CycloneDX / cyclonedx-cocoapods

Creates CycloneDX Software Bill-of-Materials (SBOM) from Objective-C and Swift projects that use CocoaPods.
Apache License 2.0

Add 'evidence' element for the components #69

Open macblazer opened 7 months ago

macblazer commented 7 months ago

As an SBOM consumer, I would like to have the evidence element added as components/component/evidence (XPath-like syntax), especially for the identity element, so that I can make better decisions regarding the contents of SBOMs created with cyclonedx-cocoapods.

This project uses the "manifest-analysis" technique, which has a confidence of 0.4 to 0.6 (based on this guide).

Here is a JSON example from a Java bom to make it more concrete:

      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 0.8,
          "methods": [
            {
              "technique": "binary-analysis",
              "confidence": 0.8,
              "value": "/tmp/mvn-deps-fN9MGL/us/springett/alpine-common/2.2.4-SNAPSHOT/alpine-common-2.2.4-SNAPSHOT.jar"
            }
          ]
        },
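The following is an added example, not code from cyclonedx-cocoapods or from the commenter above, showing what the requested `evidence.identity` element would look like for a pod resolved from a Podfile.lock, and the sanity check an SBOM consumer could run on it. It assumes the CycloneDX 1.5 shape used in the JSON above (`identity` as a single object with `field`, `confidence` and `methods`), the 0.4 to 0.6 band the comment quotes for `manifest-analysis`, and a purely illustrative rule for picking a value inside that band (0.6 when the lock file pins an exact version, 0.4 otherwise). The component name, version and manifest path are constructed sample input, and the "identity confidence must not exceed its strongest method" rule is a consumer-side heuristic, not a schema requirement.

```ruby
# Added example (not cyclonedx-cocoapods code): build and check a CycloneDX 1.5
# `evidence.identity` element for a component read from a Podfile.lock.
require 'json'

# Enumerations from the CycloneDX 1.5 schema for evidence.identity.
IDENTITY_FIELDS = %w[group name version purl cpe swid hash].freeze
IDENTITY_TECHNIQUES = %w[
  source-code-analysis binary-analysis manifest-analysis ast-fingerprint
  hash-comparison instrumentation dynamic-analysis filename attestation other
].freeze

# Confidence band the issue quotes for manifest-analysis.
MANIFEST_ANALYSIS_MIN = 0.4
MANIFEST_ANALYSIS_MAX = 0.6

# Evidence for one component. `manifest_path` is the lock file it was read
# from; `pinned` is an assumed heuristic (exact version pin => top of band).
def manifest_identity_evidence(manifest_path:, pinned:)
  confidence = pinned ? MANIFEST_ANALYSIS_MAX : MANIFEST_ANALYSIS_MIN
  {
    'identity' => {
      'field' => 'purl',
      'confidence' => confidence,
      'methods' => [
        { 'technique' => 'manifest-analysis',
          'confidence' => confidence,
          'value' => manifest_path }
      ]
    }
  }
end

# A minimal CycloneDX component for a pod, carrying the evidence above.
def cocoapods_component(name:, version:, manifest_path:, pinned: true)
  purl = "pkg:cocoapods/#{name}@#{version}"
  {
    'type' => 'library',
    'bom-ref' => purl,
    'name' => name,
    'version' => version,
    'purl' => purl,
    'evidence' => manifest_identity_evidence(manifest_path: manifest_path, pinned: pinned)
  }
end

# Consumer-side check: returns a list of problems (empty means acceptable).
def validate_identity_evidence(evidence)
  identity = evidence['identity'] || {}
  errors = []
  in_range = ->(v) { v.is_a?(Numeric) && v >= 0.0 && v <= 1.0 }

  errors << "unknown identity field #{identity['field'].inspect}" unless IDENTITY_FIELDS.include?(identity['field'])
  conf = identity['confidence']
  errors << 'identity confidence must be in 0.0..1.0' unless in_range.call(conf)

  methods = Array(identity['methods'])
  errors << 'identity has no methods' if methods.empty?
  methods.each do |m|
    errors << "unknown technique #{m['technique'].inspect}" unless IDENTITY_TECHNIQUES.include?(m['technique'])
    errors << 'method confidence must be in 0.0..1.0' unless in_range.call(m['confidence'])
  end

  # Heuristic (not a schema rule): the overall identity confidence should be
  # backed by at least one method of equal or greater confidence.
  best = methods.map { |m| m['confidence'] }.select { |v| in_range.call(v) }.max
  errors << 'identity confidence exceeds the strongest supporting method' if in_range.call(conf) && best && conf > best
  errors
end

# Decision helper: trust the component's identity only if the evidence is
# well-formed and its confidence meets the consumer's threshold.
def identity_trusted?(component, threshold)
  evidence = component['evidence']
  return false if evidence.nil?

  validate_identity_evidence(evidence).empty? && evidence['identity']['confidence'] >= threshold
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input.
  component = cocoapods_component(name: 'Alamofire', version: '5.8.1', manifest_path: 'Podfile.lock')
  puts JSON.pretty_generate(component)
  puts "trusted at 0.5: #{identity_trusted?(component, 0.5)}"
end
```

A consumer that requires, say, 0.7 confidence would reject every component produced this way, which is exactly the point of the request: a manifest-only SBOM can be told apart from one backed by binary analysis or attestation without guessing.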