From bd15afd87044d9656c5efccd9e9b4c7a832aa0a9 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 7 May 2024 08:45:36 -0500 Subject: [PATCH] Support v1.6 bindings for new S&C standards Attestations (#86) * Support v1.6 bindings for new S&C Standards Definitions and Declarations Signed-off-by: Matt Rutkowski * Finalize JSON schema struct definitions for Standards Declarations Signed-off-by: Matt Rutkowski * Finalize JSON schema struct definitions for Standards Defintions Signed-off-by: Matt Rutkowski * Finalize JSON schema struct definitions for Standards Defintions Signed-off-by: Matt Rutkowski --------- Signed-off-by: Matt Rutkowski --- schema/cyclonedx.go | 3 + schema/cyclonedx_declarations.go | 138 +++++++++++++++++++++++++++++++ schema/cyclonedx_definitions.go | 60 ++++++++++++++ 3 files changed, 201 insertions(+) create mode 100644 schema/cyclonedx_declarations.go create mode 100644 schema/cyclonedx_definitions.go
diff --git a/schema/cyclonedx.go b/schema/cyclonedx.go
index 6cea6d9a..b4cb2386 100644
--- a/schema/cyclonedx.go
+++ b/schema/cyclonedx.go
@@ -36,6 +36,7 @@ var EMPTY_CDXLicense = CDXLicense{}
 // v1.3: added "compositions"
 // v1.4: added "vulnerabilities", "signature"
 // v1.5: added "annotations", "formulation", "properties"
+// v1.6: added "declarations", "definitions"
 type CDXBom struct {
 BOMFormat string `json:"bomFormat,omitempty"`
 SpecVersion string `json:"specVersion,omitempty"`
@@ -52,6 +53,8 @@ type CDXBom struct {
 Annotations *[]CDXAnnotation `json:"annotations,omitempty" cdx:"+1.5"` // v1.5 added
 Formulation *[]CDXFormula `json:"formulation,omitempty" cdx:"+1.5"` // v1.5 added
 Properties *[]CDXProperty `json:"properties,omitempty" cdx:"+1.5"` // v1.5 added
+ Declarations *[]CDXDeclaration `json:"declarations,omitempty" cdx:"+1.6"` // v1.6 added
+ Definitions *[]CDXDefinition `json:"definitions,omitempty" cdx:"+1.6"` // v1.6 added
 }
 
 // v1.2: existed
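Review bot: `Declarations *[]CDXDeclaration` and `Definitions *[]CDXDefinition` in the second hunk (`@@ -52,6 +53,8 @@`) type both members as arrays, while the structs they point to read as single objects: CDXDeclaration holds the assessors/attestations/claims collections plus a singular `Affirmation` and `Targets`, and CDXDefinition is only a wrapper around a `standards` array. If the 1.6 JSON schema defines `declarations` and `definitions` as objects, which that shape suggests, decoding a conforming document produces an UnmarshalTypeError on these two fields, and because encoding/json keeps filling the other fields and reports the error only at the end, a caller that does not check the error ends up with a BOM whose attestation data is silently absent. I would change the two lines to `Declarations *CDXDeclaration \`json:"declarations,omitempty" cdx:"+1.6"\` // v1.6 added` and `Definitions *CDXDefinition \`json:"definitions,omitempty" cdx:"+1.6"\` // v1.6 added` and cover them with a round-trip test on a 1.6 sample that populates both. The first hunk only extends the version comment and needs nothing.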
diff --git a/schema/cyclonedx_declarations.go b/schema/cyclonedx_declarations.go
new file mode 100644
index 00000000..c3b75cc1
--- /dev/null
+++ b/schema/cyclonedx_declarations.go
@@ -0,0 +1,138 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package schema
+
+// v1.6: added "declarations"
+type CDXDeclaration struct {
+ Assessors *[]CDXAssessor `json:"assessors,omitempty" cdx:"+1.6"` // v1.6 added
+ Attestations *[]CDXAttestation `json:"attestations,omitempty" cdx:"+1.6"` // v1.6 added
+ Claims *[]CDXClaim `json:"claims,omitempty" cdx:"+1.6"` // v1.6 added
+ Evidence *[]CDXEvidence `json:"evidence,omitempty" cdx:"+1.6"` // v1.6 added
+ Targets *CDXTargets `json:"targets,omitempty" cdx:"+1.6"` // v1.6 added
+ Affirmation *CDXAffirmation `json:"affirmation,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXAssessor struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ ThirdParty bool `json:"thirdParty,omitempty" cdx:"+1.6"` // v1.6 added
+ Organization *CDXOrganizationalEntity `json:"organization,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXAttestation struct {
+ Summary string `json:"summary,omitempty" cdx:"+1.6"` // v1.6 added
+ Assessor *CDXRefType `json:"assessor,omitempty" cdx:"+1.6"` // v1.6 added
+ Map *[]CDXAttestationMap `json:"map,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXAttestationMap struct {
+ Requirement *CDXRefLinkType `json:"requirement,omitempty" cdx:"+1.6"` // v1.6 added
+ Claims *[]CDXRefLinkType `json:"claims,omitempty" cdx:"+1.6"` // v1.6 added
+ CounterClaims *[]CDXRefLinkType `json:"counterClaims,omitempty" cdx:"+1.6"` // v1.6 added
+ Conformance *CDXConformance `json:"conformance,omitempty" cdx:"+1.6"` // v1.6 added
+ Confidence *CDXConfidence `json:"confidence,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+// TODO: NOTE: overlap in fields with CDXConfidence
+type CDXConformance struct {
+ Score float64 `json:"score,omitempty" cdx:"+1.6"` // v1.6 added
+ Rationale string `json:"rationale,omitempty" cdx:"+1.6"` // v1.6 added
+ MitigationStrategies *[]CDXRefLinkType `json:"mitigationStrategies,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+// TODO: NOTE: overlap in fields with CDXConformance
+type CDXConfidence struct {
+ Score float64 `json:"score,omitempty" cdx:"+1.6"` // v1.6 added
+ Rationale string `json:"rationale,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXClaim struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ Target *[]CDXRefLinkType `json:"target,omitempty" cdx:"+1.6"` // v1.6 added
+ Predicate string `json:"predicate,omitempty" cdx:"+1.6"` // v1.6 added
+ MitigationStrategies *[]CDXRefLinkType `json:"mitigationStrategies,omitempty" cdx:"+1.6"` // v1.6 added
+ Reasoning string `json:"reasoning,omitempty" cdx:"+1.6"` // v1.6 added
+ Evidence *[]CDXRefLinkType `json:"evidence,omitempty" cdx:"+1.6"` // v1.6 added
+ CounterEvidence *[]CDXRefLinkType `json:"counterEvidence,omitempty" cdx:"+1.6"` // v1.6 added
+ ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXEvidence struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ PropertyName string `json:"propertyName,omitempty" cdx:"+1.6"` // v1.6 added
+ Description string `json:"description,omitempty" cdx:"+1.6"` // v1.6 added
+ Data *[]CDXEvidenceData `json:"data,omitempty" cdx:"+1.6"` // v1.6 added
+ Created string `json:"created,omitempty" cdx:"+1.6"` // v1.6 added
+ Expires string `json:"expires,omitempty" cdx:"+1.6"` // v1.6 added
+ Author *CDXOrganizationalContact `json:"author,omitempty" cdx:"+1.6"` // v1.6 added
+ Reviewer *CDXOrganizationalContact `json:"reviewer,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+// NOTE: The "Contents" field defines a structure that is identical to the CDXContent
+// used in CDXComponentData, but does NOT have a "properties" field.
+// we will reuse it here as it does NOT impact JSON encoding/decoding
+// NOTE: The "Classification" field is actually an "enum" type in the JSON schema
+type CDXEvidenceData struct {
+ Name string `json:"name,omitempty" cdx:"+1.6"` // v1.6 added
+ Contents *CDXContent `json:"contents,omitempty" cdx:"+1.6"` // v1.6 added
+ Classification string `json:"classification,omitempty" cdx:"+1.6"` // v1.6 added
+ SensitiveData *[]string `json:"sensitiveData,omitempty" cdx:"+1.6"` // v1.6 added
+ Governance *CDXGovernance `json:"governance,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXGovernance struct {
+ Custodians *[]CDXDataGovernanceResponsibleParty `json:"custodians,omitempty" cdx:"+1.6"` // v1.6 added
+ Stewards *[]CDXDataGovernanceResponsibleParty `json:"stewards,omitempty" cdx:"+1.6"` // v1.6 added
+ Owners *[]CDXDataGovernanceResponsibleParty `json:"owners,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+// NOTE: Type name matches plural reference from the spec.
+type CDXTargets struct {
+ Organizations *[]CDXOrganizationalEntity `json:"organizations,omitempty" cdx:"+1.6"` // v1.6 added
+ Components *[]CDXComponent `json:"components,omitempty" cdx:"+1.6"` // v1.6 added
+ Services *[]CDXService `json:"services,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXAffirmation struct {
+ Statement string `json:"statement,omitempty" cdx:"+1.6"` // v1.6 added
+ Signatories *[]CDXSignatory `json:"signatories,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXSignatory struct {
+ Name string `json:"name,omitempty" cdx:"+1.6"` // v1.6 added
+ Role string `json:"role,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+ Organization *CDXOrganizationalEntity `json:"organization,omitempty" cdx:"+1.6"` // v1.6 added
+ ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.6"` // v1.6 added
+}
diff --git a/schema/cyclonedx_definitions.go b/schema/cyclonedx_definitions.go
new file mode 100644
index 00000000..bf9e2351
--- /dev/null
+++ b/schema/cyclonedx_definitions.go
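Review bot: `Score float64` with `omitempty` in CDXConformance and CDXConfidence, and `ThirdParty bool` with `omitempty` in CDXAssessor, are dropped by encoding/json whenever they hold the zero value, so re-emitting a decoded declaration loses an explicit `score: 0` or `thirdParty: false` and the output no longer states what the input asserted about the assessment. Every optional nested struct and slice in this file is already a pointer, so the pointer form fits the established pattern: `Score *float64 \`json:"score,omitempty" cdx:"+1.6"\` // v1.6 added` and `ThirdParty *bool \`json:"thirdParty,omitempty" cdx:"+1.6"\` // v1.6 added`. Whether a score of 0 is schema-valid I cannot confirm from the hunk; if it is, the distinction matters to anyone relying on this tool to carry conformance and confidence claims through a read/modify/write cycle intact. The two `TODO: NOTE: overlap in fields` comments would also be more useful if they said what the intended resolution is (embed one struct in the other, or keep them separate deliberately), since as written they read as an open question.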
@@ -0,0 +1,60 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package schema
+
+// v1.6: added
+type CDXDefinition struct {
+ Standards *[]CDXStandard `json:"standards,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+// NOTE: The "Owner" field SHOULD be a CDXOrganizationalEntity OR CDXOrganizationalContact
+// We have structures that already support this concept!!!
+type CDXStandard struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ Name string `json:"name,omitempty" cdx:"+1.6"` // v1.6 added
+ Version string `json:"version,omitempty" cdx:"+1.6"` // v1.6 added
+ Description string `json:"description,omitempty" cdx:"+1.6"` // v1.6 added
+ Owner string `json:"owner,omitempty" cdx:"+1.6"` // v1.6 added
+ Requirements *[]CDXRequirement `json:"requirements,omitempty" cdx:"+1.6"` // v1.6 added
+ Levels *[]CDXLevel `json:"levels,omitempty" cdx:"+1.6"` // v1.6 added
+ ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXRequirement struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ Identifier string `json:"identifier,omitempty" cdx:"+1.6"` // v1.6 added
+ Title string `json:"title,omitempty" cdx:"+1.6"` // v1.6 added
+ Text string `json:"text,omitempty" cdx:"+1.6"` // v1.6 added
+ Descriptions *[]string `json:"descriptions,omitempty" cdx:"+1.6"` // v1.6 added
+ OpenCre *[]string `json:"openCre,omitempty" cdx:"+1.6"` // v1.6 added
+ Parent *CDXRefLinkType `json:"parent,omitempty" cdx:"+1.6"` // v1.6 added
+ Properties *[]CDXProperty `json:"properties,omitempty" cdx:"+1.6"` // v1.6 added
+ ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXLevel struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ Identifier string `json:"identifier,omitempty" cdx:"+1.6"` // v1.6 added
+ Title string `json:"title,omitempty" cdx:"+1.6"` // v1.6 added
+ Description string `json:"description,omitempty" cdx:"+1.6"` // v1.6 added
+ Requirements *[]CDXRefLinkType `json:"requirements,omitempty" cdx:"+1.6"` // v1.6 added
+}
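Review bot: The NOTE above CDXStandard says `Owner` SHOULD be a CDXOrganizationalEntity or CDXOrganizationalContact, but the field declared directly beneath it is `Owner string`, so a later reader cannot tell whether the string is a deliberate match to the schema or an unfinished substitution. If the 1.6 schema does type `owner` as a plain string (the `string` field suggests the author checked this), I would replace the two-line note with one that records the decision, e.g. `// NOTE: the 1.6 schema types "owner" as a plain string; CDXOrganizationalEntity/CDXOrganizationalContact cannot be substituted without changing the wire format.` The exclamation marks in `We have structures that already support this concept!!!` also sit oddly against the register of every other comment in the file.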