search

CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0
365 stars 59 forks source link

Feature: documenting external/extraneous dependencies #321

Open jkowalleck opened 1 year ago

jkowalleck commented 1 year ago

current state

CycloneDX allows describing components, and the dependency graph. Each component can have exactly one version, no version range. Components can be connected in a dependency graph.

feature

Make it possible to describe external dependencies that are not part of a shipped product, like runtime environments, shared objects and dynamically linked libraries, operating system, hardware (architecture) etc.

use cases

It would enable identifying vendor locks, dependency to outdated external software, and enable DevOps better spec runtime environments.

possible solution

Discussion

First of, the goal is to allow describing externals, this is not SBOM in the traditional way, this is about the capability of CycloneDX.

Question: Where to put a marker that signals the fact that something is external?
Is scope the best place to put this? No! What if something is eternal and optional at the same time?! So it might be better to have a dedicated marker for that purpose.

Question: Which element/object to use? The existing "Component" seams good, but might be just to broad. Maybe use "Definitions"' child element, as soon as it is clear? see https://github.com/CycloneDX/specification/issues/321#issuecomment-1763703364

motivation / need

As requested by the community:

As described by German Cybersecurity Agency BSI

As a solution for the package registries that (are planning to) provide SBOMS for libraries which do not include all their dependencies. These SBOMs pretend/predict the dependencies as "components" but in fact, the components are not packaged with these libraries, but need to be fetched additionally. It these package registries would make unresolved dependencies as "extraneous", that would be great.

stevespringett commented 1 year ago

A PR would be good. Or at a minimum, a prototype on this ticket describing a proposal. FYI, v1.6 has a new top-level element called definitions which are not included in the inventory of the BOM but can still be referenced. That may be useful here, although there are likely other ways to achieve this as well.

jkowalleck commented 1 year ago

[...] v1.6 has a new top-level element called definitions which are not included in the inventory of the BOM but can still be referenced.

Did not find "definitions" in the current (draft) state of 1.6-dev nor any of (the work-in-progress) branches that eventually will be merged into 1.6-dev. As soon as it is there, I will see if it fits the idea. No rush.

[...] although there are likely other ways to achieve this as well.

:+1: I might sketch out possible schema changes and new test cases based on "component". This might not be best solution, but should help visualize the concept.

stevespringett commented 1 year ago

The definitions property is here: https://github.com/CycloneDX/specification/blob/1.6-dev-attestations/schema/bom-1.6.schema.json#L473

It currently only consists of standards, but can (and likely should) be expanded to include additional objects (e.g. licenses, components, services, etc)

jkowalleck commented 1 year ago

re: https://github.com/CycloneDX/specification/issues/321#issuecomment-1763703364

A PR would be good.

here is a sketch: https://github.com/CycloneDX/specification/pull/326

jkowalleck commented 10 months ago

read: https://github.com/CycloneDX/specification/issues/293#issuecomment-1869969390

scope is a way to include a component but not assert that that component is delivered or included in the inventory. For example, you may want to include Windows XP Embedded as a component, mark the scope as excluded, as a way to indicate that the entire stack will include the OS, but that the supplier does not provide it with the software. There is ongoing discussions within CISA on how to specify runtime requirements. Expect this capability to expand in the future.

mtsfoni commented 9 months ago

read: #293 (comment)

scope is a way to include a component but not assert that that component is delivered or included in the inventory. For example, you may want to include Windows XP Embedded as a component, mark the scope as excluded, as a way to indicate that the entire stack will include the OS, but that the supplier does not provide it with the software. There is ongoing discussions within CISA on how to specify runtime requirements. Expect this capability to expand in the future.

Does this invalidate your change request? Sound like scope was meant exactly as a solution to the depicted problem?

However, scope cannot currently not describe a difference between an extraneous optional and required component.

What about dev dependencies? In the dotnet tool those currently get marked as external. But they are external for a completely different reason. Maybe there should be a better distinction of why a component is external? (because it can be added, because it must be added/be installed on the target system or because it was once used in the production process but is not part of the scope of delivery?)

jkowalleck commented 9 months ago

Dropped this issue/request from the 1.6 milestone goals, and moved it to 1.7 for the following reasons: did not finish in time for 1.6, needs further discussion.

jkowalleck commented 9 months ago

@jerod might have additional ideas how he implemented a process to get around todays limitations ...

@stevespringett proposed to

need to think about all of this. will come back later. :-)

jkowalleck commented 8 months ago

now that the enum cases for scope are documented, lets rethink possible solutions. https://github.com/CycloneDX/specification/blob/d6835a98e427215e54168ee5be233c0660ed6a4e/schema/bom-1.6.schema.json#L930-L934

vetsin commented 8 months ago

I've seen a need for this when dealing with Java -- you release a jar or war artifact and it defines dependencies. There is no indication on if they're what you say you need or what's packaged within/distributed with what you're describing.

My thoughts:

That being said I am for a provides-relation instead of any extraneous/intrinsic declaration. The component states what it states, but it does/cannot reflect what the consumer will do with it. If the component is compiled, it seems like it should state the specific version it was compiled with (even if it doesn't provide it). If it's not compiled it seems fair to state what you tested with. Why does it matter if i can use Foo>=1.0 when i tested with 1.0 and when you use me, you provide Foo? Even if we state Foo>=1.0 its disingenuous to think that 2.0 may cause regressions and not work anyway.

I know there's some edge cases in that maybe I tested with python 3.6, 3.8, and 3.11 -- do i list them all as dependencies? I can't attest 3.9 works, but do i include it anyway?

jkowalleck commented 8 months ago

@DarthHater could you check https://github.com/CycloneDX/specification/issues/321#issuecomment-1992640752 and see how CDX fits in the Java world when it comes to "externals"?

sschoeling commented 7 months ago

So, with 1.6 out of the way now, I'd like to revisit this. So far scope doesn't seem to work out and ComponentType "runtime" from #233 doesn't tell whether it's included or not either. @jkowalleck : Following the list you put into cyclonedx-php-composer/#435 I think it comes down to:

and both of these are orthogonal to scope (whether the component is used for runtime or other purposes) and ComponentType.