Closed chmeliik closed 1 year ago
Why have it a taxonomy, what about adding this as a feature of the standard? Would you open issue here? https://github.com/CycloneDX/specification
That's a good point :+1:
Opened https://github.com/CycloneDX/specification/issues/262
Motivation
As a CycloneDX consumer, I would like the ability to validate whether all the components declared their expected cryptographic checksum. In SLSA v0.1, for example, checksums are recommended for hermetic builds (all dependencies must be declared with immutable references).
CycloneDX components have the `hashes` attribute. However, an empty `hashes` array does not necessarily mean that the component is missing a checksum - perhaps the component cannot have, and does not need, a checksum. For example:

- A Go project can be split into multiple modules which can depend on each other. Such a dependency is expressed via local replacements: `replace my.org/my-project/api => ./api`. A locally replaced module will not have a checksum in `go.sum`, nor should it need one (it is version-controlled along with the module which depends on it).
- Many package managers allow the user to depend directly on a git repository. Such dependencies also do not have checksums; they instead rely on the commit hash for integrity.
Proposal
Would you be open to adding a `cdx` namespace for security considerations such as this one? Perhaps a `cdx:security:missing-checksum` "boolean" property? Semantics would be along the lines of: "`true` if the component could have declared the expected cryptographic checksum but didn't".
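Added example (not code from the issue or from the CycloneDX project) showing both sides of the proposed property: a producer that sets `cdx:security:missing-checksum` on components without hashes, exempting ones it knows legitimately lack a checksum (the locally replaced Go module from the issue), and a consumer that reads it back. The BOM, purls, and the exemption set are constructed for the example; the hash content is a placeholder.

```python
import copy

PROP = "cdx:security:missing-checksum"  # property name proposed in the issue

# Constructed sample BOM (not a real project); hash content is a placeholder.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"type": "library", "name": "api",  # local replacement, no go.sum entry
         "purl": "pkg:golang/my.org/my-project/api", "hashes": []},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},  # registry package, hash omitted
    ],
}
# Producer-side knowledge: components that cannot and need not have a checksum.
EXEMPT_PURLS = {"pkg:golang/my.org/my-project/api"}


def _get_prop(component, name):
    for p in component.get("properties", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def annotate(bom, exempt_purls):
    """Producer side: return a copy of the BOM where every component without
    hashes carries the property ('false' if exempt, otherwise 'true')."""
    bom = copy.deepcopy(bom)
    for c in bom.get("components", []):
        if c.get("hashes"):
            continue  # checksum declared, nothing to flag
        props = [p for p in c.get("properties", []) if p.get("name") != PROP]
        value = "false" if c.get("purl") in exempt_purls else "true"
        props.append({"name": PROP, "value": value})
        c["properties"] = props
    return bom


def validate(bom):
    """Consumer side: return (missing, unknown) purls. 'missing' = property is
    'true'; 'unknown' = no hashes and no property, so it cannot be classified."""
    missing, unknown = [], []
    for c in bom.get("components", []):
        if c.get("hashes"):
            continue
        ident = c.get("purl") or c.get("name")
        value = _get_prop(c, PROP)
        if value == "true":
            missing.append(ident)
        elif value is None:
            unknown.append(ident)
    return missing, unknown
```

Run `validate` on the raw BOM and both hash-less components land in `unknown`; after `annotate`, only the npm package is reported as `missing`.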