
Commit 56dfd3d

Added identity and occurrences to evidence. Updated test cases.
Signed-off-by: Steve Springett <[email protected]>
1 parent 5a579c6 commit 56dfd3d


6 files changed

+410
-1
lines changed


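--- a/schema/bom-1.5.proto
+++ b/schema/bom-1.5.proto
@@ -531,6 +531,59 @@ message EvidenceCopyright {
 message Evidence {
 repeated LicenseChoice licenses = 1;
 repeated EvidenceCopyright copyright = 2;
+repeated EvidenceIdentity identity = 3;
+repeated EvidenceOccurrences occurrences = 4;
+}
+
+message EvidenceIdentity {
+// The identity field of the component which the evidence describes.
+EvidenceFieldType field = 1;
+// The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence.
+optional float confidence = 2;
+// The methods used to extract and/or analyze the evidence.
+repeated EvidenceMethods methods = 3;
+// The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation.
+repeated string tools = 4;
+}
+
+message EvidenceMethods {
+// The technique used in this method of analysis.
+EvidenceTechnique technique = 1;
+// The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence.
+float confidence = 2;
+// The value or contents of the evidence.
+optional string value = 3;
+}
+
+message EvidenceOccurrences {
+// An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+optional string bom_ref = 1;
+// The location or path to where the component was found.
+string location = 2;
+}
+
+enum EvidenceFieldType {
+EVIDENCE_FIELD_NULL = 0;
+EVIDENCE_FIELD_GROUP = 1;
+EVIDENCE_FIELD_NAME = 2;
+EVIDENCE_FIELD_VERSION = 3;
+EVIDENCE_FIELD_PURL = 4;
+EVIDENCE_FIELD_CPE = 5;
+EVIDENCE_FIELD_SWID = 6;
+EVIDENCE_FIELD_HASH = 7;
+}
+
+enum EvidenceTechnique {
+EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS = 0;
+EVIDENCE_TECHNIQUE_BINARY_ANALYSIS = 1;
+EVIDENCE_TECHNIQUE_MANIFEST_ANALYSIS = 2;
+EVIDENCE_TECHNIQUE_AST_FINGERPRINT = 3;
+EVIDENCE_TECHNIQUE_HASH_COMPARISON = 4;
+EVIDENCE_TECHNIQUE_INSTRUMENTATION = 5;
+EVIDENCE_TECHNIQUE_DYNAMIC_ANALYSIS = 6;
+EVIDENCE_TECHNIQUE_FILENAME = 7;
+EVIDENCE_TECHNIQUE_ATTESTATION = 8;
+EVIDENCE_TECHNIQUE_OTHER = 9;
 }
 
 message Note {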
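Review bot: `identity` is declared `repeated EvidenceIdentity identity = 3;` while the JSON schema in this same commit declares `identity` as a single object and the XSD gives it `maxOccurs="1"`, so a protobuf BOM carrying two identity entries has no lossless JSON or XML representation; if one identity block per component is intended, change it to `EvidenceIdentity identity = 3;`. Separately, `EvidenceTechnique` assigns wire value 0 to `EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS`, which is also proto3's value for an unset field, so a method whose technique was never set reads back as source-code analysis and its confidence gets attributed to a technique the producer never claimed; `EvidenceFieldType` already guards against this with `EVIDENCE_FIELD_NULL = 0`, and an `EVIDENCE_TECHNIQUE_NULL = 0` (or `_UNSPECIFIED`) would do the same here. As a style point, `EvidenceMethods` and `EvidenceOccurrences` are plural names for types that describe one item each; `EvidenceMethod` and `EvidenceOccurrence` would follow the singular-noun convention of `EvidenceIdentity` and `EvidenceCopyright`.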

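--- a/schema/bom-1.5.schema.json
+++ b/schema/bom-1.5.schema.json
@@ -1239,13 +1239,112 @@
 }
 }
 },
-
 "componentEvidence": {
 "type": "object",
 "title": "Evidence",
 "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.",
 "additionalProperties": false,
 "properties": {
+"identity": {
+"type": "object",
+"description": "Evidence that substantiates the identity of a component.",
+"required": [ "field" ],
+"additionalProperties": false,
+"properties": {
+"field": {
+"type": "string",
+"enum": [
+"group", "name", "version", "purl", "cpe", "swid", "hash"
+],
+"title": "Field",
+"description": "The identity field of the component which the evidence describes."
+},
+"confidence": {
+"type": "number",
+"minimum": 0,
+"maximum": 1,
+"title": "Confidence",
+"description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."
+},
+"methods": {
+"type": "array",
+"title": "Methods",
+"description": "The methods used to extract and/or analyze the evidence.",
+"additionalItems": false,
+"items": {
+"type": "object",
+"required": [
+"technique" ,
+"confidence"
+],
+"additionalProperties": false,
+"properties": {
+"technique": {
+"title": "Technique",
+"description": "The technique used in this method of analysis.",
+"type": "string",
+"enum": [
+"source-code-analysis",
+"binary-analysis",
+"manifest-analysis",
+"ast-fingerprint",
+"hash-comparison",
+"instrumentation",
+"dynamic-analysis",
+"filename",
+"attestation",
+"other"
+]
+},
+"confidence": {
+"type": "number",
+"minimum": 0,
+"maximum": 1,
+"title": "Confidence",
+"description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."
+},
+"value": {
+"type": "string",
+"title": "Value",
+"description": "The value or contents of the evidence."
+}
+}
+}
+},
+"tools": {
+"type": "array",
+"uniqueItems": true,
+"additionalItems": false,
+"items": {
+"$ref": "#/definitions/refType"
+},
+"title": "BOM References",
+"description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."
+}
+}
+},
+"occurrences": {
+"type": "array",
+"title": "Occurrences",
+"description": "Evidence of individual instances of a component spread across multiple locations.",
+"additionalItems": false,
+"items": {
+"required": [ "location" ],
+"additionalProperties": false,
+"properties": {
+"bom-ref": {
+"$ref": "#/definitions/refType",
+"title": "BOM Reference",
+"description": "An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+},
+"location": {
+"type": "string",
+"title": "Location",
+"description": "The location or path to where the component was found."
+}
+}
+}
+},
 "licenses": {
 "type": "array",
 "additionalItems": false,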
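Review bot: The `occurrences.items` schema has no `"type": "object"`, and JSON Schema applies `required`, `additionalProperties` and `properties` only to object instances, so an `occurrences` array holding a bare string or number passes validation and the `location` requirement is never enforced; `identity.methods.items` does declare its type, so this looks like an omission. Add `"type": "object",` as the first member of that `items` block. The stray space in `"technique" ,` is cosmetic but worth normalising to `"technique",`.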

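--- a/schema/bom-1.5.xsd
+++ b/schema/bom-1.5.xsd
@@ -1669,8 +1669,161 @@ limitations under the License.
 </xs:sequence>
 </xs:complexType>
 
+<xs:simpleType name="identityFieldType">
+<xs:restriction base="xs:string">
+<xs:enumeration value="group">
+<xs:annotation>
+<xs:documentation>blah</xs:documentation>
+</xs:annotation>
+</xs:enumeration>
+<xs:enumeration value="name">
+<xs:annotation>
+<xs:documentation>blah</xs:documentation>
+</xs:annotation>
+</xs:enumeration>
+<xs:enumeration value="version">
+<xs:annotation>
+<xs:documentation>blah</xs:documentation>
+</xs:annotation>
+</xs:enumeration>
+<xs:enumeration value="purl">
+<xs:annotation>
+<xs:documentation>blah</xs:documentation>
+</xs:annotation>
+</xs:enumeration>
+<xs:enumeration value="cpe">
+<xs:annotation>
+<xs:documentation>blah</xs:documentation>
+</xs:annotation>
+</xs:enumeration>
+<xs:enumeration value="swid">
+<xs:annotation>
+<xs:documentation>blah</xs:documentation>
+</xs:annotation>
+</xs:enumeration>
+<xs:enumeration value="hash">
+<xs:annotation>
+<xs:documentation>blah</xs:documentation>
+</xs:annotation>
+</xs:enumeration>
+</xs:restriction>
+</xs:simpleType>
+
+<xs:simpleType name="decimalPercentType">
+<xs:restriction base="xs:decimal">
+<xs:minInclusive value="0"/>
+<xs:maxInclusive value="1"/>
+</xs:restriction>
+</xs:simpleType>
+
+<xs:simpleType name="evidenceTechnique">
+<xs:restriction base="xs:string">
+<xs:enumeration value="source-code-analysis" />
+<xs:enumeration value="binary-analysis" />
+<xs:enumeration value="manifest-analysis" />
+<xs:enumeration value="ast-fingerprint" />
+<xs:enumeration value="hash-comparison" />
+<xs:enumeration value="instrumentation" />
+<xs:enumeration value="dynamic-analysis" />
+<xs:enumeration value="filename" />
+<xs:enumeration value="attestation" />
+<xs:enumeration value="other" />
+</xs:restriction>
+</xs:simpleType>
+
 <xs:complexType name="componentEvidenceType">
 <xs:sequence>
+<xs:element name="identity" minOccurs="0" maxOccurs="1">
+<xs:annotation>
+<xs:documentation>Evidence that substantiates the identity of a component.</xs:documentation>
+</xs:annotation>
+<xs:complexType>
+<xs:sequence>
+<xs:element name="field" type="bom:identityFieldType" minOccurs="1" maxOccurs="1">
+<xs:annotation>
+<xs:documentation>The identity field of the component which the evidence describes.</xs:documentation>
+</xs:annotation>
+</xs:element>
+<xs:element name="confidence" type="bom:decimalPercentType" minOccurs="0" maxOccurs="1">
+<xs:annotation>
+<xs:documentation>The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence.</xs:documentation>
+</xs:annotation>
+</xs:element>
+<xs:element name="methods" minOccurs="0" maxOccurs="1">
+<xs:annotation>
+<xs:documentation>The methods used to extract and/or analyze the evidence.</xs:documentation>
+</xs:annotation>
+<xs:complexType>
+<xs:sequence>
+<xs:element name="method" minOccurs="0" maxOccurs="unbounded">
+<xs:complexType>
+<xs:sequence>
+<xs:element name="technique" type="bom:evidenceTechnique" minOccurs="1" maxOccurs="1">
+<xs:annotation>
+<xs:documentation>The technique used in this method of analysis.</xs:documentation>
+</xs:annotation>
+</xs:element>
+<xs:element name="confidence" type="bom:decimalPercentType" minOccurs="1" maxOccurs="1">
+<xs:annotation>
+<xs:documentation>The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence.</xs:documentation>
+</xs:annotation>
+</xs:element>
+<xs:element name="value" type="xs:string" minOccurs="0" maxOccurs="1">
+<xs:annotation>
+<xs:documentation>The value or contents of the evidence.</xs:documentation>
+</xs:annotation>
+</xs:element>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="tools" minOccurs="0" maxOccurs="1">
+<xs:annotation>
+<xs:documentation>
+The object in the BOM identified by its bom-ref. This is often a component or service,
+but may be any object type supporting bom-refs. Tools used for analysis should already
+be defined in the BOM, either in the metadata/tools, components, or formulation.
+</xs:documentation>
+</xs:annotation>
+<xs:complexType>
+<xs:sequence>
+<xs:element name="tool" type="bom:bomReferenceType" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="occurrences" minOccurs="0" maxOccurs="1">
+<xs:annotation>
+<xs:documentation>Evidence of individual instances of a component spread across multiple locations.</xs:documentation>
+</xs:annotation>
+<xs:complexType>
+<xs:sequence>
+<xs:element name="occurrence" minOccurs="0" maxOccurs="unbounded">
+<xs:complexType>
+<xs:sequence>
+<xs:element name="location" minOccurs="1" maxOccurs="1">
+<xs:annotation>
+<xs:documentation>The location or path to where the component was found.</xs:documentation>
+</xs:annotation>
+</xs:element>
+</xs:sequence>
+<xs:attribute name="bom-ref" type="bom:refType">
+<xs:annotation>
+<xs:documentation>
+An optional identifier which can be used to reference the occurrence elsewhere
+in the BOM. Every bom-ref MUST be unique within the BOM.
+</xs:documentation>
+</xs:annotation>
+</xs:attribute>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
 <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/>
 <xs:element name="copyright" type="bom:copyrightsType" minOccurs="0" maxOccurs="1"/>
 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">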
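Review bot: The `location` element under `occurrence` has neither a `type` attribute nor an anonymous type, so it defaults to `xs:anyType` and accepts arbitrary child elements and attributes, whereas the JSON schema in this commit constrains `location` to a string; declare it as `<xs:element name="location" type="xs:string" minOccurs="1" maxOccurs="1">` so XML and JSON consumers validate the same shape. The seven `identityFieldType` enumeration values ship with placeholder `<xs:documentation>blah</xs:documentation>` text that doc generators will surface verbatim; each should get a one-line meaning of the field before release. `decimalPercentType` is a 0–1 fraction rather than a percentage, which the name invites readers to misapply (e.g. writing `90` for 90%); a short `<xs:documentation>` on the simpleType stating the 0–1 range would remove the ambiguity.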

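--- a/tools/src/test/resources/1.5/valid-evidence-1.5.json
+++ b/tools/src/test/resources/1.5/valid-evidence-1.5.json
@@ -19,6 +19,40 @@
 ],
 "purl": "pkg:maven/com.google.code.findbugs/[email protected]",
 "evidence": {
+"identity": {
+"field": "purl",
+"confidence": 1,
+"methods": [
+{
+"technique": "filename",
+"confidence": 0.1,
+"value": "findbugs-project-3.0.0.jar"
+},
+{
+"technique": "ast-fingerprint",
+"confidence": 0.9,
+"value": "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab"
+},
+{
+"technique": "hash-comparison",
+"confidence": 0.7,
+"value": "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf"
+}
+],
+"tools": [
+"bom-ref-of-tool-that-performed-analysis"
+]
+},
+"occurrences": [
+{
+"bom-ref": "d6bf237e-4e11-4713-9f62-56d18d5e2079",
+"location": "/path/to/component"
+},
+{
+"bom-ref": "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175",
+"location": "/another/path/to/component"
+}
+],
 "licenses": [
 {
 "license": {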
