CycloneDX / cyclonedx-property-taxonomy

A taxonomy of all official CycloneDX property namespaces and names
https://cyclonedx.github.io/cyclonedx-property-taxonomy/
Apache License 2.0

[PROPOSAL] `cdx` namespace property to indicate a missing checksum #66

Closed chmeliik closed 1 year ago

chmeliik commented 1 year ago

Motivation

As a CycloneDX consumer, I would like the ability to validate whether all the components declared their expected cryptographic checksum. In SLSA v0.1, for example, checksums are recommended for hermetic builds (all dependencies must be declared with immutable references).

CycloneDX components have the hashes attribute. However, an empty hashes array does not necessarily mean that the component is missing a checksum - perhaps the component cannot have, and does not need, a checksum.

For example:

- A Go project can be split into multiple modules which can depend on each other. Such a dependency is expressed via local replacements: `replace my.org/my-project/api => ./api`. A locally replaced module will not have a checksum in `go.sum`, nor should it need one (it is version-controlled along with the module which depends on it).
- Many package managers allow the user to depend directly on a git repository. Such dependencies also do not have checksums; they instead rely on the commit hash for integrity.

Proposal

Would you be open to adding a cdx namespace for security considerations such as this one?

Perhaps a `cdx:security:missing-checksum` "boolean" property? Semantics would be along the lines of: "true if the component could have declared the expected cryptographic checksum but didn't".
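
The consumer-side check the proposal is about, as an added example that is not code from the CycloneDX project or from this issue's author: it walks a CycloneDX JSON BOM and sorts every component into "checksum declared", "no checksum applies", "checksum missing" or "unknown", using the property name exactly as proposed above (`cdx:security:missing-checksum`, which the taxonomy never adopted). The sample BOM, its component names, purls and the hash value are constructed for the example; the Go local-replacement and git-commit components mirror the two cases the proposal describes.

```python
"""Audit a CycloneDX JSON BOM for components without a declared checksum.

Added example, not CycloneDX project code. It interprets the property
proposed in this issue: "true" means the component could have declared the
expected cryptographic checksum but did not; "false" means no checksum
applies. An empty `hashes` array with no property is reported as unknown,
which is exactly the ambiguity the proposal wants to remove.
"""
import json

# Property name as proposed in the issue (assumption: not an adopted taxonomy entry).
MISSING_CHECKSUM_PROP = "cdx:security:missing-checksum"

# Constructed sample BOM: every name, version, purl and hash value is made up.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {   # ordinary module fetched from a registry: checksum declared
            "type": "library", "name": "golang.org/x/text", "version": "v0.3.7",
            "purl": "pkg:golang/golang.org/x/text@v0.3.7",
            "hashes": [{"alg": "SHA-256", "content": "2" * 64}],  # constructed digest
        },
        {   # locally replaced module (replace ... => ./api): no go.sum entry by design
            "type": "library", "name": "my.org/my-project/api", "version": "v0.0.0",
            "purl": "pkg:golang/my.org/my-project/api@v0.0.0",
            "hashes": [],
            "properties": [{"name": MISSING_CHECKSUM_PROP, "value": "false"}],
        },
        {   # dependency taken from git at a commit: integrity rests on the commit hash
            "type": "library", "name": "example-tool", "version": "0.0.0-20220101",
            "purl": "pkg:generic/example-tool?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com"
                    "%2Fexample%2Ftool.git%40deadbeef",
            "properties": [{"name": MISSING_CHECKSUM_PROP, "value": "false"}],
            # nested sub-component, also checked (CycloneDX allows nesting)
            "components": [{
                "type": "library", "name": "example-tool-plugin", "version": "1.2.3",
                "purl": "pkg:generic/example-tool-plugin@1.2.3",
                "hashes": [{"alg": "SHA-256", "content": "7" * 64}],  # constructed digest
            }],
        },
        {   # registry package whose checksum the producer could have recorded but did not
            "type": "library", "name": "leftpad", "version": "1.0.0",
            "purl": "pkg:npm/leftpad@1.0.0",
            "hashes": [],
            "properties": [{"name": MISSING_CHECKSUM_PROP, "value": "true"}],
        },
        {   # empty hashes and no property: the ambiguous case the issue describes
            "type": "library", "name": "mystery", "version": "2.1.0",
            "purl": "pkg:pypi/mystery@2.1.0",
        },
    ],
})


def iter_components(components):
    """Yield every component, descending into nested `components` arrays."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))


def classify(component):
    """Return 'declared', 'not-applicable', 'missing' or 'unknown' for one component."""
    if component.get("hashes"):
        return "declared"
    props = {p.get("name"): str(p.get("value", "")).strip().lower()
             for p in component.get("properties", [])}
    flag = props.get(MISSING_CHECKSUM_PROP)
    if flag == "true":
        return "missing"          # producer says a checksum was expected but is absent
    if flag == "false":
        return "not-applicable"   # producer says no checksum applies (local path, git commit)
    return "unknown"              # empty hashes with no signal either way


def audit(bom_json, strict=False):
    """Classify all components; return (passes, {purl-or-name: status}).

    Fails on any 'missing' component. With strict=True it also fails on
    'unknown', which is the policy a hermetic-build requirement implies.
    """
    bom = json.loads(bom_json)
    statuses = {}
    for comp in iter_components(bom.get("components")):
        key = comp.get("bom-ref") or comp.get("purl") or comp["name"]
        statuses[key] = classify(comp)
    blocking = {"missing", "unknown"} if strict else {"missing"}
    return all(s not in blocking for s in statuses.values()), statuses


if __name__ == "__main__":
    ok, report = audit(SAMPLE_BOM, strict=True)
    for ref, status in report.items():
        print(f"{status:15} {ref}")
    print("PASS" if ok else "FAIL")
```

Running it on the constructed BOM reports the registry module and the nested plugin as `declared`, the local replacement and the git dependency as `not-applicable`, `leftpad` as `missing` and `mystery` as `unknown`; the audit fails either way because of `leftpad`, and under `strict=True` the `unknown` component would fail it on its own, which is the behaviour the proposal would let a consumer choose deliberately instead of guessing from an empty `hashes` array.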

jkowalleck commented 1 year ago

Why have it in the taxonomy? What about adding this as a feature of the standard? Would you open an issue here? https://github.com/CycloneDX/specification

chmeliik commented 1 year ago

That's a good point :+1:

Opened https://github.com/CycloneDX/specification/issues/262