Skip to content

feat: Add support for TLP marking in metadata #604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 11 commits into
base: 1.7-dev
Choose a base branch
from
+140 −0
Open

feat: Add support for TLP marking in metadata #604

Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
1962322
feat: Add support for TLP marking in metadata (fixes #595)
anthonyharrison Feb 22, 2025
925f5f9
feat: Add support for TLP marking in metadata (fixes #595)
anthonyharrison Feb 23, 2025
55425e5
feat: Add support for TLP marking in metadata - fix protobuf enum (fi…
anthonyharrison Feb 23, 2025
d3d243f
feat: Add support for TLP marking in metadata - add default values an…
anthonyharrison Feb 23, 2025
5708d61
`TLP_CLEAR_UNSPECIFIED` -> `TLP_CLEAR`
jkowalleck Feb 24, 2025
98d888d
fixed schema and docs
jkowalleck Mar 6, 2025
dbd3c43
tests: fix examples
jkowalleck Mar 6, 2025
636eb43
style fixes
jkowalleck Mar 6, 2025
3da8e47
feat: Add support for TLP marking in metadata - correct TLP descripti…
anthonyharrison Mar 6, 2025
4e918f8
Merge remote-tracking branch 'refs/remotes/origin/1.7-dev' into 1.7-dev
anthonyharrison Mar 6, 2025
ed5fa84
feat: Add support for TLP marking in metadata - correct TLP descripti…
anthonyharrison Mar 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions schema/bom-1.7.proto
View file
Original file line number Diff line number Diff line change
@@ -514,6 +514,8 @@ message Metadata {
repeated Lifecycles lifecycles = 9;
// The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead.
optional OrganizationalEntity manufacturer = 10;
// The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.
optional TlpClassification distribution = 11;
}

message Lifecycles {
@@ -675,6 +677,22 @@ message Swid {
optional string url = 7;
}

// Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information.
//The default classification is "CLEAR"
enum TlpClassification {
// The information is not subject to any restrictions as regards the sharing.
// buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- "CLEAR" is our fallback, the default.
TLP_CLASSIFICATION_CLEAR = 0;
// The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.
TLP_CLASSIFICATION_GREEN = 1;
// The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.
TLP_CLASSIFICATION_AMBER = 2;
// The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.
TLP_CLASSIFICATION_AMBER_AND_STRICT = 3;
// The information is subject to restricted distribution to individual recipients only and must not be shared.
TLP_CLASSIFICATION_RED = 4;
}

// Specifies a tool (manual or automated).
message Tool {
// DEPRECATED - DO NOT USE - The vendor of the tool used to create the BOM.
25 changes: 25 additions & 0 deletions schema/bom-1.7.schema.json
View file
Original file line number Diff line number Diff line change
@@ -712,9 +712,34 @@
"title": "Properties",
"description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
"items": {"$ref": "#/definitions/property"}
},
"distribution": {
"title": "Distribution",
"description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.",
"$ref": "#/definitions/tlpClassification"
}
}
},
"tlpClassification": {
"title": "Traffic Light Protocol (TLP) Classification",
"description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"",
"type" : "string",
"default": "CLEAR",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

default could be UNKNOWN.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UNKNOWN is not a valid TLP value

"enum": [
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can retain the TLP: prefix to avoid confusions and retain the exact semantic meanings.

From the first.org website:

The four TLP labels are: TLP:RED, TLP:AMBER, TLP:GREEN, and TLP:CLEAR. In written form, they MUST not contain spaces and SHOULD be in capitals. TLP labels MUST remain in their original form, even when used in other languages: content can be translated, but the labels cannot.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The TLP values are identical to those adopted by CSAF

"CLEAR",
"GREEN",
"AMBER",
"AMBER_AND_STRICT",
"RED"
],
"meta:enum": {
"CLEAR": "The information is not subject to any restrictions as regards the sharing.",
"GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.",
"AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.",
"AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.",
"RED": "The information is subject to restricted distribution to individual recipients only and must not be shared."
}
},
"tool": {
"type": "object",
"title": "Tool",
52 changes: 52 additions & 0 deletions schema/bom-1.7.xsd
View file
Original file line number Diff line number Diff line change
@@ -256,6 +256,12 @@ limitations under the License.
Formal registration is optional.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="distribution" type="bom:tlpClassificationType" default="CLEAR" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>The Traffic Light Protocol (TLP) classification that controls the sharing and distribution
of the data that the BOM describes.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>
@@ -390,6 +396,52 @@ limitations under the License.
</xs:anyAttribute>
</xs:complexType>

<xs:simpleType name="tlpClassificationType">
<xs:annotation>
<xs:documentation xml:lang="en">
Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information.
The default classification is "CLEAR"
</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="CLEAR">
<xs:annotation>
<xs:documentation>
The information is not subject to any restrictions as regards the sharing.
</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="GREEN">
<xs:annotation>
<xs:documentation>
The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.
</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="AMBER">
<xs:annotation>
<xs:documentation>
The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.
</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="AMBER_AND_STRICT">
<xs:annotation>
<xs:documentation>
The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.
</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="RED">
<xs:annotation>
<xs:documentation>
The information is subject to restricted distribution to individual recipients only and must not be shared.
</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>

<xs:complexType name="toolType">
<xs:annotation>
<xs:documentation>Information about the automated or manual tool used</xs:documentation>
11 changes: 11 additions & 0 deletions tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.7",
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"version": 1,
"metadata": {
"distribution": "Unrestricted"
},
"components": []
}
7 changes: 7 additions & 0 deletions tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
<?xml version="1.0"?>
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
<metadata>
<distribution>Unrestricted</distribution>
</metadata>
<components />
</bom>
11 changes: 11 additions & 0 deletions tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.7",
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"version": 1,
"metadata": {
"distribution": "RED"
},
"components": []
}
9 changes: 9 additions & 0 deletions tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
# proto-file: schema/bom-1.7.proto
# proto-message: Bom

spec_version: "1.7"
version: 1
serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
metadata {
distribution: TLP_CLASSIFICATION_RED
}
7 changes: 7 additions & 0 deletions tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
<?xml version="1.0"?>
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
<metadata>
<distribution>RED</distribution>
</metadata>
<components />
</bom>