oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Provide guidance on linkage to SBOM components #484

Open tschmidtb51 opened 2 years ago

tschmidtb51 commented 2 years ago

Sometimes (e.g. for VEX) it is useful to link to a dedicated component in an SBOM instead of just pointing to the final product.

When using the product_identification_helper CSAF provides, you can identify each single component in an SBOM. However, each format has its own way to uniquely identify the SBOM and a component within it. We should collect those to provide guidance on how to do this.

Note: You could also use relationships in CSAF. The TC should discuss which way is preferred.

tschmidtb51 commented 2 years ago

CycloneDX

Let's start with CycloneDX. They use something called a bom-link.

For example, if you want to identify the jboss-logging library that is used in Keycloak 10.0.2, you could use the following product_tree in CSAF:

```json
  "product_tree": {
    "branches": [
      {
        "category": "vendor",
        "name": "Keycloak",
        "branches": [
          {
            "category": "product_name",
            "name": "Keycloak",
            "branches": [
              {
                "category": "product_version",
                "name": "10.0.2",
                "product": {
                  "product_id": "CSAFPID-0001",
                  "name": "Keycloak Keycloak 10.0.2",
                  "product_identification_helper": {
                    "sbom_urls": [
                      "https://raw.githubusercontent.com/CycloneDX/bom-examples/master/SBOM/keycloak-10.0.2/bom.json"
                    ],
                    "x_generic_uris": [
                      {
                        "namespace": "https://cyclonedx.org/capabilities/bomlink/",
                        "uri": "urn:cdx:411dafd2-c29f-491a-97d7-e97de5bc2289/1"
                      }
                    ]
                  }
                }
              }
            ]
          }
        ]
      }
    ],
    "full_product_names": [
      {
        "product_id": "CSAFPID-0002",
        "name": "jboss-logging",
        "product_identification_helper": {
          "x_generic_uris": [
            {
              "namespace": "https://cyclonedx.org/capabilities/bomlink/",
              "uri": "urn:cdx:411dafd2-c29f-491a-97d7-e97de5bc2289/1#pkg:maven/org.jboss.logging/jboss-logging@3.4.1.Final?type=jar"
            }
          ]
        }
      }
    ]
  }
```

stevespringett commented 2 years ago

FYI, the second example, which references an individual component, should read urn:cdx, not urn:uuid. For the first example you could use

urn:uuid:411dafd2-c29f-491a-97d7-e97de5bc2289 or urn:cdx:411dafd2-c29f-491a-97d7-e97de5bc2289/1

Both are valid.

tschmidtb51 commented 2 years ago

> FYI, the second example, which references an individual component, should read urn:cdx, not urn:uuid. For the first example you could use
>
> urn:uuid:411dafd2-c29f-491a-97d7-e97de5bc2289 or urn:cdx:411dafd2-c29f-491a-97d7-e97de5bc2289/1
>
> Both are valid.

Thanks for the clarification. I updated the example.

tschmidtb51 commented 2 years ago

SPDX

They are using the documentNamespace together with the SPDXID of the component.

If you want to identify the libc as used in this binary, you could write in CSAF:

```json
  "product_tree": {
    "full_product_names": [
      {
        "name": "main-bin",
        "product_id": "CSAFPID-0001",
        "product_identification_helper": {
          "sbom_urls": [
            "https://swinslow.net/spdx-examples/example4/main-bin-v2"
          ],
          "x_generic_uris": [
            {
              "namespace": "https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field",
              "uri": "https://swinslow.net/spdx-examples/example4/main-bin-v2#SPDXRef-Package-main-bin"
            }
          ]
        }
      },
      {
        "name": "libc",
        "product_id": "CSAFPID-0002",
        "product_identification_helper": {
          "x_generic_uris": [
            {
              "namespace": "https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field",
              "uri": "https://swinslow.net/spdx-examples/example4/main-bin-v2#SPDXRef-libc"
            }
          ]
        }
      }
    ]
  }
```
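As an added example (not part of this thread or of the CSAF project's own code), the following Python walks a CSAF product_tree, parses both link forms discussed above (CycloneDX bom-links and SPDX documentNamespace#SPDXID) and resolves each product's x_generic_uris to the component they point at. The two SBOMs are constructed, minimal stand-ins for the documents referenced in the thread, and the strict serial-number-plus-version match on bom-links is an assumption chosen so that a link into an older BOM version does not resolve against a newer one.

```python
BOMLINK_NS = "https://cyclonedx.org/capabilities/bomlink/"  # namespace used above for bom-links
SPDX_NS = "https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field"

# Constructed, minimal stand-ins for the two SBOMs referenced in the thread (not the real documents).
CDX_BOM = {"serialNumber": "urn:uuid:411dafd2-c29f-491a-97d7-e97de5bc2289", "version": 1,
           "components": [{"bom-ref": "pkg:maven/org.jboss.logging/jboss-logging@3.4.1.Final?type=jar",
                           "name": "jboss-logging", "version": "3.4.1.Final"}]}
SPDX_DOC = {"documentNamespace": "https://swinslow.net/spdx-examples/example4/main-bin-v2",
            "packages": [{"SPDXID": "SPDXRef-Package-main-bin", "name": "main-bin"},
                         {"SPDXID": "SPDXRef-libc", "name": "libc"}]}

def parse_bomlink(uri):
    """Split 'urn:cdx:<serialNumber>/<version>[#<bom-ref>]' into (serial, version, bom_ref or None)."""
    if not uri.startswith("urn:cdx:"):
        raise ValueError("not a urn:cdx bom-link: " + uri)
    doc, _, bom_ref = uri[len("urn:cdx:"):].partition("#")  # bom-ref (often a purl) follows the first '#'
    serial, _, version = doc.rpartition("/")
    if not serial or not version.isdigit():
        raise ValueError("bom-link needs <serialNumber>/<version>: " + uri)
    return serial, int(version), bom_ref or None

def resolve_component(helper, cdx_bom=CDX_BOM, spdx_doc=SPDX_DOC):
    """Return the SBOM component/package a product_identification_helper points at, or None."""
    for ref in helper.get("x_generic_uris", []):
        if ref.get("namespace") == BOMLINK_NS:
            serial, version, bom_ref = parse_bomlink(ref["uri"])
            # No fragment means the link names the whole BOM; serial AND version must match (assumption).
            if bom_ref and serial == cdx_bom["serialNumber"].removeprefix("urn:uuid:") \
                    and version == cdx_bom["version"]:
                return next((c for c in cdx_bom["components"] if c.get("bom-ref") == bom_ref), None)
        elif ref.get("namespace") == SPDX_NS:
            namespace, _, spdxid = ref["uri"].partition("#")  # documentNamespace#SPDXID
            if spdxid and namespace == spdx_doc["documentNamespace"]:
                return next((p for p in spdx_doc["packages"] if p["SPDXID"] == spdxid), None)
    return None

def iter_products(node):
    """Yield every product object in a CSAF product_tree, descending into nested branches."""
    for branch in node.get("branches", []):
        yield from iter_products(branch)
    if "product" in node:
        yield node["product"]
    yield from node.get("full_product_names", [])

def resolve_product_tree(product_tree, cdx_bom=CDX_BOM, spdx_doc=SPDX_DOC):
    """Map each CSAF product_id to the name of the SBOM component it links to (None if unresolved)."""
    return {p["product_id"]: (resolve_component(p.get("product_identification_helper", {}),
                                                cdx_bom, spdx_doc) or {}).get("name")
            for p in iter_products(product_tree)}
```

parse_bomlink rejects the urn:uuid form on purpose: it identifies a BOM without a version and cannot address a component inside it.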