[1.7] - Updates from CBOM working group #657
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Steve Springett <[email protected]>
- Adds a few more algorithm - Converts urls to standards to doi links, where available. - Checks if urls work Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
- Adds a few more algorithm - Converts urls to standards to doi links, where available. - Checks if urls work ---- TODO / progress - [x] JSON schema - [ ] XML schema - [ ] ProtoBugf schema <!-- Thank you for taking the time to develop and contribute a core enhancement or fix for a defect! We kindly request that you create pull requests only for things that have been discussed in a ticket first; exceptions may be made for spelling or grammar fixes. Read more about the process here: https://cyclonedx.org/participate/standardization-process/#working-model Please have the related ticket/issue ID ready. If there is none, feel free to create a new ticket: https://github.com/CycloneDX/specification/issues/new/choose --> <!-- Please provide a brief description of what this pull request intends to do and which ticket it fixes/closes. Example: > As discussed in ticket #485, this PR adds Streebog to the hash algorithm enum. > > fixes #485 In case this is for a spelling or grammar improvement, please provide a brief description. Example: > Fixe typo: color(AE) -> colour(BE) -->
Signed-off-by: Basil Hess <[email protected]>
- Changes schma for crypto-defs to allow different variant patterns corresponding to different primitives - Adds "key-wrap" as a new primitive Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
- Extends cryptography-defs.json list with algorithms from PKCS11 - Changes schma for crypto-defs to allow different variant patterns corresponding to different primitives - Adds "key-wrap" as a new primitive
Signed-off-by: Nicklas Körtge <[email protected]>
{placeholder} -> required parameter with placeholder
(option1|option2) -> required parameter with fixed alternatives
[parameter] -> optional parameter
[-{placeholder}] -> optional paremeter with literal separator
Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
…phy-defs.schema.json
This PR will add a python script that can be used to generate an enum-object for the cyclonedx json schema that reflects algorithm families defined in `cryptography-defs.json`.
The following rules apply for the patterns:
{placeholder} -> required parameter with placeholder
(option1|option2) -> required parameter with fixed alternatives
[parameter] -> optional parameter
[-{placeholder}] -> optional parameter with literal separator
<!--
Thank you for taking the time to develop and contribute a core
enhancement or fix for a defect!
We kindly request that you create pull requests only for things that
have been discussed in a ticket first; exceptions may be made for
spelling or grammar fixes.
Read more about the process here:
https://cyclonedx.org/participate/standardization-process/#working-model
Please have the related ticket/issue ID ready.
If there is none, feel free to create a new ticket:
https://github.com/CycloneDX/specification/issues/new/choose
-->
<!--
Please provide a brief description of what this pull request intends to
do and which ticket it fixes/closes.
Example:
> As discussed in ticket #485, this PR adds Streebog to the hash
algorithm enum.
>
> fixes #485
In case this is for a spelling or grammar improvement, please provide a
brief description.
Example:
> Fixe typo: color(AE) -> colour(BE)
-->
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Nicklas Körtge <[email protected]>
Signed-off-by: Nicklas Körtge <[email protected]>
It looks like we missed some key changes from the `1.7-dev-cryptography` branch. This PR will put them back in. Thanks @JoeyLupo for pointing that out!
jkowalleck
changed the title
Signed-off-by: steve.springett <[email protected]>
JoeyLupo
reviewed
Jul 10, 2025
- Schema fix: Define items in ikeV2 arrays - Schema extension: in protocolProperties/cipherSuites, adds explicit tlsGroups and tlsSignatureSchemes properties - Updates valid-cryptography-full-1.7 and valid-cryptography-implementation.1.7 test cases Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
Update schema test cases and fix validation issues for 1.7 CBOM. This PR addresses two schema validation issues discovered while running ajv on the test cases: - ikev2TransformTypes: The array items were missing type definitions. This has been corrected. - certificateExtensions: The oneOf clause defined two objects (commonExtensions and customExtensions) with overlapping property names, which caused validation errors. The property names have been made unique within each object to resolve this. Additionally, two new properties have been added to cryptoProperties.cipherSuites to support more precise TLS configurations: tlsGroups and tlsSignatureSchemes. <!-- Thank you for taking the time to develop and contribute a core enhancement or fix for a defect! We kindly request that you create pull requests only for things that have been discussed in a ticket first; exceptions may be made for spelling or grammar fixes. Read more about the process here: https://cyclonedx.org/participate/standardization-process/#working-model Please have the related ticket/issue ID ready. If there is none, feel free to create a new ticket: https://github.com/CycloneDX/specification/issues/new/choose --> <!-- Please provide a brief description of what this pull request intends to do and which ticket it fixes/closes. Example: > As discussed in ticket #485, this PR adds Streebog to the hash algorithm enum. > > fixes #485 In case this is for a spelling or grammar improvement, please provide a brief description. Example: > Fixe typo: color(AE) -> colour(BE) -->
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
|
This is ready for review.
|
|
This PR introduces the following:
|
stevespringett
added
request for comment
RFC notice sent
prabhu
reviewed
Jul 26, 2025
| "variant": { | ||
| "type": "array", | ||
| "title": "Variants", | ||
| "description": "Defines algorithm variants by a naming pattern and the corrsponding cryptographic primitive.", |
There was a problem hiding this comment.
Suggested change
| "description": "Defines algorithm variants by a naming pattern and the corrsponding cryptographic primitive.", | |
| "description": "Defines algorithm variants by a naming pattern and the corresponding cryptographic primitive.", |
prabhu
reviewed
Jul 26, 2025
| "title": "Standard Name", | ||
| "description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties." | ||
| }, | ||
| "primitive": { |
There was a problem hiding this comment.
Could this attribute be made an enum?
prabhu
reviewed
Jul 26, 2025
| "additionalProperties": false, | ||
| "properties": { | ||
| "category": { | ||
| "type": "string", |
There was a problem hiding this comment.
Could this become an enum as well? Some of the values could be "nist", "secg", "x963", and "other".
prabhu
reviewed
Jul 26, 2025
| "title": "OID", | ||
| "description": "The Object Identifier (OID) of the elliptic curve." | ||
| }, | ||
| "form": { |
There was a problem hiding this comment.
My knowledge on this is quite limited. It appears like we are capturing the form of the equation but not the field type. Based on the below document, an enum called fieldType could be added with the values prime and binary. This would help with categorization.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf
prabhu
reviewed
Jul 26, 2025
| "Montgomery" | ||
| ] | ||
| }, | ||
| "aliases": { |
There was a problem hiding this comment.
In addition to aliases, it will be nice to have a much simpler way to compare the forms like 128 bits, 256 bits etc (computational effort to break). Often these values are approximate but could be still useful. The attribute could be an integer with the name securityBits or keyLength.
prabhu
reviewed
Jul 26, 2025
| "title": "Last Updated", | ||
| "description": "The date and time (timestamp) when the data was last updated." | ||
| }, | ||
| "algorithms": { |
There was a problem hiding this comment.
We capture the algorithms, but do not communicate the production status.
An explicit attribute status with enum values such as legacy, active, evaluation, deprecated would help.
There was a problem hiding this comment.
In the same line of thought, it will be nice to communicate some known risks associated with an algorithm. Examples:
timing-attack
replay-attack
side-channel attack
It could be argued that often such risks are due to the implementations. In such cases, an example of a CBOM with components and dependencies.provides to illustrate implementation risks would be perfect.
prabhu
reviewed
Jul 26, 2025
| ], | ||
| "variant": [ | ||
| { | ||
| "pattern": "RSA-PKCS1-1.5[-{digestAlgorithm}][-{keyLength}]", |
There was a problem hiding this comment.
This is new to me. We're using placeholders in the pattern string for the first time? To keep the specification consistent, can we define the list of allowed placeholders to help implementation tools? ChatGPT is suggesting an attribute as below:
{
"pattern": {
"type": "string",
"title": "Pattern",
"description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for standardized algorithm-specific properties.",
// This regex enforces that any placeholder {} contains only one of the predefined standard names.
// Note: This is a simplified example and might need adjustment for edge cases like escaping or nested brackets.
"pattern": "^([^{}]|\\{((keyLength)|(mode)|(digestAlgorithm)|(hashFunction)|(saltLength)|(ellipticCurve)|(securityLevel)|(function)|(padding)|(tagLength)|(ivLength)|(primitive))\\})*$"
}
}
Signed-off-by: Jan Kowalleck <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The cryptography working group has received feedback from real-world usage and have made some minor enhancements to the CBOM specificaiton.
Closes #569
RFC notice sent 2025-07-26
This RFC will be open for 4 weeks. At the end of the RFC period the CycloneDX community will vote, by lazy consensus, to accept or reject the proposal.
RFC period end: 2025-08-23
TODO/DONE