doc/tea-requirements.md (+13, -6)
@@ -12,16 +12,21 @@ Based on an identifier a repository URL needs to be found. The identifier can be
At the base URL well known URLs (ref) needs to point to
-
- A lifecycle status document
+
- A lifecycle status document (using OWASP Common Lifecycle Enumeration, CLE)
- A version list. For each version, a URL will point to where a **collection** can be found
- Vendor Discovery, returns a list of Vendors represented in the repository
-
- Vendor Name
-
- Vendor ID
+
- Vendor Name
+
- Vendor ID
+
+
As an alternative, discovery using a company's ordinary web site should be supported.
+
This can be handled using the file security.txt (IETF RFC 9116)
## Artifact Discovery based on TEA collections
The API MUST provide a way to discover the artifacts that are available for retrieval or further query.
-
Discovery SHOULD group artifacts together that represent a **collection** that are directly applicable to a given product. Collections are OPTIONAL. For example, a medical device that has:
+
Discovery SHOULD group artifacts together that represent a **collection**
+
that are directly applicable to a given product with a given version.
+
Collections are OPTIONAL.
- SBOM - Software Bill of Material
- CBOM - Cryptography Bill of Material
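Review bot: the added sentence "As an alternative, discovery using a company's ordinary web site should be supported. This can be handled using the file security.txt (IETF RFC 9116)" uses a lowercase "should" where the rest of this document uses RFC 2119 keywords (MUST, SHOULD, OPTIONAL), and it does not say which security.txt field would carry the pointer to the TEA base URL; RFC 9116 defines no TEA-specific field, so either name the existing field to reuse (for example a Canonical or Policy style link) or state that a new field is to be registered. The unchanged context line "At the base URL well known URLs (ref) needs to point to" still has the unresolved "(ref)" placeholder and a number-agreement error ("URLs ... need to point to"); RFC 8615 (Well-Known URIs) is the reference to cite there. The new "(using OWASP Common Lifecycle Enumeration, CLE)" expansion should also cite the CLE specification so readers can find the document format.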
@@ -42,14 +47,16 @@ modifying collections, or deleting existing collections.
## Artifact Retrieval
The API MUST provide a method in which to retrieve an artifact based on the identity of the artifact.
-
For example, using CycloneDX BOM-Link to retrieve either the latest version or specific version of an artifact.
+
For example, using CycloneDX BOM-Link to retrieve either the
+
latest version or specific version of an artifact.
```text
urn:cdx:serialNumber
urn:cdx:serialNumber/version
```
-
The API needs to provide support for update checks, i.e. to check if a document is updated without downloading. (possibly etag or HEAD method or similar)
+
The API needs to provide support for update checks, i.e. to check if a document is
+
updated without downloading. (possibly etag or HEAD method or similar)
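Review bot: this hunk only re-wraps two sentences, but the last one still reads "The API needs to provide support for update checks ... (possibly etag or HEAD method or similar)" while the retrieval sentence in the same hunk uses MUST; replace "needs to" with the intended RFC 2119 keyword and state the mechanism as a requirement rather than a parenthetical, e.g. "The API MUST support conditional requests (ETag with If-None-Match) or HEAD so a client can check whether a document changed without downloading it." The BOM-Link example "urn:cdx:serialNumber" / "urn:cdx:serialNumber/version" would be clearer with the placeholders marked as such (urn:cdx:<serialNumber>/<version>) and with a sentence saying that a request with only the serial number returns the latest version, which the prose above implies but does not state.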