Skip to content

feat: Add support for TLP marking in metadata #604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Jun 5, 2025
Merged

feat: Add support for TLP marking in metadata #604

merged 11 commits into from
Jun 5, 2025

Conversation

@anthonyharrison
Copy link
Contributor

@anthonyharrison anthonyharrison commented Feb 22, 2025
edited by jkowalleck
Loading

As discussed in ticket #595, this PR adds TLP marking in the BOM metadata.

This PR superseeds #603

fixes #595

@anthonyharrison anthonyharrison requested a review from a team as a code owner February 22, 2025 20:50
@jkowalleck jkowalleck linked an issue Feb 22, 2025 that may be closed by this pull request
[FEATURE]: Include TLP marking in metadata #595
Closed
@jkowalleck jkowalleck added this to the 1.7 milestone Feb 22, 2025
jkowalleck
jkowalleck requested changes Feb 23, 2025
View reviewed changes
Copy link
Member

@jkowalleck jkowalleck left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you add some documentation here and there, and properly set the default values?

@jkowalleck
Copy link
Member

jkowalleck commented Feb 23, 2025
edited
Loading

for backwards compatibility reasons, i would not set "CLEAR" as the default value.
I'd prefer a unset as default.

clean means a decision actively was made, right?

in JSON, this would mean no default is defined, and the property is optional.
in XML, this would mean no default is defined, and the element is optional.
in protobuf, this would mean adding a case TLP_UNSPECIFIED = 0;, and the field is optional.

@anthonyharrison
Copy link
Contributor Author

for backwards compatibility reasons, i would not set "CLEAR" as the default value. I'd prefer a unset as default.

clean means a decision actively was made, right?

in JSON, this would mean no default is defined, and the property is optional. in XML, this would mean no default is defined, and the element is optional. in protobuf, this would mean adding a case TLP_UNSPECIFIED = 0;, and the field is optional.

I see CLEAR as the default when the user makes no choice as the user is more likely to explicitly state one of the other values (which indicates that he has thought about the constraints as regards sharing the BOM). Personally, I would prefer to see all BOMs to have the TLP value explicitly stated but that is possibly too much to expect at this stage.

jkowalleck
jkowalleck reviewed Feb 24, 2025
View reviewed changes
@jkowalleck jkowalleck requested review from a team and jkowalleck February 24, 2025 15:29
jkowalleck
jkowalleck requested changes Mar 6, 2025
View reviewed changes
@jkowalleck
Copy link
Member

I'll try to fix the open issues ASAP

@jkowalleck
fixed schema and docs
98d888d 
Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck
tests: fix examples
dbd3c43 
Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
jkowalleck requested changes Mar 6, 2025
View reviewed changes
@jkowalleck
style fixes
636eb43 
Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck jkowalleck requested a review from a team March 6, 2025 10:35
@jkowalleck jkowalleck self-requested a review March 13, 2025 10:29
@jkowalleck
Copy link
Member

@anthonyharrison, the current state looks promising.

According to the CycloneDX working model, the next step would be to move from "prototype" to "draft", meaning the community review phase (RFC) would start.
Do you want to change anything, or should we move to RFC?

@anthonyharrison
Copy link
Contributor Author

@jkowalleck Let's go to the next stage and see what the community thinks. I have no outstanding changes.

@jkowalleck jkowalleck added draft RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration request for comment ready for review and removed prototype labels Mar 16, 2025
@jkowalleck
Copy link
Member

RFC notice sent.

Public RFC period ends April 13, 2025

@jkowalleck jkowalleck changed the title feat: Add support for TLP marking in metadata (fixes #595) feat: Add support for TLP marking in metadata Apr 14, 2025
@jkowalleck jkowalleck requested a review from a team April 14, 2025 06:56
@jkowalleck jkowalleck added promote to tc54 Promote to Ecma Technical Committee 54 RFC vote accepted labels Apr 14, 2025
prabhu
prabhu reviewed Apr 28, 2025
View reviewed changes
prabhu
prabhu reviewed Apr 28, 2025
View reviewed changes
@jkowalleck
Copy link
Member

All current discussuons are basically too late. Public RFC ended on 13. of April.

This feature is promoted to become standardized under Ecma. Vote will be on 1. May.

Please do not alter the current state last minute.
FYI : If you want to alter things, we will restart the month long RFC phase and then wait another month or so for Ecma.

@jkowalleck jkowalleck added the tc54 accepted Ecma TC54 has accepted the feature candidate label Jun 5, 2025
@jkowalleck
Copy link
Member

This feature was just appoved by Ecma TC54 👍

@jkowalleck jkowalleck merged commit a9122e8 into CycloneDX:1.7-dev Jun 5, 2025
9 checks passed
@jkowalleck jkowalleck mentioned this pull request Jun 5, 2025
Merged
stevespringett added a commit that referenced this pull request Oct 21, 2025
@stevespringett
v1.7 (#511)
11c0e00 
## Fixed

* XML schema: add type for `ComponentData` sub-elements ([#600] via
[#601])
* JSON schema: added the correct `deprecated` mark for already
deprecated structures (via [a973a6b])

## Deprecated

* Deprecated various fields and structures related to _cryptographic
transparency_ - _CBOM_ . (via [#657])
Use the newly added structures and fields for detailing the information
instead.

## Changed

* Extended the scope of _formulations_. (via [#647])
From now on, _formulations_ may be used to describe how any referencable
object within the BOM came together, including components, services,
metadata, declarations, or the BOM itself.
  Before, it was restricted to components and services.

## Added

* Support for _external components_ with _version-ranges_ ([#321] via
[#586])
* Support for _multiple_ SPDX License Expressions alongside with other
licenses ([#454] via [#582])
* Support for _Streebog hashing algorithm_ ([#485] via [#525])
* Support for license expression _details and properties_ ([#549],
[#554] via [#599])
* Support for expressing BOM distribution constraints with the _Traffic
Light Protocol_ (TLP) in metadata ([#595] via [#604], [#653])
* Support for representing _patent information_ ([#596] via [#597])
* Support for _properties_ on external-references ([#608] via [#610])
* Support for _citations_ ([#630] via [#629])
* Support for detailing _cryptographic transparency_ information -
_CBOM_ ([#569] via [#657])

## Documentation

* Elaborated component classification "platform", explicitly expressed
that it includes just-in-time compilers and interpreters ([#233] via
[#647])
* Removed the term "optional" from the schema where the definition was
already unambiguous ([#616], [#649] via [#680])

## Test data

* Add test data for CycloneDX 1.7 implementations in XML, JSON, Protobuf


[#233]: #233
[#321]: #321
[#454]: #454
[#485]: #485
[#525]: #525
[#549]: #549
[#554]: #554
[#569]: #569
[#582]: #582
[#586]: #586
[#595]: #595
[#596]: #596
[#597]: #597
[#599]: #599
[#600]: #600
[#601]: #601
[#604]: #604
[#608]: #608
[#610]: #610
[#616]: #616
[#629]: #629
[#630]: #630
[#647]: #647
[#649]: #649
[#653]: #653
[#657]: #657
[#680]: #680
[a973a6b]:
a973a6b

----

- fixes #233
- fixes #321
- fixes #454
- fixes #485
- fixes #549
- fixes #554
- fixes #595
- fixes #596
- fixes #600
- fixes #608
- fixes #629
- fixes #616 
- fixes #649
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkowalleck jkowalleck jkowalleck approved these changes

+1 more reviewer

@prabhu prabhu prabhu left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

draft promote to tc54 Promote to Ecma Technical Committee 54 proposed core enhancement ready for review request for comment RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration RFC vote accepted tc54 accepted Ecma TC54 has accepted the feature candidate

Projects

None yet

Milestone

1.7

Development

Successfully merging this pull request may close these issues.

[FEATURE]: Include TLP marking in metadata

3 participants

@anthonyharrison @jkowalleck @prabhu