Description
Describe the feature
xBOMs can contain information which the creator considers sensitive, and the creator may wish to ensure that the xBOM is only shared with an appropriate audience. For example, an SBOM may reveal that a product ships a component version which is known to be vulnerable; the creator may not want that information to be widely known before a fix is available.
Possible solutions
The Traffic Light Protocol (TLP) (see https://www.first.org/tlp/) is a standard way of indicating how sensitive information may be shared. CISA adopted Version 2.0 of the FIRST standard on November 1, 2022. By including a TLP property as part of the document metadata, the sharing conditions travel with the xBOM and are clearly defined for every recipient.
Alternatives
Sharing artifacts such as xBOMs could be controlled by contractual means; however, whilst this can work, there is nothing within the xBOM itself to indicate whether it is subject to any restrictions on sharing, so a recipient who received it without the contract has no way to know. By explicitly including the sharing restrictions in the document, there is no ambiguity.
Additional context
The [CSAF standard](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html) for sharing vulnerability information already includes a TLP property (`document.distribution.tlp.label`).
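To make the proposal above concrete, here is an added example (not code from this project, and not part of the original issue) of a TLP-aware sharing check that reads the marking from either a CSAF document's existing `document.distribution.tlp.label` field or from a CycloneDX-style `metadata.properties` entry named `tlp`; that property name is an assumption for the example, not a field defined by any BOM specification. The sharing rules encode the five TLP 2.0 labels, CSAF's TLP 1.0 `WHITE` is normalised to `CLEAR`, and an xBOM with no marking at all is refused rather than silently treated as shareable, which is exactly the ambiguity the issue wants to remove. The sample documents are constructed for this example.

```python
from typing import Optional

# TLP 2.0 (FIRST): for each label, the audiences a recipient may pass the
# document on to. Audiences are relative to the party that received it.
#   recipient    - only the individual(s) it was disclosed to
#   organization - anyone within the recipient's own organisation
#   client       - the recipient's clients/customers (need-to-know)
#   community    - peers and partner organisations within the sector
#   public       - anyone, including publicly accessible channels
ALLOWED = {
    "RED":          {"recipient"},
    "AMBER+STRICT": {"recipient", "organization"},
    "AMBER":        {"recipient", "organization", "client"},
    "GREEN":        {"recipient", "organization", "client", "community"},
    "CLEAR":        {"recipient", "organization", "client", "community", "public"},
}
AUDIENCES = frozenset(ALLOWED["CLEAR"])

# CSAF 2.0 still uses the TLP 1.0 label WHITE where TLP 2.0 says CLEAR.
LABEL_ALIASES = {"WHITE": "CLEAR"}

# Constructed sample: a CycloneDX-style SBOM carrying an (assumed) "tlp"
# metadata property. Component data is illustrative only.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "properties": [{"name": "tlp", "value": "amber"}],
    },
    "components": [{"type": "library", "name": "example-lib", "version": "1.0.0"}],
}

# Constructed sample: the relevant slice of a CSAF 2.0 document. The
# distribution/tlp/label path is a real CSAF field.
SAMPLE_CSAF = {
    "document": {
        "category": "csaf_security_advisory",
        "distribution": {"tlp": {"label": "RED"}},
    }
}


def tlp_label(doc: dict) -> Optional[str]:
    """Return the document's normalised TLP label, or None if it has none."""
    # CSAF 2.0 location first.
    label = (doc.get("document", {}).get("distribution", {})
                .get("tlp", {}).get("label"))
    if label is None:
        # CycloneDX-style BOM: metadata property named "tlp" (assumed name).
        for prop in doc.get("metadata", {}).get("properties", []):
            if prop.get("name") == "tlp":
                label = prop.get("value")
                break
    if label is None:
        return None
    label = str(label).strip().upper()
    return LABEL_ALIASES.get(label, label)


def may_share(doc: dict, audience: str) -> bool:
    """True if the document's TLP marking permits passing it to `audience`."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience {audience!r}")
    label = tlp_label(doc)
    if label is None:
        # Fail closed: an unmarked xBOM has undefined sharing conditions.
        raise ValueError("document carries no TLP marking; refusing to share")
    if label not in ALLOWED:
        raise ValueError(f"unrecognised TLP label {label!r}")
    return audience in ALLOWED[label]


def mark(bom: dict, label: str) -> dict:
    """Attach (or replace) the assumed "tlp" property on a BOM's metadata."""
    label = label.strip().upper()
    if label not in ALLOWED:
        raise ValueError(f"unrecognised TLP label {label!r}")
    props = bom.setdefault("metadata", {}).setdefault("properties", [])
    props[:] = [p for p in props if p.get("name") != "tlp"]
    props.append({"name": "tlp", "value": label})
    return bom


if __name__ == "__main__":
    for name, doc in (("sbom", SAMPLE_SBOM), ("csaf", SAMPLE_CSAF)):
        print(name, tlp_label(doc),
              {a: may_share(doc, a) for a in sorted(AUDIENCES)})
```

The check is deliberately a pure function over the document so it can sit in front of whatever distributes the xBOM (a portal, a mailer, a repository hook); the only policy decision worth debating is the fail-closed handling of an absent label, which is what motivates putting the marking inside the document in the first place.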