OWASP Common Lifecycle Enumeration

The Common Lifecycle Enumeration (CLE) is an open standard supporting component aliasing, component lifecycle changes such as end-of-life and end-of-support, and provenance chaining over time.

Introduction

Despite years of development in standards for communicating software component vulnerabilities, there is a notable lack of standardized communication for lifecycle events of software or hardware components. Lifecycle events include instances such as the cessation of active development, discontinuation of sales, or the end of security updates. Crucially, events altering the software identifier, as elaborated in the Component Aliasing section, are also significant.

The absence of a standardized way of communicating lifecycle events for software or hardware components has significant implications, particularly in regards to security and maintenance. For example, once a component reaches its end-of-life, it no longer receives security updates. Determining when components reach such milestones remains challenging, potentially exposing security vulnerabilities.

Work in Progress

The CLE project is collecting use cases and will be working with the community to create a specification that can achieve said use cases. Conversations have historically taken place in the OWASP CycloneDX Slack workspace, however, a dedicated Slack channel is now available on the OWASP Slack workspace.

Get Involved

Like all OWASP projects, CLE is open for everyone to participate in. You do not need to be an OWASP member to make a difference. If you’d like to get involved, review and optionally comment on the use cases document and introduce yourself and what you’d like to work on in the Slack channel. Together, we can make CLE a reality.