CycloneDX / cyclonedx-maven-plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects
https://cyclonedx.org/
Apache License 2.0

Support pedigree (for forks) #448

Open vetsin opened 8 months ago

vetsin commented 8 months ago

We may be generating an SBOM for a forked library -- given such we would want the ability to declare our provenance (pedigree? I'm not really sure what the difference is) within the build. #427 is slightly related.

Some thoughts:

hboutemy commented 8 months ago

pedigree in the CycloneDX spec looks like a good target: https://cyclonedx.org/docs/1.5/json/#metadata_component_pedigree . I don't know if there are examples of SBOMs with such a pedigree filled.

VinodAnandan commented 8 months ago

@hboutemy you can find the pedigree example here: cyclonedx.org/use-cases/#pedigree

hboutemy commented 8 months ago

Great, how is it supposed to be filled? Manual injection? Automation somewhere? Based on what initial information?

vetsin commented 8 months ago

The more I consider, the more it feels like there should be a standard way to support this -- e.g. a configuration of some sort that isn't build tool specific. Which would, then, imply the best place to support pedigree wouldn't be any build tool extension but rely on a third party, e.g. a hopper transfer plugin or even just the cyclonedx-cli?

hboutemy commented 8 months ago

@vetsin as usual, getting one unique implementation accepted for every technology will be hard, but at least a common approach and a few reference implementations would be useful.

From a wider perspective, it's hard to clarify what part of the SBOM is automatically extracted and what part requires manual configuration. I recently was able to write down a case on external references, https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html , but there is a wider range of cases, particularly with the new advanced features of CycloneDX 1.5.

prabhu commented 5 months ago

@hboutemy

from a wider perspective, it's hard to clarify what part of the SBOM is automatically extracted and what part requires manual configuration.

We have the evidence.identity section to exactly describe the techniques that were used and the confidence for each of them.
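As an added example (not code from the plugin or from anyone in this thread), a post-processing step that injects a `pedigree` and an `evidence.identity` block into a generated `bom.json`, the "manual injection" route discussed above; every group/name/version/commit value below is constructed, and the shapes follow the CycloneDX 1.5 JSON schema.

```python
import copy

# Constructed sample: a trimmed CycloneDX 1.5 bom.json such as the Maven plugin
# emits for the fork being built. All coordinates here are made up.
GENERATED_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {
        "type": "library", "group": "org.example.fork", "name": "widget-lib",
        "version": "2.3.1-fork1",
        "purl": "pkg:maven/org.example.fork/widget-lib@2.3.1-fork1?type=jar"}},
    "components": [],
}
# The upstream release the fork derives from, and the fork's own commits (constructed).
UPSTREAM = {"type": "library", "group": "org.example", "name": "widget-lib",
            "version": "2.3.1", "purl": "pkg:maven/org.example/widget-lib@2.3.1?type=jar"}
SAMPLE_COMMITS = [{"uid": "0123abc", "url": "https://git.example.invalid/fork/commit/0123abc",
                   "message": "Backport upstream fix for issue 42"}]

def add_pedigree(bom, ancestor, commits, notes=None):
    """Return a copy of bom whose metadata.component records its upstream
    ancestor and the fork commits in `pedigree`, plus how the root's identity
    was determined in `evidence.identity` (CycloneDX 1.5 shapes)."""
    out = copy.deepcopy(bom)
    root = out["metadata"]["component"]
    pedigree = root.setdefault("pedigree", {})
    pedigree.setdefault("ancestors", []).append(ancestor)
    pedigree["commits"] = [{"uid": c["uid"], "url": c["url"], "message": c["message"]}
                           for c in commits]
    if notes:
        pedigree["notes"] = notes
    # The purl was read from pom.xml, i.e. manifest analysis, so confidence is 1.0.
    root["evidence"] = {"identity": {
        "field": "purl", "confidence": 1.0,
        "methods": [{"technique": "manifest-analysis", "confidence": 1.0,
                     "value": "pom.xml"}]}}
    return out

def check_pedigree(bom):
    """Consumer-side sanity check: at least one ancestor, each ancestor has a purl
    that differs from the root's own, and every listed commit has a uid."""
    root = bom["metadata"]["component"]
    ped = root.get("pedigree", {})
    ancestors = ped.get("ancestors", [])
    return bool(ancestors) and all(
        a.get("purl") and a["purl"] != root.get("purl") for a in ancestors
    ) and all(c.get("uid") for c in ped.get("commits", []))
```

Run `check_pedigree` on the plugin's raw output and on the enriched copy to see that only the latter carries a usable pedigree.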