README.md: 10 additions & 14 deletions
@@ -53,32 +53,28 @@ The working group has produced a list of use cases and requirements for the prot
53
53
-[TEA use cases](doc/tea-usecases.md)
54
54
55
55
## Data model
56
-
57
-
-[TEA Product](tea-product/tea-product): This is the starting point. A "product" is something for sale or distributed as an Open Source project. The [Transparency Exchange Identifier, TEI](/discovery/readme.md) points to a single product. A product can have multiple TEIs.
58
-
-[TEA Component](tea-component/tea-component.md): A Component is a versioned part of the product. In many cases, the product has a single component,
59
-
and in other cases a product consists of multiple components.
60
-
- TEA Components has a list of "releases" for each component.
61
-
-[TEA Collection](tea-collection/tea-collection.md): The collection is a list of artifacts for a specific release. The collection can be
62
-
dynamic or static, depending on the implemenation. TEA collections are versioned to indicate a change for a specific release,
63
-
like an update of a VEX file or a correction of an SBOM.
64
-
-[TEA Artifacts](tea-artifact/tea-artifact.md): The artifact is a file associated with the collection. One artifact can be part of many collections,
65
-
for multiple components.
56
+
-[TEA Product Release](tea-product/tea-product-release.md): The primary entry point. The [Transparency Exchange Identifier, TEI](/discovery/readme.md) resolves to a specific Product Release. A Product Release may optionally belong to a [TEA Product](tea-product/tea-product.md).
57
+
-[TEA Product](tea-product/tea-product.md): An optional higher-level object that groups a set of Product Releases for a product line or family. Products can be discovered and browsed; releases are accessed via `/product/{uuid}/releases`.
58
+
-[TEA Component](tea-component/tea-component.md): Represents a component lineage. A Component is a collection of Component Releases (accessible via `/component/{uuid}/releases`).
59
+
-[TEA Release](/tea-component/tea-release.md: A Component Release object. Each Component Release may have its own TEA Collection.
60
+
-[TEA Collection](tea-collection/tea-collection.md): A versioned list of artefacts for a specific Release (Component Release) or Product Release. Collections are versioned to indicate changes, e.g., an updated VEX or corrected SBOM.
61
+
-[TEA Artefacts](tea-artifact/tea-artifact.md): Files associated with a Collection. A single Artefact can appear in multiple Collections.
66
62
67
63
## artifacts available of the API
68
64
69
65
The Transparency Exchange API (TEA) supports publication and retrieval of a set of transparency exchange artifacts. The API itself should not be restricting the types of the artifacts. A few examples:
70
66
71
67
### xBOM
72
68
73
-
Bill of materials for any type of component and service are supported. This includes, but is not limited to, SBOM, HBOM, AI/ML-BOM, SaaSBOM, and CBOM. The API provides a BOM format agnostic way of publishing, searching, and retrieval of xBOM artifacts.
69
+
Bill of materials for any type of component and service are supported. This includes, but is not limited to, SBOM, HBOM, AI/ML-BOM, SaaSBOM, and CBOM. The API provides a BOM format agnostic way of publishing, searching, and retrieval of xBOM artefacts.
74
70
75
71
### CDXA
76
72
77
-
Standards and requirements along with attestations to those standards and requirements are captured and supported by CycloneDX Attestations (CDXA). Much like xBOM, these are supply chain artifacts that are captured allowing for consistent publishing, searching, and retrieval.
73
+
Standards and requirements along with attestations to those standards and requirements are captured and supported by CycloneDX Attestations (CDXA). Much like xBOM, these are supply chain artefacts that are captured allowing for consistent publishing, searching, and retrieval.
78
74
79
75
### VDR/VEX
80
76
81
-
Vulnerability Disclosure Reports (VDR) and Vulnerability Exploitability eXchange (VEX) are supported artifact types. Like the xBOM element, the VDR/VEX support is format agnostic. However, CSAF has its own distribution requirements that may not be compatible with APIs. Therefore, the initial focus will be on CycloneDX (VDR and VEX) and OpenVEX.
77
+
Vulnerability Disclosure Reports (VDR) and Vulnerability Exploitability eXchange (VEX) are supported artefact types. Like the xBOM element, the VDR/VEX support is format agnostic. However, CSAF has its own distribution requirements that may not be compatible with APIs. Therefore, the initial focus will be on CycloneDX (VDR and VEX) and OpenVEX.
82
78
83
79
### CLE
84
80
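Review bot: the added TEA Release bullet has a malformed link: `[TEA Release](/tea-component/tea-release.md:` never closes its parenthesis, so it will not render as a link, and unlike the TEA Component entry its target starts with a leading slash. Suggest `[TEA Release](tea-component/tea-release.md):` to match the neighbouring entries. The spelling change is also only partial: the xBOM, CDXA and VDR/VEX paragraphs now say "artefacts" while the unchanged heading "## artifacts available of the API" and the sentence directly under it still say "artifacts", so the section should settle on one spelling.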
@@ -108,7 +104,7 @@ Contributors are listed in the [Contributors](contributors.md) file.
108
104
- API: Application programming interface
109
105
- Authorization (authz):
110
106
- Authentication (authn):
111
-
- Collection: A set of artifacts representing a version of a product
107
+
- Collection: A set of artefacts representing a version of a product
112
108
- Product: An item sold or delivered under one name
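Review bot: the Collection glossary entry only receives the spelling change, but its definition, "A set of artefacts representing a version of a product", no longer matches the data model text changed in this same commit, which describes a Collection as a versioned list of artefacts for a specific Release (Component Release) or Product Release. Suggest rewording the entry along those lines and adding entries for Product Release and Component Release, since the data model now relies on both terms. The Product entry, "An item sold or delivered under one name", likewise predates the new description of a Product as an optional grouping of Product Releases.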