Extend cryptography-related behaviors #772
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Pull request overview
This PR extends the CycloneDX behavior schema by adding 28 new cryptography-related behaviors to support more detailed security modeling, including certificate presentation, signature verification variants, cryptographic goals (confidentiality, integrity, etc.), and context-specific encryption/decryption operations.
Changes:
- Added 28 new behavior enum values under the security:cryptography namespace
- Extended cryptographic operations to distinguish between data, code, and document signing/verification
- Added behaviors for encryption/decryption in different contexts (at rest, in transit, disk, secrets)
| "security:cryptography:presentsServerCertificate", | ||
| "security:cryptography:presentsClientCertificate", |
Copilot
AI
Jan 15, 2026
All 28 newly added cryptography behaviors are missing their corresponding descriptions in the meta:enum section (around lines 1545-1562). Each enum value should have a matching description entry following the pattern of existing behaviors. For example, 'security:cryptography:wrapsKey' needs an entry like '"security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport."' in the meta:enum object.
| "security:cryptography:generatesKey", | ||
| "security:cryptography:wrapsKey", | ||
| "security:cryptography:generatesRandomValue", |
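Review bot: wrapsKey is inserted between generatesKey and generatesRandomValue, which breaks the alphabetical order the section otherwise keeps; move it after the verifies* entries. Since this PR models encryption and decryption as separate behaviors, also decide whether key wrapping needs an unwrapping counterpart or whether the wrapsKey description should state that it covers both directions.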
Copilot
AI
Jan 15, 2026
The behavior 'wrapsKey' is incorrectly positioned. It should appear after 'verifiesSignature' (or at the end with other 'w' entries) to maintain alphabetical ordering. The entire cryptography section follows alphabetical order, and new entries should be inserted accordingly.
| "security:cryptography:signsData", | ||
| "security:cryptography:verifiesDataSignature", | ||
| "security:cryptography:signsCode", | ||
| "security:cryptography:verifiesCodeSignature", | ||
| "security:cryptography:signsDocument", |
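Review bot: beyond the interleaved ordering (the signs* entries should be grouped before the verifies* entries), the meta:enum descriptions should say how the new verifiesCodeSignature, verifiesDataSignature and verifiesDocumentSignature variants relate to the existing generic verifiesSignature value, so that producers already emitting the generic value know whether it stays valid or should migrate to a specific one.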
Copilot
AI
Jan 15, 2026
These signature-related behaviors are not in correct alphabetical order. The 'signs*' entries should be grouped together (signsCode, signsData, signsDocument) before the 'verifies*' entries (verifiesCodeSignature, verifiesDataSignature, verifiesDocumentSignature).
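The two points the review comments raise (every security:cryptography enum value needs a meta:enum description, and the namespace must stay alphabetically ordered) can be checked mechanically. The following lint is an added example, not code from this PR or from the CycloneDX project; the schema excerpt is constructed, and the "enum" and "meta:enum" property names are taken from the review comment's wording.

```python
import json

# Constructed excerpt shaped like the schema fragment under review: an "enum"
# list plus a "meta:enum" object of descriptions (names from the review comment).
SCHEMA_EXCERPT = json.loads("""{
  "enum": [
    "security:cryptography:generatesKey",
    "security:cryptography:wrapsKey",
    "security:cryptography:generatesRandomValue",
    "security:cryptography:signsData",
    "security:cryptography:verifiesDataSignature",
    "security:cryptography:signsCode",
    "security:other:unrelated"
  ],
  "meta:enum": {
    "security:cryptography:generatesKey": "The entity generates a cryptographic key.",
    "security:cryptography:generatesRandomValue": "The entity generates a random value.",
    "security:cryptography:unwrapsKey": "Description without a matching enum value."
  }
}""")

NAMESPACE = "security:cryptography:"

def namespace_values(schema, namespace=NAMESPACE):
    """Enum values in `namespace`, in the order the schema lists them."""
    return [v for v in schema["enum"] if v.startswith(namespace)]

def find_missing_descriptions(schema, namespace=NAMESPACE):
    """Enum values in `namespace` with no meta:enum description."""
    described = schema.get("meta:enum", {})
    return [v for v in namespace_values(schema, namespace) if v not in described]

def find_orphan_descriptions(schema, namespace=NAMESPACE):
    """meta:enum keys in `namespace` that are not enum values (typos, leftovers)."""
    valid = set(schema["enum"])
    keys = schema.get("meta:enum", {})
    return sorted(k for k in keys if k.startswith(namespace) and k not in valid)

def find_ordering_violations(schema, namespace=NAMESPACE):
    """Adjacent pairs in `namespace` that break case-insensitive alphabetical order."""
    values = namespace_values(schema, namespace)
    return [(a, b) for a, b in zip(values, values[1:]) if a.lower() > b.lower()]

def lint(schema, namespace=NAMESPACE):
    """All findings for one namespace; every list empty means the section is consistent."""
    return {
        "missing_descriptions": find_missing_descriptions(schema, namespace),
        "orphan_descriptions": find_orphan_descriptions(schema, namespace),
        "ordering_violations": find_ordering_violations(schema, namespace),
    }
```

Running `lint(SCHEMA_EXCERPT)` on the constructed excerpt reports four values without descriptions, one description with no enum value, and the two adjacent pairs that break the ordering.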
| "security:cryptography:signsData", | |
| "security:cryptography:verifiesDataSignature", | |
| "security:cryptography:signsCode", | |
| "security:cryptography:verifiesCodeSignature", | |
| "security:cryptography:signsDocument", | |
| "security:cryptography:signsCode", | |
| "security:cryptography:signsData", | |
| "security:cryptography:signsDocument", | |
| "security:cryptography:verifiesCodeSignature", | |
| "security:cryptography:verifiesDataSignature", |
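Review bot: the reorder resolves the interleaving, with the three signs* entries now ahead of the verifies* entries. The visible hunk ends at verifiesDataSignature, so confirm that verifiesDocumentSignature follows it, and that the meta:enum object was reordered and completed to match, as the earlier review comment asked.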
… Orders new entries alphabetically in the enum Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Addressed the Copilot suggestions:

20ee286 into CycloneDX:2.0-dev-threatmodeling
This PR extends the list of cryptography-related behaviors, as discussed in today's Cryptography WG meeting.
The Google sheet is synced with those entries.