From 1962322d5fcdc153524e80e65d3a5e48172135e3 Mon Sep 17 00:00:00 2001
From: anthonyharrison
Date: Sat, 22 Feb 2025 20:45:40 +0000
Subject: [PATCH 01/10] feat: Add support for TLP marking in metadata (fixes #595)

Signed-off-by: anthonyharrison
---
 schema/bom-1.7.proto | 15 ++++++
 schema/bom-1.7.schema.json | 24 +++++++++
 schema/bom-1.7.xsd | 49 +++++++++++++++++++
 .../invalid-metadata-distribution-1.7.json | 11 +++++
 .../1.7/invalid-metadata-distribution-1.7.xml | 7 +++
 .../1.7/valid-metadata-distribution-1.7.json | 11 +++++
 .../valid-metadata-distribution-1.7.textproto | 9 ++++
 .../1.7/valid-metadata-distribution-1.7.xml | 7 +++
 8 files changed, 133 insertions(+)
 create mode 100644 tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.json
 create mode 100644 tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.xml
 create mode 100644 tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json
 create mode 100644 tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
 create mode 100644 tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml

diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 2f1aaf0d..5cb6a5ec 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -514,6 +514,8 @@ message Metadata {
 repeated Lifecycles lifecycles = 9;
 // The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead.
 optional OrganizationalEntity manufacturer = 10;
+ // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the component that the BOM describes.
+ optional Tlp distribution = 11;
 }
 
 message Lifecycles {
@@ -675,6 +677,19 @@ message Swid {
 optional string url = 7;
 }
 
+enum Tlp {
+ // Default
+ CLEAR = 0;
+ // Limited distribution but can be shared within a community.
+ GREEN = 1;
+ // Limited distribution but can be shared within an organization and with clients
+ AMBER = 2;
+ // Limited distribution but can be shared within an organization.
+ AMBER+STRICT = 3;
+ // Restricted distribution to individual recipients and must not be shared.
+ RED = 4;
+}
+
 // Specifies a tool (manual or automated).
 message Tool {
 // DEPRECATED - DO NOT USE - The vendor of the tool used to create the BOM.
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index e1dd5b1d..988ec578 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -712,9 +712,33 @@
 "title": "Properties",
 "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {"$ref": "#/definitions/property"}
+ },
+ "distribution": {
+ "title": "Distribution",
+ "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the component that the BOM describes.",
+ "$ref": "#/definitions/tlpClassification"
 }
 }
 },
+ "tlpClassification": {
+ "type" : "string",
+ "title": "Traffic Light Protocol (TLP) Classification",
+ "description": "The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information. 
The default classification is CLEAR",
+ "enum": [
+ "AMBER",
+ "AMBER+STRICT",
+ "GREEN",
+ "RED",
+ "CLEAR"
+ ],
+ "meta:enum": {
+ "AMBER": "The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know basis within their organization and with clients.",
+ "AMBER+STRICT": "The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know basis within their organization.",
+ "GREEN": "The BOM is subject to limited disclosure, and recipients can share the BOM within their community but not via publicly accessible channels.",
+ "RED": "The BOM is subject to restricted distribution to individual recipients only and must not be shared.",
+ "CLEAR": "The BOM is not subject to any restrictions as regards the sharing of the information within the BOM."
+ }
+ },
 "tool": {
 "type": "object",
 "title": "Tool",
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index 594d2bfb..c2b7403d 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -256,6 +256,12 @@ limitations under the License. Formal registration is optional. + + + The Traffic Light Protocol (TLP) classification that controls the sharing and distribution + of the component that the BOM describes. + + 
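Review bot: `"type" : "string"` in the new `tlpClassification` definition puts a space before the colon while every neighbouring key is written `"key": value`, and the same line is carried unchanged as context through PATCH 04, 06 and 09. The description also reads `associated with artefact` (missing article) and its last sentence, `The default classification is CLEAR`, has no terminal period; both survive into the reworded description of PATCH 06. Suggest `"type": "string"` and `...associated with an artefact...` / `...The default classification is CLEAR.` while the definition is still new.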
@@ -390,6 +396,49 @@ limitations under the License. + + + + + + The BOM is not subject to any restrictions as regards the sharing of the information within the BOM. + + + + + + + The BOM is subject to limited disclosure, and recipients can share the BOM within their community + but not via publicly accessible channels. + + + + + + + The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know + basis within their organization and with clients. + + + + + + + The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know + basis within their organization. + + + + + + + The BOM is subject to restricted distribution to individual recipients only and must not be shared. + + + + + + Information about the automated or manual tool used
diff --git a/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.json b/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.json
new file mode 100644
index 00000000..0506bd53
--- /dev/null
+++ b/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.json
@@ -0,0 +1,11 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "metadata": {
+ "distribution": "Unrestricted"
+ },
+ "components": []
+}
diff --git a/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.xml b/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.xml
new file mode 100644
index 00000000..89543039
--- /dev/null
+++ b/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.xml
@@ -0,0 +1,7 @@ + + + + Unrestricted + + + 
diff --git a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json
new file mode 100644
index 00000000..e04219d3
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json
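Review bot: The only negative fixture for `metadata.distribution` is the out-of-vocabulary string `Unrestricted`, so nothing pins that the enum match is exact and case-sensitive. A TLP label is a handling instruction, and a lenient validator that accepted `clear` or a `TLP:CLEAR`-style spelling would let a mislabelled BOM pass as valid; a second invalid fixture such as `"distribution": "clear"` (constructed example) would cover that. The XML fixture that follows in this patch exercises the same single value.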
@@ -0,0 +1,11 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "metadata": {
+ "distribution": "CLEAR"
+ },
+ "components": []
+}
diff --git a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
new file mode 100644
index 00000000..baecc437
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
@@ -0,0 +1,9 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+metadata {
+ distribution: CLEAR
+}
diff --git a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml
new file mode 100644
index 00000000..14fd3238
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml
@@ -0,0 +1,7 @@ + + + + CLEAR + + + 
From 925f5f90e272b9003123e834697781adc587a75f Mon Sep 17 00:00:00 2001
From: anthonyharrison
Date: Sun, 23 Feb 2025 10:25:23 +0000
Subject: [PATCH 02/10] feat: Add support for TLP marking in metadata (fixes #595)

Signed-off-by: anthonyharrison
---
 schema/bom-1.7.proto | 2 +-
 schema/bom-1.7.schema.json | 4 ++--
 schema/bom-1.7.xsd | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 5cb6a5ec..c63e9113 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -685,7 +685,7 @@ enum Tlp {
 // Limited distribution but can be shared within an organization and with clients
 AMBER = 2;
 // Limited distribution but can be shared within an organization.
- AMBER+STRICT = 3;
+ AMBER_AND_STRICT = 3;
 // Restricted distribution to individual recipients and must not be shared.
 RED = 4;
 }
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 988ec578..66d7b586 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -726,14 +726,14 @@
 "description": "The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information. The default classification is CLEAR",
 "enum": [
 "AMBER",
- "AMBER+STRICT",
+ "AMBER_AND_STRICT",
 "GREEN",
 "RED",
 "CLEAR"
 ],
 "meta:enum": {
 "AMBER": "The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know basis within their organization and with clients.",
- "AMBER+STRICT": "The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know basis within their organization.",
+ "AMBER_AND_STRICT": "The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know basis within their organization.",
 "GREEN": "The BOM is subject to limited disclosure, and recipients can share the BOM within their community but not via publicly accessible channels.",
 "RED": "The BOM is subject to restricted distribution to individual recipients only and must not be shared.",
 "CLEAR": "The BOM is not subject to any restrictions as regards the sharing of the information within the BOM."
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index c2b7403d..e50c1160 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -421,7 +421,7 @@ limitations under the License. - + The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know
From 55425e53527d2945a72c64636c89fec7876901f9 Mon Sep 17 00:00:00 2001
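Review bot: Renaming the JSON value `AMBER+STRICT` to `AMBER_AND_STRICT` is not required by JSON or XSD — only the protobuf identifier cannot contain `+` — and it moves the string formats away from the label FIRST publishes for this level, `TLP:AMBER+STRICT`. If tools are expected to map this field onto TLP markings carried in other documents, keeping the canonical spelling in JSON/XML and mapping it to the protobuf name in whatever converts between formats (the textproto fixture later in the series already maps `RED` to `TLP_CLASSIFICATION_RED`) avoids a translation every consumer must get right. Whichever spelling is chosen becomes a wire contract once 1.7 ships, so the reason should be recorded in the description.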
From: anthonyharrison
Date: Sun, 23 Feb 2025 15:12:18 +0000
Subject: [PATCH 03/10] feat: Add support for TLP marking in metadata - fix protobuf enum (fixes #595)

Signed-off-by: anthonyharrison
---
 schema/bom-1.7.proto | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index c63e9113..1cf028b2 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -679,15 +679,15 @@ message Swid {
 
 enum Tlp {
 // Default
- CLEAR = 0;
+ TLP_CLEAR = 0;
 // Limited distribution but can be shared within a community.
- GREEN = 1;
+ TLP_GREEN = 1;
 // Limited distribution but can be shared within an organization and with clients
- AMBER = 2;
+ TLP_AMBER = 2;
 // Limited distribution but can be shared within an organization.
- AMBER_AND_STRICT = 3;
+ TLP_AMBER_AND_STRICT = 3;
 // Restricted distribution to individual recipients and must not be shared.
- RED = 4;
+ TLP_RED = 4;
 }
 
 // Specifies a tool (manual or automated).
From d3d243f4e9418e20303962809d568e6000b6407e Mon Sep 17 00:00:00 2001
From: anthonyharrison
Date: Sun, 23 Feb 2025 17:58:42 +0000
Subject: [PATCH 04/10] feat: Add support for TLP marking in metadata - add default values and documentation (fixes #595)

Signed-off-by: anthonyharrison
---
 schema/bom-1.7.proto | 5 +++--
 schema/bom-1.7.schema.json | 1 +
 schema/bom-1.7.xsd | 10 +++++++++-
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 1cf028b2..78b520e1 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -677,9 +677,10 @@ message Swid {
 optional string url = 7;
 }
 
+// The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. The default classification is `TLP_CLEAR`
 enum Tlp {
- // Default
- TLP_CLEAR = 0;
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `TLP_CLEAR` is our fallback, the default.
+ TLP_CLEAR_UNSPECIFIED = 0;
 // Limited distribution but can be shared within a community.
 TLP_GREEN = 1;
 // Limited distribution but can be shared within an organization and with clients
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 66d7b586..eaa0254b 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -722,6 +722,7 @@
 },
 "tlpClassification": {
 "type" : "string",
+ "default": "CLEAR",
 "title": "Traffic Light Protocol (TLP) Classification",
 "description": "The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information. The default classification is CLEAR",
 "enum": [
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index e50c1160..9e53ce60 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -396,7 +396,15 @@ limitations under the License. - + + + The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification + system for identifying the potential risk associated with artefact, including whether it is subject to certain + types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. + The default classification is CLEAR. + + 
From 5708d61d8300904dd91d80ee814193b0ab9bada5 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Mon, 24 Feb 2025 16:25:36 +0100
Subject: [PATCH 05/10] `TLP_CLEAR_UNSPECIFIED` -> `TLP_CLEAR`

Signed-off-by: Jan Kowalleck
---
 schema/bom-1.7.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 78b520e1..38df54bb 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -680,7 +680,7 @@ message Swid {
 // The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. The default classification is `TLP_CLEAR`
 enum Tlp {
 // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `TLP_CLEAR` is our fallback, the default.
- TLP_CLEAR_UNSPECIFIED = 0;
+ TLP_CLEAR = 0;
 // Limited distribution but can be shared within a community.
 TLP_GREEN = 1;
 // Limited distribution but can be shared within an organization and with clients
From 98d888da511f283331888c7f91a90dcc24cbe38a Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Thu, 6 Mar 2025 11:15:32 +0100
Subject: [PATCH 06/10] fixed schema and docs
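Review bot: With `TLP_CLEAR = 0;` the enum's zero value is the least restrictive marking, so in languages whose generated getter returns the default for an unset `optional` field, a `Metadata` that carries no `distribution` at all reads as CLEAR unless the caller checks field presence first. The `optional` on `distribution` keeps the distinction on the wire, but neither this comment nor the JSON `"default": "CLEAR"` added in PATCH 04 tells consumers that an absent field is not an affirmative CLEAR marking (a JSON Schema `default` is an annotation; a validator does not fill it in). Suggest extending the lint-ignore line with the handling rule: `// buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- TLP_CLEAR is the default; an absent field is not an asserted marking, check presence before relying on it.`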
Signed-off-by: Jan Kowalleck
---
 schema/bom-1.7.proto | 18 ++++++++++--------
 schema/bom-1.7.schema.json | 20 ++++++++++----------
 schema/bom-1.7.xsd | 23 +++++++++-------------
 3 files changed, 29 insertions(+), 32 deletions(-)

diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 38df54bb..8566579a 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -515,7 +515,7 @@ message Metadata {
 // The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead.
 optional OrganizationalEntity manufacturer = 10;
 // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the component that the BOM describes.
- optional Tlp distribution = 11;
+ optional TlpClassification distribution = 11;
 }
 
 message Lifecycles {
@@ -677,17 +677,19 @@ message Swid {
 optional string url = 7;
 }
 
-// The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. The default classification is `TLP_CLEAR`
-enum Tlp {
- // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `TLP_CLEAR` is our fallback, the default.
+// Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information.
+//The default classification is "CLEAR"
+enum TlpClassification {
+ // The information is not subject to any restrictions as regards the sharing.
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- "CLEAR" is our fallback, the default.
 TLP_CLEAR = 0;
- // Limited distribution but can be shared within a community.
+ // The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.
 TLP_GREEN = 1;
- // Limited distribution but can be shared within an organization and with clients
+ // The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.
 TLP_AMBER = 2;
- // Limited distribution but can be shared within an organization.
+ // The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.
 TLP_AMBER_AND_STRICT = 3;
- // Restricted distribution to individual recipients and must not be shared.
+ // The information is subject to restricted distribution to individual recipients only and must not be shared.
 TLP_RED = 4;
 }
 
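Review bot: `//The default classification is "CLEAR"` lacks the space after `//` that every other comment in the hunk has, and the quoted value no longer matches any identifier in the enum (`TLP_CLEAR`), so a reader has to infer which value is meant; `// The default classification is TLP_CLEAR.` would be unambiguous. `as regards the sharing` on the CLEAR value reads awkwardly — `with regard to sharing` — and the same phrase is carried into the JSON `meta:enum` entry in this patch.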
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index eaa0254b..26cf607a 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -721,23 +721,23 @@
 }
 },
 "tlpClassification": {
+ "title": "Traffic Light Protocol (TLP) Classification",
+ "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"",
 "type" : "string",
 "default": "CLEAR",
- "title": "Traffic Light Protocol (TLP) Classification",
- "description": "The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information. The default classification is CLEAR",
 "enum": [
+ "CLEAR",
+ "GREEN",
 "AMBER",
 "AMBER_AND_STRICT",
- "GREEN",
- "RED",
- "CLEAR"
+ "RED"
 ],
 "meta:enum": {
- "AMBER": "The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know basis within their organization and with clients.",
- "AMBER_AND_STRICT": "The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know basis within their organization.",
- "GREEN": "The BOM is subject to limited disclosure, and recipients can share the BOM within their community but not via publicly accessible channels.",
- "RED": "The BOM is subject to restricted distribution to individual recipients only and must not be shared.",
- "CLEAR": "The BOM is not subject to any restrictions as regards the sharing of the information within the BOM."
+ "CLEAR": "The information is not subject to any restrictions as regards the sharing.", + "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.", + "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.", + "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.", + "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared." } }, "tool": { diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index 9e53ce60..7bfaeac4 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -256,7 +256,7 @@ limitations under the License. Formal registration is optional. - + The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the component that the BOM describes. 
@@ -396,51 +396,46 @@ limitations under the License. - + - The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification - system for identifying the potential risk associated with artefact, including whether it is subject to certain - types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. - The default classification is CLEAR. + Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. + The default classification is "CLEAR" - The BOM is not subject to any restrictions as regards the sharing of the information within the BOM. + The information is not subject to any restrictions as regards the sharing. - The BOM is subject to limited disclosure, and recipients can share the BOM within their community - but not via publicly accessible channels. + The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels. - The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know - basis within their organization and with clients. + The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients. - The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know - basis within their organization. + The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization. - The BOM is subject to restricted distribution to individual recipients only and must not be shared. 
+ The information is subject to restricted distribution to individual recipients only and must not be shared. 
From dbd3c436db499eabcbf46a5f74f0afef6418cdff Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Thu, 6 Mar 2025 11:17:06 +0100
Subject: [PATCH 07/10] tests: fix examples

Signed-off-by: Jan Kowalleck
---
 .../src/test/resources/1.7/valid-metadata-distribution-1.7.json | 2 +-
 .../resources/1.7/valid-metadata-distribution-1.7.textproto | 2 +-
 .../src/test/resources/1.7/valid-metadata-distribution-1.7.xml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json
index e04219d3..54411553 100644
--- a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json
+++ b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json
@@ -5,7 +5,7 @@
 "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
 "version": 1,
 "metadata": {
- "distribution": "CLEAR"
+ "distribution": "RED"
 },
 "components": []
 }
diff --git a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
index baecc437..6ccf04f3 100644
--- a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
+++ b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
@@ -5,5 +5,5 @@ spec_version: "1.7"
 version: 1
 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
 metadata {
- distribution: CLEAR
+ distribution: TLP_RED
 }
diff --git a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml
index 14fd3238..3666b382 100644
--- a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml
+++ b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml
@@ -1,7 +1,7 @@ - CLEAR + RED 
From 636eb43e768bbfd643dcfe358a8e16ea7e581092 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Thu, 6 Mar 2025 11:27:53 +0100
Subject: [PATCH 08/10] style fixes

Signed-off-by: Jan Kowalleck
---
 schema/bom-1.7.proto | 10 +++++-----
 .../1.7/valid-metadata-distribution-1.7.textproto | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 8566579a..9c2e61b8 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -682,15 +682,15 @@ message Swid {
 enum TlpClassification {
 // The information is not subject to any restrictions as regards the sharing.
 // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- "CLEAR" is our fallback, the default.
- TLP_CLEAR = 0;
+ TLP_CLASSIFICATION_CLEAR = 0;
 // The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.
- TLP_GREEN = 1;
+ TLP_CLASSIFICATION_GREEN = 1;
 // The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.
- TLP_AMBER = 2;
+ TLP_CLASSIFICATION_AMBER = 2;
 // The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.
- TLP_AMBER_AND_STRICT = 3;
+ TLP_CLASSIFICATION_AMBER_AND_STRICT = 3;
 // The information is subject to restricted distribution to individual recipients only and must not be shared.
- TLP_RED = 4;
+ TLP_CLASSIFICATION_RED = 4;
 }
 
 // Specifies a tool (manual or automated).
diff --git a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
index 6ccf04f3..e32c0456 100644
--- a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
+++ b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
@@ -5,5 +5,5 @@ spec_version: "1.7"
 version: 1
 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
 metadata {
- distribution: TLP_RED
+ distribution: TLP_CLASSIFICATION_RED
 }
From 3da8e47705f65ac9f2ca0fdbedc31d563b7e2085 Mon Sep 17 00:00:00 2001
From: anthonyharrison
Date: Thu, 6 Mar 2025 19:27:16 +0000
Subject: [PATCH 09/10] feat: Add support for TLP marking in metadata - correct TLP description (fixes #595)

Signed-off-by: anthonyharrison
---
 schema/bom-1.7.proto | 4 ++--
 schema/bom-1.7.schema.json | 4 ++--
 schema/bom-1.7.xsd | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 38df54bb..b93ae61a 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -514,7 +514,7 @@ message Metadata {
 repeated Lifecycles lifecycles = 9;
 // The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead.
 optional OrganizationalEntity manufacturer = 10;
- // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the component that the BOM describes.
+ // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.
 optional Tlp distribution = 11;
 }
 
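Review bot: This patch is cut against `38df54bb`, the tree after PATCH 05, not against `9c2e61b8` from PATCH 08: its context line `optional Tlp distribution = 11;` and the `enum Tlp { ... TLP_CLEAR = 0;` block in the next hunk were already replaced by `TlpClassification` in PATCH 06, so as shown these hunks cannot apply on top of the series. PATCH 10 re-does only the `Metadata` comment on `9c2e61b8`; the matching `component` → `data` rewording of the enum comment and of the JSON/XSD descriptions has no counterpart on the post-PATCH-08 base here, so it is unclear whether it lands at all. Squashing PATCH 09 into PATCH 10, or rebasing it, would apply the description change once to the current text.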
@@ -677,7 +677,7 @@ message Swid {
 optional string url = 7;
 }
 
-// The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. The default classification is `TLP_CLEAR`
+// The Traffic Light Protocol (TLP) classification for the data that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. The default classification is `TLP_CLEAR`
 enum Tlp {
 // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `TLP_CLEAR` is our fallback, the default.
 TLP_CLEAR = 0;
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index eaa0254b..d8bca5b4 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -715,7 +715,7 @@
 },
 "distribution": {
 "title": "Distribution",
- "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the component that the BOM describes.",
+ "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.",
 "$ref": "#/definitions/tlpClassification"
 }
 }
@@ -724,7 +724,7 @@
 "type" : "string",
 "default": "CLEAR",
 "title": "Traffic Light Protocol (TLP) Classification",
- "description": "The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information. The default classification is CLEAR",
+ "description": "The Traffic Light Protocol (TLP) classification for the data that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information. The default classification is CLEAR",
 "enum": [
 "AMBER",
 "AMBER_AND_STRICT",
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index 9e53ce60..4386bf5d 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -259,7 +259,7 @@ limitations under the License. The Traffic Light Protocol (TLP) classification that controls the sharing and distribution - of the component that the BOM describes. + of the data that the BOM describes.
@@ -399,7 +399,7 @@ limitations under the License. - The Traffic Light Protocol (TLP) classification for the component that the BOM describes. TLP is a classification + The Traffic Light Protocol (TLP) classification for the data that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. The default classification is CLEAR.
From ed5fa845d2742640418afbb675c8dfec7eaa5b39 Mon Sep 17 00:00:00 2001
From: anthonyharrison
Date: Thu, 6 Mar 2025 19:51:17 +0000
Subject: [PATCH 10/10] feat: Add support for TLP marking in metadata - correct TLP description (fixes #595)

Signed-off-by: anthonyharrison
---
 schema/bom-1.7.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 9c2e61b8..488f5315 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -514,7 +514,7 @@ message Metadata {
 repeated Lifecycles lifecycles = 9;
 // The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead.
 optional OrganizationalEntity manufacturer = 10;
- // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the component that the BOM describes.
+ // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.
 optional TlpClassification distribution = 11;
 }
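Review bot: `controls the sharing and distribution` overstates what a value in BOM metadata can do — nothing in the schema enforces it; the field is a handling label that the producer asks recipients to honour, and consumers that act on it need to read it that way. Suggest `// The Traffic Light Protocol (TLP) label under which the producer asks recipients to handle the data that the BOM describes. It is a declaration by the producer, not an access control.` The JSON and XSD descriptions added in PATCH 01 and reworded in PATCH 09 use the same `controls` phrasing.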