For hardware, please take a look at https://cyclonedx.github.io/cyclonedx-property-taxonomy/cdx/device and the example that we provide in GitHub. There are also folks from large manufacturers that are producing HBOM or have working POCs with CycloneDX HBOMs in the Slack workspace. Component types are abstract concepts. Please do not think of them as concrete. It would be impossible to come up with a complete taxonomy of different component types. That is not the goal. The goal was to achieve a certain amount of separation of concerns. Middleware is just another application. If you want to use properties to expand upon that, you can do so. You can also use services to describe the services that the middleware provides or depends on. Same thing for database. There are a few new component types in v1.5 including platform, device driver, data, and machine learning model. Storage is a bit odd. We can describe network storage such as S3 or NAS using services. We can also describe the physical storage device. But currently, we cannot describe the volume. That capability is coming with v1.5, but will initially be limited to formulation support, not inventory support.
Hi Steve.
```dot
digraph G {
    srv1_App1 -> srv1;
    srv1_App1 -> srv2_App1;
    srv1_App1 -> srv1_sw1;
    srv2_app1_sw1 -> srv1_library;
    srv2_App1 -> srv2_app1_sw1;
    srv2_app1_sw1 -> srv2_library;
    srv2_app1_data1 -> srv2_app1_data1_fs1;
    srv2_app1_data1_fs1 -> srv2_file1;
    srv2_file1 -> srv3;
    srv3 -> srv3_dsk1;
    srv4 -> srv4_dsk1;
    srv3_dsk1 -> srv3_dsk1_fw1;
    srv4_dsk1 -> srv4_dsk1_fw1;
}
```
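The digraph above, expressed as a CycloneDX 1.5 BOM using the component types Steve lists (device, application, library, data, file, firmware) plus a service for the database tier. This is an added example, not code from the CycloneDX project or from either participant. The node names come from the digraph; the version strings, the `db-ha-cluster` service and its endpoint, and the edge from `srv2_App1` to its data are assumptions added for illustration. The `fs1` filesystem node is collapsed into the data-to-file edge because, as the thread notes, a volume has no inventory component type in 1.5. The checks at the end are the ones a consumer of such a BOM would want: every dependency ref resolves, every type is a legal 1.5 type, the graph is acyclic, and a firmware component is reachable from the application that ultimately rests on it.

```python
"""Model a hardware/software stack as a CycloneDX 1.5 BOM and sanity-check it.

Added example; not the CycloneDX project's own code. Names follow the digraph
in the thread; versions, the database service and the app->data edge are assumed.
"""
import json

# Component types allowed by the CycloneDX 1.5 JSON schema enum.
CDX_15_TYPES = {
    "application", "framework", "library", "container", "platform",
    "operating-system", "device", "device-driver", "firmware", "file",
    "machine-learning-model", "data",
}


def comp(ctype, name, ref, **extra):
    """Build one component; bom-ref is what the dependency graph points at."""
    c = {"type": ctype, "name": name, "bom-ref": ref}
    c.update(extra)
    return c


def build_stack_bom():
    """Return the stack from the digraph as a CycloneDX 1.5 BOM dict."""
    components = [
        # server tier: physical hosts are devices
        comp("device", "srv1", "srv1"), comp("device", "srv2", "srv2"),
        comp("device", "srv3", "srv3"), comp("device", "srv4", "srv4"),
        # application tier (versions assumed)
        comp("application", "App1", "srv1_App1", version="2.3.0"),
        comp("application", "App1", "srv2_App1", version="2.3.0"),
        # middleware tier: "just another application" per the thread
        comp("application", "sw1", "srv1_sw1", version="1.0"),
        comp("application", "sw1", "srv2_app1_sw1", version="1.0"),
        comp("library", "library", "srv1_library", version="4.1.2"),
        comp("library", "library", "srv2_library", version="4.1.2"),
        # data (new type in 1.5) and the file it lives in; the fs1 volume
        # hop is collapsed because 1.5 inventory has no volume type
        comp("data", "data1", "srv2_app1_data1"),
        comp("file", "file1", "srv2_file1"),
        # storage tier: disks are devices, their firmware is firmware
        comp("device", "dsk1", "srv3_dsk1"), comp("device", "dsk1", "srv4_dsk1"),
        comp("firmware", "dsk1 firmware", "srv3_dsk1_fw1", version="7.2"),
        comp("firmware", "dsk1 firmware", "srv4_dsk1_fw1", version="7.2"),
    ]
    # Database tier as a service the middleware depends on (assumed, not in
    # the digraph); the endpoint is a placeholder.
    services = [{
        "bom-ref": "db-ha", "name": "db-ha-cluster",
        "endpoints": ["db.example.internal:5432"], "authenticated": True,
    }]
    edges = {
        "srv1_App1": ["srv1", "srv2_App1", "srv1_sw1"],
        "srv2_app1_sw1": ["srv1_library", "srv2_library", "db-ha"],
        "srv2_App1": ["srv2_app1_sw1", "srv2_app1_data1"],  # data edge assumed
        "srv2_app1_data1": ["srv2_file1"],                  # fs1 hop collapsed
        "srv2_file1": ["srv3"],
        "srv3": ["srv3_dsk1"], "srv4": ["srv4_dsk1"],
        "srv3_dsk1": ["srv3_dsk1_fw1"], "srv4_dsk1": ["srv4_dsk1_fw1"],
    }
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": components, "services": services,
        "dependencies": [{"ref": r, "dependsOn": d} for r, d in edges.items()],
    }


def _graph(bom):
    return {d["ref"]: d["dependsOn"] for d in bom["dependencies"]}


def dangling_refs(bom):
    """Refs used in dependencies but declared by no component or service."""
    known = {c["bom-ref"] for c in bom["components"]}
    known |= {s["bom-ref"] for s in bom.get("services", [])}
    used = set()
    for d in bom["dependencies"]:
        used.add(d["ref"])
        used.update(d["dependsOn"])
    return sorted(used - known)


def unknown_types(bom):
    """Component types that are not in the 1.5 enum (e.g. 'middleware')."""
    return sorted({c["type"] for c in bom["components"]} - CDX_15_TYPES)


def has_cycle(bom):
    """DFS with grey/black colouring; a grey revisit is a back edge."""
    graph, color = _graph(bom), {}

    def visit(n):
        if color.get(n) == "grey":
            return True
        if color.get(n) == "black":
            return False
        color[n] = "grey"
        if any(visit(m) for m in graph.get(n, [])):
            return True
        color[n] = "black"
        return False

    return any(visit(n) for n in graph)


def transitive_deps(bom, ref):
    """Everything `ref` ultimately rests on, across every tier."""
    graph, seen, stack = _graph(bom), set(), list(_graph(bom).get(ref, []))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(graph.get(n, []))
    return seen


if __name__ == "__main__":
    bom = build_stack_bom()
    print(json.dumps(bom, indent=2))
    print("dangling:", dangling_refs(bom), "cycle:", has_cycle(bom))
```

The structural checks here are deliberately schema-independent; for a real BOM, also run the JSON through the official CycloneDX schema validator, which will catch an invalid component type but not a dangling `dependsOn` ref or a cycle.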
I mean a database tier such as DB2 HADR, Oracle RAC, SQL Server ALWAYS ON, or Postgresql HA consisting of at least 2 voted nodes. Maybe 2oo3. |
I don't mean a tightly coupled datastore like SQLite or MySQL. I mean a database server. One which earns revenue.
Note that the stack needs software and data packages as per CIS and STIG. |
Unless you want to call data packages software/firmware which can't be executed. I'm OK with that but it will blow some people's minds.
To elaborate, if you call data software which can't be executed, then what do you call a register? Something which streams software? Then what do you call a demux, something which streams multiple software elements?
I won't even ask about how we specify the dependency on the HVAC much less single mode fibre. |
Oops. The temperature is 90+ deg C - BACnet is down. We just fried the equipment due to electrostatic discharge (ESD) and a floating ground. The battery pile caught on fire. And the pipes burst.
The GPS-R antenna can't see any GPS-T satellites. Someone took the cesium clock - unable to authenticate to the domain. Access control system is DOA - unable to open the door. Fire suppression is offline - looking for a stick, some wieners, and some marshmallows. Because they weren't documented in CycloneDX.
Where are the "45 TB" 8-track tapes? Oops, no one put the firesafe in CycloneDX. I guess we didn't document the HW/SW stack. ;)
Let's not even discuss what's included in SaaS. ;) |
[like] Brent Kimberley reacted to your message:
From: Steve Springett
Sent: Wednesday, June 14, 2023 10:23:28 PM
Subject: Re: [CycloneDX/specification] Is CycloneDX able to describe a hardware software stack? (Discussion #243)
As I mentioned earlier. There's a new component type in v1.5 called data.
Perfect!
Is CycloneDX able to describe a hardware software stack?
How do we track components such as database servers and databases, much less containers and pods?
Looking at the list of components in CycloneDX, I see: Application, Framework, Operating System, Firmware, Library, Container, Device and File.
Then comparing to a simplified hardware software stack, I see: Applications, Middleware, Database, Operating System, Virtual Machine, Server, Storage.
Sorting the components by hardware stack layer, we have:
Application tier:
Middleware tier:
Database tier:
OS tier:
Virtual machine tier:
Server tier:
Storage tier: