OASIS Open Command and Control (OpenC2) TC
Joe Brule (jmbrule@radium.ncsc.mil), National Security Agency
Duncan Sparrell (duncan@sfractal.com), sFractal Consulting LLC
This prose specification is one component of a Work Product that also includes:
(Note: Any normative computer language definitions that are part of the Work Product, such as XML instances, schemas and Java(TM) code, including fragments of such, must be (a) well formed and valid, (b) provided in separate plain text files, (c) referenced from the Work Product; and (d) where any definition in these separate files disagrees with the definition found in the specification, the definition in the separate file prevails. Remove this note before submitting for publication.)
This specification is related to:
Open Command and Control (OpenC2) is a concise and extensible language to enable the command and control of cyber defense components, subsystems and/or systems in a manner that is agnostic of the underlying products, technologies, transport mechanisms or other aspects of the implementation. Software Bill of Materials (SBoM) is an emerging set of standards for identifying and listing software components, information about those components, and supply chain relationships between them. This profile defines the Actions, Targets, Specifiers and Options that are consistent with the version 1.0 of the OpenC2 Language Specification ([OpenC2-Lang-v1.0]) in the context of Software Bill of Materials retrieval.
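The profile described above reuses the Command and Response structures of the OpenC2 Language Specification v1.0. The following is an added example, not code from this profile or from the OASIS TC: it sketches the shape of an OpenC2 v1.0 Command and Response for an SBOM query and runs the structural checks a Consumer would want to apply to an incoming message before acting on it. The Command fields (action, target, args, actuator, command_id), Response fields (status, status_text, results), the "query" action, the "features" target, the status codes and the rule that a target is an object with exactly one key all come from the Language Specification v1.0. The target name "sbom", its specifier "type" and the value "cyclonedx" are assumed placeholders for whatever this profile actually defines.

```python
"""Added example (not part of the OpenC2 SBOM profile or the Language
Specification): structural validation of OpenC2 v1.0 Commands/Responses.

Field names, actions, targets and status codes below are from the OpenC2
Language Specification v1.0.  ASSUMED placeholders: the target "sbom" and
its specifier "type"; the real names are defined by the profile."""
import json

# Actions and targets defined in the Language Specification v1.0.
LANG_ACTIONS = {"scan", "locate", "query", "deny", "contain", "allow", "start",
                "stop", "restart", "cancel", "set", "update", "redirect",
                "create", "delete", "detonate", "restore", "copy",
                "investigate", "remediate"}
LANG_TARGETS = {"artifact", "command", "device", "domain_name", "email_addr",
                "features", "file", "ipv4_net", "ipv6_net", "ipv4_connection",
                "ipv6_connection", "iri", "mac_addr", "process", "properties",
                "uri"}
ASSUMED_PROFILE_TARGETS = {"sbom"}      # placeholder, not from the profile text
COMMAND_KEYS = {"action", "target", "args", "actuator", "command_id"}
RESPONSE_REQUESTED = {"none", "ack", "status", "complete"}
RESPONSE_KEYS = {"status", "status_text", "results"}
STATUS_CODES = {102, 200, 400, 401, 403, 404, 500, 501, 503}


def validate_command(cmd) -> list:
    """Return a list of structural problems; empty means the Command has the
    shape the Language Specification requires (profile args are not checked)."""
    if not isinstance(cmd, dict):
        return ["command must be a JSON object"]
    problems = []
    unknown = sorted(set(cmd) - COMMAND_KEYS)
    if unknown:
        problems.append(f"unknown command fields: {unknown}")
    if cmd.get("action") not in LANG_ACTIONS:
        problems.append(f"unknown or missing action: {cmd.get('action')!r}")
    target = cmd.get("target")
    if not isinstance(target, dict) or len(target) != 1:
        problems.append("target must be an object with exactly one key")
    else:
        (name,) = target
        if name not in LANG_TARGETS | ASSUMED_PROFILE_TARGETS:
            problems.append(f"unknown target: {name!r}")
    args = cmd.get("args", {})
    if not isinstance(args, dict):
        problems.append("args must be an object")
    elif ("response_requested" in args
          and args["response_requested"] not in RESPONSE_REQUESTED):
        problems.append(f"bad response_requested: {args['response_requested']!r}")
    return problems


def validate_response(rsp) -> list:
    """Same idea for a Response: only the spec-defined fields and status codes."""
    if not isinstance(rsp, dict):
        return ["response must be a JSON object"]
    problems = []
    unknown = sorted(set(rsp) - RESPONSE_KEYS)
    if unknown:
        problems.append(f"unknown response fields: {unknown}")
    if rsp.get("status") not in STATUS_CODES:
        problems.append(f"unknown or missing status: {rsp.get('status')!r}")
    return problems


def parse_and_check(raw: str) -> list:
    """Decode a wire message and validate it; a decode failure is reported as
    a problem instead of propagating as an exception."""
    try:
        return validate_command(json.loads(raw))
    except json.JSONDecodeError as exc:
        return [f"malformed JSON: {exc.msg}"]


# Constructed sample messages.  QUERY_FEATURES follows the Language
# Specification's own "query features" pattern; QUERY_SBOM uses the ASSUMED
# "sbom" target with placeholder specifier values.
QUERY_FEATURES = {"action": "query", "target": {"features": ["versions", "profiles"]}}
QUERY_SBOM = {
    "action": "query",
    "target": {"sbom": {"type": "cyclonedx"}},   # placeholder target/specifier
    "args": {"response_requested": "complete"},
    "command_id": "example-0001",
}
BAD_COMMAND = {"action": "fetch", "target": {"sbom": {}, "file": {}}}
OK_RESPONSE = {"status": 200, "results": {"versions": ["1.0"]}}

if __name__ == "__main__":
    for msg in (QUERY_FEATURES, QUERY_SBOM, BAD_COMMAND):
        print(json.dumps(msg), "->", validate_command(msg) or "OK")
    print(validate_response(OK_RESPONSE) or "response OK")
    print(parse_and_check("{not json"))
```

The check is deliberately shallow: it rejects messages that cannot be OpenC2 v1.0 at all (unknown top-level fields, a target object with zero or several keys, an unknown action) before any profile-specific logic runs, which is where a Consumer should fail closed on untrusted input.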
This document was last revised or approved by the OASIS Open Command and Control (OpenC2) TC on the above date. The level of approval is also listed above. Check the "Latest stage" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2#technical.
TC members should send comments on this specification to the TC's email list. Others should send comments to the TC's public comment list, after subscribing to it by following the instructions at the "Send A Comment" button on the TC's web page at https://www.oasis-open.org/committees/openc2/.
This specification is provided under the Non-Assertion Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC's web page (https://www.oasis-open.org/committees/openc2/ipr.php).
Note that any machine-readable content (Computer Language Definitions) declared Normative for this Work Product is provided in separate plain text files. In the event of a discrepancy between any such plain text file and display content in the Work Product's prose narrative document(s), the content in the separate plain text file prevails.
Initial publication URI:
https://docs.oasis-open.org/openc2/ap-sbom/v1.0/csprd01/ap-sbom-v1.0-csprd01.html
Permanent "Latest stage" URI:
https://docs.oasis-open.org/openc2/ap-sbom/v1.0/ap-sbom-v1.0.html
(Note: Publication URIs are managed by OASIS TC Administration; please don't modify.)
When referencing this specification the following citation format should be used:
[OpenC2-SBOM-v1.0]
Open Command and Control (OpenC2) Profile for Software Bill of Materials Retrieval Version 1.0. Edited by Duncan Sparrell. 13 December 2019. OASIS Committee Specification Draft 01 / Public Review Draft 01. https://docs.oasis-open.org/openc2/ap-sbom/v1.0/csprd01/ap-sbom-v1.0-csprd01.html. Latest stage: https://docs.oasis-open.org/openc2/ap-sbom/v1.0/ap-sbom-v1.0.html.
Copyright © OASIS Open 2020. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.
OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.
The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark for above guidance.
[[TOC will be inserted here]]
The text in this section may all be replaced, but the following three sections (1.1, 1.2, and 1.3) are required for OASIS publications. Section 1.1 (IPR Policy) must not be changed by the TC. Section 1.2 (Terminology) may be modified to include other terminology-related information used in this specification. Section 1.3 (Normative References) should be modified to include additional references, as needed. Section 1.4 (Non-Normative References) is not required, but should be modified to include additional references, as needed.
Here is a customized command line which will generate HTML from this markdown file (named ap-sbom-v1.0-wd01.md):
```shell
pandoc -f gfm -t html ap-sbom-v1.0-wd01.md -c styles/markdown-styles-v1.7.3.css --toc --toc-depth=5 -s -o ap-sbom-v1.0-wd01.html --metadata title="Open Command and Control (OpenC2) Profile for Software Bill of Materials Retrieval Version 1.0"
```
We are currently using pandoc 2.6 from https://github.com/jgm/pandoc/releases/tag/2.6.
This also requires the presence of a .css file containing the HTML styles (like styles/markdown-styles-v1.7.3.css).
Note this command generates a Table of Contents (TOC) in HTML which is located at the top of the HTML document, and which requires additional editing in order to be published in the expected OASIS style. This editing will be handled by OASIS staff during publication.
This specification is provided under the Non-Assertion Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC's web page (https://www.oasis-open.org/committees/openc2/ipr.php).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] and [RFC8174] when, and only when, they appear in all capitals, as shown here.
(Reference sources: For references to IETF RFCs, use the approved citation formats at:
http://docs.oasis-open.org/templates/ietf-rfc-list/ietf-rfc-list.html.
For references to W3C Recommendations, use the approved citation formats at:
http://docs.oasis-open.org/templates/w3c-recommendations-list/w3c-recommendations-list.html.
Remove this note before submitting for publication.)
Open Command and Control (OpenC2) Language Specification Version 1.0. Edited by Jason Romano and Duncan Sparrell. Latest stage: https://docs.oasis-open.org/openc2/oc2ls/v1.0/oc2ls-v1.0.html.
Specification for Transfer of OpenC2 Messages via HTTPS Version 1.0. Edited by David Lemire. Latest stage: http://docs.oasis-open.org/openc2/open-impl-https/v1.0/open-impl-https-v1.0.html.
Open Command and Control (OpenC2) Profile for Stateless Packet Filtering Version 1.0. Edited by Joe Brule, Duncan Sparrell, and Alex Everett. Latest stage: http://docs.oasis-open.org/openc2/oc2slpf/v1.0/oc2slpf-v1.0.html.
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, http://www.rfc-editor.org/info/rfc2119.
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, http://www.rfc-editor.org/info/rfc8174.
Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, https://www.rfc-editor.org/info/rfc3552.
Text.
Note that text paragraphs in markdown should be separated by a blank line; otherwise the separate paragraphs will be joined together when the HTML is generated, even if the text appears on separate lines in the markdown source.
To avoid having the usual vertical space between paragraphs,
append two or more space characters (or space-backslash) to the end of the lines
which will generate an HTML break tag instead of a new paragraph tag
(as demonstrated here).
FIGURE EXAMPLE (note: the caption is best placed ABOVE the figure, so that a link to it displays the image; the same applies to table captions). [Figure image not present in this copy.]
Table 1-1. Table Label
Item | Description |
---|---|
Item 1 | Something (second line) |
Item 2 | Something |
Item 3 | Something (second line) |
Item 4 | text |
text.
Title 1 | Title 2 | title 3 |
---|---|---|
something | something | something else that is a long string of text that might need to wrap around inside the table box and will just continue until the column divider is reached |
something | something | something |
Name | Description |
---|---|
content | Message body as specified by content_type and msg_type. |
Here is a reference to the table caption: Please see Table 1-5 or other meaningful label
Bulleted list:
Indented or multi-level bullet list - add two spaces per level before bullet character (* or -):
Numbered list:
Left-justified list without bullets or numbers: To list multiple items without full paragraph breaks between items, add space-backslash after each item except the last.
REFERENCES and ANCHORS
###### [RFC2119]
Bradner, S., "Key words ..."
reference text has to be on a separate line below the tag
format cross-references (citations of the references) like: see [[RFC2119](#rfc2119)]
"see [RFC2119]"
(note the outer square brackets in markdown will appear in the visible HTML text)
The text in the Reference tag (following ###### ) will become an HTML anchor using the following conversion rules:
-- punctuation marks will be dropped (including "[" )
-- leading white spaces will be dropped
-- upper case will be converted to lower
-- spaces between letters will be converted to a single hyphen
The same HTML anchor construction rules apply to cross-references and to section headings.
-- Thus, a section heading like "## 1.3 Normative References"
-- becomes an anchor in HTML like <a href="#13-normative-references">
-- referenced in the markdown like: see Section 1.3
-- (in markdown: "see [Section 1.3](#13-normative-references)")
-- similar HTML anchors are also used in constructing the TOC
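The anchor rules listed above are easy to get wrong by hand, and a cross-reference that points at a non-existent anchor silently becomes a dead link in the generated HTML. The following added example (not part of the OASIS template or of any OASIS tooling) implements exactly the rules stated above and uses them to find cross-references in a markdown file that do not resolve to any heading or reference tag. The sample markdown is constructed for the example; heading detection skips fenced code blocks, which the page's rules do not mention, and the `~~~` fence form is assumed alongside the three-backtick form.

```python
"""Added example, not part of the OASIS template: build the HTML anchors the
template describes and report cross-references that do not resolve."""
import re

# Rules from the template: drop punctuation (including "["), drop leading
# whitespace, lower-case, collapse spaces between words to a single hyphen.
_PUNCT = re.compile(r"[^\w\s-]")          # keep word chars, whitespace, hyphen
_HEADING = re.compile(r"^\s{0,3}#{1,6}\s*(.+?)\s*$")
_LINK = re.compile(r"\]\(#([^)]+)\)")       # the "(#anchor)" part of a link


def gfm_anchor(text: str) -> str:
    """Anchor for a heading or reference tag; "## 1.3 Normative References"
    becomes "13-normative-references" and "[RFC2119]" becomes "rfc2119"."""
    cleaned = _PUNCT.sub("", text.lstrip())
    return re.sub(r"\s+", "-", cleaned.strip().lower())


def _is_fence(line: str) -> bool:
    stripped = line.strip()
    return stripped.startswith("```") or stripped.startswith("~~~")


def collect_anchors(md: str) -> set:
    """Anchors of every heading and ###### reference tag outside code fences
    (a '#' comment inside a fenced block must not count as a heading)."""
    anchors, in_fence = set(), False
    for line in md.splitlines():
        if _is_fence(line):
            in_fence = not in_fence
            continue
        if in_fence:
            continue
        m = _HEADING.match(line)
        if m:
            anchors.add(gfm_anchor(m.group(1)))
    return anchors


def dangling_links(md: str) -> list:
    """Sorted list of link targets that no heading or reference tag defines."""
    anchors = collect_anchors(md)
    return sorted({target for target in _LINK.findall(md) if target not in anchors})


# Constructed sample document in the template's own style.
SAMPLE_MD = """\
## 1.3 Normative References

###### [RFC2119]
Bradner, S., "Key words ..."

###### [OpenC2-Lang-v1.0]
Open Command and Control (OpenC2) Language Specification Version 1.0.

See [Section 1.3](#13-normative-references) and [[RFC2119](#rfc2119)].
This reference was never defined: [[RFC8174](#rfc8174)].

~~~
# a shell comment inside a fence, not a heading
~~~
"""

if __name__ == "__main__":
    print(sorted(collect_anchors(SAMPLE_MD)))
    print("dangling:", dangling_links(SAMPLE_MD))
```

Run `dangling_links` over the markdown source before generating the HTML; any anchor it lists will be a broken link in the output, most often because a reference tag was added to the text but not to the reference section, or a section was renumbered without updating its citations.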
Text to appear as an indented code block with grey background and monospace font: use three back-ticks on the line before and the line after the code block.
Note the actual backticks will not appear in the HTML format. If it's necessary to display visible backticks, place a back-slash before each one, like: \`\`\` .
```json
{
  "target": {
    "x_kmip_2.0": [
      {"kmip_type": "json"},
      {"operation": "RekeyKeyPair"},
      {"name": "publicWebKey11DEC2017"}
    ]
  }
}
```
Text to be highlighted as code can also be surrounded by a single "backtick" character: code text
Add horizontal rule lines where page breaks are desired in the PDF - before each major section (i.e. before each `<h1>` tag).
text.
text.
text.
text.
This is the deepest level, because six # gets transformed into a Reference tag.
text.
(Note: OASIS strongly recommends that Technical Committees consider issues that might affect safety, security, privacy, and/or data protection in implementations of their specification and document them for implementers and adopters. For some purposes, you may find it required, e.g. if you apply for IANA registration.
While it may not be immediately obvious how your specification might make systems vulnerable to attack, most specifications, because they involve communications between systems, message formats, or system settings, open potential channels for exploit. For example, IETF [RFC3552] lists “eavesdropping, replay, message insertion, deletion, modification, and man-in-the-middle” as well as potential denial of service attacks as threats that must be considered and, if appropriate, addressed in IETF RFCs.
In addition to considering and describing foreseeable risks, this section should include guidance on how implementers and adopters can protect against these risks.
We encourage editors and TC members concerned with this subject to read Guidelines for Writing RFC Text on Security Considerations, IETF [RFC3552], for more information.
Remove this note before submitting for publication.)
(Note: The OASIS TC Process requires that a specification approved by the TC at the Committee Specification Public Review Draft, Committee Specification or OASIS Standard level must include a separate section, listing a set of numbered conformance clauses, to which any implementation of the specification must adhere in order to claim conformance to the specification (or any optional portion thereof). This is done by listing the conformance clauses here. For the definition of "conformance clause," see OASIS Defined Terms.
See "Guidelines to Writing Conformance Clauses":
http://docs.oasis-open.org/templates/TCHandbook/ConformanceGuidelines.html.
Remove this note before submitting for publication.)
(Note: A Work Product approved by the TC must include a list of people who participated in the development of the Work Product. This is generally done by collecting the list of names in this appendix. This list shall be initially compiled by the Chair, and any Member of the TC may add or remove their names from the list by request.
Remove this note before submitting for publication.)
The following individuals have participated in the creation of this specification and are gratefully acknowledged:
OpenC2 TC Members:
First Name | Last Name | Company |
---|---|---|
Philippe | Alcoy | Arbor Networks |
Alex | Amirnovin | Viasat |
Kris | Anderson | Trend Micro |
Darren | Anstee | Arbor Networks |
Revision | Date | Editor | Changes Made |
---|---|---|---|
specname-v1.0-wd01 | yyyy-mm-dd | Editor Name | Initial working draft |