CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

Evidence for `component.scope` #437

Open prabhu opened 5 months ago

prabhu commented 5 months ago

Currently it is possible to specify a value for scope without offering any evidence.

https://github.com/CycloneDX/specification/blob/master/schema/bom-1.6.schema.json#L4783

This creates potential false negatives if consuming tools are configured to filter for components with specific scope values, such as `required`.
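
To illustrate the false-negative risk described above, here is an added example (not code from the issue or from the CycloneDX project). It walks a constructed CycloneDX 1.6 JSON BOM, reports components that declare a `scope` without any attached `evidence` object (the spec has no evidence field tied to scope itself, so presence of `identity`/`occurrences`/`callstack` evidence is used as a proxy, which is an assumption), and contrasts a naive scope filter with one that refuses to drop components whose scope is unsupported. The hypothetical function names are this example's own.

```python
import json

# Constructed sample BOM in CycloneDX 1.6 JSON shape; not from any real project.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.0.0", "scope": "required",
     "evidence": {"occurrences": [{"location": "src/main.c"}]}},
    {"type": "library", "name": "libbar", "version": "2.3.1", "scope": "optional"},
    {"type": "library", "name": "libbaz", "version": "0.9.0"}
  ]
}""")

SCOPES = {"required", "optional", "excluded"}


def has_evidence(component):
    """True if the component carries any CycloneDX evidence (identity,
    occurrences or callstack). This is only a proxy (an assumption of this
    example) for 'a tool actually analysed this component'."""
    ev = component.get("evidence") or {}
    return any(ev.get(k) for k in ("identity", "occurrences", "callstack"))


def unsupported_scopes(bom):
    """Names of components that declare a scope but attach no evidence."""
    return [c["name"] for c in bom.get("components", [])
            if c.get("scope") in SCOPES and not has_evidence(c)]


def naive_filter(bom, scope="required"):
    """Trusts the declared scope blindly: the false-negative pattern."""
    return [c["name"] for c in bom.get("components", []) if c.get("scope") == scope]


def conservative_filter(bom, scope="required"):
    """Keeps a component when its scope matches, when no scope is given
    (the spec's default is 'required'), or when its scope is declared but
    unsupported by evidence, so an unverified 'optional' cannot hide it."""
    kept = []
    for c in bom.get("components", []):
        s = c.get("scope")
        if s == scope or s is None or not has_evidence(c):
            kept.append(c["name"])
    return kept
```

On the sample BOM the naive filter silently drops `libbar`, whose `optional` scope is asserted without evidence, while the conservative filter keeps it for review.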

stevespringett commented 4 weeks ago

Thanks for the suggestion @prabhu. Any suggestions on a possible way to represent this? What kind of evidence would be necessary?