CycloneDX / bom-examples

A repository with examples of CycloneDX BOMs (SBOM, SaaSBOM, OBOM, VEX, etc)
https://cyclonedx.org
Creative Commons Zero v1.0 Universal

CBOM example lists cryptographic-asset in components but does not list it separately as a dependency #47

Closed uzairchhapra closed 3 weeks ago

uzairchhapra commented 3 weeks ago

Description

  1. CDX schema v1.6 adds support for the provides tag in dependencies. A good use-case for this is to use it with the component type cryptographic-asset.
  2. The official example by CDX lists a cryptographic-asset in components but does not list it separately as a dependency. It is only mentioned in the new provides tag.
  3. According to the CDX v1.6 spec:

    Components or services that do not have their own dependencies must be declared as empty elements within the graph

  4. some-library is also not included as a separate dependency in the dependencies list.

Screenshots

[Screenshot from the issue, not reproduced here]

Reference

  1. Issue came up as part of this PR.
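As an added illustration (not the repository's example file or the maintainers' code), the check below parses a constructed 1.6 CBOM shaped like the one the issue describes, lists the components that have no entry of their own in dependencies, and adds the empty entries the quoted spec text calls for. The bom-refs, names and cryptoProperties content are constructed values.

```python
import copy
import json

# Constructed CycloneDX 1.6 CBOM fragment (not the repository's example file)
# with the shape the issue describes: some-library and the cryptographic-asset
# are declared in `components` and referenced from the application's
# `dependsOn`/`provides`, but neither has its own entry in `dependencies`.
CBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"type": "application", "bom-ref": "app", "name": "my-app"},
    {"type": "library", "bom-ref": "some-library", "name": "some-library"},
    {"type": "cryptographic-asset", "bom-ref": "crypto/algorithm/aes-256-gcm",
     "name": "AES-256-GCM", "cryptoProperties": {"assetType": "algorithm"}}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["some-library"],
     "provides": ["crypto/algorithm/aes-256-gcm"]}
  ]
}"""

def load_constructed_cbom() -> dict:
    return json.loads(CBOM_JSON)

def component_refs(components: list) -> set:
    """Collect the bom-refs of all components, including nested ones."""
    refs = set()
    for comp in components:
        if "bom-ref" in comp:
            refs.add(comp["bom-ref"])
        refs |= component_refs(comp.get("components", []))
    return refs

def missing_dependency_entries(bom: dict) -> list:
    """bom-refs declared as components but lacking their own entry in the graph;
    the spec text quoted in the issue requires even leaf components to appear."""
    declared = component_refs(bom.get("components", []))
    graph = {dep["ref"] for dep in bom.get("dependencies", [])}
    return sorted(declared - graph)

def add_empty_dependency_entries(bom: dict) -> dict:
    """Return a copy with an empty {"ref": ...} entry for every missing component."""
    fixed = copy.deepcopy(bom)
    deps = fixed.setdefault("dependencies", [])
    deps.extend({"ref": ref} for ref in missing_dependency_entries(bom))
    return fixed
```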

uzairchhapra commented 3 weeks ago

I am interested in contributing to this issue @jkowalleck