advisories update

This commit is contained in:
StellaOps Bot
2025-11-23 17:18:17 +02:00
parent 7768555f2d
commit c3ce1ebc25
25 changed files with 16553 additions and 10646 deletions


@@ -0,0 +1,34 @@
Heres a quick, concrete proposal to **lock in a stable SBOM model for StellaOps**: use **SPDX3.0.1** as your canonical persistence schema and **CycloneDX1.6** as the interchange “view,” bridged by a deterministic transform.
**Why this pairing**
* **SPDX3.0.1** gives you a rigorous, profilebased data model (Core/Security/AI/Build, etc.) with explicit **Relationship** semantics—ideal for longlived storage and graph queries. ([SPDX][1])
* **CycloneDX1.6** excels at exchange: widely adopted, supports **services/SaaSBOM**, **attestations (CDXA)**, **CBOM (crypto inventory)**, MLBOM, and more—perfect for producing portable BOMs for customers and regulators. ([CycloneDX][2])
**Target architecture (minimal)**
* **Persistence:** Store SBOMs as SPDX3.0.1 (JSONLD/RDF), normalized into your Mongo eventsourced graph; keep Relationship edges firstclass. ([SPDX][1])
* **Interchange:** On export, render CycloneDX1.6 (JSON/XML) including `components`, `services`, `dependencies`, `vulnerabilities`, and optional CBOM/CDXA blocks. ([SBOM Observer][3])
* **Deterministic transform:** Define a static mapping table (SPDX→CycloneDX) with sorted collections, stable UUID seeds, and normalized strings to guarantee byteforbyte reproducibility across offline sites.
**Quick win mapping examples**
* SPDX `Element` + `RelationshipType` → CycloneDX `dependencies` graph. ([SPDX][4])
* SPDX Security profile findings → CycloneDX `vulnerabilities` entries. ([SPDX][1])
* SPDX AI/Build profiles → CycloneDX MLBOM + CDXA attestations (build/provenance). ([SPDX][5])
* Crypto materials (keys/algos/policies) held in SPDX extensions or attributes → CycloneDX **CBOM** on export for policy checks (CNSA/NIST). ([CycloneDX][2])
**Governance & standards signal**
* SPDX3.0.x is actively aligned with **OMG/ISO** submissions (good longterm bet for storage). ([SPDX Lists][6])
* CycloneDX1.6 is the current, actively enhanced interchange standard used across vendors and tooling. ([GitHub][7])
If you want, Ill draft the exact fieldbyfield mapping table (SPDX profile → CycloneDX section), plus a small .NET 10 library skeleton for the deterministic exporter.
[1]: https://spdx.github.io/spdx-spec/v3.0.1/?utm_source=chatgpt.com "SPDX Specification 3.0.1"
[2]: https://cyclonedx.org/news/cyclonedx-v1.6-released/?utm_source=chatgpt.com "CycloneDX v1.6 Released, Advances Software Supply ..."
[3]: https://sbom.observer/academy/learn/topics/cyclonedx?utm_source=chatgpt.com "What is CycloneDX?"
[4]: https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Vocabularies/RelationshipType/?utm_source=chatgpt.com "RelationshipType - SPDX Specification 3.0.1"
[5]: https://spdx.dev/wp-content/uploads/sites/31/2024/12/SPDX-3.0.1-1.pdf?utm_source=chatgpt.com "SPDX© Specification v3.0.1"
[6]: https://lists.spdx.org/g/Spdx-tech/topic/release_3_0_1_of_the_spdx/110308825?utm_source=chatgpt.com "Release 3.0.1 of the SPDX Specification"
[7]: https://github.com/CycloneDX/specification?utm_source=chatgpt.com "CycloneDX/specification"
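Review bot: the "byte-for-byte reproducibility" claim in the Deterministic transform bullet is not backed by anything concrete in this file; the mapping of SPDX `Element` + `RelationshipType` onto a single CycloneDX `dependencies` graph is necessarily lossy, since the RelationshipType vocabulary referenced in [4] carries far more relationship kinds than a dependency edge can express, so the proposal should state which relationship types are dropped or collapsed and whether the SPDX→CycloneDX→SPDX round trip is expected to be lossless. Likewise "stable UUID seeds" needs a stated derivation (what the seed is computed from and how it is normalized) before reproducibility across offline sites can be asserted; without that, two sites exporting the same graph will not agree. Minor: strip the `?utm_source=chatgpt.com` tracking parameters from reference links [1] through [7] so the committed URLs are the canonical ones.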