Extend cryptography-related behaviors #772
base: 2.0-dev-threatmodeling
Conversation
Signed-off-by: Basil Hess <[email protected]>
Signed-off-by: Basil Hess <[email protected]>
Pull request overview
This PR extends the CycloneDX behavior schema by adding 28 new cryptography-related behaviors to support more detailed security modeling, including certificate presentation, signature verification variants, cryptographic goals (confidentiality, integrity, etc.), and context-specific encryption/decryption operations.
Changes:
- Added 28 new behavior enum values under the security:cryptography namespace
- Extended cryptographic operations to distinguish between data, code, and document signing/verification
- Added behaviors for encryption/decryption in different contexts (at rest, in transit, disk, secrets)
| "security:cryptography:encryptsData", | ||
| "security:cryptography:exchangesKey", | ||
| "security:cryptography:generatesKey", | ||
| "security:cryptography:wrapsKey", |
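Review bot: wrapsKey arrives without an unwrapsKey counterpart, while the other operations in this section are declared as pairs (encryptsData/decryptsData, signsData/verifiesDataSignature). Either add "security:cryptography:unwrapsKey" beside it, or state in the wrapsKey meta:enum description that the value covers both wrapping and unwrapping, so a component that only unwraps keys it receives has something to declare.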
Copilot (AI) on Jan 15, 2026
All 28 newly added cryptography behaviors are missing their corresponding descriptions in the meta:enum section (around line 1545-1562). Each enum value should have a matching description entry following the pattern of existing behaviors. For example, 'security:cryptography:wrapsKey' needs an entry like '"security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport."' in the meta:enum object.
| "security:cryptography:presentsServerCertificate", | ||
| "security:cryptography:presentsClientCertificate", |
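Review bot: the meta:enum descriptions for these two values (missing, as noted for the whole set) should say that "presents" means the entity offers its own certificate to the peer, and that checking a received certificate stays under the existing validatesCertificate; without that distinction, a client that merely verifies a server's certificate could end up tagged presentsServerCertificate.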
Copilot (AI) on Jan 15, 2026
All 28 newly added cryptography behaviors are missing their corresponding descriptions in the meta:enum section (around line 1545-1562). Each enum value should have a matching description entry following the pattern of existing behaviors. For example, 'security:cryptography:wrapsKey' needs an entry like '"security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport."' in the meta:enum object.
| "security:cryptography:verifiesDataSignature", | ||
| "security:cryptography:signsCode", | ||
| "security:cryptography:verifiesCodeSignature", | ||
| "security:cryptography:signsDocument", | ||
| "security:cryptography:verifiesDocumentSignature", |
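Review bot: the relationship between these specific variants and the existing generic verifiesSignature (and signsData) is left undefined. The descriptions should state whether a component that declares verifiesCodeSignature is also expected to declare verifiesSignature, or whether the generic value is reserved for signatures that fit none of the data/code/document variants; otherwise two BOMs can describe the same component with different behavior sets.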
Copilot (AI) on Jan 15, 2026
All 28 newly added cryptography behaviors are missing their corresponding descriptions in the meta:enum section (around line 1545-1562). Each enum value should have a matching description entry following the pattern of existing behaviors. For example, 'security:cryptography:wrapsKey' needs an entry like '"security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport."' in the meta:enum object.
| "security:cryptography:authenticates", | ||
| "security:cryptography:ensuresConfidentiality", | ||
| "security:cryptography:ensuresIntegrity", | ||
| "security:cryptography:ensuresNonRepudiation", | ||
| "security:cryptography:ensuresAccountability", | ||
| "security:cryptography:preservesPrivacy", | ||
| "security:cryptography:identifies", | ||
| "security:cryptography:usesIdentity", | ||
| "security:cryptography:validatesToken", | ||
| "security:cryptography:encryptsDataAtRest", | ||
| "security:cryptography:encryptsDataInTransit", | ||
| "security:cryptography:decryptsDataAtRest", | ||
| "security:cryptography:decryptsDataInTransit", | ||
| "security:cryptography:encryptsDisk", | ||
| "security:cryptography:decryptsDisk", | ||
| "security:cryptography:encryptsSecret", | ||
| "security:cryptography:decryptsSecret", |
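Review bot: ensuresConfidentiality, ensuresIntegrity, ensuresNonRepudiation, ensuresAccountability and preservesPrivacy name security goals, while every other value in this namespace names an operation (encryptsDataInTransit, validatesToken). The descriptions should say whether a goal value is declared on its own or is implied by operations, for example whether encryptsDataInTransit implies ensuresConfidentiality, so that consumers of the BOM do not infer goals from mechanisms inconsistently.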
Copilot (AI) on Jan 15, 2026
All 28 newly added cryptography behaviors are missing their corresponding descriptions in the meta:enum section (around line 1545-1562). Each enum value should have a matching description entry following the pattern of existing behaviors. For example, 'security:cryptography:wrapsKey' needs an entry like '"security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport."' in the meta:enum object.
| "security:cryptography:generatesKey", | ||
| "security:cryptography:wrapsKey", | ||
| "security:cryptography:generatesRandomValue", |
Copilot (AI) on Jan 15, 2026
The behavior 'wrapsKey' is incorrectly positioned. It should appear after 'verifiesSignature' (or at the end with other 'w' entries) to maintain alphabetical ordering. The entire cryptography section follows alphabetical order, and new entries should be inserted accordingly.
| "security:cryptography:presentsServerCertificate", | ||
| "security:cryptography:presentsClientCertificate", |
Copilot (AI) on Jan 15, 2026
These certificate presentation behaviors are out of alphabetical order. 'presentsClientCertificate' should come before 'presentsServerCertificate' (c before s), and 'preservesPrivacy' should be positioned before both of them in the list.
| "security:cryptography:presentsServerCertificate", | |
| "security:cryptography:presentsClientCertificate", | |
| "security:cryptography:presentsClientCertificate", | |
| "security:cryptography:presentsServerCertificate", |
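Review bot: the second claim in the comment above does not hold: "presents" sorts before "preserves" (n before r at the sixth character), so preservesPrivacy belongs after both presents* values, not before them. The swap in this suggestion is correct; what remains is moving preservesPrivacy up from the tail of the list to directly after presentsServerCertificate.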
| "security:cryptography:signsData", | ||
| "security:cryptography:verifiesDataSignature", | ||
| "security:cryptography:signsCode", | ||
| "security:cryptography:verifiesCodeSignature", | ||
| "security:cryptography:signsDocument", |
Copilot (AI) on Jan 15, 2026
These signature-related behaviors are not in correct alphabetical order. The 'signs*' entries should be grouped together (signsCode, signsData, signsDocument) before the 'verifies*' entries (verifiesCodeSignature, verifiesDataSignature, verifiesDocumentSignature).
| "security:cryptography:signsData", | |
| "security:cryptography:verifiesDataSignature", | |
| "security:cryptography:signsCode", | |
| "security:cryptography:verifiesCodeSignature", | |
| "security:cryptography:signsDocument", | |
| "security:cryptography:signsCode", | |
| "security:cryptography:signsData", | |
| "security:cryptography:signsDocument", | |
| "security:cryptography:verifiesCodeSignature", | |
| "security:cryptography:verifiesDataSignature", |
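Review bot: this suggestion sorts the five lines among themselves but still leaves verifiesCodeSignature, verifiesDataSignature and the unchanged verifiesDocumentSignature that follows ahead of storesKey and validatesCertificate, so the section remains out of order after applying it. The larger suggestion further down places the verifies* block after validatesToken and before verifiesHash, which is the right spot; the two suggestions rewrite the same lines and cannot both be applied, so this one should be dropped.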
| "security:cryptography:verifiesDataSignature", | ||
| "security:cryptography:signsCode", | ||
| "security:cryptography:verifiesCodeSignature", | ||
| "security:cryptography:signsDocument", | ||
| "security:cryptography:verifiesDocumentSignature", | ||
| "security:cryptography:storesKey", | ||
| "security:cryptography:validatesCertificate", | ||
| "security:cryptography:verifiesHash", | ||
| "security:cryptography:verifiesSignature", | ||
| "security:cryptography:authenticates", | ||
| "security:cryptography:ensuresConfidentiality", | ||
| "security:cryptography:ensuresIntegrity", | ||
| "security:cryptography:ensuresNonRepudiation", | ||
| "security:cryptography:ensuresAccountability", | ||
| "security:cryptography:preservesPrivacy", | ||
| "security:cryptography:identifies", | ||
| "security:cryptography:usesIdentity", | ||
| "security:cryptography:validatesToken", | ||
| "security:cryptography:encryptsDataAtRest", | ||
| "security:cryptography:encryptsDataInTransit", | ||
| "security:cryptography:decryptsDataAtRest", | ||
| "security:cryptography:decryptsDataInTransit", | ||
| "security:cryptography:encryptsDisk", | ||
| "security:cryptography:decryptsDisk", | ||
| "security:cryptography:encryptsSecret", | ||
| "security:cryptography:decryptsSecret", |
Copilot (AI) on Jan 15, 2026
These behaviors are positioned at the end but should be integrated alphabetically within the existing list. For example, 'authenticates' should appear before 'checksRevocation', 'ensures*' entries should appear before 'exchangesKey', 'identifies' before 'issuesCertificate', and 'usesIdentity' before 'validatesCertificate'.
| "security:cryptography:verifiesDataSignature", | |
| "security:cryptography:signsCode", | |
| "security:cryptography:verifiesCodeSignature", | |
| "security:cryptography:signsDocument", | |
| "security:cryptography:verifiesDocumentSignature", | |
| "security:cryptography:storesKey", | |
| "security:cryptography:validatesCertificate", | |
| "security:cryptography:verifiesHash", | |
| "security:cryptography:verifiesSignature", | |
| "security:cryptography:authenticates", | |
| "security:cryptography:ensuresConfidentiality", | |
| "security:cryptography:ensuresIntegrity", | |
| "security:cryptography:ensuresNonRepudiation", | |
| "security:cryptography:ensuresAccountability", | |
| "security:cryptography:preservesPrivacy", | |
| "security:cryptography:identifies", | |
| "security:cryptography:usesIdentity", | |
| "security:cryptography:validatesToken", | |
| "security:cryptography:encryptsDataAtRest", | |
| "security:cryptography:encryptsDataInTransit", | |
| "security:cryptography:decryptsDataAtRest", | |
| "security:cryptography:decryptsDataInTransit", | |
| "security:cryptography:encryptsDisk", | |
| "security:cryptography:decryptsDisk", | |
| "security:cryptography:encryptsSecret", | |
| "security:cryptography:decryptsSecret", | |
| "security:cryptography:authenticates", | |
| "security:cryptography:decryptsDataAtRest", | |
| "security:cryptography:decryptsDataInTransit", | |
| "security:cryptography:decryptsDisk", | |
| "security:cryptography:decryptsSecret", | |
| "security:cryptography:encryptsDataAtRest", | |
| "security:cryptography:encryptsDataInTransit", | |
| "security:cryptography:encryptsDisk", | |
| "security:cryptography:encryptsSecret", | |
| "security:cryptography:ensuresAccountability", | |
| "security:cryptography:ensuresConfidentiality", | |
| "security:cryptography:ensuresIntegrity", | |
| "security:cryptography:ensuresNonRepudiation", | |
| "security:cryptography:identifies", | |
| "security:cryptography:preservesPrivacy", | |
| "security:cryptography:signsCode", | |
| "security:cryptography:signsDocument", | |
| "security:cryptography:storesKey", | |
| "security:cryptography:usesIdentity", | |
| "security:cryptography:validatesCertificate", | |
| "security:cryptography:validatesToken", | |
| "security:cryptography:verifiesCodeSignature", | |
| "security:cryptography:verifiesDataSignature", | |
| "security:cryptography:verifiesDocumentSignature", | |
| "security:cryptography:verifiesHash", | |
| "security:cryptography:verifiesSignature", |
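Review bot: the suggestion is sorted only within the hunk: because the hunk begins right after signsData, authenticates, the decrypts*/encrypts* variants, ensures*, identifies and preservesPrivacy all land between signsData and signsCode, which contradicts the comment's own placement (authenticates before checksRevocation, ensures* before exchangesKey). A suggestion limited to this hunk cannot produce that order; the reordering needs one edit across the whole security:cryptography block.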
| "security:cryptography:encryptsDataAtRest", | ||
| "security:cryptography:encryptsDataInTransit", | ||
| "security:cryptography:decryptsDataAtRest", | ||
| "security:cryptography:decryptsDataInTransit", | ||
| "security:cryptography:encryptsDisk", | ||
| "security:cryptography:decryptsDisk", | ||
| "security:cryptography:encryptsSecret", | ||
| "security:cryptography:decryptsSecret", |
Copilot (AI) on Jan 15, 2026
These encryption/decryption variants are positioned at the end but should be alphabetically integrated near their base operations. The 'decrypts*' entries should appear after 'decryptsData' and before 'destroysKey'. The 'encrypts*' entries should appear after 'encryptsData' and before 'exchangesKey'.
| "security:cryptography:encryptsDataAtRest", | |
| "security:cryptography:encryptsDataInTransit", | |
| "security:cryptography:decryptsDataAtRest", | |
| "security:cryptography:decryptsDataInTransit", | |
| "security:cryptography:encryptsDisk", | |
| "security:cryptography:decryptsDisk", | |
| "security:cryptography:encryptsSecret", | |
| "security:cryptography:decryptsSecret", | |
| "security:cryptography:decryptsDataAtRest", | |
| "security:cryptography:decryptsDataInTransit", | |
| "security:cryptography:decryptsDisk", | |
| "security:cryptography:decryptsSecret", | |
| "security:cryptography:encryptsDataAtRest", | |
| "security:cryptography:encryptsDataInTransit", | |
| "security:cryptography:encryptsDisk", | |
| "security:cryptography:encryptsSecret", |
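Review bot: this suggestion rewrites lines that the previous suggestion also rewrites, so the two cannot both be applied; on its own it only swaps the eight lines among themselves and leaves the block after validatesToken, not next to decryptsData and encryptsData where the comment says the variants belong. If the values are later moved into the existing list by hand, applying this suggestion as well would duplicate them.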
This PR extends the list of cryptography-related behaviors, as discussed in today's Cryptography WG meeting.
The Google Sheet is synced with those entries.
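The two classes of issue raised in the review comments above, enum values with no meta:enum description and values out of alphabetical order within the security:cryptography namespace, are mechanical enough to check before pushing. The following linter is an added example, not code from the CycloneDX project or from this PR. It runs on a constructed schema fragment in the shape of the behavior enum (an "enum" array beside a "meta:enum" object); the values, descriptions, planted mistakes, and the "(constructed)" description text are sample input for the example only, and locating the real enum inside the CycloneDX schema file is left to the reader. It also flags duplicate values, since overlapping suggestions like the ones above can introduce them.

```python
"""Lint a CycloneDX-style behavior enum for missing meta:enum descriptions,
stale descriptions, duplicate values, and alphabetical order per namespace."""
import json
from collections import defaultdict

# Constructed schema fragment (sample input, not the project's schema).
# Planted problems: wrapsKey and the two presents* values have no
# description, wrapsKey and presentsClientCertificate are out of order,
# and meta:enum carries a description for a value that is not in the enum.
SAMPLE_FRAGMENT = json.loads(r'''
{
  "type": "string",
  "enum": [
    "security:cryptography:checksRevocation",
    "security:cryptography:decryptsData",
    "security:cryptography:encryptsData",
    "security:cryptography:exchangesKey",
    "security:cryptography:generatesKey",
    "security:cryptography:wrapsKey",
    "security:cryptography:generatesRandomValue",
    "security:cryptography:presentsServerCertificate",
    "security:cryptography:presentsClientCertificate",
    "security:cryptography:signsData",
    "security:cryptography:verifiesSignature"
  ],
  "meta:enum": {
    "security:cryptography:checksRevocation": "(constructed) The entity checks certificate revocation status.",
    "security:cryptography:decryptsData": "(constructed) The entity decrypts data.",
    "security:cryptography:encryptsData": "(constructed) The entity encrypts data.",
    "security:cryptography:exchangesKey": "(constructed) The entity performs a key exchange.",
    "security:cryptography:generatesKey": "(constructed) The entity generates a cryptographic key.",
    "security:cryptography:generatesRandomValue": "(constructed) The entity generates a random value.",
    "security:cryptography:signsData": "(constructed) The entity signs data.",
    "security:cryptography:verifiesSignature": "(constructed) The entity verifies a signature.",
    "security:cryptography:unwrapsKey": "(constructed) Stale entry with no matching enum value."
  }
}
''')


def namespace_of(value):
    """'security:cryptography:wrapsKey' -> 'security:cryptography'."""
    return value.rsplit(":", 1)[0]


def missing_descriptions(enum, meta_enum):
    """Enum values that have no meta:enum description, in enum order."""
    return [v for v in enum if v not in meta_enum]


def stale_descriptions(enum, meta_enum):
    """meta:enum keys that do not match any enum value (typos, removed values)."""
    return sorted(set(meta_enum) - set(enum))


def group_by_namespace(enum):
    """Values grouped by namespace, each group in enum order."""
    by_ns = defaultdict(list)
    for v in enum:
        by_ns[namespace_of(v)].append(v)
    return by_ns


def ordering_violations(enum):
    """(value, predecessor) pairs where a value sorts before the value that
    precedes it in the same namespace. The comparison is case-insensitive,
    which is how a reader judges alphabetical order in camelCase names."""
    violations = []
    for values in group_by_namespace(enum).values():
        for prev, cur in zip(values, values[1:]):
            if cur.casefold() < prev.casefold():
                violations.append((cur, prev))
    return violations


def sorted_enum(enum):
    """The enum with each namespace gathered into one alphabetically sorted
    block; namespaces keep their order of first appearance."""
    out = []
    for values in group_by_namespace(enum).values():
        out.extend(sorted(values, key=str.casefold))
    return out


def lint_behavior_enum(fragment):
    """Full report for one enum fragment: descriptions, order, duplicates."""
    enum = fragment["enum"]
    meta = fragment.get("meta:enum", {})
    return {
        "missing_descriptions": missing_descriptions(enum, meta),
        "stale_descriptions": stale_descriptions(enum, meta),
        "ordering_violations": ordering_violations(enum),
        "duplicates": sorted({v for v in enum if enum.count(v) > 1}),
    }


if __name__ == "__main__":
    print(json.dumps(lint_behavior_enum(SAMPLE_FRAGMENT), indent=2))
```

Run as a script it prints the report for the constructed fragment; `sorted_enum` gives the order a corrected block should have, which is what a suggestion covering the whole namespace (rather than one hunk at a time) would need to produce.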