Content update

CycloneDX · Mar 25, 2024 · 7538b2f · 7538b2f
1 parent 74b87ed
commit 7538b2f
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 30 deletions.
diff --git a/SBOM/en/0x02-Preface.md b/SBOM/en/0x02-Preface.md
@@ -1,14 +1,26 @@
 # Preface
 
-Secure supply chains are the foundational building block of modern cyber security. Without being able to describe a system’s components in a machine-consumable way, organizations and software consumers are in the dark if they are at risk of exploitation of known defects or vulnerabilities.
-
-Innovation drives the evolution of Software Bill of Materials (SBOM). I was lucky enough to attend one of the meetings held between the CycloneDX and SPDX teams at a Linux Foundation conference moderated by the fine folks at CISA. The drivers for CycloneDX 1.5 include improvements in interoperability and transparency.
-
-Software authors, from hobbyists to software vendors, can quickly adopt CycloneDX in their tooling, producing artifacts that will help consumers understand and manage the risk of the multitude of software that most organizations rely on daily.
-
-A few years ago, I was involved in a project to review 1700 business-critical applications in 90 days for known software vulnerabilities. If the organization had access to CycloneDX SBOMs, this would have been a trivial task, time that could have been more usefully spent on remediation rather than discovery. Sadly, most of the time was spent working out what software had old faulty components rather than addressing the very real risk of known software vulnerabilities. We were plagued with false positives from the tooling we used simply because scanning software without SBOMs is a heuristic-driven discovery process that is inefficient and wastes a great deal of time we didn’t have. SBOMs resolve these issues, reduce costs, and reduce risk to all involved.
-
-I commend the CycloneDX team for a highly polished revision of their standard, one that evolves the state of the art.
+Welcome to the Authoritative Guide series by the OWASP Foundation and OWASP CycloneDX. In this series, we aim to
+provide comprehensive insights and practical guidance, ensuring that security professionals, developers, and
+organizations alike have access to the latest best practices and methodologies.
+
+At the heart of the OWASP Foundation lies a commitment to inclusivity and openness. We firmly believe that everyone
+deserves a seat at the table when it comes to shaping the future of cybersecurity standards. Our collaborative
+model fosters an environment where diverse perspectives converge to drive innovation and excellence.
+
+In line with this ethos, the OWASP Foundation has partnered with Ecma International to create an inclusive,
+community-driven ecosystem for security standards development. This collaboration empowers individuals to contribute
+their expertise and insights, ensuring that standards like CycloneDX reflect the collective wisdom of the global
+cybersecurity community.
+
+One standout example of this model is OWASP CycloneDX, which is on track to becoming an Ecma International
+standard through Technical Committee 54 (TC54). By leveraging the strengths of both organizations, CycloneDX is poised
+to become a cornerstone of security best practices, providing organizations with a universal standard for software and
+system transparency.
+
+As you embark on your journey through this Authoritative Guide, we encourage you to engage actively with the content
+and join us in shaping the future of cybersecurity standards. Together, we can build a safer and more resilient digital
+world for all.
 
 ---
 

diff --git a/SBOM/en/0x30-Use_Cases.md b/SBOM/en/0x30-Use_Cases.md
@@ -89,13 +89,12 @@ CycloneDX is capable of describing the following types of components:
 CycloneDX supports multiple methods to assert identity including:
 
 - Coordinates: The combination of the group, name, and version fields form the coordinates of a component.
-- Package URL: [Package URL](https://github.com/package-url/purl-spec) (PURL) standardizes how software package metadata is represented so that packages can universally be identified and located regardless of what vendor, project, or ecosystem the packages belongs to. 
-- SWID: Software ID (SWID) as defined in [ISO/IEC 19770-2:2015](https://www.iso.org/standard/65666.html) is used primarily to identify installed software.
+- Package URL: [Package URL](https://github.com/package-url/purl-spec) (PURL) standardizes how software package metadata is represented so that packages can universally be identified and located.
 - CPE: The [Common Platform Enumeration](https://nvd.nist.gov/products/cpe) (CPE) specification was designed for operating systems, applications, and hardware devices. CPE is maintained by the NVD.
+- SWID: Software ID (SWID) as defined in [ISO/IEC 19770-2:2015](https://www.iso.org/standard/65666.html) is used primarily to identify installed software.
+- OmniBOR: The [OmniBOR](https://omnibor.io/) Artifact ID is capable of identifying every source code file incorporated into each built artifact.
+- SWHID: A [Software Heritage ID](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html) is a unique identifier assigned to software artifacts to facilitate their identification, tracking, and preservation.
 
-Assertion of identity can also be substantiated in the form of evidence, which includes the methods and techniques used 
-during analysis, the confidence, and the tool(s) that performed the analysis. Refer to the "Evidence" chapter for more
-information.
 
 The following example illustrates component identity in CycloneDX.
 
@@ -107,6 +106,8 @@ The following example illustrates component identity in CycloneDX.
   "version": "1.0.0",
   "cpe": "cpe:2.3:a:acme:awesome:1.0.0:*:*:*:*:*:*:*",
   "purl": "pkg:maven/com.example/[email protected]",
+  "omnibor": "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
+  "swhid": "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2",
   "swid": {
     "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_1.0.0",
     "name": "Acme Awesome Library",
@@ -123,9 +124,10 @@ The following example illustrates component identity in CycloneDX.
 CycloneDX also supports several identifiers specific to hardware devices. Refer to https://cyclonedx.org/capabilities/hbom/
 for more information.
 
-<div style="page-break-after: always; visibility: hidden">
-\newpage
-</div>
+Assertion of identity can also be substantiated in the form of evidence, which includes the methods and techniques used
+during analysis, the confidence, and the tool(s) that performed the analysis. Refer to the "Evidence" chapter for more
+information.
+
 
 ## Vulnerability Management
 CycloneDX is ideal for vulnerability management and impact analysis through the support of comprehensive inventory and

diff --git a/SBOM/en/0x40-BOM_Coverage_Maturity_Quality.md b/SBOM/en/0x40-BOM_Coverage_Maturity_Quality.md
@@ -91,3 +91,7 @@ capability of CycloneDX. Identity evidence consists of:
 
 Together, the BOM Maturity Model and native features of CycloneDX can be leveraged to form a high-quality, high-confidence
 assessment of SBOM quality.
+
+<div style="page-break-after: always; visibility: hidden">
+\newpage
+</div>
diff --git a/SBOM/en/0x45-Cryptographic_Components.md b/SBOM/en/0x45-Cryptographic_Components.md
@@ -18,6 +18,19 @@ primitive is discovered to be vulnerable or no longer complies with policies and
 As part of an agile cryptographic approach, organizations should seek to understand what cryptographic assets they are
 using and facilitate the assessment of the risk posture to provide a starting point for mitigation.
 
+The following is a high-level architecture illustrating how cryptographic assets are implemented in CycloneDX.
+
+![CBOM Component Architecture](../../CBOM/en/images/CBOM-Component-Architecture.svg)
+
+Organizations should consider including cryptographic assets in their SBOMs and optionally producing a BOM specific for
+cryptographic material, otherwise known as a Cryptographic Bill of Material (CBOM).
+
+Refer to the [Authoritative Guide to CBOM](https://cyclonedx.org/guides/) for in-depth information about leveraging
+CycloneDX for cryptographic use cases.
+
+<div style="page-break-after: always; visibility: hidden">
+\newpage
+</div>
 
 ### Algorithm Example
 A cryptographic algorithm is added in the components array of the BOM. The examples below list the algorithm
@@ -47,12 +60,6 @@ AES-128-GCM.
 ]
 ```
 
-Organizations should consider including cryptographic assets in their SBOMs and optionally producing a BOM specific for
-cryptographic material, otherwise known as a Cryptographic Bill of Material (CBOM).
-
-Refer to the [Authoritative Guide to CBOM](https://cyclonedx.org/guides/) for in-depth information about leveraging
-CycloneDX for cryptographic use cases.
-
 <div style="page-break-after: always; visibility: hidden">
 \newpage
 </div>
diff --git a/SBOM/en/0x49-Licenses.md b/SBOM/en/0x49-Licenses.md
@@ -1,5 +1,5 @@
 # License Compliance
-CycloneDX can be used for open-source and commercial license compliance. By leveraging the licensing capabilities of
+CycloneDX facilitates open-source and commercial license compliance. By leveraging the licensing capabilities of
 CycloneDX, organizations can identify any licenses that may be incompatible or require specific compliance obligations,
 such as attribution or sharing of source code.
 
@@ -136,6 +136,31 @@ intellectual property use cases. Whereas Software Asset Management (SAM) is prim
 and procurement use cases. OWASP CycloneDX has extensive support for both and can be applied to any component or service
 within a BOM.
 
+## Security and Quality Considerations for Tracking Commercial Licenses
+
+When a commercial software license expires or the software has reached its licensed limits, a cascading series of 
+events may occur, leading to security and quality issues, posing significant risks to users and systems. One of the 
+immediate concerns is the denial of service, where the software ceases to function. If the software is part of a 
+larger system, the entirety of the system may be at risk. Moreover, expired or exceeded licenses may trigger altered
+application behavior, as certain features or functionalities tied to the license may become disabled or restricted. 
+This alteration can introduce instability, unexpected errors, or even malicious behavior, potentially compromising 
+the integrity and confidentiality of data.
+
+Expired licenses may lead to being abruptly cut off from essential updates, patches, and support channels provided 
+by the software vendor. This leaves systems vulnerable to newly discovered vulnerabilities and exploits, as security
+patches may no longer be available. Without access to ongoing support, users are left without recourse in the event 
+of technical glitches or critical issues, leading to prolonged downtime and increased susceptibility to cyberattacks.
+Thus, ensuring software licenses remain current is vital for maintaining both the security and quality of software 
+systems.
+
+Providing commercial license information in CycloneDX BOMs offers a comprehensive solution to these challenges. 
+By including license details within BOMs, software consumers gain transparency into the licensing status of 
+components used within a software application. This transparency facilitates effective license management, 
+enabling organizations to track and monitor license expiration dates and renewal requirements. Consequently, 
+software consumers can proactively address license expirations, ensuring uninterrupted access to critical 
+support services, including software updates and security patches. Overall, integrating commercial license 
+information into CycloneDX BOMs enhances security, quality, and compliance across the software supply chain.
+
 <div style="page-break-after: always; visibility: hidden">
 \newpage
 </div>
diff --git a/SBOM/en/0x50-Relationships.md b/SBOM/en/0x50-Relationships.md
@@ -71,9 +71,7 @@ A general dependency graph is unspecified deep and capable of representing both
 
 ![Sample Dependency Graph](images/dependency-graph.svg)
 
-<div style="page-break-after: always; visibility: hidden">
-\newpage
-</div>
+
 
 The dependency graph above can be codified with the following:
 
@@ -118,12 +116,16 @@ As of CycloneDX v1.6, there are two types of dependencies: dependsOn and provide
 The dependency type, dependsOn, is leveraged by classic SBOMs to define a complete graph of direct and transitive
 dependencies. However, for cryptographic and similar assets, "provides" allows for many additional use cases.
 
-![Dependencies](../../CBOM/en/images/dependencies.svg)
+<div style="page-break-after: always; visibility: hidden">
+\newpage
+</div>
 
-The example shows an application (nginx) that uses the libssl cryptographic library. This library implements the 
-TLSv1.2 protocol. The relationship between the application, the library and the protocol can be expressed by using the 
+The following example shows an application (nginx) that uses the libssl cryptographic library. This library implements the
+TLSv1.2 protocol. The relationship between the application, the library and the protocol can be expressed by using the
 dependencies properties of the SBOM standard.
 
+![Dependencies](../../CBOM/en/images/dependencies.svg)
+
 Refer to the [Authoritative Guide to CBOM](https://cyclonedx.org/guides/) for in-depth information about leveraging
 CycloneDX for cryptographic use cases.