Understanding security relevant fields of CycloneDX files

Basically, the title. I have a scenario in which I check for security-relevant changes between two CycloneDX SBOMs in JSON format.

I've written an application to diff the two SBOMs, though I am noticing that there are fields that change from run to run that don't seem to be relevant to an actual component change, e.g. sha256 hash changes of a particular component property:

"components":[
  {
    "bom-ref":"foo",
    "name": "bar",
    "cpe": "foobarCPE",
    "properties": [
      {
        "name":"syft:someLocation:idx:layerID", 
        "value":"sha256:some_sha_here"
      }
    ]
  },
  {
   "bom-ref":"{foobar}",
   ...
  }
]

If I ignore the [components][properties] field, is it possible that I miss a relevant change in a component's properties? As a tangent, should I be considering less of the information here? From some intuitive reading, it seems like the purpose of something like the CPE is to guarantee a common way of indicating a significant change to the base, but I am somewhat unclear on this.

Best answer

Following up on this answer, some months later, a few months wiser.

The crux of the issue was that the sha256 hash of some docker layer was changing. That indicates that the build layer itself was changing. This should be static.

You may want to drop the "seems". From a security perspective, it really should be static. A change in the hash indicates that the layer itself has changed. Because of how this particular project's properties were constructed, several docker containers for different packages were using different versions, based on some corner cases.

So, if what you are asking here is "can I ignore these changes?", it depends. Are you trying to make security guarantees? If so, this is probably a blocker until you can work out how to properly attribute your changes. Are you just trying to build an SBOM? Then it is probably fine. In our case, the solution was to build a set of keys made up of dependency name, version and origin.

If things change from run to run, there is a report describing what was added, what was removed and what changed. That may not be enough to solve the problem. YMMV.
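One way to implement the key-based diff the answer describes, as an added example that is not the poster's or the answerer's code: components are identified by (name, version, origin), where origin is taken from `purl` with `cpe` as fallback (an assumption; the answer does not say which field it used), `bom-ref` is ignored because generators may regenerate it, and properties whose name ends in `:layerID` (the syft property shape from the question, assumed as the volatility pattern) are reported separately instead of counting as a component change. The two SBOMs are constructed sample data.

```python
"""Diff two CycloneDX JSON SBOMs on a stable (name, version, origin) key.

Added example, not code from the question or the answer. Assumptions:
every component has "name" and "version"; "purl" (falling back to "cpe")
stands in for the answer's "origin"; any property whose name ends in
":layerID" is build-context noise to be tracked apart from real changes.
"""
import json
import re
from typing import Any

# Property names that drift run-to-run without the component itself
# changing. Assumed pattern, modelled on the property name in the question.
VOLATILE_PROPERTY = re.compile(r":layerID$")

# Constructed sample SBOMs (CycloneDX 1.5 shape). bom-refs differ on
# purpose: a generator may assign new ones on every run.
OLD_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "ref-1", "type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:deb/debian/openssl@3.0.8",
         "hashes": [{"alg": "SHA-256", "content": "aa" * 32}],
         "properties": [{"name": "syft:location:0:layerID", "value": "sha256:" + "11" * 32}]},
        {"bom-ref": "ref-2", "type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:deb/debian/zlib@1.2.13",
         "hashes": [{"alg": "SHA-256", "content": "bb" * 32}]},
        {"bom-ref": "ref-3", "type": "library", "name": "curl", "version": "8.0.1",
         "purl": "pkg:deb/debian/curl@8.0.1",
         "hashes": [{"alg": "SHA-256", "content": "cc" * 32}]},
    ],
}
NEW_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        # Same artifact, only the layer ID property moved: not a real change.
        {"bom-ref": "ref-9", "type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:deb/debian/openssl@3.0.8",
         "hashes": [{"alg": "SHA-256", "content": "aa" * 32}],
         "properties": [{"name": "syft:location:0:layerID", "value": "sha256:" + "22" * 32}]},
        # zlib was upgraded: the old key disappears, a new key appears.
        {"bom-ref": "ref-8", "type": "library", "name": "zlib", "version": "1.3",
         "purl": "pkg:deb/debian/zlib@1.3",
         "hashes": [{"alg": "SHA-256", "content": "dd" * 32}]},
        # Same name/version/origin but a different package hash: a real change.
        {"bom-ref": "ref-7", "type": "library", "name": "curl", "version": "8.0.1",
         "purl": "pkg:deb/debian/curl@8.0.1",
         "hashes": [{"alg": "SHA-256", "content": "ee" * 32}]},
    ],
}


def component_key(comp: dict[str, Any]) -> tuple[str, str, str]:
    """Stable identity: (name, version, origin). bom-ref is deliberately excluded."""
    return (comp.get("name", ""), comp.get("version", ""),
            comp.get("purl") or comp.get("cpe") or "")


def substantive_view(comp: dict[str, Any]) -> dict[str, Any]:
    """Fields whose change means the component itself changed.

    Hashes are keyed by algorithm; volatile properties are filtered out.
    """
    return {
        "type": comp.get("type"),
        "hashes": {h["alg"]: h["content"] for h in comp.get("hashes", [])},
        "licenses": comp.get("licenses", []),
        "properties": {p["name"]: p["value"] for p in comp.get("properties", [])
                       if not VOLATILE_PROPERTY.search(p["name"])},
    }


def volatile_properties(comp: dict[str, Any]) -> dict[str, str]:
    return {p["name"]: p["value"] for p in comp.get("properties", [])
            if VOLATILE_PROPERTY.search(p["name"])}


def diff_sboms(old: dict[str, Any], new: dict[str, Any]) -> dict[str, list]:
    """Report added, removed and changed keys; volatile-only drift goes in its own bucket.

    Note: two components sharing the same key (e.g. the same package found at
    two paths) collapse into one entry; extend the key if that matters to you.
    """
    old_idx = {component_key(c): c for c in old.get("components", [])}
    new_idx = {component_key(c): c for c in new.get("components", [])}
    report: dict[str, list] = {
        "added": sorted(set(new_idx) - set(old_idx)),
        "removed": sorted(set(old_idx) - set(new_idx)),
        "changed": [],
        "volatile_only": [],
    }
    for key in sorted(set(old_idx) & set(new_idx)):
        a, b = old_idx[key], new_idx[key]
        if substantive_view(a) != substantive_view(b):
            report["changed"].append(key)
        elif volatile_properties(a) != volatile_properties(b):
            # Worth logging (the answer says a moving layer hash is a real
            # signal about the build), but not a change to this component.
            report["volatile_only"].append(key)
    return report


if __name__ == "__main__":
    print(json.dumps(diff_sboms(OLD_SBOM, NEW_SBOM), indent=2))
```

Run against the sample data, the zlib upgrade shows up as one removal plus one addition (a version change is a different key), curl is reported as changed because its package hash moved, and openssl lands in `volatile_only` because only its layer ID drifted. Whether that last bucket is a finding or noise is the judgement call the answer describes; the diff just keeps it from being silently dropped.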
