Skip to content

[FEATURE]: Include TLP marking in metadata #595

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
anthonyharrison opened this issue Feb 10, 2025 · 5 comments · Fixed by #604 · May be fixed by #511
Closed

[FEATURE]: Include TLP marking in metadata #595

anthonyharrison opened this issue Feb 10, 2025 · 5 comments · Fixed by #604 · May be fixed by #511
Assignees
@anthonyharrison
Labels
promote to tc54 Promote to Ecma Technical Committee 54 proposed core enhancement RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration RFC vote accepted tc54 accepted Ecma TC54 has accepted the feature candidate
Milestone
1.7

Comments

@anthonyharrison
Copy link

Describe the feature

xBOMs can contain information which the creator may consider sensitive and may wish to ensure that the xBOM is only shared with an appropriate audience. For example an SBOM may indicate the version of a component which is known to be vulnerable; the creator may not want that information to be widely known

Possible solutions

The Traffic Light Protocol (TLP) (see here) is a standard way of indicating how sensitive information be shared. CISA adopted Version 2.0 of the FIRST standard on November 1, 2022, By including a TLP property as part of the document metadata, the sharing conditions will be clearly defined.

Alternatives

Sharing artifacts such as xBOMs could be controlled by contractual means; however whilst this can work, there is nothing within the xBOM to indicate if the xBOM is subject to some restrictions as regards sharing. By explicitly including the sharing restrictions, there is no ambiqguity.

Additional context

The [CSAF standard (https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html)for sharing vulnerability information already includes TLP proerty.
@jkowalleck
Copy link
Member

@anthonyharrison is this something you would like to actively work on?

@jkowalleck
Copy link
Member

Sharing artifacts such as xBOMs could be controlled by contractual means; however whilst this can work, there is nothing within the xBOM to indicate if the xBOM is subject to some restrictions as regards sharing.

I thought this is what $.metadata.licenses was for. https://cyclonedx.org/docs/1.6/json/#metadata_licenses

The license information for the BOM document.
This may be different from the license(s) of the component(s) that the BOM describes.

@anthonyharrison
Copy link
Author

@jkowalleck TLP is independent of the licence information of the component. I am particularly thinking of cases where the product contains a mixture of opens source and proprietary information and the proprietary information (and existence of) needs top be carefully controlled. Clearly the default is TLP: Clear (no restriction) but I am seeing use cases where this is not appropriate and having something explicitly included would be a great help.

Happy to be involved in making this work.

@jkowalleck
Copy link
Member

I will assign this topic to you, then, @anthonyharrison .

Feel free to organize with your peers, and work on a prototype for it.

@anthonyharrison anthonyharrison mentioned this issue Feb 22, 2025
Closed
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Feb 22, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata (fixes CycloneDX#595)
2d456e1
@anthonyharrison anthonyharrison mentioned this issue Feb 22, 2025
Merged
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Feb 22, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata (fixes CycloneDX#595)
5d5201f 
Signed-off-by: anthonyharrison <[email protected]>
@jkowalleck jkowalleck linked a pull request Feb 22, 2025 that will close this issue
feat: Add support for TLP marking in metadata #604
Merged
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Feb 23, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata (fixes CycloneDX#595)
e7f1f82
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Feb 23, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata (fixes CycloneDX#595)
1972085 
Signed-off-by: anthonyharrison <[email protected]>
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Feb 23, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata (fixes CycloneDX#595)
1fd2561 
Signed-off-by: anthonyharrison <[email protected]>
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Feb 23, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata - fix protobuf enum (fixes
a767891 
 CycloneDX#595)
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Feb 23, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata (fixes CycloneDX#595)
1962322 
Signed-off-by: anthonyharrison <[email protected]>
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Feb 23, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata (fixes CycloneDX#595)
925f5f9 
Signed-off-by: anthonyharrison <[email protected]>
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Feb 23, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata - fix protobuf enum (fixes
55425e5 
 CycloneDX#595)

Signed-off-by: anthonyharrison <[email protected]>
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Feb 23, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata - add default values an…
d3d243f 
…d documentation (fixes CycloneDX#595)

Signed-off-by: anthonyharrison <[email protected]>
@jkowalleck jkowalleck added this to the 1.7 milestone Feb 24, 2025
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Mar 6, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata - correct TLP descripti…
3da8e47 
…on (fixes CycloneDX#595)

Signed-off-by: anthonyharrison <[email protected]>
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Mar 6, 2025
@anthonyharrison
feat: Add support for TLP marking in metadata - correct TLP descripti…
ed5fa84 
…on (fixes CycloneDX#595)

Signed-off-by: anthonyharrison <[email protected]>
@jkowalleck jkowalleck added the RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration label Mar 16, 2025
@jkowalleck jkowalleck added RFC vote accepted promote to tc54 Promote to Ecma Technical Committee 54 labels Apr 14, 2025
jkowalleck added a commit that referenced this issue Jun 5, 2025
@jkowalleck
feat: Add support for TLP marking in metadata (#604)
a9122e8 
As discussed in ticket #595, this PR adds TLP marking in the BOM
metadata.

This PR superseeds #603

fixes #595
@jkowalleck jkowalleck mentioned this issue Jun 5, 2025
Draft
@jkowalleck jkowalleck added the tc54 accepted Ecma TC54 has accepted the feature candidate label Jun 5, 2025
@jkowalleck
Copy link
Member

jkowalleck commented Jun 5, 2025
edited
Loading

Ecma TC54 accepted the solution - merged to 1.7 🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@anthonyharrison anthonyharrison

Labels
promote to tc54 Promote to Ecma Technical Committee 54 proposed core enhancement RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration RFC vote accepted tc54 accepted Ecma TC54 has accepted the feature candidate
Projects
None yet
Milestone
1.7
2 participants
@jkowalleck @anthonyharrison