Comments (7)
As it stands, the RFC defines external references for components. Would it be possible to also have references for the BOM as a whole?
Thus, issue-tracker would reference the project issue tracker URL. This gives the potential for automatically generating issues based on BOM analysis.
If the above makes sense, I suggest that "build-system" (ciManagement) should also be included. This will allow automatic linking back to where the BOM was generated (e.g., Jenkins). One use case: investigate why a BOM has not been updated for a week.
That's a really good idea and use-case.
Glad you like it!
I know that the CycloneDX specification is supposed to be lightweight... but another useful component reference (although I can only really speak from the perspective of Maven) would be "scope", i.e. test, compile, etc.
Currently, default behaviour in BOM generation is to exclude test scope. This gives the benefit that downstream analysis is not "polluted" by components that are not part of deliverables... but the disadvantage that one is not keeping track of use of an 8 year old version of seleniumHQ (or whatever).
The exact same challenge also affects commercial tools, many of which cannot tell the difference between scopes, meaning that it is easier to just exclude them entirely (or perform a whole bunch of manual triage).
By including scope in the BOM it would then be possible for downstream tools to analyse everything in a project, and provide the opportunity to apply different policies depending on the scope. eg:
- component with license x is banned if "scope = compile" but allowed if "scope = test".
- component with any scope might be covered by policies that deal with operational risk (component age)
- etc
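An added example, not code from this thread or from the CycloneDX project, that serves both the BOM-level external references proposed at the top of the thread and the scope-dependent policies listed above. It assumes CycloneDX 1.4-style JSON (a top-level `externalReferences` array with types such as `issue-tracker` and `build-system`, and a per-component `scope` taking the values required, optional or excluded, with an absent scope read as required). The BOM document, component names, URLs and the policy table are constructed for illustration.

```python
"""Scope-aware policy check over a CycloneDX JSON BOM.

Added example for this thread; not code from the CycloneDX project.
Assumes CycloneDX 1.4-style JSON: top-level `externalReferences`
and per-component `scope` / `licenses`. Everything below that looks
like a project (names, URLs, policy) is constructed.
"""
import json

# Constructed sample BOM; names and URLs are placeholders.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "externalReferences": [
        {"type": "issue-tracker", "url": "https://issues.example.invalid/proj"},
        {"type": "build-system", "url": "https://ci.example.invalid/job/proj-bom"},
    ],
    "components": [
        {"type": "library", "name": "app-core", "version": "2.1.0",
         "scope": "required", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "browser-test-driver", "version": "1.0.1",
         "scope": "excluded", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "json-utils", "version": "0.9.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "legacy-helper", "version": "0.1.0",
         "scope": "excluded"},
    ],
})

# Constructed policy: license identifiers banned for each scope. A license
# unacceptable in shipped code (required/optional) may be tolerated in
# excluded (test-only) components; scope is what makes that distinction possible.
BANNED_LICENSES = {
    "required": {"GPL-3.0-only"},
    "optional": {"GPL-3.0-only"},
    "excluded": set(),
}


def component_scope(comp):
    """CycloneDX tells consumers to assume 'required' when scope is absent."""
    return comp.get("scope", "required")


def component_licenses(comp):
    """Collect SPDX ids (or free-text names) from a component's licenses array."""
    ids = set()
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.add(lic["id"])
        elif "name" in lic:
            ids.add(lic["name"])
    return ids


def check_bom(bom_text, banned=BANNED_LICENSES):
    """Return policy findings; each records component, scope, rule and detail."""
    bom = json.loads(bom_text)
    findings = []
    for comp in bom.get("components", []):
        ref = f"{comp['name']}@{comp.get('version', '?')}"
        scope = component_scope(comp)
        licenses = component_licenses(comp)
        # Scope-specific rule: a license banned for this particular scope.
        for lic in sorted(licenses & banned.get(scope, set())):
            findings.append({"component": ref, "scope": scope,
                             "rule": "banned-license", "detail": lic})
        # Scope-independent rule: every component, test-only or not, must
        # declare a license so that operational-risk policies can reason about it.
        if not licenses:
            findings.append({"component": ref, "scope": scope,
                             "rule": "missing-license", "detail": ""})
    return findings


def external_reference(bom_text, ref_type):
    """Return the URL of the first BOM-level external reference of `ref_type`."""
    bom = json.loads(bom_text)
    for ref in bom.get("externalReferences", []):
        if ref.get("type") == ref_type:
            return ref.get("url")
    return None


def finding_title(f):
    """One issue title per finding, suitable for filing against the tracker."""
    what = f"{f['rule']} {f['detail']}".strip()
    return f"[bom] {what} in {f['component']} ({f['scope']})"


def issue_texts(bom_text):
    """Return (issue-tracker URL, draft issue titles); filing is left to the caller."""
    tracker = external_reference(bom_text, "issue-tracker")
    return tracker, [finding_title(f) for f in check_bom(bom_text)]


if __name__ == "__main__":
    url, titles = issue_texts(SAMPLE_BOM)
    print("issue tracker:", url)
    print("build system :", external_reference(SAMPLE_BOM, "build-system"))
    for t in titles:
        print(t)
```

Run as a script, it reports the GPL-licensed `required` component and the license-less `excluded` one, while the GPL-licensed test-only driver passes because the policy table treats the excluded scope differently; the `build-system` reference is what a consumer would follow to find the job that produced a stale BOM.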
Scope is already part of the specification. Refer to https://github.com/CycloneDX/specification/blob/master/schema/bom-1.0.xsd#L46
The definition of scope currently is limited to 'required' and 'optional'. I think adding a 'test' scope would be a good addition.
https://github.com/CycloneDX/specification/blob/master/schema/bom-1.0.xsd#L155
I do not think any of the implementations (maven, npm, pypi, nuget) actually use or populate this field. This is likely an enhancement that should be made to each of the implementations.
On second thought, I think an 'excluded' value for scope makes more sense, since components could be excluded for all kinds of reasons, including unit and integration tests.
Included in CycloneDX 1.1
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.