clarify use of "provenance" as it relates to NIST vs SLSA, etc. #26
Comments
Agreed. The term provenance has been misused over the past few years. It is important to note that the CycloneDX use of the term aligns to the NIST, MITRE, OWASP, and Oxford/Cambridge definitions of the word. CycloneDX is not intentionally aligned to NIST; rather, it is aligned to the common use of the term in global supply chains. The SBOM guide currently has a section on provenance which reads:
Additionally, it has a definition of the term:
Are there any suggestions on how to improve the clarity of the term?
So I think that the current content is very good; however, I think we could improve it by calling out the lack of consistency in the term's use. We'll need to do this delicately, as we don't want it to be a judgement of any particular use, but for folks who are new to the space, or more used to a different definition, a relative definition (defining "our" provenance as it relates to the "other" provenance) can help people who read the current definition and wonder why they have lingering confusion. Let me know if that makes sense!
During the specification meeting, when reviewing the Terms and Definitions, it was called out that the usage of "provenance" is very specific to NIST and differs from the SLSA, etc. definition. While the spec is not a good place for this information, the guide is likely a place to call this out, as it will likely help clarify the term, especially for people coming from the supply chain security space who may be more familiar with the SLSA definition.