Closed tmart234 closed 3 years ago
Ha! So sorry. Somehow this issue was not visible in my feed.
We currently cross-reference the PURL URL and use the "tagId" in a SWID element, which can be used to cross-reference these SBOMs. Surely adding the SWID information into CycloneDX can be done. However, this may not solve the problem you are after, as currently the PURL URLs are generated locally and they do not really have a reliable software naming approach they follow to distinctly identify vulnerabilities with a PURL or SWID tagId.
I am closing this issue due to no activity. The SWID portion of SwiftBOM will hopefully be a focus at a later stage when there is more interest and more support from those active in the SWID community (NIST etc.).
Couldn't you automatically add the SWID tags generated in the SWID file into CycloneDX with `<swid></swid>`? This field could help for component vulnerability tracing.
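An added example, not SwiftBOM's or CycloneDX's own code, of what the question above asks for: carrying an ISO 19770-2 SWID tag's tagId into a CycloneDX component's `swid` element next to a PURL, then cross-referencing a component by that tagId. The CycloneDX 1.3 namespace is assumed, and the sample SWID tag and PURL are constructed values.

```python
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
CDX_NS = "http://cyclonedx.org/schema/bom/1.3"  # assumed CycloneDX version

# Constructed SWID tag for illustration; the tagId is a made-up value.
SWID_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" name="example-lib"
  tagId="example.com-example-lib-1.2.3" version="1.2.3"
  tagVersion="0" patch="false"/>"""


def swid_to_cdx_component(swid_xml: str, purl: str = "") -> ET.Element:
    """Build a CycloneDX <component> carrying the SWID tag's identity."""
    tag = ET.fromstring(swid_xml)
    if tag.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not an ISO 19770-2 SoftwareIdentity element")
    tag_id = tag.get("tagId")
    if not tag_id:
        raise ValueError("SWID tag has no tagId; nothing to cross-reference")
    comp = ET.Element(f"{{{CDX_NS}}}component", type="library")
    ET.SubElement(comp, f"{{{CDX_NS}}}name").text = tag.get("name", "")
    ET.SubElement(comp, f"{{{CDX_NS}}}version").text = tag.get("version", "")
    if purl:
        ET.SubElement(comp, f"{{{CDX_NS}}}purl").text = purl
    # CycloneDX swid element: tagId and name are required, the rest optional.
    ET.SubElement(comp, f"{{{CDX_NS}}}swid", tagId=tag_id,
                  name=tag.get("name", ""), version=tag.get("version", ""),
                  tagVersion=tag.get("tagVersion", "0"),
                  patch=tag.get("patch", "false"))
    return comp


def build_bom(components) -> ET.Element:
    """Wrap components in a minimal CycloneDX <bom> root."""
    bom = ET.Element(f"{{{CDX_NS}}}bom", version="1")
    comps = ET.SubElement(bom, f"{{{CDX_NS}}}components")
    for c in components:
        comps.append(c)
    return bom


def find_by_tag_id(bom: ET.Element, tag_id: str):
    """Cross-reference: return the component whose swid tagId matches."""
    for comp in bom.iter(f"{{{CDX_NS}}}component"):
        swid = comp.find(f"{{{CDX_NS}}}swid")
        if swid is not None and swid.get("tagId") == tag_id:
            return comp
    return None


if __name__ == "__main__":
    bom = build_bom([swid_to_cdx_component(SWID_TAG, "pkg:generic/example-lib@1.2.3")])
    print(ET.tostring(bom, encoding="unicode"))
```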