From 3ad56b01170853b8912fac539b6a6efd8beb0b4d Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 22 Feb 2024 18:02:35 -0600 Subject: [PATCH] Content update --- SBOM/en/0x10-Introduction.md | 8 ++++---- SBOM/en/0x30-Use_Cases.md | 7 ++++--- SBOM/en/0x51-External-References.md | 8 ++++++++ 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/SBOM/en/0x10-Introduction.md b/SBOM/en/0x10-Introduction.md index a362a7d..f1579ae 100644 --- a/SBOM/en/0x10-Introduction.md +++ b/SBOM/en/0x10-Introduction.md @@ -105,8 +105,8 @@ defined in HBOMs, SBOMs, and SaaSBOMs. ### Cryptography Bill of Materials (CBOM) A Cryptography Bill of Materials (CBOM) describes cryptographic assets and their dependencies. Discovering, managing, and reporting on cryptographic assets is necessary as the first step on the migration journey to quantum-safe systems -and applications. Cryptography is typically buried deep within components that are used to compose and build systems -and applications. As part of an agile cryptographic approach, organizations should seek to understand what cryptographic +and applications. Cryptography is typically buried deep within components used to compose and build systems and +applications. As part of an agile cryptographic approach, organizations should seek to understand what cryptographic assets they are using and facilitate the assessment of the risk posture to provide a starting point for mitigation. ### Operations Bill of Materials (OBOM) 
@@ -144,8 +144,8 @@ component. VEX allows software vendors and other parties to communicate the expl providing clarity on the vulnerabilities that pose a risk and the ones that do not. ### CycloneDX Attestations (CDXA) -CycloneDX Attestations enable organizations to communicate security standards, claims and evidence about security -requirements, and attestations to the veracity and completeness of those claims. CycloneDX Attestations is a way to +CycloneDX Attestations enable organizations to communicate security standards, claims, and evidence about security +requirements, and attestations to the veracity and completeness of those claims. CycloneDX Attestations is a way to manage "compliance as code." ### Common Release Notes Format diff --git a/SBOM/en/0x30-Use_Cases.md b/SBOM/en/0x30-Use_Cases.md index f2e92b6..11ff273 100644 --- a/SBOM/en/0x30-Use_Cases.md +++ b/SBOM/en/0x30-Use_Cases.md 
@@ -67,11 +67,12 @@ CycloneDX is capable of describing the following types of components: |------------------------|-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Application | Component | A software application | | Container | Component | A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. | +| Cryptographic Asset | Component | A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. | | Data | Component | A collection of discrete values that convey information. | | Device | Component | A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. | | Device Driver | Component | A special type of software that operates or controls a particular type of device. | | File | Component | A computer file. | -| Firmware | Component | A special type of software that provides low-level control over a device's hardware. | +| Firmware | Component | A special type of software that provides low-level control over a device's hardware. | | Framework | Component | A software framework | | Library | Component | A software library. Many third-party and open source reusable components are libraries. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED. 
| | Machine Learning Model | Component | A model based on training data that can make predictions or decisions without being explicitly programmed to do so. | @@ -86,8 +87,8 @@ CycloneDX is capable of describing the following types of components: > the inventory of software and constituent parts. -Component identity is an essential requirement for managing inventory. CycloneDX supports multiple methods of identity -including: +Component identity is an essential requirement for managing inventory. CycloneDX supports multiple methods to assert +identity including: - Coordinates: The combination of the group, name, and version fields form the coordinates of a component. - Package URL: [Package URL](https://github.com/package-url/purl-spec) (PURL) standardizes how software package metadata is represented so that packages can universally be identified and located regardless of what vendor, project, or ecosystem the packages belongs to. diff --git a/SBOM/en/0x51-External-References.md b/SBOM/en/0x51-External-References.md index a4aa1bc..47dc42a 100644 --- a/SBOM/en/0x51-External-References.md +++ b/SBOM/en/0x51-External-References.md 
@@ -23,6 +23,7 @@ External references provide an extensible and data-rich method of forming relati | chat | Real-time chat platform | | documentation | Documentation, guides, or how-to instructions | | support | Community or commercial support | +| source-distribution | The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type. | | distribution | Direct or repository download location | | distribution-intake | The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary | | license | The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness | 
@@ -31,6 +32,10 @@ External references provide an extensible and data-rich method of forming relati | release-notes | URL to release notes | | security-contact | Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT | | model-card | A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets | +| log | A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations. | +| configuration | Parameters or settings that may be used by other components or services. | +| evidence | Information used to substantiate a claim. | +| formulation | Describes how a component or service was manufactured or deployed. | | attestation | Human or machine-readable statements containing facts, evidence, or testimony | | threat-model | An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format | | adversary-model | The defined assumptions, goals, and capabilities of an adversary | 
@@ -49,6 +54,9 @@ External references provide an extensible and data-rich method of forming relati | evidence | Data collected through various forms of extraction or analysis | | formulation | The observed or declared formulas for how components or services were manufactured or deployed | | poam | Plans of Action and Milestones (POAM) complement an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". | +| electronic-signature | An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. | +| digital-signature | A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. | +| rfc-9116 | Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure) | | other | Use this if no other types accurately describe the purpose of the external reference | The following are example external references applied to a component:
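Review bot: In the 0x30-Use_Cases.md hunk (@@ -67,11 +67,12 @@), the `-`/`+` pair for the Firmware row reads identically in the visible text, so it looks like a whitespace-only change; drop it from the patch unless it is intended, so the hunk records only the new row. For the new "Cryptographic Asset" row, the description "algorithms, protocols, certificates, keys, tokens, and secrets" would benefit from one clarifying clause that the component type identifies and describes the asset rather than carrying key or secret material itself, since BOMs are routinely shared with third parties and readers of this table may otherwise read "secrets" as content to be embedded.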
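Review bot: In the identity hunk (@@ -86,8 +87,8 @@), the reworded lead-in is fine, but the unchanged context line that follows still carries a pre-existing agreement error, "regardless of what vendor, project, or ecosystem the packages belongs to"; since this paragraph is already being touched, fix it to "the package belongs to" in the same commit.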
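Review bot: The hunk at @@ -31,6 +32,10 @@ in 0x51-External-References.md adds rows for `evidence` and `formulation`, but the same table already has rows with those exact type names further down (visible as context in the @@ -49,6 +54,9 @@ hunk) with different definitions: "Data collected through various forms of extraction or analysis" and "The observed or declared formulas for how components or services were manufactured or deployed". Two rows keyed on the same type with divergent wording will confuse readers and anyone generating validation or documentation from this table; keep one row per type, either removing the two new rows or merging their text into the existing ones. The new `log` and `configuration` rows are fine as additions.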
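Review bot: In the hunk at @@ -49,6 +54,9 @@, the `electronic-signature` row has a typo, "the persons name" should be "the person's name". The `digital-signature` row states that such a signature "provides strong authenticity verification"; that holds only when the verifier trusts the signing key, so qualify it (for example "when the signing key is trusted and properly managed") and say what the reference points at (the signature or signed envelope) so consumers know what to fetch and verify. For `rfc-9116`, consider naming the file format in the description (the RFC title quoted in the row, "A File Format to Aid in Security Vulnerability Disclosure", defines security.txt) and cross-referencing the existing `security-contact` type, since both carry disclosure contact information and readers will need to know which to prefer.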