Skip to content

feat: Add support for TLP marking in metadata (fixes #595)#603

Closed
anthonyharrison wants to merge 1 commit intoCycloneDX:masterfrom
anthonyharrison:master
Closed

feat: Add support for TLP marking in metadata (fixes #595)#603
anthonyharrison wants to merge 1 commit intoCycloneDX:masterfrom
anthonyharrison:master

Conversation

@anthonyharrison
Copy link
Copy Markdown
Contributor

@anthonyharrison anthonyharrison commented Feb 22, 2025
edited by jkowalleck
Loading

As discussed in ticket #595 this PR adds TLP marking to the metadata to indicate the sharing and distribution constraints for the BOM.

fixes #595

@anthonyharrison anthonyharrison requested a review from a team as a code owner February 22, 2025 12:52
@anthonyharrison
feat: Add support for TLP marking in metadata (fixes #595)
d51492e 
Signed-off-by: anthonyharrison <anthony.p.harrison@gmail.com>
@jkowalleck
Copy link
Copy Markdown
Member

jkowalleck commented Feb 22, 2025
edited
Loading

thanks for the implementation, @anthonyharrison

Could you port these changes to schema 1.7 based on branch 1.7-dev?
Could I ask you to add some test data? they wold to into the folder tools/src/test/resources/1.7.

thank you in advance.

PS: i am sorry that i did not communicate these things earlier. Please bear with me.

@jkowalleck
Copy link
Copy Markdown
Member

jkowalleck commented Feb 22, 2025

I'll set this PR to "draft", until the proposed changes were ported to the "next" version.

@jkowalleck jkowalleck marked this pull request as draft February 22, 2025 15:18
jkowalleck
jkowalleck requested changes Feb 22, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@jkowalleck jkowalleck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please port to "next" version.
v1.6 will not get any new features, but upcoming v1.7 will.

@anthonyharrison anthonyharrison closed this by deleting the head repository Feb 22, 2025
@anthonyharrison anthonyharrison mentioned this pull request Feb 22, 2025
Merged
jkowalleck added a commit that referenced this pull request Jun 5, 2025
@jkowalleck
feat: Add support for TLP marking in metadata (#604)
a9122e8 
As discussed in ticket #595, this PR adds TLP marking in the BOM
metadata.

This PR superseeds #603

fixes #595
@prabhu
Copy link
Copy Markdown
Contributor

prabhu commented Jun 14, 2025

This is resulting in a string attribute called "distribution" under metadata and the phrase "tlp" is no where to be found.

{
 "metadata": {
    "timestamp": "2025-06-14T10:45:57Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "11.4.0",
          "purl": "pkg:npm/%40cyclonedx/cdxgen@11.4.0",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/cdxgen@11.4.0",
          "publisher": "OWASP Foundation",
          "authors": [
            {
              "name": "OWASP Foundation"
            }
          ]
        }
      ]
    },
    "authors": [
      {
        "name": "OWASP Foundation"
      }
    ],
    "lifecycles": [
      {
        "phase": "build"
      }
    ],
    "distribution": "AMBER"
 }
}

Can we make distribution an object with an attribute tlpClassification, since the string attribute is confusing especially with externalReferences.type = distribution (Direct or repository download location).

@jkowalleck
Copy link
Copy Markdown
Member

jkowalleck commented Jun 14, 2025

@CycloneDX/core-team, what do you think about #603 (comment) ?

@jkowalleck
Copy link
Copy Markdown
Member

jkowalleck commented Jun 16, 2025
edited
Loading

re: #603 (comment)
I'll draft a PR to showcase this.

PS: see the draft: #653

@jkowalleck jkowalleck mentioned this pull request Jun 16, 2025
Merged
jkowalleck added a commit that referenced this pull request Sep 4, 2025
@jkowalleck
refactor: metadata distribution to be an object (#653)
f822afc 
Refactored `metadata.distribution` to be more verbose in its name, and
made it more versatile by converting it to an "object" with "TLP" as a
property.

caused by
#603 (comment)
luckystar-crypto pushed a commit to luckystar-crypto/specification that referenced this pull request Jan 27, 2026
refactor: metadata distribution to be an object (#653)
721a6de 
Refactored `metadata.distribution` to be more verbose in its name, and
made it more versatile by converting it to an "object" with "TLP" as a
property.

caused by
CycloneDX/specification#603 (comment)
jvdsn pushed a commit to jvdsn/specification that referenced this pull request Feb 23, 2026
@jkowalleck
feat: Add support for TLP marking in metadata (CycloneDX#604)
c4276f8 
As discussed in ticket CycloneDX#595, this PR adds TLP marking in the BOM
metadata.

This PR superseeds CycloneDX#603

fixes CycloneDX#595
jvdsn pushed a commit to jvdsn/specification that referenced this pull request Feb 23, 2026
@jkowalleck
refactor: metadata distribution to be an object (CycloneDX#653)
7ad3c4c 
Refactored `metadata.distribution` to be more verbose in its name, and
made it more versatile by converting it to an "object" with "TLP" as a
property.

caused by
CycloneDX#603 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkowalleck jkowalleck jkowalleck requested changes

Assignees

No one assigned

Labels

proposed core enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[FEATURE]: Include TLP marking in metadata

3 participants

@anthonyharrison @jkowalleck @prabhu