[1.7] - Updates from CBOM working group - BREAKING CHANGES #657
Conversation
Signed-off-by: Steve Springett <[email protected]>
- Adds a few more algorithm - Converts urls to standards to doi links, where available. - Checks if urls work Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
- Adds a few more algorithm - Converts urls to standards to doi links, where available. - Checks if urls work ---- TODO / progress - [x] JSON schema - [ ] XML schema - [ ] ProtoBugf schema <!-- Thank you for taking the time to develop and contribute a core enhancement or fix for a defect! We kindly request that you create pull requests only for things that have been discussed in a ticket first; exceptions may be made for spelling or grammar fixes. Read more about the process here: https://cyclonedx.org/participate/standardization-process/#working-model Please have the related ticket/issue ID ready. If there is none, feel free to create a new ticket: https://github.com/CycloneDX/specification/issues/new/choose --> <!-- Please provide a brief description of what this pull request intends to do and which ticket it fixes/closes. Example: > As discussed in ticket #485, this PR adds Streebog to the hash algorithm enum. > > fixes #485 In case this is for a spelling or grammar improvement, please provide a brief description. Example: > Fixe typo: color(AE) -> colour(BE) -->
Signed-off-by: Basil Hess <[email protected]>
- Changes schma for crypto-defs to allow different variant patterns corresponding to different primitives - Adds "key-wrap" as a new primitive Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
- Extends cryptography-defs.json list with algorithms from PKCS11 - Changes schma for crypto-defs to allow different variant patterns corresponding to different primitives - Adds "key-wrap" as a new primitive
Signed-off-by: Nicklas Körtge <[email protected]>
{placeholder} -> required parameter with placeholder
(option1|option2) -> required parameter with fixed alternatives
[parameter] -> optional parameter
[-{placeholder}] -> optional paremeter with literal separator
Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
…phy-defs.schema.json
This PR will add a python script that can be used to generate an enum-object for the cyclonedx json schema that reflects algorithm families defined in `cryptography-defs.json`.
The following rules apply for the patterns:
{placeholder} -> required parameter with placeholder
(option1|option2) -> required parameter with fixed alternatives
[parameter] -> optional parameter
[-{placeholder}] -> optional parameter with literal separator
<!--
Thank you for taking the time to develop and contribute a core
enhancement or fix for a defect!
We kindly request that you create pull requests only for things that
have been discussed in a ticket first; exceptions may be made for
spelling or grammar fixes.
Read more about the process here:
https://cyclonedx.org/participate/standardization-process/#working-model
Please have the related ticket/issue ID ready.
If there is none, feel free to create a new ticket:
https://github.com/CycloneDX/specification/issues/new/choose
-->
<!--
Please provide a brief description of what this pull request intends to
do and which ticket it fixes/closes.
Example:
> As discussed in ticket #485, this PR adds Streebog to the hash
algorithm enum.
>
> fixes #485
In case this is for a spelling or grammar improvement, please provide a
brief description.
Example:
> Fixe typo: color(AE) -> colour(BE)
-->
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Nicklas Körtge <[email protected]>
Signed-off-by: Nicklas Körtge <[email protected]>
This PR further extends the list of algorithms in cryptography-defs.json. <!-- Thank you for taking the time to develop and contribute a core enhancement or fix for a defect! We kindly request that you create pull requests only for things that have been discussed in a ticket first; exceptions may be made for spelling or grammar fixes. Read more about the process here: https://cyclonedx.org/participate/standardization-process/#working-model Please have the related ticket/issue ID ready. If there is none, feel free to create a new ticket: https://github.com/CycloneDX/specification/issues/new/choose --> <!-- Please provide a brief description of what this pull request intends to do and which ticket it fixes/closes. Example: > As discussed in ticket #485, this PR adds Streebog to the hash algorithm enum. > > fixes #485 In case this is for a spelling or grammar improvement, please provide a brief description. Example: > Fixe typo: color(AE) -> colour(BE) -->
Signed-off-by: Jan Kowalleck <[email protected]>
| @@ -7387,28 +7887,28 @@ limitations under the License. | |||
| </xs:annotation> | |||
| <xs:complexType> | |||
| <xs:sequence> | |||
| <xs:element name="encr" type="bom:refType" minOccurs="0" maxOccurs="unbounded"> | |||
There was a problem hiding this comment.
Incompatible change of types, from simple string to complex type.
❌ this is a breaking change
| <xs:annotation> | ||
| <xs:documentation> | ||
| Transform Type 1: encryption algorithms | ||
| </xs:documentation> | ||
| </xs:annotation> | ||
| </xs:element> | ||
| <xs:element name="prf" type="bom:refType" minOccurs="0" maxOccurs="unbounded"> |
There was a problem hiding this comment.
Incompatible change of types, from simple string to complex type.
❌ this is a breaking change
| <xs:annotation> | ||
| <xs:documentation> | ||
| Transform Type 2: pseudorandom functions | ||
| </xs:documentation> | ||
| </xs:annotation> | ||
| </xs:element> | ||
| <xs:element name="integ" type="bom:refType" minOccurs="0" maxOccurs="unbounded"> |
There was a problem hiding this comment.
Incompatible change of types, from simple string to complex type.
❌ this is a breaking change
| <xs:annotation> | ||
| <xs:documentation> | ||
| Transform Type 3: integrity algorithms | ||
| </xs:documentation> | ||
| </xs:annotation> | ||
| </xs:element> | ||
| <xs:element name="ke" type="bom:refType" minOccurs="0" maxOccurs="unbounded"> |
There was a problem hiding this comment.
Incompatible change of types, from simple string to complex type.
❌ this is a breaking change
| @@ -7422,7 +7922,7 @@ limitations under the License. | |||
| </xs:documentation> | |||
| </xs:annotation> | |||
| </xs:element> | |||
| <xs:element name="auth" type="bom:refType" minOccurs="0" maxOccurs="unbounded"> | |||
There was a problem hiding this comment.
incompatible change of types.
❌ this is a breaking change
Signed-off-by: Jan Kowalleck <[email protected]>
| } | ||
|
|
||
| // IKEv2 Transform Types | ||
| message Ikev2TransformTypes { | ||
| // Transform Type 1: encryption algorithms | ||
| repeated string encr = 1; |
There was a problem hiding this comment.
was a string, became a message.
❌ this is a breaking change.
| // Transform Type 2: pseudorandom functions | ||
| repeated string prf = 2; |
There was a problem hiding this comment.
was a string, became a message.
❌ this is a breaking change.
| // Transform Type 3: integrity algorithms | ||
| repeated string integ = 3; |
There was a problem hiding this comment.
was a string, became a message.
❌ this is a breaking change.
| // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) | ||
| repeated string ke = 4; |
There was a problem hiding this comment.
was a string, became a message.
❌ this is a breaking change.
| // Specifies if an Extended Sequence Number (ESN) is used. | ||
| optional bool esn = 5; | ||
| // IKEv2 Authentication method | ||
| repeated string auth = 6; |
There was a problem hiding this comment.
was a string, became a message.
❌ this is a breaking change.
|
did a review of the practical changes. I'd veto this PR as is. Furthermore, I set it to "draft" state the current state MUST NOT be merged in its current state. PS: if you could revert those breaking changes, and mark the respective elements as deprecate, and put new ones next them, that would be great. pseudo example: {
"protocolProperties": {
"properties": {
"auth": {
"deprecated": true,
"description": "DEPRECATED ... use `@.auth-1.7`"
/* revert your changes */
},
"auth-1.7": { /* your new stuff here */ }
}
}
}Ooooor you could revert all the small structural changes you made, and simply add a whole new data structure while deprecating the old one. pseudo example: {
"cryptoProperties": { "properties" {
"protocolProperties": {
"deprecated": true,
"description": "DEPRECATED ... use `@.protocolProperties-1.7`"
/* revert your changes */
},
"protocolProperties-1.7": { /* the new stuff ... */ }
} }
} |
jkowalleck
changed the title
|
IMO, we cannot wait until 2.0 to fix what is broken and unusable today. |
broken by design - yes. there are clearly options to fix this in a non-breaking backwards-compatible way. the most important thing is, that the spec itself has breaking changes: a thing that was a string becomes a complex structure, now. and so do the implementations(JSON/XML/BP). |
…ition of one. Each JOSE component (tokens, algorithms, etc) can be represented as individual components within the CBOM. Signed-off-by: Steve Springett <[email protected]>
…ition of one. Each JOSE component (tokens, algorithms, etc) can be represented as individual components within the CBOM. Signed-off-by: Steve Springett <[email protected]>
Signed-off-by: Steve Springett <[email protected]>
|
@jkowalleck The broken behavior was re-added to XML and JSON. Lets get this merged. |
|
Still reviewing the changes . Sorry, this takes some time. |
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
force-pushed
the
1.7-dev-cryptography
branch
from
6ed75da to
b9423d7
Compare
Background: Some people from the community approached me last year, and they complained about unexpected breaking changes in the CycloneDX PB schema - which basically rendered all their efforts for interoperability useless. |
|
@stevespringett , what do you think about #677 ? this will remove any breaking changes in the PB implementations. |
There was a problem hiding this comment.
remove the word "optional" where possible. the information which fields are optional are clearly visible in the schema.
see #649 (comment) and #616 (comment)
Co-authored-by: Jan Kowalleck <[email protected]> Signed-off-by: Steve Springett <[email protected]>
Co-authored-by: Jan Kowalleck <[email protected]> Signed-off-by: Steve Springett <[email protected]>
Co-authored-by: Jan Kowalleck <[email protected]> Signed-off-by: Steve Springett <[email protected]>
The cryptography working group has received feedback from real-world usage and have made some minor enhancements to the CBOM specificaiton.
Closes #569
RFC notice sent 2025-07-26
This RFC will be open for 4 weeks. At the end of the RFC period the CycloneDX community will vote, by lazy consensus, to accept or reject the proposal.
RFC period end: 2025-08-23
TODO/DONE