CERTCC / SBOM

Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
MIT License

SWID tags for CycloneDX #5

Closed tmart234 closed 3 years ago

tmart234 commented 3 years ago

Couldn't you automatically add the swid tags generated in the SWID file into CycloneDX with <swid></swid> ? This field could help for component vulnerability tracing.

sei-vsarvepalli commented 3 years ago

Ha! So sorry. Somehow this issue was not visible in my feed.

We currently cross reference the PURL URL and use the "tagId" in a SWID element, which can be used to cross reference these SBOMs. Surely adding the SWID information into Cyclonedx can be done. However, this may not solve the problem you are after, as currently the PURL URLs are generated locally and they do not really have a reliable software naming approach they follow to distinctly identify vulnerabilities with a PURL or SWID tagId.
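As an added illustration of the cross-referencing described in the reply above (this is example code, not SwiftBOM's own), the snippet below parses a constructed ISO 19770-2 SWID tag, emits a CycloneDX component that carries both the PURL and the SWID `tagId` in the component's `swid` field, and indexes components by `tagId` so a SWID file and the SBOM can be matched. The PURL value and the sample tag contents are assumptions made for the example.

```python
# Added example: carry a SWID tagId into a CycloneDX component next to the PURL,
# so the two identifiers can be cross-referenced. Sample data is constructed.
import json
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"

# Constructed sample SWID tag; tagId, name and version are illustrative values.
SAMPLE_SWID = f"""<SoftwareIdentity xmlns="{SWID_NS}"
    name="example-lib" version="1.2.3"
    tagId="example.com-example-lib-1.2.3" tagVersion="0">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>"""


def parse_swid(xml_text: str) -> dict:
    """Return the identifying attributes of a SWID tag; tagId is mandatory."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a SWID SoftwareIdentity element")
    tag_id = root.get("tagId")
    if not tag_id:
        raise ValueError("SWID tag lacks a tagId")
    return {"tagId": tag_id, "name": root.get("name"),
            "version": root.get("version"), "tagVersion": root.get("tagVersion")}


def to_cyclonedx_component(swid: dict, purl: str) -> dict:
    """Build a CycloneDX component that holds both the PURL and the SWID tagId."""
    swid_block = {"tagId": swid["tagId"], "name": swid["name"]}
    if swid.get("version"):
        swid_block["version"] = swid["version"]
    if swid.get("tagVersion") is not None:
        swid_block["tagVersion"] = int(swid["tagVersion"])
    return {"type": "library", "name": swid["name"], "version": swid["version"],
            "purl": purl, "swid": swid_block}


def index_by_tag_id(components: list) -> dict:
    """Map SWID tagId -> component so a tagId from a SWID file resolves in the SBOM."""
    return {c["swid"]["tagId"]: c for c in components if "swid" in c}


if __name__ == "__main__":
    # Assumed PURL for the constructed sample component.
    comp = to_cyclonedx_component(parse_swid(SAMPLE_SWID), "pkg:generic/example-lib@1.2.3")
    print(json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                      "components": [comp]}, indent=2))
```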

sei-vsarvepalli commented 3 years ago

I am closing this issue due to no activity. The SWID portion of SwiftBOM will hopefully be a focus at a later stage when there is more interest and more support from those active in the SWID community - NIST etc.