
Conversation

ppkarwasz
Contributor

@ppkarwasz ppkarwasz commented May 5, 2025

Adds a new type to reference a TEA Collection object. A Transparency Exchange API Collection for the most part is a replacement of the externalReferences object, but provides a versioned and modifiable view of all security-related documents for a given CycloneDX Component.

The easiest way to integrate a TEA Collection into CycloneDX is to introduce a new type of externalReference that points:

Closes #633

Note: This PR is a draft until beta1 of the Transparency Exchange API is published.

Adds a new type to reference a [TEA Collection object](https://github.com/CycloneDX/transparency-exchange-api/blob/main/tea-collection/tea-collection.md).

A Transparency Exchange API Collection for the most part is a replacement of the `externalReferences` object, but provides a **versioned** and modifiable view of all security-related documents for a given CycloneDX Component.

Signed-off-by: Piotr P. Karwasz <[email protected]>
@oej

oej commented May 5, 2025

Why not a TEI?

@ppkarwasz
Contributor Author

> Why not a TEI?

Using the TEI doesn't seem very practical in this context:

  • If we provide the URL to the (latest) TEA Collection (https://example.com/tea/v1/release/3f92c28c-13c9-4e32-8d5b-5f8ae77ef265/collection) only one TEA API call is required to see all documents.
  • If we provide the URL to the TEA Component Release (https://example.com/tea/v1/release/3f92c28c-13c9-4e32-8d5b-5f8ae77ef265) a client can easily retrieve the TEA Collection by appending /collection.
  • If we use the TEI some complex logic must be used to find the right TEA Collection object, since a client will need to find:
    1. The appropriate TEA Component. For a software package this can be done by comparing PURLs, for a hardware device I don't know.
    2. The appropriate TEA Component Release. Again, it is not very clear how to find the appropriate one.

Certainly using TEI would be more stable if the URL of the TEA Service changes, but the logic to implement its usage seems quite complex.
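The two resolution paths described in the comment above (a direct release or collection URL versus locating the right TEA Component by PURL), as an added example in Python. This is not code from the PR or from the CycloneDX or TEA projects: the `/release/<uuid>[/collection]` path layout is taken from the URLs quoted above and otherwise assumed, the PURL canonicalisation is a simplified subset of the package-url rules (type lower-cased, a few types with case-insensitive names, qualifiers sorted and empty ones dropped, subpath ignored), the sample CycloneDX component is constructed, and rejecting plaintext `http://` references is a client policy choice, not something the PR specifies. The reference type name is left unchecked because the PR has not fixed it.

```python
"""Resolve a TEA Collection for a CycloneDX component (illustrative only)."""
from __future__ import annotations

import re
from urllib.parse import unquote, urlsplit

# Assumed path layout, modelled on the URLs quoted in the discussion:
#   .../release/<uuid>              -> TEA Component Release
#   .../release/<uuid>/collection   -> TEA Collection
_RELEASE_PATH = re.compile(
    r"^(?P<base>.*/release/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"(?:/collection)?/?$",
    re.IGNORECASE,
)


def collection_url(url: str) -> str | None:
    """Map a TEA release URL or collection URL to the collection URL.

    Returns None for anything else. Plaintext http:// is refused on purpose:
    the collection enumerates security documents for the component.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return None
    match = _RELEASE_PATH.match(parts.path)
    if match is None:
        return None
    return f"https://{parts.netloc}{match.group('base')}/collection"


# Types whose names the purl spec treats as case-insensitive (subset, assumed).
_LOWERCASE_NAME_TYPES = {"bitbucket", "github", "npm", "pypi"}


def normalize_purl(purl: str) -> str:
    """Canonicalise a package URL for equality comparison (simplified subset)."""
    scheme, sep, rest = purl.partition(":")
    if scheme.lower() != "pkg" or not sep:
        raise ValueError(f"not a package URL: {purl!r}")
    rest = rest.lstrip("/")
    rest, _, _subpath = rest.partition("#")      # subpath does not identify the package
    rest, _, qualifiers = rest.partition("?")
    type_, _, rest = rest.partition("/")
    type_ = type_.lower()
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)      # version follows the last '@'
    else:
        version = ""
    namespace, _, name = rest.rpartition("/")
    segments = [unquote(s) for s in namespace.split("/") if s]
    name = unquote(name)
    if type_ in _LOWERCASE_NAME_TYPES:
        segments = [s.lower() for s in segments]
        name = name.lower()
    if type_ == "pypi":
        name = name.replace("_", "-")            # pypi treats '_' and '-' alike
    quals: dict[str, str] = {}
    for pair in qualifiers.split("&") if qualifiers else []:
        key, _, value = pair.partition("=")
        if key and value:                         # empty values carry no information
            quals[key.lower()] = unquote(value)
    out = f"pkg:{type_}/" + "/".join(segments + [name])
    if version:
        out += "@" + unquote(version)
    if quals:
        out += "?" + "&".join(f"{k}={v}" for k, v in sorted(quals.items()))
    return out


def same_package(purl_a: str, purl_b: str) -> bool:
    """The PURL comparison a TEI-based client would need to pick the TEA Component."""
    return normalize_purl(purl_a) == normalize_purl(purl_b)


def find_tea_collection(component: dict) -> str | None:
    """Return the first TEA Collection URL reachable from externalReferences.

    Only the URL shape is checked; the new externalReference type name is not
    yet fixed by the PR, so this does not filter on 'type'.
    """
    for ref in component.get("externalReferences", []):
        url = collection_url(ref.get("url", ""))
        if url:
            return url
    return None


# Constructed CycloneDX component for demonstration; not taken from the PR.
SAMPLE_COMPONENT = {
    "type": "library",
    "name": "log4j-core",
    "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.24.3?type=jar",
    "externalReferences": [
        {"type": "website", "url": "https://logging.apache.org/log4j/"},
        # plaintext reference: skipped by collection_url()
        {"type": "other", "url": "http://example.com/tea/v1/release/3f92c28c-13c9-4e32-8d5b-5f8ae77ef265"},
        {"type": "other", "url": "https://example.com/tea/v1/release/3f92c28c-13c9-4e32-8d5b-5f8ae77ef265"},
    ],
}

if __name__ == "__main__":
    print(find_tea_collection(SAMPLE_COMPONENT))
```

The direct path needs only string handling on a URL the BOM already carries, whereas the TEI path needs a canonical PURL comparison before any TEA call can be made; the normaliser here is deliberately partial, and a production client should use a full purl library rather than this subset.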

@stevespringett
Member

Do we have a final decision on if this should be a TEI or TEA collection? Is it too early to include in CycloneDX v1.7?

@ppkarwasz
Contributor Author

Yes, I think we can postpone this PR until we smooth out some details about the TEI.

@stevespringett stevespringett modified the milestones: 1.7, 2.0 Aug 15, 2025
Successfully merging this pull request may close these issues.

[FEATURE]: Reference Transparency Exchange API Collection