATE_NULL = 0; // The vulnerability has been remediated. IMPACT_ANALYSIS_STATE_RESOLVED = 1; 
@@ -945,7 +958,7 @@ enum ImpactAnalysisState { enum ImpactAnalysisJustification { // An undefined impact analysis justification - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` IMPACT_ANALYSIS_JUSTIFICATION_NULL = 0; // The code has been removed or tree-shaked. IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 1; @@ -968,6 +981,8 @@ enum ImpactAnalysisJustification { } enum VulnerabilityResponse { + // unspecified value + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` VULNERABILITY_RESPONSE_NULL = 0; VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1; VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2; @@ -996,7 +1011,8 @@ message VulnerabilityAffectedVersions { // The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status. enum VulnerabilityAffectedStatus { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 + // It is unknown (or unspecified) whether the given version is affected. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback, doubling `unspecified` VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0; VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1; VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2; 
@@ -1126,7 +1142,7 @@ message ModelCard { } enum ModelParameterApproachType { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED = 0; MODEL_PARAMETER_APPROACH_TYPE_UNSUPERVISED = 1; MODEL_PARAMETER_APPROACH_TYPE_REINFORCED_LEARNING = 2; @@ -1182,7 +1198,7 @@ message DataGovernance { enum ComponentDataType { // Any type of code, code snippet, or data-as-code - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema COMPONENT_DATA_TYPE_SOURCE_CODE = 0; // Parameters or settings that may be used by other components. COMPONENT_DATA_TYPE_CONFIGURATION = 1; @@ -1341,7 +1357,7 @@ message Workspace { optional Volume volume = 12; enum AccessMode { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema ACCESS_MODE_READ_ONLY = 0; ACCESS_MODE_READ_WRITE = 1; ACCESS_MODE_READ_WRITE_ONCE = 2; 
@@ -1370,7 +1386,7 @@ message Volume { repeated Property properties = 8; enum VolumeMode { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema VOLUME_MODE_FILESYSTEM = 0; VOLUME_MODE_BLOCK = 1; } @@ -1404,7 +1420,7 @@ message Trigger { repeated OutputType outputs = 12; enum TriggerType { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema TRIGGER_TYPE_MANUAL = 0; TRIGGER_TYPE_API = 1; TRIGGER_TYPE_WEBHOOK = 2; @@ -1466,7 +1482,7 @@ message OutputType { // buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "OUTPUT_TYPE_TYPE_" enum OutputTypeType { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema OUTPUT_TYPE_ARTIFACT = 0; OUTPUT_TYPE_ATTESTATION = 1; OUTPUT_TYPE_LOG = 2; 
@@ -1495,7 +1511,7 @@ message Condition { enum TaskType { // A task that copies software or data used to accomplish other tasks in the workflow. - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- actually, value 0 is reserved for fallbacks ... this shall be fixed in v2.0 + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema TASK_TYPE_COPY = 0; // A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step. TASK_TYPE_CLONE = 1; @@ -1729,7 +1745,7 @@ message Definition { message CryptoProperties { enum CryptoAssetType { - // Default + // ProtoBuff's default value CRYPTO_ASSET_TYPE_UNSPECIFIED = 0; CRYPTO_ASSET_TYPE_ALGORITHM = 1; CRYPTO_ASSET_TYPE_CERTIFICATE = 2; 
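Review bot: The rewritten comment on `CRYPTO_ASSET_TYPE_UNSPECIFIED = 0` spells the project name `ProtoBuff`; the tool is "Protocol Buffers", conventionally shortened to "protobuf", and the comments elsewhere in this patch already use `protobuf3`. `// proto3 default value` (or `// Protobuf's default value`) keeps the wording consistent, and the same spelling recurs in the `UNSPECIFIED` comments of the following `@@ -1738,92 +1754,104 @@` hunk.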
@@ -1738,92 +1754,104 @@ message CryptoProperties { } message AlgorithmProperties { enum CryptoPrimitive { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value - CRYPTO_PRIMITIVE_UNKNOWN = 0; - // none of the following - CRYPTO_PRIMITIVE_OTHER = 1; - CRYPTO_PRIMITIVE_DRBG = 2; - CRYPTO_PRIMITIVE_MAC = 3; - CRYPTO_PRIMITIVE_BLOCK_CIPHER = 4; - CRYPTO_PRIMITIVE_STREAM_CIPHER = 5; - CRYPTO_PRIMITIVE_SIGNATURE = 6; - CRYPTO_PRIMITIVE_HASH = 7; - CRYPTO_PRIMITIVE_PKE = 8; - CRYPTO_PRIMITIVE_XOF = 9; - CRYPTO_PRIMITIVE_KDF = 10; - CRYPTO_PRIMITIVE_KEY_AGREE = 11; - CRYPTO_PRIMITIVE_KEM = 12; - CRYPTO_PRIMITIVE_AE = 13; - CRYPTO_PRIMITIVE_COMBINER = 14; + // ProtoBuff's default value -- it differs from "unknown" + CRYPTO_PRIMITIVE_UNSPECIFIED = 0; + // The primitive is not known + CRYPTO_PRIMITIVE_UNKNOWN = 1; + // Another primitive type - none of the following + CRYPTO_PRIMITIVE_OTHER = 2; + CRYPTO_PRIMITIVE_DRBG = 3; + CRYPTO_PRIMITIVE_MAC = 4; + CRYPTO_PRIMITIVE_BLOCK_CIPHER = 5; + CRYPTO_PRIMITIVE_STREAM_CIPHER = 6; + CRYPTO_PRIMITIVE_SIGNATURE = 7; + CRYPTO_PRIMITIVE_HASH = 8; + CRYPTO_PRIMITIVE_PKE = 9; + CRYPTO_PRIMITIVE_XOF = 10; + CRYPTO_PRIMITIVE_KDF = 11; + CRYPTO_PRIMITIVE_KEY_AGREE = 12; + CRYPTO_PRIMITIVE_KEM = 13; + CRYPTO_PRIMITIVE_AE = 14; + CRYPTO_PRIMITIVE_COMBINER = 15; } enum CryptoExecutionEnvironment { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value - CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 0; - // none of the following - CRYPTO_EXECUTION_ENVIRONMENT_OTHER = 1; - CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM = 2; - CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_ENCRYPTED_RAM = 3; - CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_TEE = 4; - CRYPTO_EXECUTION_ENVIRONMENT_HARDWARE = 5; + // ProtoBuff's default value -- it differs from "unknown" + CRYPTO_EXECUTION_ENVIRONMENT_UNSPECIFIED = 0; + // The execution environment is not known + 
CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 1; + // Another implementation environment - none of the following + CRYPTO_EXECUTION_ENVIRONMENT_OTHER = 2; + CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM = 3; + CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_ENCRYPTED_RAM = 4; + CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_TEE = 5; + CRYPTO_EXECUTION_ENVIRONMENT_HARDWARE = 6; } enum CryptoImplementationPlatform { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value - CRYPTO_IMPLEMENTATION_PLATFORM_UNKNOWN = 0; + // ProtoBuff's default value -- it differs from "unknown" + CRYPTO_IMPLEMENTATION_PLATFORM_UNSPECIFIED = 0; + // the platform is not known + CRYPTO_IMPLEMENTATION_PLATFORM_UNKNOWN = 1; // none of the following - CRYPTO_IMPLEMENTATION_PLATFORM_OTHER = 1; - CRYPTO_IMPLEMENTATION_PLATFORM_GENERIC = 2; - CRYPTO_IMPLEMENTATION_PLATFORM_X86_32 = 3; - CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 = 4; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7A = 5; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7M = 6; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8A = 7; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8M = 8; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9A = 9; - CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9M = 10; - CRYPTO_IMPLEMENTATION_PLATFORM_X390X = 11; - CRYPTO_IMPLEMENTATION_PLATFORM_PPC64 = 12; - CRYPTO_IMPLEMENTATION_PLATFORM_PPC64LE = 13; + CRYPTO_IMPLEMENTATION_PLATFORM_OTHER = 2; + CRYPTO_IMPLEMENTATION_PLATFORM_GENERIC = 3; + CRYPTO_IMPLEMENTATION_PLATFORM_X86_32 = 4; + CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 = 5; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7A = 6; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7M = 7; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8A = 8; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8M = 9; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9A = 10; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9M = 11; + CRYPTO_IMPLEMENTATION_PLATFORM_X390X = 12; + CRYPTO_IMPLEMENTATION_PLATFORM_PPC64 = 13; + CRYPTO_IMPLEMENTATION_PLATFORM_PPC64LE = 14; } enum CryptoAlgorithmMode { - // buf:lint:ignore 
ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value - CRYPTO_ALGORITHM_MODE_UNKNOWN = 0; - // none of the following - CRYPTO_ALGORITHM_MODE_OTHER = 1; - CRYPTO_ALGORITHM_MODE_CBC = 2; - CRYPTO_ALGORITHM_MODE_ECB = 3; - CRYPTO_ALGORITHM_MODE_CCM = 4; - CRYPTO_ALGORITHM_MODE_GCM = 5; - CRYPTO_ALGORITHM_MODE_CFB = 6; - CRYPTO_ALGORITHM_MODE_OFB = 7; - CRYPTO_ALGORITHM_MODE_CTR = 8; + // ProtoBuff's default value -- it differs from "unknown" + CRYPTO_ALGORITHM_MODE_UNSPECIFIED = 0; + // The mode of operation is not known + CRYPTO_ALGORITHM_MODE_UNKNOWN = 1; + // Another mode of operation - none of the following + CRYPTO_ALGORITHM_MODE_OTHER = 2; + CRYPTO_ALGORITHM_MODE_CBC = 3; + CRYPTO_ALGORITHM_MODE_ECB = 4; + CRYPTO_ALGORITHM_MODE_CCM = 5; + CRYPTO_ALGORITHM_MODE_GCM = 6; + CRYPTO_ALGORITHM_MODE_CFB = 7; + CRYPTO_ALGORITHM_MODE_OFB = 8; + CRYPTO_ALGORITHM_MODE_CTR = 9; } enum CryptoAlgorithmPadding { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value - CRYPTO_ALGORITHM_PADDING_UNKNOWN = 0; - // none of the following - CRYPTO_ALGORITHM_PADDING_OTHER = 1; - CRYPTO_ALGORITHM_PADDING_PKCS5 = 2; - CRYPTO_ALGORITHM_PADDING_PKCS7 = 3; - CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 4; - CRYPTO_ALGORITHM_PADDING_OAEP = 5; - CRYPTO_ALGORITHM_PADDING_RAW = 6; + // ProtoBuff's default value -- it differs from "unknown" + CRYPTO_ALGORITHM_PADDING_UNSPECIFIED = 0; + // The padding scheme is not known + CRYPTO_ALGORITHM_PADDING_UNKNOWN = 1; + // Another padding scheme - none of the following + CRYPTO_ALGORITHM_PADDING_OTHER = 2; + CRYPTO_ALGORITHM_PADDING_PKCS5 = 3; + CRYPTO_ALGORITHM_PADDING_PKCS7 = 4; + CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 5; + CRYPTO_ALGORITHM_PADDING_OAEP = 6; + CRYPTO_ALGORITHM_PADDING_RAW = 7; } enum CryptoAlgorithmFunction { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value - CRYPTO_ALGORITHM_FUNCTION_UNKNOWN = 0; + // 
ProtoBuff's default value -- it differs from "unknown" + CRYPTO_ALGORITHM_FUNCTION_UNSPECIFIED = 0; + // meaning "there is some, but it is unclear which one" + CRYPTO_ALGORITHM_FUNCTION_UNKNOWN = 1; // none of the following - CRYPTO_ALGORITHM_FUNCTION_OTHER = 1; - CRYPTO_ALGORITHM_FUNCTION_GENERATE = 2; - CRYPTO_ALGORITHM_FUNCTION_KEYGEN = 3; - CRYPTO_ALGORITHM_FUNCTION_ENCRYPT = 4; - CRYPTO_ALGORITHM_FUNCTION_DECRYPT = 5; - CRYPTO_ALGORITHM_FUNCTION_DIGEST = 6; - CRYPTO_ALGORITHM_FUNCTION_TAG = 7; - CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE = 8; - CRYPTO_ALGORITHM_FUNCTION_SIGN = 9; - CRYPTO_ALGORITHM_FUNCTION_VERIFY = 10; - CRYPTO_ALGORITHM_FUNCTION_ENCAPSULATE = 11; - CRYPTO_ALGORITHM_FUNCTION_DECAPSULATE = 12; + CRYPTO_ALGORITHM_FUNCTION_OTHER = 2; + CRYPTO_ALGORITHM_FUNCTION_GENERATE = 3; + CRYPTO_ALGORITHM_FUNCTION_KEYGEN = 4; + CRYPTO_ALGORITHM_FUNCTION_ENCRYPT = 5; + CRYPTO_ALGORITHM_FUNCTION_DECRYPT = 6; + CRYPTO_ALGORITHM_FUNCTION_DIGEST = 7; + CRYPTO_ALGORITHM_FUNCTION_TAG = 8; + CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE = 9; + CRYPTO_ALGORITHM_FUNCTION_SIGN = 10; + CRYPTO_ALGORITHM_FUNCTION_VERIFY = 11; + CRYPTO_ALGORITHM_FUNCTION_ENCAPSULATE = 12; + CRYPTO_ALGORITHM_FUNCTION_DECAPSULATE = 13; } // Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2). optional CryptoPrimitive primitive = 1; 
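Review bot: Inserting `*_UNSPECIFIED = 0` and shifting every existing member by one changes the wire meaning of all six enums in this hunk (and likewise `CryptoRelatedType` at @@ -1868 and `CryptoProtocolType` at @@ -1933): a message written with the previous revision's `CRYPTO_ALGORITHM_PADDING_OAEP = 5` now reads back as `CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 5`, silently misreporting a security-relevant property. That is only acceptable if no producer of the 1.6 schema exists yet; the commit message ("wip") should say so explicitly, and the `buf breaking` step the test script leaves commented out is exactly what would flag this class of change once the schema is published. The new `UNSPECIFIED`/`UNKNOWN` split also needs a consumer-facing contract, because with `optional` fields there are now three states (absent, 0, 1); suggested comment for each zero member: `// Not stated by the producer; consumers must not treat this as a verified property`, and for each `*_UNKNOWN = 1`: `// The producer examined the asset but could not determine this property`. Minor inconsistency: `CryptoAlgorithmFunction` keeps the bare `// none of the following` and the `// meaning "there is some, but it is unclear which one"` phrasing while the other enums use `// Another ... - none of the following` and `... is not known`. `AlgorithmProperties` continues past the end of the hunk.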
@@ -1868,27 +1896,29 @@ message CryptoProperties { } // end of CertificateProperties message RelatedCryptoMaterialProperties { enum CryptoRelatedType { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value - CRYPTO_RELATED_TYPE_UNKNOWN = 0; - // none of the following - CRYPTO_RELATED_TYPE_OTHER = 1; - CRYPTO_RELATED_TYPE_PRIVATE_KEY = 2; - CRYPTO_RELATED_TYPE_PUBLIC_KEY = 3; - CRYPTO_RELATED_TYPE_SECRET_KEY = 4; - CRYPTO_RELATED_TYPE_KEY = 5; - CRYPTO_RELATED_TYPE_CIPHERTEXT = 6; - CRYPTO_RELATED_TYPE_SIGNATURE = 7; - CRYPTO_RELATED_TYPE_DIGEST = 8; - CRYPTO_RELATED_TYPE_INITIALIZATION_VECTOR = 9; - CRYPTO_RELATED_TYPE_NONCE = 10; - CRYPTO_RELATED_TYPE_SEED = 11; - CRYPTO_RELATED_TYPE_SALT = 12; - CRYPTO_RELATED_TYPE_SHARED_SECRET = 13; - CRYPTO_RELATED_TYPE_TAG = 14; - CRYPTO_RELATED_TYPE_ADDITIONAL_DATA = 15; - CRYPTO_RELATED_TYPE_PASSWORD = 16; - CRYPTO_RELATED_TYPE_CREDENTIAL = 17; - CRYPTO_RELATED_TYPE_TOKEN = 18; + // ProtoBuff's default value -- it differs from "unknown" + CRYPTO_RELATED_TYPE_UNSPECIFIED = 0; + // The type of cryptographic asset is not known. + CRYPTO_RELATED_TYPE_UNKNOWN = 1; + // Another type of cryptographic asset - none of the following + CRYPTO_RELATED_TYPE_OTHER = 2; + CRYPTO_RELATED_TYPE_PRIVATE_KEY = 3; + CRYPTO_RELATED_TYPE_PUBLIC_KEY = 4; + CRYPTO_RELATED_TYPE_SECRET_KEY = 5; + CRYPTO_RELATED_TYPE_KEY = 6; + CRYPTO_RELATED_TYPE_CIPHERTEXT = 7; + CRYPTO_RELATED_TYPE_SIGNATURE = 8; + CRYPTO_RELATED_TYPE_DIGEST = 9; + CRYPTO_RELATED_TYPE_INITIALIZATION_VECTOR = 10; + CRYPTO_RELATED_TYPE_NONCE = 11; + CRYPTO_RELATED_TYPE_SEED = 12; + CRYPTO_RELATED_TYPE_SALT = 13; + CRYPTO_RELATED_TYPE_SHARED_SECRET = 14; + CRYPTO_RELATED_TYPE_TAG = 15; + CRYPTO_RELATED_TYPE_ADDITIONAL_DATA = 16; + CRYPTO_RELATED_TYPE_PASSWORD = 17; + CRYPTO_RELATED_TYPE_CREDENTIAL = 18; + CRYPTO_RELATED_TYPE_TOKEN = 19; } enum CryptoRelatedState { // Default 
@@ -1933,16 +1963,18 @@ message CryptoProperties { } // end of RelatedCryptoMaterialProperties message ProtocolProperties { enum CryptoProtocolType { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- we use the well-known case "unknown" as our default value - CRYPTO_PROTOCOL_TYPE_UNKNOWN = 0; - // none of the following - CRYPTO_PROTOCOL_TYPE_OTHER = 1; - CRYPTO_PROTOCOL_TYPE_TLS = 2; - CRYPTO_PROTOCOL_TYPE_SSH = 3; - CRYPTO_PROTOCOL_TYPE_IPSEC = 4; - CRYPTO_PROTOCOL_TYPE_IKE = 5; - CRYPTO_PROTOCOL_TYPE_SSTP = 6; - CRYPTO_PROTOCOL_TYPE_WPA = 7; + // ProtoBuff's default value -- it differs from "unknown" + CRYPTO_PROTOCOL_TYPE_UNSPECIFIED = 0; + // The protocol type is not known + CRYPTO_PROTOCOL_TYPE_UNKNOWN = 1; + // Another protocol type - none of the following + CRYPTO_PROTOCOL_TYPE_OTHER = 2; + CRYPTO_PROTOCOL_TYPE_TLS = 3; + CRYPTO_PROTOCOL_TYPE_SSH = 4; + CRYPTO_PROTOCOL_TYPE_IPSEC = 5; + CRYPTO_PROTOCOL_TYPE_IKE = 6; + CRYPTO_PROTOCOL_TYPE_SSTP = 7; + CRYPTO_PROTOCOL_TYPE_WPA = 8; } message CryptoProtocolCipherSuite { // A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM From f7206878b335e06203ae59aa6b4c5b618012b662 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 23 Feb 2024 13:27:32 +0100 Subject: [PATCH 03/12] finished protobuf lint config Signed-off-by: Jan Kowalleck --- buf.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/buf.yaml b/buf.yaml index 54340787..dc679c64 100644 --- a/buf.yaml +++ b/buf.yaml 
@@ -14,6 +14,12 @@ lint: # https://buf.build/docs/configuration/v1/buf-yaml#lint # (this shall be fixed with the upcoming CycloneDX v2.0 release - PACKAGE_VERSION_SUFFIX # https://buf.build/docs/lint/rules#package_version_suffix - FIELD_LOWER_SNAKE_CASE # https://buf.build/docs/lint/rules#field_lower_snake_case + ignore_only: + DEFAULT: # https://buf.build/docs/lint/rules#default + # exising schema files may not stick to the rules -- this is acknowledged. + - schema/bom-1.5.proto + - schema/bom-1.4.proto + - schema/bom-1.3.proto allow_comment_ignores: true # breaking: # https://buf.build/docs/configuration/v1/buf-yaml#breaking # use: \ No newline at end of file From e629d2e15780c47a1f5129751c3e9ee55f636546 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 23 Feb 2024 13:29:04 +0100 Subject: [PATCH 04/12] docs Signed-off-by: Jan Kowalleck --- buf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buf.yaml b/buf.yaml index dc679c64..8327e967 100644 --- a/buf.yaml +++ b/buf.yaml @@ -11,7 +11,7 @@ lint: # https://buf.build/docs/configuration/v1/buf-yaml#lint - PACKAGE_DIRECTORY_MATCH # https://buf.build/docs/lint/rules#package_lower_snake_case - FILE_LOWER_SNAKE_CASE # https://buf.build/docs/lint/rules#file_lower_snake_case # we do not stick to the following best-practices and recommendations: - # (this shall be fixed with the upcoming CycloneDX v2.0 release + # (shall be fixed with v2.0 of this very schema) - PACKAGE_VERSION_SUFFIX # https://buf.build/docs/lint/rules#package_version_suffix - FIELD_LOWER_SNAKE_CASE # https://buf.build/docs/lint/rules#field_lower_snake_case ignore_only: From aa54e57125da5646700c4e7e90b42e9bec55a9de Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 23 Feb 2024 13:29:20 +0100 Subject: [PATCH 05/12] docs Signed-off-by: Jan Kowalleck --- buf.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/buf.yaml b/buf.yaml index 8327e967..33be6671 100644 --- a/buf.yaml +++ b/buf.yaml 
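Review bot: The comment above the new `ignore_only` list misspells "existing" (`# exising schema files may not stick to the rules`); suggested: `# existing schema files may not stick to the rules -- this is acknowledged.`. The list names only `bom-1.3`, `bom-1.4` and `bom-1.5`, so every other `.proto` under `schema/` is linted with the full DEFAULT set; if that is meant to apply to `bom-1.6.proto` only, stating it in the same comment would keep the next schema version from being silently exempted or included by accident.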
@@ -1,6 +1,5 @@ # This is the config for "Buf" - a ProtocolBuffer linter/checker/more # see https://buf.build/docs/configuration/v1/buf-yaml - version: v1 lint: # https://buf.build/docs/configuration/v1/buf-yaml#lint use: From bdadbba3c64816eab8c8869a1546e08ce148e0c2 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 23 Feb 2024 13:29:44 +0100 Subject: [PATCH 06/12] docs Signed-off-by: Jan Kowalleck --- buf.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/buf.yaml b/buf.yaml index 33be6671..13711c3d 100644 --- a/buf.yaml +++ b/buf.yaml @@ -16,9 +16,9 @@ lint: # https://buf.build/docs/configuration/v1/buf-yaml#lint ignore_only: DEFAULT: # https://buf.build/docs/lint/rules#default # exising schema files may not stick to the rules -- this is acknowledged. - - schema/bom-1.5.proto - - schema/bom-1.4.proto - - schema/bom-1.3.proto + - "schema/bom-1.5.proto" + - "schema/bom-1.4.proto" + - "schema/bom-1.3.proto" allow_comment_ignores: true # breaking: # https://buf.build/docs/configuration/v1/buf-yaml#breaking # use: \ No newline at end of file From 8503f10fb699d3fa2c6816bc5fd60624d97e2e69 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 23 Feb 2024 13:32:34 +0100 Subject: [PATCH 07/12] docs Signed-off-by: Jan Kowalleck --- buf.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/buf.yaml b/buf.yaml index 13711c3d..4336f9a1 100644 --- a/buf.yaml +++ b/buf.yaml @@ -19,6 +19,6 @@ lint: # https://buf.build/docs/configuration/v1/buf-yaml#lint - "schema/bom-1.5.proto" - "schema/bom-1.4.proto" - "schema/bom-1.3.proto" - allow_comment_ignores: true - # breaking: # https://buf.build/docs/configuration/v1/buf-yaml#breaking - # use: \ No newline at end of file + allow_comment_ignores: true # the so-called "baseline" is done by annotating exceptions +# breaking: # https://buf.build/docs/configuration/v1/buf-yaml#breaking +# use: \ No newline at end of file 
From 96a4a635db8775c13a648199c0d583ba01c96d62 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 23 Feb 2024 14:05:31 +0100 Subject: [PATCH 08/12] CT Signed-off-by: Jan Kowalleck --- .github/workflows/test_proto.yml | 24 ++++++++++++++++++++++ proto-test/*.textproto | 0 tools/src/test/proto-test.sh | 34 +++++++++++++++++++++++++++----- 3 files changed, 53 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/test_proto.yml create mode 100644 proto-test/*.textproto diff --git a/.github/workflows/test_proto.yml b/.github/workflows/test_proto.yml new file mode 100644 index 00000000..8dfd1d35 --- /dev/null +++ b/.github/workflows/test_proto.yml @@ -0,0 +1,24 @@ +# docs: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions + +name: CT ProtoBuf + +on: + push: + branches: ['master', 'main'] + pull_request: + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + test: + timeout-minutes: 30 + runs-on: ubuntu-latest + steps: + - name: Checkout + # see https://github.com/actions/checkout + uses: actions/checkout@v4 + - name: run tests + run: tools/src/test/proto-test.sh \ No newline at end of file diff --git a/proto-test/*.textproto b/proto-test/*.textproto new file mode 100644 index 00000000..e69de29b diff --git a/tools/src/test/proto-test.sh b/tools/src/test/proto-test.sh index fa3377aa..894954df 100755 --- a/tools/src/test/proto-test.sh +++ b/tools/src/test/proto-test.sh 
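Review bot: The new workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` receives the repository's default permission set although the job only reads the checkout; add at top level next to `concurrency:` the two lines `permissions:` / `  contents: read`. For the same least-privilege reason `actions/checkout@v4` is better pinned to a full commit SHA with the tag kept in a trailing comment, since the `v4` tag is mutable. Separately, this commit adds an empty file literally named `proto-test/*.textproto`; the old script on the next hunk wrote its output to `proto-test/`, so this looks like an unexpanded glob that was committed by accident and should be dropped (and `proto-test/` listed in `.gitignore` instead).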
@@ -1,6 +1,30 @@ #!/usr/bin/env bash -mkdir -p proto-test -for filename in resources/1.3/*.textproto; -do - protoc --proto_path=../../../schema/ --encode=cyclonedx.v1_3.Bom bom-1.3-SNAPSHOT.proto < $filename | protoc --proto_path=../../../schema/ --decode=cyclonedx.v1_3.Bom bom-1.3-SNAPSHOT.proto > proto-test/${filename##*/} -done; \ No newline at end of file +set -ex + +if [[ -n "$CI" ]] +then + LOG_FORMAT="github-actions" +else + LOG_FORMAT="json" +fi + +# lint protobuf schema files +docker run \ + --volume "$(pwd):/workspace" \ + --workdir /workspace \ + bufbuild/buf:1.29.0 \ + lint --error-format "$LOG_FORMAT" + +# check protobuf schema files for breaking changes +# docker run \ +# --volume "$(pwd):/workspace" \ +# --workdir /workspace \ +# bufbuild/buf:1.29.0 \ +# breaking + +# test all examples against the schema files +# mkdir -p proto-test +# for filename in resources/1.3/*.textproto; +# do +# protoc --proto_path=../../../schema/ --encode=cyclonedx.v1_3.Bom bom-1.3-SNAPSHOT.proto < $filename | protoc --proto_path=../../../schema/ --decode=cyclonedx.v1_3.Bom bom-1.3-SNAPSHOT.proto > proto-test/${filename##*/} +# done \ No newline at end of file From d5a060a87a079c2625eedfcb49c24c5eab5fd68d Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 23 Feb 2024 14:09:26 +0100 Subject: [PATCH 09/12] test negatives Signed-off-by: Jan Kowalleck --- buf.yaml | 2 +- tools/src/test/proto-test.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/buf.yaml b/buf.yaml index 4336f9a1..bb994b49 100644 --- a/buf.yaml +++ b/buf.yaml @@ -16,7 +16,7 @@ lint: # https://buf.build/docs/configuration/v1/buf-yaml#lint ignore_only: DEFAULT: # https://buf.build/docs/lint/rules#default # exising schema files may not stick to the rules -- this is acknowledged. - - "schema/bom-1.5.proto" + # - "schema/bom-1.5.proto" - "schema/bom-1.4.proto" - "schema/bom-1.3.proto" allow_comment_ignores: true # the so-called "baseline" is done by annotating exceptions 
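Review bot: The `docker run` pulls `bufbuild/buf:1.29.0` by tag, which is mutable, and mounts the working tree read-write although `lint` only reads it; pin the image by digest (`bufbuild/buf:1.29.0@sha256:<digest placeholder>`) and mount with `--volume "$(pwd):/workspace:ro"`. There is also a coverage regression worth naming in the commit: the previous encode/decode round-trip of `resources/1.3/*.textproto` is commented out rather than ported, and the `buf breaking` block is commented out as well, so after this change CI validates no example document against the schema and would not catch a renumbered field or enum. The enum renumbering in PATCH 01 is precisely the class of change `breaking` exists for; enabling it needs an `--against` reference (the main branch or the last released schema) so the comparison baseline is explicit.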
diff --git a/tools/src/test/proto-test.sh b/tools/src/test/proto-test.sh index 894954df..3f5ba8e3 100755 --- a/tools/src/test/proto-test.sh +++ b/tools/src/test/proto-test.sh @@ -13,7 +13,7 @@ docker run \ --volume "$(pwd):/workspace" \ --workdir /workspace \ bufbuild/buf:1.29.0 \ - lint --error-format "$LOG_FORMAT" + lint --error-format "$LOG_FORMAT" --debug # check protobuf schema files for breaking changes # docker run \ From f9e276708701cbee24bf9f1a5f377f3f592a61f5 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 23 Feb 2024 14:12:05 +0100 Subject: [PATCH 10/12] test Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 1 - 1 file changed, 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index c26340f5..bd1ec190 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -477,7 +477,6 @@ message Lifecycles { enum LifecyclePhase { // BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use. - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema LIFECYCLE_PHASE_DESIGN = 0; // BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use. LIFECYCLE_PHASE_PRE_BUILD = 1; From a2d4c727254f9f5328a43fcfa1d73e2e5ce343f4 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 23 Feb 2024 14:16:00 +0100 Subject: [PATCH 11/12] test Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index bd1ec190..6129950e 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto 
@@ -477,6 +477,7 @@ message Lifecycles { enum LifecyclePhase { // BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema LIFECYCLE_PHASE_DESIGN = 0; // BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use. LIFECYCLE_PHASE_PRE_BUILD = 1; @@ -1774,7 +1775,6 @@ message CryptoProperties { CRYPTO_PRIMITIVE_COMBINER = 15; } enum CryptoExecutionEnvironment { - // ProtoBuff's default value -- it differs from "unknown" CRYPTO_EXECUTION_ENVIRONMENT_UNSPECIFIED = 0; // The execution environment is not known CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 1; From 12955e9898bb3d65d9c214a01c4433fd1897e760 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 23 Feb 2024 14:18:42 +0100 Subject: [PATCH 12/12] test Signed-off-by: Jan Kowalleck --- buf.yaml | 2 +- schema/bom-1.6.proto | 1 - tools/src/test/proto-test.sh | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/buf.yaml b/buf.yaml index bb994b49..4336f9a1 100644 --- a/buf.yaml +++ b/buf.yaml @@ -16,7 +16,7 @@ lint: # https://buf.build/docs/configuration/v1/buf-yaml#lint ignore_only: DEFAULT: # https://buf.build/docs/lint/rules#default # exising schema files may not stick to the rules -- this is acknowledged. - # - "schema/bom-1.5.proto" + - "schema/bom-1.5.proto" - "schema/bom-1.4.proto" - "schema/bom-1.3.proto" allow_comment_ignores: true # the so-called "baseline" is done by annotating exceptions diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 6129950e..91d2fe3f 100644 --- a/schema/bom-1.6.proto 
+++ b/schema/bom-1.6.proto @@ -1775,7 +1775,6 @@ message CryptoProperties { CRYPTO_PRIMITIVE_COMBINER = 15; } enum CryptoExecutionEnvironment { - CRYPTO_EXECUTION_ENVIRONMENT_UNSPECIFIED = 0; // The execution environment is not known CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 1; // Another implementation environment - none of the following diff --git a/tools/src/test/proto-test.sh b/tools/src/test/proto-test.sh index 3f5ba8e3..ce4b35c0 100755 --- a/tools/src/test/proto-test.sh +++ b/tools/src/test/proto-test.sh @@ -13,7 +13,7 @@ docker run \ --volume "$(pwd):/workspace" \ --workdir /workspace \ bufbuild/buf:1.29.0 \ - lint --error-format "$LOG_FORMAT" --debug + lint --error-format "$LOG_FORMAT" --verbose --debug # check protobuf schema files for breaking changes # docker run \
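Review bot: After this hunk `CryptoExecutionEnvironment` has no zero member — its first value is `CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 1` — which protoc rejects in proto3 (the first enum value must be zero), so the series as it stands leaves `schema/bom-1.6.proto` uncompilable. The commit title "test" and the add/remove pairs in PATCH 10 and 11 suggest this is a deliberate negative test of the new lint job; if so, it must be reverted before merge by restoring `// Protobuf's default value` and `CRYPTO_EXECUTION_ENVIRONMENT_UNSPECIFIED = 0;` (PATCH 11 also dropped the comment line), and the throwaway commits squashed out of the series. The enum's closing brace and the rest of `AlgorithmProperties` lie outside the hunk.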