CBOM: add custom fingerprints#903
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
RFC notice sent on May 04, 2026
Public RFC period ends June 01, 2026
| "additionalProperties": false, | ||
| "properties": { | ||
| "alg": { | ||
| "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm" |
Please add a title and description.
| "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm" | |
| "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm", | |
| "title": "Standard, well-known Fingerprint Algorithm", | |
| "description": "The standard, well-known algorithm used to compute the fingerprint." |
@bhess, if the title and description of the alg property differ from the title and description of the hashAlgorithm definition, we'll need a title and description here. If they are the same, there is no need for a title and description. Please confirm.
| "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm" | ||
| }, | ||
| "content": { | ||
| "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashValue" |
Please add a title and description.
| "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashValue" | |
| "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashValue", | |
| "title": "Standard, well-known Fingerprint Content", | |
| "description": "The value of the fingerprint computed using the standard, well-known algorithm." |
@bhess, if the title and description of the content property differ from the title and description of the hashValue definition, we'll need a title and description here. If they are the same, there is no need for a title and description. Please confirm.
| "title": "Fingerprint", | ||
| "description": "The fingerprint is a cryptographic hash of the asset.", | ||
| "oneOf": [ | ||
| { |
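Review bot: the description on the new fingerprint definition, "The fingerprint is a cryptographic hash of the asset.", only covers the standard branch; since the oneOf that follows also admits the customAlg + customContent branch listed in the PR summary, widen it to say the fingerprint is either a standard hash (alg + content) or a fingerprint computed with a custom algorithm (customAlg + customContent), so consumers are not misled about what the custom branch may contain.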
This data structure looks pretty much like cyclonedx-common-2.0.schema.json#$defs/hash.
To prevent any confusion, we should add narrow titles/descriptions to cyclonedx-common-2.0.schema.json#$defs/hash/properties/alg and cyclonedx-common-2.0.schema.json#$defs/hash/properties/content
Something like:
{
  // cyclonedx-common-2.0.schema.json#$defs
  "hash": {
    "type": "object",
    "title": "Hash",
    "required": [
      "alg",
      "content"
    ],
    "additionalProperties": false,
    "properties": {
      "alg": {
        "$ref": "#/$defs/hashAlgorithm",
        "title": "Hash algorithm",
        "description": "Standard, well-known algorithm used to compute the hash"
      },
      "content": {
        "$ref": "#/$defs/hashValue",
        "title": "Hash value",
        "description": "The value of the hash computed using the standard, well-known algorithm"
      }
    }
  }
}
Agreed. I will need to check to see if those are in place or not.
Just some remarks on the schema docs.
Extend the fingerprint definition in cyclonedx-cryptography-2.0.schema.json to support custom fingerprint algorithms alongside standard hash algorithms.

Changes
- Replace $ref: hash on certificateProperties.fingerprint and relatedCryptoMaterialProperties.fingerprint with a single central $defs/fingerprint definition
- $defs/fingerprint uses oneOf with two branches:
  - alg + content (refs to existing hashAlgorithm / hashValue); fully backward compatible
  - customAlg + customContent for non-standard algorithms

Backward Compatibility
Existing documents with {"alg": "SHA-256", "content": "..."} satisfy the Standard Hash branch unchanged.
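The oneOf shape the summary describes, checked by a small stand-alone validator over constructed fingerprint objects; this is an added example, not code from the PR or from the CycloneDX project. The hashAlgorithm enum and hashValue pattern are assumed from CycloneDX 1.x (not confirmed for 2.0), and the custom branch is assumed to take two non-empty strings.

```python
import re

# Added example: a minimal validator mirroring the oneOf shape of $defs/fingerprint
# described in this PR. The hashAlgorithm enum and hashValue pattern below are
# assumed from CycloneDX 1.x (not confirmed for 2.0); the custom branch is
# assumed to take two non-empty strings.
HASH_ALGORITHMS = {"MD5", "SHA-1", "SHA-256", "SHA-384", "SHA-512",
                   "SHA3-256", "SHA3-384", "SHA3-512",
                   "BLAKE2b-256", "BLAKE2b-384", "BLAKE2b-512", "BLAKE3"}
HASH_VALUE = re.compile(r"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}"
                        r"|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$")

def _standard_branch(fp):
    """alg + content: required keys, additionalProperties false, enum + pattern."""
    if set(fp) != {"alg", "content"}:
        return False
    return fp["alg"] in HASH_ALGORITHMS and bool(HASH_VALUE.match(str(fp["content"])))

def _custom_branch(fp):
    """customAlg + customContent: required keys, additionalProperties false."""
    if set(fp) != {"customAlg", "customContent"}:
        return False
    return all(isinstance(fp[k], str) and fp[k] for k in fp)

def validate_fingerprint(fp):
    """oneOf semantics: exactly one branch must match. Returns (ok, detail)."""
    if not isinstance(fp, dict):
        return False, "not an object"
    matched = [name for name, check in (("standard", _standard_branch),
                                        ("custom", _custom_branch)) if check(fp)]
    if len(matched) == 1:
        return True, matched[0]
    return False, "matched %d of 2 oneOf branches" % len(matched)

# Constructed sample documents (not taken from any real CBOM).
SAMPLES = {
    "legacy": {"alg": "SHA-256",
               "content": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "custom": {"customAlg": "vendor-fp-v1", "customContent": "zz9:example"},
    "mixed": {"alg": "SHA-256", "content": "00" * 32,          # keys from both branches
              "customAlg": "vendor-fp-v1", "customContent": "zz9:example"},
    "bad_hex": {"alg": "SHA-256", "content": "not-a-hex-digest"},
    "unknown_alg": {"alg": "SHA-2048", "content": "00" * 32},
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, validate_fingerprint(doc))
```

A document that mixes keys from both branches matches neither (each branch sets additionalProperties to false), so oneOf rejects it rather than silently picking one.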