From e89704be79b8fdf95f36ceff60e6c02cea448013 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 6 May 2024 15:45:08 -0500 Subject: [PATCH 1/4] Support v1.6 bindings for new S&C Standards Definitions and Declarations Signed-off-by: Matt Rutkowski
---
schema/cyclonedx.go | 3 + schema/cyclonedx_declarations.go | 130 +++++++++++++++++++++++++++++++ schema/cyclonedx_definitions.go | 23 ++++++ 3 files changed, 156 insertions(+) create mode 100644 schema/cyclonedx_declarations.go create mode 100644 schema/cyclonedx_definitions.go
diff --git a/schema/cyclonedx.go b/schema/cyclonedx.go
index 6cea6d9a..b4cb2386 100644
--- a/schema/cyclonedx.go
+++ b/schema/cyclonedx.go
@@ -36,6 +36,7 @@ var EMPTY_CDXLicense = CDXLicense{}
 // v1.3: added "compositions"
 // v1.4: added "vulnerabilities", "signature"
 // v1.5: added "annotations", "formulation", "properties"
+// v1.6: added "declarations", "definitions"
 type CDXBom struct {
 BOMFormat string `json:"bomFormat,omitempty"`
 SpecVersion string `json:"specVersion,omitempty"`
@@ -52,6 +53,8 @@ type CDXBom struct {
 Annotations *[]CDXAnnotation `json:"annotations,omitempty" cdx:"+1.5"` // v1.5 added
 Formulation *[]CDXFormula `json:"formulation,omitempty" cdx:"+1.5"` // v1.5 added
 Properties *[]CDXProperty `json:"properties,omitempty" cdx:"+1.5"` // v1.5 added
+ Declarations *[]CDXDeclaration `json:"declarations,omitempty" cdx:"+1.6"` // v1.6 added
+ Definitions *[]CDXDefinition `json:"definitions,omitempty" cdx:"+1.6"` // v1.6 added
 }
 // v1.2: existed
diff --git a/schema/cyclonedx_declarations.go b/schema/cyclonedx_declarations.go
new file mode 100644
index 00000000..ac07f18e
--- /dev/null
+++ b/schema/cyclonedx_declarations.go
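Review bot: `Declarations` and `Definitions` are typed as slices (`*[]CDXDeclaration`, `*[]CDXDefinition`), but the types they point to — a container of assessor/attestation/claim/evidence lists plus a signature, and a container holding a `standards` list — read as single top-level objects rather than array elements (neither carries a `bom-ref`), and my reading of the CycloneDX 1.6 JSON schema is that both `declarations` and `definitions` are declared as objects. If that is right, `json.Unmarshal` of a real 1.6 BOM will fail with a cannot-unmarshal-object-into-slice error on these fields, so they should become `Declarations *CDXDeclaration` and `Definitions *CDXDefinition` with the same tags. Please confirm against the schema before changing. The remaining fields of CDXBom lie between the two hunks, outside what is shown here.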
@@ -0,0 +1,130 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package schema
+
+// v1.6: added "declarations"
+type CDXDeclaration struct {
+ Assessors *[]CDXAssessor `json:"assessors,omitempty" cdx:"+1.6"` // v1.6 added
+ Attestations *[]CDXAttestation `json:"attestations,omitempty" cdx:"+1.6"` // v1.6 added
+ Claims *[]CDXClaim `json:"claims,omitempty" cdx:"+1.6"` // v1.6 added
+ Evidence *[]CDXEvidence `json:"evidence,omitempty" cdx:"+1.6"` // v1.6 added
+ Targets *[]CDXOrganizationalEntity `json:"targets,omitempty" cdx:"+1.6"` // v1.6 added
+ Affirmation *CDXAffirmation `json:"affirmation,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXAssessor struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ ThirdParty bool `json:"thirdParty,omitempty" cdx:"+1.6"` // v1.6 added
+ Organization *CDXOrganizationalEntity `json:"organization,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXAttestation struct {
+ Summary string `json:"summary,omitempty" cdx:"+1.6"` // v1.6 added
+ Assessor *CDXRefType `json:"assessor,omitempty" cdx:"+1.6"` // v1.6 added
+ Map *[]CDXAttestationMap `json:"map,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXAttestationMap struct {
+ Requirement *CDXRefLinkType `json:"requirement,omitempty" cdx:"+1.6"` // v1.6 added
+ Claims *[]CDXRefLinkType `json:"claims,omitempty" cdx:"+1.6"` // v1.6 added
+ CounterClaims *[]CDXRefLinkType `json:"counterClaims,omitempty" cdx:"+1.6"` // v1.6 added
+ Conformance *CDXConformance `json:"conformance,omitempty" cdx:"+1.6"` // v1.6 added
+ Confidence *CDXConfidence `json:"confidence,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+// TODO: NOTE: overlap in fields with CDXConfidence
+type CDXConformance struct {
+ Score float64 `json:"score,omitempty" cdx:"+1.6"` // v1.6 added
+ Rationale string `json:"rationale,omitempty" cdx:"+1.6"` // v1.6 added
+ MitigationStrategies *[]CDXRefLinkType `json:"mitigationStrategies,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+// TODO: NOTE: overlap in fields with CDXConformance
+type CDXConfidence struct {
+ Score float64 `json:"score,omitempty" cdx:"+1.6"` // v1.6 added
+ Rationale string `json:"rationale,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXClaim struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ Target *[]CDXRefLinkType `json:"target,omitempty" cdx:"+1.6"` // v1.6 added
+ Predicate string `json:"predicate,omitempty" cdx:"+1.6"` // v1.6 added
+ MitigationStrategies *[]CDXRefLinkType `json:"mitigationStrategies,omitempty" cdx:"+1.6"` // v1.6 added
+ Reasoning string `json:"reasoning,omitempty" cdx:"+1.6"` // v1.6 added
+ Evidence *[]CDXRefLinkType `json:"evidence,omitempty" cdx:"+1.6"` // v1.6 added
+ CounterEvidence *[]CDXRefLinkType `json:"counterEvidence,omitempty" cdx:"+1.6"` // v1.6 added
+ ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXEvidence struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ PropertyName string `json:"propertyName,omitempty" cdx:"+1.6"` // v1.6 added
+ Description string `json:"description,omitempty" cdx:"+1.6"` // v1.6 added
+ Data *[]CDXData `json:"data,omitempty" cdx:"+1.6"` // v1.6 added
+ Created string `json:"created,omitempty" cdx:"+1.6"` // v1.6 added
+ Expires string `json:"expires,omitempty" cdx:"+1.6"` // v1.6 added
+ Author *CDXOrganizationalContact `json:"author,omitempty" cdx:"+1.6"` // v1.6 added
+ Reviewer *CDXOrganizationalContact `json:"reviewer,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+// NOTE: The "Contents" field defines a structure that is identical to the CDXContent
+// used in CDXComponentData, but does NOT have a "properties" field.
+// we will reuse it here as it does NOT impact JSON encoding/decoding
+// NOTE: The "Classification" field is actually an "enum" type in the JSON schema
+type CDXData struct {
+ Name string `json:"name,omitempty" cdx:"+1.6"` // v1.6 added
+ Contents *CDXContent `json:"contents,omitempty" cdx:"+1.6"` // v1.6 added
+ Classification string `json:"classification,omitempty" cdx:"+1.6"` // v1.6 added
+ SensitiveData *[]string `json:"sensitiveData,omitempty" cdx:"+1.6"` // v1.6 added
+ Governance *CDXGovernance `json:"governance,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXGovernance struct {
+ Custodians *[]CDXDataGovernanceResponsibleParty `json:"custodians,omitempty" cdx:"+1.6"` // v1.6 added
+ Stewards *[]CDXDataGovernanceResponsibleParty `json:"stewards,omitempty" cdx:"+1.6"` // v1.6 added
+ Owners *[]CDXDataGovernanceResponsibleParty `json:"owners,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXAffirmation struct {
+ Statement string `json:"statement,omitempty" cdx:"+1.6"` // v1.6 added
+ Signatories *[]CDXSignatory `json:"signatories,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+type CDXSignatory struct {
+ Name string `json:"name,omitempty" cdx:"+1.6"` // v1.6 added
+ Role string `json:"role,omitempty" cdx:"+1.6"` // v1.6 added
+ // TODO:
+ Signature interface{} `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+ Organization *CDXOrganizationalEntity `json:"organization,omitempty" cdx:"+1.6"` // v1.6 added
+ ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.6"` // v1.6 added
+}
diff --git a/schema/cyclonedx_definitions.go b/schema/cyclonedx_definitions.go
new file mode 100644
index 00000000..2b25dee9
--- /dev/null
+++ b/schema/cyclonedx_definitions.go
@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package schema
+
+// v1.6: added
+type CDXDefinition struct {
+ //TODO
+}
From 9d51ba2fa1d645eb50439299417d840641bf4ae6 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 6 May 2024 18:43:41 -0500 Subject: [PATCH 2/4] Finalize JSON schema struct definitions for Standards Declarations
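Review bot: `Score float64` on CDXConformance and CDXConfidence, and `ThirdParty bool` on CDXAssessor, carry `omitempty`, which for scalar types drops the zero value on encode — a conformance or confidence score of 0 and an explicit `thirdParty: false` silently disappear when a BOM is re-serialized. Because these structs sit inside objects that carry a JSFSignature, losing a field on round-trip also changes the signed content, so a document that verified on input may fail verification after this tool writes it back. Use pointer scalars, as the file already does for nested structs, so absent and zero stay distinguishable: `Score *float64` with the same tag, and `ThirdParty *bool` likewise. The signature fields themselves are only carried here, not verified, which is fine for a schema binding but worth a one-line comment on `CDXDeclaration.Signature` so nobody assumes otherwise.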
Signed-off-by: Matt Rutkowski
---
schema/cyclonedx_declarations.go | 34 ++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/schema/cyclonedx_declarations.go b/schema/cyclonedx_declarations.go
index ac07f18e..c3b75cc1 100644
--- a/schema/cyclonedx_declarations.go
+++ b/schema/cyclonedx_declarations.go
@@ -19,13 +19,13 @@ package schema
 // v1.6: added "declarations"
 type CDXDeclaration struct {
- Assessors *[]CDXAssessor `json:"assessors,omitempty" cdx:"+1.6"` // v1.6 added
- Attestations *[]CDXAttestation `json:"attestations,omitempty" cdx:"+1.6"` // v1.6 added
- Claims *[]CDXClaim `json:"claims,omitempty" cdx:"+1.6"` // v1.6 added
- Evidence *[]CDXEvidence `json:"evidence,omitempty" cdx:"+1.6"` // v1.6 added
- Targets *[]CDXOrganizationalEntity `json:"targets,omitempty" cdx:"+1.6"` // v1.6 added
- Affirmation *CDXAffirmation `json:"affirmation,omitempty" cdx:"+1.6"` // v1.6 added
- Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+ Assessors *[]CDXAssessor `json:"assessors,omitempty" cdx:"+1.6"` // v1.6 added
+ Attestations *[]CDXAttestation `json:"attestations,omitempty" cdx:"+1.6"` // v1.6 added
+ Claims *[]CDXClaim `json:"claims,omitempty" cdx:"+1.6"` // v1.6 added
+ Evidence *[]CDXEvidence `json:"evidence,omitempty" cdx:"+1.6"` // v1.6 added
+ Targets *CDXTargets `json:"targets,omitempty" cdx:"+1.6"` // v1.6 added
+ Affirmation *CDXAffirmation `json:"affirmation,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
 }
 // v1.6: added
@@ -85,7 +85,7 @@ type CDXEvidence struct {
 BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
 PropertyName string `json:"propertyName,omitempty" cdx:"+1.6"` // v1.6 added
 Description string `json:"description,omitempty" cdx:"+1.6"` // v1.6 added
- Data *[]CDXData `json:"data,omitempty" cdx:"+1.6"` // v1.6 added
+ Data *[]CDXEvidenceData `json:"data,omitempty" cdx:"+1.6"` // v1.6 added
 Created string `json:"created,omitempty" cdx:"+1.6"` // v1.6 added
 Expires string `json:"expires,omitempty" cdx:"+1.6"` // v1.6 added
 Author *CDXOrganizationalContact `json:"author,omitempty" cdx:"+1.6"` // v1.6 added
@@ -98,7 +98,7 @@ type CDXEvidence struct {
 // used in CDXComponentData, but does NOT have a "properties" field.
 // we will reuse it here as it does NOT impact JSON encoding/decoding
 // NOTE: The "Classification" field is actually an "enum" type in the JSON schema
-type CDXData struct {
+type CDXEvidenceData struct {
 Name string `json:"name,omitempty" cdx:"+1.6"` // v1.6 added
 Contents *CDXContent `json:"contents,omitempty" cdx:"+1.6"` // v1.6 added
 Classification string `json:"classification,omitempty" cdx:"+1.6"` // v1.6 added
@@ -113,18 +113,26 @@ type CDXGovernance struct {
 Owners *[]CDXDataGovernanceResponsibleParty `json:"owners,omitempty" cdx:"+1.6"` // v1.6 added
 }
+// v1.6: added
+// NOTE: Type name matches plural reference from the spec.
+type CDXTargets struct {
+ Organizations *[]CDXOrganizationalEntity `json:"organizations,omitempty" cdx:"+1.6"` // v1.6 added
+ Components *[]CDXComponent `json:"components,omitempty" cdx:"+1.6"` // v1.6 added
+ Services *[]CDXService `json:"services,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
 // v1.6: added
 type CDXAffirmation struct {
 Statement string `json:"statement,omitempty" cdx:"+1.6"` // v1.6 added
 Signatories *[]CDXSignatory `json:"signatories,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
 }
 // v1.6: added
 type CDXSignatory struct {
- Name string `json:"name,omitempty" cdx:"+1.6"` // v1.6 added
- Role string `json:"role,omitempty" cdx:"+1.6"` // v1.6 added
- // TODO:
- Signature interface{} `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+ Name string `json:"name,omitempty" cdx:"+1.6"` // v1.6 added
+ Role string `json:"role,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
 Organization *CDXOrganizationalEntity `json:"organization,omitempty" cdx:"+1.6"` // v1.6 added
 ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.6"` // v1.6 added
 }
From 4124b14294a6fcbcdf47c13b9329757495d5dc79 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 6 May 2024 19:00:09 -0500 Subject: [PATCH 3/4] Finalize JSON schema struct definitions for Standards Defintions Signed-off-by: Matt Rutkowski
---
schema/cyclonedx_definitions.go | 37 ++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/schema/cyclonedx_definitions.go b/schema/cyclonedx_definitions.go
index 2b25dee9..e9d51505 100644
--- a/schema/cyclonedx_definitions.go
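Review bot: CDXSignatory now accepts any combination of `Signature`, `Organization` and `ExternalReferences`, all optional, so a signatory with none of them — no signature and no identifiable organization — decodes without complaint and an affirmation can carry signatories that attest nothing. My reading of the 1.6 schema is that a signatory must have either a `signature` or an `organization` together with `externalReferences` (a `oneOf`), which a plain struct cannot express; unless the JSON-schema validation pass is relied on for this, the constraint should at least be stated on the type: `// NOTE: the schema requires either Signature, or Organization plus ExternalReferences (oneOf); not enforced by this type — confirm against the spec.` The same remark applies to the new `CDXAffirmation.Signature`: it is carried, not verified, and a comment saying so would prevent callers treating its presence as proof.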
+++ b/schema/cyclonedx_definitions.go 
@@ -19,5 +19,40 @@ package schema
 // v1.6: added
 type CDXDefinition struct {
- //TODO
+ Standards *[]CDXStandard `json:"standards,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+// v1.6: added
+// NOTE: The "Owner" field SHOULD be a CDXOrganizationalEntity OR CDXOrganizationalContact
+// We have structures that already support this concept!!!
+type CDXStandard struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ Name string `json:"name,omitempty" cdx:"+1.6"` // v1.6 added
+ Version string `json:"version,omitempty" cdx:"+1.6"` // v1.6 added
+ Description string `json:"description,omitempty" cdx:"+1.6"` // v1.6 added
+ Owner string `json:"owner,omitempty" cdx:"+1.6"` // v1.6 added
+ Requirements *[]CDXRequirement `json:"requirements,omitempty" cdx:"+1.6"` // v1.6 added
+ Levels *[]CDXLevel `json:"levels,omitempty" cdx:"+1.6"` // v1.6 added
+ ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.6"` // v1.6 added
+ Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+type CDXRequirement struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ Identifier string `json:"identifier,omitempty" cdx:"+1.6"` // v1.6 added
+ Title string `json:"title,omitempty" cdx:"+1.6"` // v1.6 added
+ Text string `json:"text,omitempty" cdx:"+1.6"` // v1.6 added
+ Descriptions *[]string `json:"descriptions,omitempty" cdx:"+1.6"` // v1.6 added
+ OpenCre *[]string `json:"openCre,omitempty" cdx:"+1.6"` // v1.6 added
+ Parent *CDXRefLinkType `json:"parent,omitempty" cdx:"+1.6"` // v1.6 added
+ Properties *[]CDXProperty `json:"properties,omitempty" cdx:"+1.6"` // v1.6 added
+ ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.6"` // v1.6 added
+}
+
+type CDXLevel struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
+ Identifier string `json:"identifier,omitempty" cdx:"+1.6"` // v1.6 added
+ Title string `json:"title,omitempty" cdx:"+1.6"` // v1.6 added
+ Description string `json:"description,omitempty" cdx:"+1.6"` // v1.6 added
+ Requirements *[]CDXRefLinkType `json:"requirements,omitempty" cdx:"+1.6"` // v1.6 added
 }
From 2142f8f50ff6c741c0cf17112b0c1e63dd52e430 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 7 May 2024 08:31:48 -0500 Subject: [PATCH 4/4] Finalize JSON schema struct definitions for Standards Defintions Signed-off-by: Matt Rutkowski
---
schema/cyclonedx_definitions.go | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/schema/cyclonedx_definitions.go b/schema/cyclonedx_definitions.go
index e9d51505..bf9e2351 100644
--- a/schema/cyclonedx_definitions.go
+++ b/schema/cyclonedx_definitions.go
@@ -37,6 +37,7 @@ type CDXStandard struct {
 Signature *JSFSignature `json:"signature,omitempty" cdx:"+1.6"` // v1.6 added
 }
+// v1.6: added
 type CDXRequirement struct {
 BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
 Identifier string `json:"identifier,omitempty" cdx:"+1.6"` // v1.6 added
@@ -49,6 +50,7 @@ type CDXRequirement struct {
 ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.6"` // v1.6 added
 }
+// v1.6: added
 type CDXLevel struct {
 BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.6"` // v1.6 added
 Identifier string `json:"identifier,omitempty" cdx:"+1.6"` // v1.6 added
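Review bot: The header comment on CDXStandard says `Owner` SHOULD be a CDXOrganizationalEntity or CDXOrganizationalContact, yet the field is declared `Owner string`, so the comment contradicts the code and reads as an unresolved design question rather than documentation. As far as I recall the 1.6 schema defines `standard.owner` as a plain string, in which case the type is right and the comment should say so, e.g. `// NOTE: "owner" is free-text in the schema, not an organizational entity or contact.`; if the schema instead models it as an object, the field type must change or unmarshal will fail on real documents. Either way the `!!!` remark should be resolved before merge. `CDXRequirement.Parent` and `CDXLevel.Requirements` are ref-links into the same standard; nothing here checks they resolve, which is expected for a binding but worth a comment pointing at where dangling refs are validated, if anywhere.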