
Need option to provide custom authors and metadata in the SBOM file #654

Closed
visagansanthanam-unisys opened this issue Oct 20, 2023 · 7 comments

Comments

@visagansanthanam-unisys
Contributor

In the current scenario, when an SBOM is generated, it has the author information as part of the metadata.

    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:cc528122-f3f3-4ded-b51d-8e75214895e5",
    "version": 1,
    "metadata": {
        "timestamp": "2023-10-13T02:54:48.880Z",
        "tools": [
            {
                "vendor": "cyclonedx",
                "name": "cdxgen",
                "version": "9.3.2"
            }
        ],
        "authors": [
            {
                "name": "Prabhu Subramanian",
                "email": "prabhu@appthreat.com"
            }
        ]
    },

The default author details can be part of the tools section itself, as shown below, since the author mentioned is the author of the tool used and not of the SBOM itself.

    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:cc528122-f3f3-4ded-b51d-8e75214895e5",
    "version": 1,
    "metadata": {
        "timestamp": "2023-10-13T02:54:48.880Z",
        "tools": [
            {
                "vendor": "cyclonedx",
                "name": "cdxgen",
                "version": "9.3.2"
            },
            {
                "authors": [
                    {
                        "name": "Prabhu Subramanian",
                        "email": "prabhu@appthreat.com"
                    }
                ]
            }
        ]
    },

And there should be an option to provide key-value-pair-based custom metadata, which can be used to add details like the author, product owner, release data, etc.

    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:cc528122-f3f3-4ded-b51d-8e75214895e5",
    "version": 1,
    "metadata": {
        "timestamp": "2023-10-13T02:54:48.880Z",
        "tools": [
            {
                "vendor": "cyclonedx",
                "name": "cdxgen",
                "version": "9.3.2"
            },
            {
                "authors": [
                    {
                        "name": "Prabhu Subramanian",
                        "email": "prabhu@appthreat.com"
                    }
                ]
            }
        ],
        "custom": [
            {
                "Owner": "XYZ",
                "PO": "abe@sample.com"
            }
        ]
    },
@prabhu
Collaborator

prabhu commented Oct 20, 2023

@visagansanthanam-unisys, the idea behind the default author is to show the default conditions - that the BOM was not manually edited. If your intention is to manually edit and make changes, you can change the author or add to the same array. Or, if you have built automation to enhance the BOM, then the information about the automation tool and its author can be appended in the same way, so there is a history.

In the future we can add multi signing and start establishing layers of trust beginning with the tool author.

@troy256

troy256 commented Oct 20, 2023

@prabhu
It might be better to nest the author information underneath the tool, so it's clear that you are the author of the tool and not the SBOM itself. Perhaps like this:

"tools": [
    {
        "vendor": "cyclonedx",
        "name": "cdxgen",
        "version": "9.3.2",
        "authors": [
            {
                "name": "Prabhu Subramanian",
                "email": "prabhu@appthreat.com"
            }
        ]
    }
]

@prabhu
Collaborator

prabhu commented Oct 20, 2023

@troy256, this indeed is possible now that metadata.tools support components.author. 1.4 doesn't have support for the tool author.

prabhu mentioned this issue Oct 22, 2023
@prabhu
Collaborator

prabhu commented Oct 23, 2023

@troy256 @visagansanthanam-unisys could you kindly test the PR branch #660 and let me know how it looks?

@visagansanthanam-unisys
Contributor Author

@prabhu, can you share the documentation on the steps to pass the author information?

@troy256

@troy256

troy256 commented Oct 24, 2023

@prabhu
I tested with 9.9.0 since it has PR branch #660.

Using the --author parameter to cdxgen I confirm that I can now insert 1 or more authors into the BOM and that we get a nice block under tools showing it was built with cdxgen and the level of cdxgen:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c97179c4-0f17-484c-a567-d4c994c8cc07",
  "version": 1,
  "metadata": {
    "timestamp": "2023-10-24T17:54:46.894Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "9.9.0",
          "purl": "pkg:npm/%40cyclonedx/cdxgen@9.9.0",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/cdxgen@9.9.0",
          "author": "OWASP Foundation",
          "publisher": "OWASP Foundation"
        }
      ]
    },
    "authors": [
      {
        "name": "Company XYZ"
      },
      {
        "name": "Platform Engineering Team"
      }
    ]
  },
  "components": [],
  "services": [],
  "dependencies": []
}
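As an added example (not cdxgen's code, nor code posted by anyone in this thread), here is a small Node.js script that reads the metadata block of a CycloneDX BOM like the one above and keeps tool authorship and BOM authorship apart. It handles both the spec 1.4 shape from the opening post (metadata.tools is an array of vendor/name/version entries with no author field) and the spec 1.5 shape shown here (metadata.tools.components with an author per tool), applies the append-to-the-same-array approach the maintainer describes, and uses CycloneDX's own metadata.properties (name/value pairs, part of the spec since 1.3) for the key/value metadata the opening post asks for. The two sample BOMs, the "enricher" tool and the property names are constructed for this example.

```javascript
// Added example, not part of cdxgen: inspect and extend the CycloneDX metadata
// block so that tool authorship and BOM authorship stay separate.
// Handles both shapes seen in this thread: spec 1.4, where metadata.tools is an
// array of {vendor, name, version} with no author field, and spec 1.5, where
// metadata.tools.components carries an author per tool.

// Constructed sample, modelled on the cdxgen 9.9.0 output posted above.
const SAMPLE_BOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  serialNumber: "urn:uuid:c97179c4-0f17-484c-a567-d4c994c8cc07",
  version: 1,
  metadata: {
    timestamp: "2023-10-24T17:54:46.894Z",
    tools: {
      components: [{
        group: "@cyclonedx", name: "cdxgen", version: "9.9.0",
        purl: "pkg:npm/%40cyclonedx/cdxgen@9.9.0", type: "application",
        "bom-ref": "pkg:npm/@cyclonedx/cdxgen@9.9.0",
        author: "OWASP Foundation", publisher: "OWASP Foundation",
      }],
    },
    authors: [{ name: "Company XYZ" }, { name: "Platform Engineering Team" }],
  },
  components: [], services: [], dependencies: [],
};

// Constructed spec 1.4 sample in the shape of the first BOM in the thread.
const LEGACY_BOM = {
  bomFormat: "CycloneDX", specVersion: "1.4", version: 1,
  metadata: {
    tools: [{ vendor: "cyclonedx", name: "cdxgen", version: "9.3.2" }],
    authors: [{ name: "Prabhu Subramanian", email: "prabhu@appthreat.com" }],
  },
};

// Normalise both tools shapes into [{name, version, author|null}].
function listTools(bom) {
  const tools = (bom.metadata && bom.metadata.tools) || [];
  const entries = Array.isArray(tools) ? tools : tools.components || [];
  return entries.map((t) => ({ name: t.name, version: t.version, author: t.author || null }));
}

function listBomAuthors(bom) {
  return ((bom.metadata && bom.metadata.authors) || []).map((a) => a.name);
}

// Provenance check. Returns a list of findings (empty means "looks claimed"):
// a BOM with no authors, or whose authors are just the tool's author, is still
// in the default, unedited state the maintainer describes above. A 1.4 tool
// entry cannot declare its author at all, which is reported as its own finding.
function checkProvenance(bom) {
  const findings = [];
  const tools = listTools(bom);
  for (const t of tools) {
    if (!t.author) findings.push(`tool ${t.name} declares no author (pre-1.5 tools shape)`);
  }
  const toolAuthors = new Set(tools.map((t) => t.author).filter(Boolean));
  const bomAuthors = listBomAuthors(bom);
  if (bomAuthors.length === 0) findings.push("no BOM authors declared");
  for (const a of bomAuthors) {
    if (toolAuthors.has(a)) findings.push(`BOM author "${a}" is also a tool author`);
  }
  return findings;
}

// Append BOM authors without dropping the ones already present (keeps history).
function addBomAuthors(bom, names) {
  const authors = (bom.metadata.authors = bom.metadata.authors || []);
  for (const name of names) {
    if (!authors.some((a) => a.name === name)) authors.push({ name });
  }
  return listBomAuthors(bom);
}

// Record an enrichment/automation tool next to the generator so the chain of
// tools that touched the BOM stays visible. In 1.4 there is no author slot,
// so only vendor/name/version can be stored there.
function appendTool(bom, tool) {
  const md = bom.metadata;
  if (Array.isArray(md.tools)) {
    md.tools.push({ vendor: tool.vendor, name: tool.name, version: tool.version });
  } else {
    md.tools = md.tools || { components: [] };
    md.tools.components.push({ type: "application", name: tool.name, version: tool.version, author: tool.author });
  }
  return listTools(bom);
}

// Key/value metadata: CycloneDX already models this as metadata.properties,
// an array of {name, value} pairs, rather than a free-form "custom" object.
function setMetadataProperty(bom, name, value) {
  const props = (bom.metadata.properties = bom.metadata.properties || []);
  const hit = props.find((p) => p.name === name);
  if (hit) hit.value = value; else props.push({ name, value });
  return props.map((p) => `${p.name}=${p.value}`);
}

// Deep copy so that the samples above are not mutated by callers.
const clone = (bom) => JSON.parse(JSON.stringify(bom));

console.log("cdxgen 9.9.0 sample:", checkProvenance(SAMPLE_BOM));
console.log("spec 1.4 sample:", checkProvenance(LEGACY_BOM));
```

Run it with node; the 1.5 sample produces no findings because the tool author (OWASP Foundation) and the BOM authors passed via --author are distinct, while the 1.4 sample is flagged only because its tool entry has nowhere to state an author, which is exactly the gap the spec 1.5 tools.components shape closes.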

prabhu closed this as completed Oct 24, 2023
@prabhu
Collaborator

prabhu commented Oct 24, 2023

@troy256, authors can be passed via environment variables and config files, too.
