Add predicate specification for CycloneDX

[danbev]

This commit adds a predicate specification for CycloneDX using the example specification from issue #82.

The motivation for doing this is only to offer help with getting this into in-toto, in case the original author currently does not have time.

Co-authored-by: samj1912 [email protected]
Resolves: #82

Signed-off-by: Daniel Bevenius [email protected]

[marcelamelara]

Thanks for this PR @danbev! Could you please make sure to write up your proposed predicate in ITE-9 formatting guidelines?

A separate question, how large do you expect CycloneDX predicates to be in practice? We do want to consider scalability of attestations as well.

[danbev]

Could you please make sure to write up your proposed predicate in ITE-9 formatting guidelines?

Sorry about that, for some reason I though it was in that format. I'll take a look at this next week and update 👍

[danbev]

A separate question, how large do you expect CycloneDX predicates to be in practice? We do want to consider scalability of attestations as well.

I'm afraid I don't know the answer to this question as I have very little practical experience with CycloneDX. Hopefully others can chime in that do have experience.

[pxp928]

This should be good to go. It does reference the most up-to-date CDX schema as the predicate

[TomHennen]

Is it supposed to just be https://cyclonedx.org/bom? The page doesn't include the version (which I assume is embedded in the predicate field as it is for SPDX?

[marcelamelara]

Thanks for the updates @danbev ! I have a few more change suggestions for clarity.

[marcelamelara]

Thank you for the changes, @danbev !

One more thing: Could you please add a link to the CycloneDX spec in the predicates list?

[TomHennen]

Thanks, generally looks good, just a couple small comments.

[pxp928]

LGTM! Thanks for the changes