CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

Clarify swhid in documentation #444

Open prabhu opened 2 months ago

prabhu commented 2 months ago

The documentation for swhid is below:

Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html.

Many SWHIDs, especially those based on the content and directory types, are not unique and hence require additional qualifiers such as anchors.

Below is a snippet from the swhid docs:

This means, for example, that you should prefer swh:1:dir:a8eded6a2d062c998ba2dcc3dcb0ce68a4e15a58;anchor=swh:1:rel:22ece559cc7cc2364edc5e5593d63ae8bd229f9f over swh:1:rel:22ece559cc7cc2364edc5e5593d63ae8bd229f9f.

Similar to purl, I think the swhid attribute in the specification must allow qualifiers. This could be clarified via the documentation.
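As an added example (not part of this issue or the CycloneDX project), a small Python parser that accepts a SWHID with `;key=value` qualifiers, validates the core part and the qualifier values, and flags content/directory identifiers that carry no anchor or origin, which is the ambiguity described above. The allowed qualifier keys and the object types permitted inside `anchor` and `visit` are taken from my reading of the SWHID spec and should be checked against it.

```python
import re
from dataclasses import dataclass, field

# Core form from the SWHID spec: swh:1:<type>:<40-hex object id>
_CORE = re.compile(r"swh:1:(cnt|dir|rev|rel|snp):([0-9a-f]{40})")
# Qualifier keys defined by the spec; for the two whose value is itself a
# SWHID, the object types that value may have (assumed from the spec).
_QUALIFIER_TYPES = {
    "origin": None,
    "visit": {"snp"},
    "anchor": {"dir", "rev", "rel", "snp"},
    "path": None,
    "lines": None,
}

@dataclass
class SWHID:
    object_type: str
    object_id: str
    qualifiers: dict = field(default_factory=dict)

    @property
    def core(self) -> str:
        """The SWHID without qualifiers."""
        return f"swh:1:{self.object_type}:{self.object_id}"

def parse_swhid(value: str) -> SWHID:
    """Parse a SWHID with optional ';key=value' qualifiers; ValueError if invalid."""
    core, *quals = value.split(";")
    m = _CORE.fullmatch(core)
    if not m:
        raise ValueError(f"invalid core SWHID: {core!r}")
    swhid = SWHID(m.group(1), m.group(2))
    for q in quals:
        key, sep, val = q.partition("=")
        if not sep or key not in _QUALIFIER_TYPES or not val:
            raise ValueError(f"malformed qualifier: {q!r}")
        if key in swhid.qualifiers:
            raise ValueError(f"duplicate qualifier: {key}")
        allowed = _QUALIFIER_TYPES[key]
        if allowed is not None:
            inner = _CORE.fullmatch(val)
            if not inner or inner.group(1) not in allowed:
                raise ValueError(f"{key} must be a core SWHID of type {sorted(allowed)}: {val!r}")
        elif key == "lines" and not re.fullmatch(r"\d+(-\d+)?", val):
            raise ValueError(f"lines must be N or N-M: {val!r}")
        swhid.qualifiers[key] = val
    return swhid

def needs_context(swhid: SWHID) -> bool:
    """True for a cnt/dir SWHID with neither anchor nor origin, i.e. one that
    does not pin the object to a specific software artifact."""
    return swhid.object_type in ("cnt", "dir") and not (
        swhid.qualifiers.keys() & {"anchor", "origin"})
```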