
[FEATURE]: Include TLP marking in metadata #595

Open
anthonyharrison opened this issue Feb 10, 2025 · 4 comments · May be fixed by #604
Comments

@anthonyharrison

Describe the feature

xBOMs can contain information which the creator may consider sensitive and may wish to ensure that the xBOM is only shared with an appropriate audience. For example, an SBOM may indicate the version of a component which is known to be vulnerable; the creator may not want that information to be widely known.

Possible solutions

The Traffic Light Protocol (TLP) (see here) is a standard way of indicating how sensitive information may be shared. CISA adopted Version 2.0 of the FIRST standard on November 1, 2022. By including a TLP property as part of the document metadata, the sharing conditions will be clearly defined.

Alternatives

Sharing artifacts such as xBOMs could be controlled by contractual means; however, whilst this can work, there is nothing within the xBOM to indicate if the xBOM is subject to some restrictions as regards sharing. By explicitly including the sharing restrictions, there is no ambiguity.

Additional context

The [CSAF standard](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html) for sharing vulnerability information already includes a TLP property.
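To make the proposal concrete, here is an added example (not CycloneDX project code and not part of the issue) of how a consumer could read a TLP marking from a CycloneDX BOM and decide whether the document may be forwarded to a given audience. The property name `tlp` under `metadata.properties` is an assumption for illustration; the issue does not fix a name or location, and the sample BOM is constructed inline. The label set and their sharing scopes follow FIRST TLP 2.0 (TLP:CLEAR, GREEN, AMBER, AMBER+STRICT, RED). The example also shows a missing marking defaulting to TLP:CLEAR and the most-restrictive rule that applies when several marked BOMs are aggregated.

```python
"""Evaluate a CycloneDX BOM's sharing conditions from a TLP marking.

Added illustration, not CycloneDX project code. The property name
"tlp" in metadata.properties is an ASSUMPTION made for this example.
"""
import json

# TLP 2.0 labels ordered from least to most restrictive.
TLP_LABELS = ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"]

# Hypothetical CycloneDX property carrying the marking (assumption).
TLP_PROPERTY = "tlp"

# Audiences a recipient may pass the document on to, per FIRST TLP 2.0:
#   RED          recipients only, no further disclosure
#   AMBER+STRICT the recipient's own organization only
#   AMBER        the recipient's organization and its clients
#   GREEN        the wider community / sector, but not publicly
#   CLEAR        no restriction
ALLOWED_AUDIENCES = {
    "TLP:RED": {"recipient"},
    "TLP:AMBER+STRICT": {"recipient", "own-organization"},
    "TLP:AMBER": {"recipient", "own-organization", "clients"},
    "TLP:GREEN": {"recipient", "own-organization", "clients", "community"},
    "TLP:CLEAR": {"recipient", "own-organization", "clients", "community", "public"},
}

# Constructed sample BOM (not a real product). Note that metadata.licenses
# describes the licence of the document itself and is independent of TLP.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "metadata": {
        "licenses": [{"license": {"id": "CC0-1.0"}}],
        "properties": [{"name": TLP_PROPERTY, "value": "TLP:AMBER"}],
        "component": {"type": "application", "name": "example-app", "version": "2.3.1"},
    },
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.0.0"},
    ],
}


def tlp_marking(bom: dict) -> str:
    """Return the BOM's TLP label; an absent marking means TLP:CLEAR."""
    for prop in bom.get("metadata", {}).get("properties", []):
        if prop.get("name") == TLP_PROPERTY:
            label = str(prop.get("value", "")).strip().upper()
            if label not in ALLOWED_AUDIENCES:
                raise ValueError(f"unknown TLP label {label!r}")
            return label
    return "TLP:CLEAR"


def may_share_with(bom: dict, audience: str) -> bool:
    """True if the BOM's marking permits forwarding to the given audience."""
    return audience in ALLOWED_AUDIENCES[tlp_marking(bom)]


def most_restrictive(labels) -> str:
    """When BOMs are merged, the aggregate inherits the strictest marking."""
    return max(labels, key=TLP_LABELS.index)


def mark_bom(bom: dict, label: str) -> dict:
    """Return a copy of the BOM carrying the given TLP marking."""
    if label not in ALLOWED_AUDIENCES:
        raise ValueError(f"unknown TLP label {label!r}")
    marked = json.loads(json.dumps(bom))
    props = marked.setdefault("metadata", {}).setdefault("properties", [])
    props[:] = [p for p in props if p.get("name") != TLP_PROPERTY]
    props.append({"name": TLP_PROPERTY, "value": label})
    return marked


if __name__ == "__main__":
    print("marking:", tlp_marking(SAMPLE_BOM))
    for audience in ("clients", "community", "public"):
        print(f"share with {audience}: {may_share_with(SAMPLE_BOM, audience)}")
    merged = most_restrictive([tlp_marking(SAMPLE_BOM), "TLP:GREEN", "TLP:RED"])
    print("merged marking:", merged)
```

A consumer that distributes or merges BOMs would call `may_share_with` before forwarding and `most_restrictive` when combining documents; without an explicit property the code has to assume TLP:CLEAR, which is exactly the ambiguity the issue is trying to remove.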

@jkowalleck
Member

@anthonyharrison is this something you would like to actively work on?

@jkowalleck
Member

Sharing artifacts such as xBOMs could be controlled by contractual means; however whilst this can work, there is nothing within the xBOM to indicate if the xBOM is subject to some restrictions as regards sharing.

I thought this is what $.metadata.licenses was for. https://cyclonedx.org/docs/1.6/json/#metadata_licenses

The license information for the BOM document.
This may be different from the license(s) of the component(s) that the BOM describes.

@anthonyharrison
Author

@jkowalleck TLP is independent of the licence information of the component. I am particularly thinking of cases where the product contains a mixture of open source and proprietary information and the proprietary information (and its existence) needs to be carefully controlled. Clearly the default is TLP:CLEAR (no restriction) but I am seeing use cases where this is not appropriate and having something explicitly included would be a great help.

Happy to be involved in making this work.

@jkowalleck
Member

I will assign this topic to you, then, @anthonyharrison .

Feel free to organize with your peers, and work on a prototype for it.

anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Feb 22, 2025
@jkowalleck jkowalleck added this to the 1.7 milestone Feb 24, 2025
anthonyharrison added a commit to anthonyharrison/specification that referenced this issue Mar 6, 2025