CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

Add concluded value to identity evidence #411

Closed stevespringett closed 3 months ago

stevespringett commented 3 months ago

Identity evidence has many methods, each with a technique, confidence score, and associated value of the evidence. What is missing is the concluded value from all of the methods.

For example:

```json
"evidence": {
  "identity": [
    {
      "field": "cpe",
      "confidence": 1.0,
      "concludedValue": "cpe:2.3:a:example:acme-application:1.0.0:*:*:*:*:*:*:*",
      "methods": [
        {
          "technique": "filename",
          "confidence": 0.1,
          "value": "acme-application-1.0.0.exe"
        },
        {
          "technique": "hash-comparison",
          "confidence": 0.8,
          "value": "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf"
        }
      ]
    }
  ]
}
```

The example above concludes that the combination of the two methods results in a specific CPE. The proposal is to add concludedValue so that this can be expressed.
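A consumer-side check for an identity entry shaped like the proposal, as an added example that is not part of the issue or of the CycloneDX project's own tooling. It validates the entry structurally (field and technique names are taken from the 1.5 schema enumerations; check them against the schema version you target), rejects a `concludedValue` that has no supporting methods or that does not look like the kind of identifier the `field` names, and shows one way the per-method confidences could be folded into an overall figure. The prefix checks, the noisy-OR combination rule and the `ISSUE_EXAMPLE` constant (the entry from the issue text) are assumptions of this example, not anything the proposal defines.

```python
"""Validate a CycloneDX identity-evidence entry carrying the proposed concludedValue."""
from typing import Any

# Enumerations as they appear in the CycloneDX 1.5 schema; confirm them against
# the schema version your tooling actually targets.
IDENTITY_FIELDS = {"group", "name", "version", "purl", "cpe", "swid", "hash"}
TECHNIQUES = {
    "source-code-analysis", "binary-analysis", "manifest-analysis", "ast-fingerprint",
    "hash-comparison", "instrumentation", "dynamic-analysis", "filename",
    "attestation", "other",
}
# Assumed sanity checks on the concluded identifier; not part of the proposal.
VALUE_PREFIXES = {"cpe": ("cpe:2.3:", "cpe:/"), "purl": ("pkg:",)}

# The entry from the issue text, embedded here as sample input.
ISSUE_EXAMPLE = {
    "field": "cpe",
    "confidence": 1.0,
    "concludedValue": "cpe:2.3:a:example:acme-application:1.0.0:*:*:*:*:*:*:*",
    "methods": [
        {"technique": "filename", "confidence": 0.1,
         "value": "acme-application-1.0.0.exe"},
        {"technique": "hash-comparison", "confidence": 0.8,
         "value": "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf"},
    ],
}


def _is_confidence(x: Any) -> bool:
    """True for a number (not a bool) in the closed range [0, 1]."""
    return isinstance(x, (int, float)) and not isinstance(x, bool) and 0.0 <= x <= 1.0


def validate_identity(entry: dict) -> list[str]:
    """Return a list of problems; an empty list means the entry is structurally sound."""
    problems: list[str] = []
    field = entry.get("field")
    if field not in IDENTITY_FIELDS:
        problems.append(f"unknown field {field!r}")
    if "confidence" in entry and not _is_confidence(entry["confidence"]):
        problems.append("identity confidence must be a number in [0, 1]")
    methods = entry.get("methods", [])
    if not isinstance(methods, list):
        problems.append("methods must be an array")
        methods = []
    for i, m in enumerate(methods):
        if not isinstance(m, dict) or m.get("technique") not in TECHNIQUES:
            problems.append(f"methods[{i}]: unknown technique")
            continue
        if not _is_confidence(m.get("confidence")):
            problems.append(f"methods[{i}]: confidence must be a number in [0, 1]")
        if "value" in m and not isinstance(m["value"], str):
            problems.append(f"methods[{i}]: value must be a string")
    concluded = entry.get("concludedValue")
    if concluded is not None:
        if not isinstance(concluded, str) or not concluded:
            problems.append("concludedValue must be a non-empty string")
        elif not methods:
            # A conclusion with no evidence behind it is exactly what a consumer
            # should refuse to act on.
            problems.append("concludedValue given but no methods support it")
        else:
            prefixes = VALUE_PREFIXES.get(field)
            if prefixes and not concluded.startswith(prefixes):
                problems.append(f"concludedValue does not look like a {field}")
    return problems


def combine_confidence(methods: list[dict]) -> float:
    """Noisy-OR of the per-method confidences (an assumed rule, not the spec's):
    each method is treated as an independent chance of a correct identification,
    so the result is 1 - product(1 - c_i). Returns 0.0 for no methods."""
    miss = 1.0
    for m in methods:
        miss *= 1.0 - float(m.get("confidence", 0.0))
    return 1.0 - miss


if __name__ == "__main__":
    print("problems:", validate_identity(ISSUE_EXAMPLE))
    print("combined confidence:", round(combine_confidence(ISSUE_EXAMPLE["methods"]), 3))
```

The proposal does not say how the per-method scores relate to the identity-level `confidence`, so the combination rule here is illustrative only; the point for a consumer is to keep the concluded value tied to its supporting methods and to treat the stated confidence with the same scepticism as any other producer-asserted number.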