[FEATURE]: properties for externalReferences #608
Comments
Sounds interesting. An alternative I see is, to add a
According to our https://cyclonedx.org/participate/standardization-process/, please open a pull request, changing the schema and adding a test. Next iteration is 1.7, so the pull request's source/target branch would be https://github.com/CycloneDX/specification/tree/1.7-dev
Looking at https://cyclonedx.org/specification/overview/, I'm not sure if annotations target my use case. My question is about storing "inherent", but arbitrary attributes of an external reference in the SBOM for later reference (e.g. a filesystem or upload timestamp, the creator of the referenced artefact, internal artefact IDs which are not part of its URL etc.).
Will do that asap!
Allow custom properties for externalReferences
CycloneDX already allows a rich set of externalReferences types (https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences_items_type) to specify artefacts for a given component.
Such artefacts however usually have connected metadata like author, timestamps etc. Often, it would be very helpful to specify such metadata directly in the SBOM, e.g. to allow for filtering of references by metadata in postprocessing steps.
In my case, an internal component analysis tool enriches SBOMs of a (large) OS image with externalReferences to per-component analysis reports. This SBOM is then archived for later reference.
Now I want to take such an SBOM and download a subset of reports, e.g. filtered by author or date of creation. I could easily extend the analysis tool to store the reports' metadata in the SBOM if I had a way to express it. First, I tried to store the metadata with some syntax in the `comment` field, but decided that's not the way to go. So as of today, I need to either query the component analysis tool for metadata of all externalReferences in later processing steps or create a proprietary file along with the SBOM to hold this metadata.

Possible solutions
I think an easy solution could be to just allow custom `properties` in `externalReferences`, as CycloneDX already has for components.

Alternatives
I also thought about creating a 2nd SBOM listing the component analysis reports as components, using dependencies to connect them to the SBOM listing the actual components, but this doesn't really seem to be along the idea of SBOMs.
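As an added example (not code from this issue or from the CycloneDX project), the postprocessing step the request describes in Python: walk the externalReferences of a CycloneDX JSON BOM, filter them by type, creation date and metadata, and check a downloaded report against the hashes recorded in the BOM. It assumes the proposed `properties` array on externalReferences in the same name/value shape component properties already have (this is the feature being requested, not part of the 1.6 schema), an assumed `internal:` prefix for organisation-specific property names, and a constructed sample BOM. The `hashes` array on an external reference is already in the schema, and verifying a fetched report against it is the check a consumer should make before trusting a report pulled from an archived SBOM.

```python
"""Post-process a CycloneDX JSON BOM whose externalReferences carry metadata.

`properties` on externalReferences is the shape PROPOSED in the issue
(mirroring component properties); it is an assumption here and not part of
the CycloneDX 1.6 schema. `hashes` on externalReferences is in the schema.
"""
import hashlib
from datetime import date

# Constructed report content, used only so the sample BOM can carry a real digest.
REPORT_BYTES = b'{"findings": []}'

# Constructed sample BOM (not from the issue). Property names use an assumed
# "internal:" prefix for organisation-specific keys.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {
            "type": "library", "name": "openssl", "version": "3.0.13",
            "externalReferences": [
                {
                    "type": "static-analysis-report",
                    "url": "https://reports.example.internal/openssl/12345.json",
                    "hashes": [{"alg": "SHA-256",
                                "content": hashlib.sha256(REPORT_BYTES).hexdigest()}],
                    "properties": [  # proposed field, assumed shape
                        {"name": "internal:author", "value": "scanner-a"},
                        {"name": "internal:created", "value": "2024-05-01"},
                        {"name": "internal:report-id", "value": "12345"},
                    ],
                },
            ],
        },
        {
            "type": "library", "name": "zlib", "version": "1.3.1",
            "externalReferences": [
                {
                    "type": "static-analysis-report",
                    "url": "https://reports.example.internal/zlib/12346.json",
                    "properties": [
                        {"name": "internal:author", "value": "scanner-b"},
                        {"name": "internal:created", "value": "2024-06-15"},
                        {"name": "internal:report-id", "value": "12346"},
                    ],
                },
                {"type": "vcs", "url": "https://github.com/madler/zlib"},
            ],
        },
    ],
}


def iter_external_references(bom):
    """Yield (component, reference) for every externalReference in the BOM."""
    for component in bom.get("components", []):
        for ref in component.get("externalReferences", []):
            yield component, ref


def reference_properties(ref):
    """Flatten the proposed name/value property list into a dict."""
    return {p["name"]: p["value"] for p in ref.get("properties", [])}


def filter_references(bom, ref_type=None, created_after=None, props=None):
    """Return URLs of references whose type, creation date and property values
    all match. `created_after` is a datetime.date; `props` maps property
    names to required values. References lacking a requested value are skipped."""
    matches = []
    for _component, ref in iter_external_references(bom):
        if ref_type and ref.get("type") != ref_type:
            continue
        meta = reference_properties(ref)
        if created_after is not None:
            created = meta.get("internal:created")
            if created is None or date.fromisoformat(created) <= created_after:
                continue
        if any(meta.get(name) != value for name, value in (props or {}).items()):
            continue
        matches.append(ref["url"])
    return matches


def verify_report(ref, data):
    """Check downloaded report bytes against the SHA-256 recorded in the
    reference's `hashes`. No recorded SHA-256 means unverifiable: False."""
    recorded = [h["content"].lower() for h in ref.get("hashes", [])
                if h.get("alg") == "SHA-256"]
    if not recorded:
        return False
    return hashlib.sha256(data).hexdigest() in recorded


if __name__ == "__main__":
    print(filter_references(SAMPLE_BOM, ref_type="static-analysis-report",
                            created_after=date(2024, 6, 1)))
    openssl_ref = SAMPLE_BOM["components"][0]["externalReferences"][0]
    print(verify_report(openssl_ref, REPORT_BYTES))
```

The filter deliberately treats a missing property as a non-match rather than a wildcard, so a reference that predates the metadata (like the `vcs` entry) never slips into a filtered download set; and a report whose reference carries no hash is reported as unverified rather than silently accepted.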