Skip to content

DRAFT - docs: adding hashes and fields #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
idunbarh wants to merge 3 commits into
base: main
Choose a base branch
from
Open

DRAFT - docs: adding hashes and fields #26

idunbarh wants to merge 3 commits into from

Conversation

@idunbarh
Copy link
Collaborator

@idunbarh idunbarh commented Jun 26, 2024

No description provided.

idunbarh added 3 commits June 26, 2024 08:03
@idunbarh
docs: adding hashes and fields
35765b2 
Signed-off-by: Ian Dunbar-Hall <ian.dunbar-hall@lmco.com>
@idunbarh
docs: adding annotations fields to specification
4a85ac8 
Signed-off-by: Ian Dunbar-Hall <ian.dunbar-hall@lmco.com>
@idunbarh
fixing heading numbering
0bef1f4 
Signed-off-by: Ian Dunbar-Hall <ian.dunbar-hall@lmco.com>
idunbarh
idunbarh commented Jul 10, 2024
View reviewed changes
specification.md
* A comma separate list without spaces of urls to attestations
* Example: `sbomit:attestation:urls`: `https://search.sigstore.dev/?uuid=24296fb24b8ad77a015df1bc74d136caf352a8e23c12eda8fd1c89f10d49a31aa1a239c70de3996e,https://search.sigstore.dev/?logIndex=94408136`
* `sbomit:attestation:contents`
* A comma separate list without spaces of base64 encoded attestations
Copy link
Collaborator Author

@idunbarh idunbarh Jul 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add VSA as a separate annotation in the taxonomy.

specification.md

CycloneDX has support for hashes in sha256 for versions `1.2` - `latest`. The declared `alg` needs to be `SHA-256` and the `content` needs be the sha256 content of the component. This checksum must match the hashes used in the in-toto link attestations.

* `metadata.component.hashes[]`
Copy link
Collaborator Author

@idunbarh idunbarh Jul 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generalize this section to be any secure hash (ideally multiple hashes), but atleast one of the hash alg need to be used consistently in the SBOM and in-toto attestations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@idunbarh