[1.7] - Updates from CBOM working group #657
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Steve Springett <[email protected]>
- Adds a few more algorithm - Converts urls to standards to doi links, where available. - Checks if urls work Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
- Adds a few more algorithm - Converts urls to standards to doi links, where available. - Checks if urls work ---- TODO / progress - [x] JSON schema - [ ] XML schema - [ ] ProtoBugf schema <!-- Thank you for taking the time to develop and contribute a core enhancement or fix for a defect! We kindly request that you create pull requests only for things that have been discussed in a ticket first; exceptions may be made for spelling or grammar fixes. Read more about the process here: https://cyclonedx.org/participate/standardization-process/#working-model Please have the related ticket/issue ID ready. If there is none, feel free to create a new ticket: https://github.com/CycloneDX/specification/issues/new/choose --> <!-- Please provide a brief description of what this pull request intends to do and which ticket it fixes/closes. Example: > As discussed in ticket #485, this PR adds Streebog to the hash algorithm enum. > > fixes #485 In case this is for a spelling or grammar improvement, please provide a brief description. Example: > Fixe typo: color(AE) -> colour(BE) -->
Signed-off-by: Basil Hess <[email protected]>
- Changes schma for crypto-defs to allow different variant patterns corresponding to different primitives - Adds "key-wrap" as a new primitive Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
- Extends cryptography-defs.json list with algorithms from PKCS11 - Changes schma for crypto-defs to allow different variant patterns corresponding to different primitives - Adds "key-wrap" as a new primitive
Signed-off-by: Nicklas Körtge <[email protected]>
{placeholder} -> required parameter with placeholder
(option1|option2) -> required parameter with fixed alternatives
[parameter] -> optional parameter
[-{placeholder}] -> optional paremeter with literal separator
Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
…phy-defs.schema.json
This PR will add a python script that can be used to generate an enum-object for the cyclonedx json schema that reflects algorithm families defined in `cryptography-defs.json`.
The following rules apply for the patterns:
{placeholder} -> required parameter with placeholder
(option1|option2) -> required parameter with fixed alternatives
[parameter] -> optional parameter
[-{placeholder}] -> optional parameter with literal separator
<!--
Thank you for taking the time to develop and contribute a core
enhancement or fix for a defect!
We kindly request that you create pull requests only for things that
have been discussed in a ticket first; exceptions may be made for
spelling or grammar fixes.
Read more about the process here:
https://cyclonedx.org/participate/standardization-process/#working-model
Please have the related ticket/issue ID ready.
If there is none, feel free to create a new ticket:
https://github.com/CycloneDX/specification/issues/new/choose
-->
<!--
Please provide a brief description of what this pull request intends to
do and which ticket it fixes/closes.
Example:
> As discussed in ticket #485, this PR adds Streebog to the hash
algorithm enum.
>
> fixes #485
In case this is for a spelling or grammar improvement, please provide a
brief description.
Example:
> Fixe typo: color(AE) -> colour(BE)
-->
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Nicklas Körtge <[email protected]>
Signed-off-by: Nicklas Körtge <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
force-pushed
the
1.7-dev-cryptography
branch
from
6ed75da to
b9423d7
Compare
Background: Some people from the community approached me last year, and they complained about unexpected breaking changes in the CycloneDX PB schema - which basically rendered all their efforts for interoperability useless. |
|
@stevespringett , what do you think about #677 ? this will remove any breaking changes in the PB implementations. |
Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
requested changes
Sep 3, 2025
There was a problem hiding this comment.
remove the word "optional" where possible. the information which fields are optional are clearly visible in the schema.
see #649 (comment) and #616 (comment)
Co-authored-by: Jan Kowalleck <[email protected]> Signed-off-by: Steve Springett <[email protected]>
Co-authored-by: Jan Kowalleck <[email protected]> Signed-off-by: Steve Springett <[email protected]>
Co-authored-by: Jan Kowalleck <[email protected]> Signed-off-by: Steve Springett <[email protected]>
Iteration over the crypto definitions, extending the list with more algorithms. No changes to the schema. <!-- Thank you for taking the time to develop and contribute a core enhancement or fix for a defect! We kindly request that you create pull requests only for things that have been discussed in a ticket first; exceptions may be made for spelling or grammar fixes. Read more about the process here: https://cyclonedx.org/participate/standardization-process/#working-model Please have the related ticket/issue ID ready. If there is none, feel free to create a new ticket: https://github.com/CycloneDX/specification/issues/new/choose --> <!-- Please provide a brief description of what this pull request intends to do and which ticket it fixes/closes. Example: > As discussed in ticket #485, this PR adds Streebog to the hash algorithm enum. > > fixes #485 In case this is for a spelling or grammar improvement, please provide a brief description. Example: > Fixe typo: color(AE) -> colour(BE) -->
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
… for ProtoBuf (#677) removed breaking changes in Protocol Buffer schema regarding CBOM changes caused by #657 (comment)
jkowalleck
changed the title
jkowalleck
approved these changes
Sep 7, 2025
Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
approved these changes
Sep 7, 2025
This was referenced Sep 7, 2025
Open
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The cryptography working group has received feedback from real-world usage and have made enhancements to the CBOM specificaiton:
CryptoProperties.AlgorithmProperties.CryptoPrimitivegot a new case "key-wrap".CryptoProperties.AlgorithmProperties.algorithmFamilyCryptoProperties.AlgorithmProperties.ellipticCurveCryptoProperties.AlgorithmProperties.curveCryptoProperties.CertificateProperties.serialNumberCryptoProperties.CertificateProperties.certificateFileExtensionCryptoProperties.CertificateProperties.certificateExtensionCryptoProperties.CertificateProperties.signatureAlgorithmRefCryptoProperties.CertificateProperties.subjectPublicKeyRefCryptoProperties.CertificateProperties.fingerprintCryptoProperties.CertificateProperties.certificateStateCryptoProperties.CertificateProperties.creationDateCryptoProperties.CertificateProperties.activationDateCryptoProperties.CertificateProperties.deactivationDateCryptoProperties.CertificateProperties.revocationDateCryptoProperties.CertificateProperties.destructionDateCryptoProperties.CertificateProperties.certificateExtensionsCryptoProperties.CertificateProperties.relatedCryptographicAssetsCryptoProperties.RelatedCryptoMaterialProperties.algorithmRefCryptoProperties.RelatedCryptoMaterialProperties.fingerprintCryptoProperties.RelatedCryptoMaterialProperties.relatedCryptographicAssetsCryptoProperties.ProtocolProperties.CryptoProtocolTypegot new cases:DTLS,QUIC,AKA,AKA_PRIME,PRINS,5G_AKACryptoProperties.ProtocolProperties.CryptoProtocolCipherSuite.tlsGroupsCryptoProperties.ProtocolProperties.CryptoProtocolCipherSuite.tlsSignatureSchemesCryptoProperties.CertificateProperties.relatedCryptographicAssetsCloses #569
RFC notice sent 2025-07-26
This RFC will be open for 4 weeks. At the end of the RFC period the CycloneDX community will vote, by lazy consensus, to accept or reject the proposal.
RFC period end: 2025-08-23
TODO/DONE