CycloneDX / guides


clarify use of "provenance" as it relates to NIST vs SLSA, etc. #26

Open ashleygwilliams opened 3 weeks ago

ashleygwilliams commented 3 weeks ago

During the specification meeting, when reviewing the Terms and Definitions, it was called out that the usage of "provenance" is very specific to NIST and differs from the SLSA, etc. definition. While the spec is not a good place for this information, the guide is likely a place to call this out, as it will likely help clarify the term, esp. for people coming from the supply chain security space who may be more familiar with the SLSA definition.

stevespringett commented 2 weeks ago

Agreed. The term provenance has been misused over the past few years. It is important to note that the CycloneDX use of the term aligns to NIST, MITRE, OWASP, and the Oxford/Cambridge definition of the word. CycloneDX is not intentionally aligned to NIST, rather, it is aligned to the common use of the term used in global supply chains.

The SBOM guide currently has a section on provenance which reads:

Provenance refers to the history of the origin and ownership of a component. In the context of a software supply chain, provenance provides a way to trace the lineage of a component and ensure its authenticity is in alignment.

Provenance information can help software developers and users identify the source of a component, and helps to establish trust and accountability among different parties involved in the software supply chain, such as software vendors, distributors, and consumers.

By maintaining a record of provenance information throughout the software supply chain, organizations can improve their ability to detect and mitigate security risks, reduce the likelihood of supply chain attacks, and increase the overall reliability and quality of their software products. Furthermore, regulatory compliance requirements (such as those related to data privacy, data protection, and intellectual property) often mandate the use of provenance tracking to ensure compliance with legal and ethical standards.

CycloneDX supports provenance via four distinct fields: author, publisher, supplier, and manufacturer. In addition, components that are modified from the original can be described along with the complete authorship, including commits and the person or account that authored and committed the modifications.

Additionally, it has a definition of the term:

Provenance - The chain of custody and origin of a software component. Provenance incorporates the point of origin through distribution as well as derivatives in the case of software that has been modified.

Are there any suggestions on how to improve the clarity of the term?
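
The guide text quoted above names the four provenance fields (author, publisher, supplier, manufacturer) and the pedigree commit data that records who authored and committed modifications. The following script is an added example, not code from the CycloneDX project or from anyone in this thread: it reads a constructed CycloneDX JSON BOM, pulls those origin-and-custody facts out of each component, and lists components that carry no provenance at all, which is the check a consumer would run before trusting an SBOM's lineage claims. Field names follow the CycloneDX component schema as I know it (`author`, `publisher`, `supplier.name`, `pedigree.commits[].author/committer`); a component-level `manufacturer` is assumed to be available in the schema version in use, and every value in the sample BOM is made up.

```python
import json

# Constructed sample BOM (not any real project's SBOM). Component-level
# "manufacturer" is assumed to exist in the schema version being used.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {
            "type": "library",
            "name": "example-parser",
            "version": "2.1.0",
            "author": "Example Maintainers",
            "publisher": "Example Registry",
            "supplier": {"name": "Example Corp", "url": ["https://example.invalid"]},
        },
        {
            # A locally modified fork: origin is the supplier, custody of the
            # change is recorded in pedigree.commits.
            "type": "library",
            "name": "patched-lib",
            "version": "1.0.0+fork.1",
            "supplier": {"name": "Example Corp"},
            "pedigree": {
                "commits": [
                    {
                        "uid": "0000000000000000000000000000000000000001",  # placeholder hash
                        "author": {"name": "A. Author", "email": "a@example.invalid",
                                   "timestamp": "2024-01-01T00:00:00Z"},
                        "committer": {"name": "C. Committer", "email": "c@example.invalid",
                                      "timestamp": "2024-01-02T00:00:00Z"},
                        "message": "Backport fix (constructed example)",
                    }
                ]
            },
        },
        # No origin or custody information at all.
        {"type": "library", "name": "mystery-lib", "version": "0.0.1"},
    ],
})

# The four fields the SBOM guide names as carrying provenance.
PROVENANCE_FIELDS = ("author", "publisher", "supplier", "manufacturer")


def component_provenance(component):
    """Return the origin and custody facts recorded for one component."""
    record = {"name": component.get("name"), "version": component.get("version")}
    for field in PROVENANCE_FIELDS:
        value = component.get(field)
        if isinstance(value, dict):
            # supplier/manufacturer are organizationalEntity objects; keep the name
            value = value.get("name")
        record[field] = value
    commits = (component.get("pedigree") or {}).get("commits", [])
    record["modifications"] = [
        {
            "uid": c.get("uid"),
            "author": (c.get("author") or {}).get("name"),
            "committer": (c.get("committer") or {}).get("name"),
        }
        for c in commits
    ]
    return record


def provenance_report(bom_json):
    """Summarise provenance for every component and flag those with none."""
    bom = json.loads(bom_json)
    records = [component_provenance(c) for c in bom.get("components", [])]
    missing = [
        r["name"] for r in records
        if not any(r[f] for f in PROVENANCE_FIELDS) and not r["modifications"]
    ]
    return {"components": records, "missing_provenance": missing}


if __name__ == "__main__":
    print(json.dumps(provenance_report(SAMPLE_BOM), indent=2))
```

Run against the sample, the report shows `example-parser` with author, publisher and supplier, `patched-lib` with its supplier plus one recorded modification (author and committer named separately, which is the chain-of-custody distinction the guide's definition draws), and `mystery-lib` under `missing_provenance`. Note that this only checks whether provenance is asserted; whether the assertion is truthful is a separate question (SLSA-style attestations address that), which is exactly the distinction the guide text could spell out.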

ashleygwilliams commented 2 weeks ago

So I think that the current content is very good; however, I think we could improve it by calling out the lack of consistency in the term's use. We'll need to do this delicately, as we don't want it to be a judgement of any particular use, but for folks who are new to the space, or more used to a different definition, a relative definition (defining "our" provenance as it relates to the "other" provenance) can help people who read the current definition and wonder why they have lingering confusion. Let me know if that makes sense!

You may be familiar with other uses of the term provenance, such as how it is leveraged by SLSA. The usage of this term in the context of CycloneDX is slightly different in that ....