Add cwe as ExternalIdentifierType
Per discussion in the April 10 Security call, this commit adds cwe
(common weakness enumeration) as an ExternalIdentifierType.

Closes spdx/spdx-spec#102

Signed-off-by: Rose Judge <[email protected]>
rnjudge committed Apr 10, 2024
1 parent af0514c commit db61076
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions model/Core/Vocabularies/ExternalIdentifierType.md
Expand Up @@ -19,6 +19,7 @@ ExteralIdentifierType specifies the type of an external identifier.
- cpe22: https://cpe.mitre.org/files/cpe-specification_2.2.pdf
- cpe23: https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
- cve: An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE specification as defined by https://csrc.nist.gov/glossary/term/cve_id.
- cwe: An identifier for a specific source of software flaw defined within the official CWE Dictionary that conforms to the CWE specification as defined by https://csrc.nist.gov/glossary/term/common_weakness_enumeration.
- email: https://datatracker.ietf.org/doc/html/rfc3696#section-3
- gitoid: https://www.iana.org/assignments/uri-schemes/prov/gitoid Gitoid stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a binary artifact. A gitoid may represent the software [Artifact ID](https:/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR Identifier](https:/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's associated [OmniBOR Document](https:/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document); this ambiguity exists because the OmniBOR Document is itself an artifact, and the gitoid of that artifact is its valid identifier. Omnibor is a minimalistic schema to describe software [Artifact Dependency Graphs](https:/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's ContentIdentifier property. Gitoids calculated on the OmniBOR Document (OmniBOR Identifiers) should be recorded in the SPDX 3.0 Element's ExternalIdentifier property.
- other: Used when the type doesn't match any of the other options.
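Review bot: the added `cwe` line says what the identifier refers to but not what syntax a value of this type must have, whereas the neighbouring `cve` line at least anchors the format by pointing at the CVE ID definition; since the point of an ExternalIdentifierType is to let consumers recognise and validate the identifier, consider stating the expected form (the `CWE-<number>` identifiers used by the CWE dictionary) next to the glossary link. Minor wording: "a specific source of software flaw" is awkward; "a specific type of weakness that can be the source of software flaws" is closer to what the CWE dictionary catalogues. Also, the unchanged context line still reads "ExteralIdentifierType" (missing "n"); not introduced here, but worth a follow-up fix.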