Open vetsin opened 8 months ago
pedigree in CycloneDX spec looks like a good target https://cyclonedx.org/docs/1.5/json/#metadata_component_pedigree I don't know if there are examples of SBOMs with such a pedigree filled.
@hboutemy you can find the pedigree example here = cyclonedx.org/use-cases/#pedigree
great, how is it supposed to be filled? manual injection? automation somewhere? based on what initial information?
The more I consider, the more it feels like there should be a standard way to support this -- e.g. a configuration of some sort that isn't build tool specific. Which would, then, imply the best place to support pedigree wouldn't be any build tool extension but rely on a third party, e.g. a hopper transfer plugin or even just the cyclonedx-cli?
@vetsin as usual, getting one unique implementation accepted for every technology will be hard, but at least a common approach and a few reference implementations would be useful
from a wider perspective, it's hard to clarify what part of the SBOM is automatically extracted and what part requires manual configuration. I recently was able to write down a case on external references https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html, but there is a wider range of cases, particularly with the new advanced features of CycloneDX 1.5.
@hboutemy
> from a wider perspective, it's hard to clarify what part of the SBOM is automatically extracted and what part requires manual configuration.
We have the evidence.identity section to exactly describe the techniques that were used and the confidence for each of them.
We may be generating an SBOM for a forked library -- given such we would want the ability to declare our provenance (pedigree? I'm not really sure what the difference is) within the build. #427 is slightly related.
Some thoughts:
- upstream
- remote?