prabhu
commented
2 months ago Thinking out aloud, other entities such as services, compositions, vulnerabilities, annotations etc would also benefit from explicit bom-link
Open prabhu opened 2 months ago
prabhu
commented
2 months ago Thinking out aloud, other entities such as services, compositions, vulnerabilities, annotations etc would also benefit from explicit bom-link
Currently, a component has a bom-ref, while the BOM has a serialNumber. Growing number of ASOC and Vulnerability Management platforms aggregate several components from across BOMs into a single database.
Identifying a component based on a deep
BOM-Linkbecomes a three step process in such environments (Retrieve the BOM, parse, and identify the referred component). Further, the regex for a bomlink is quite broad^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$The proposal is to add a new property
bom-linkto a component level. Generator tools can set this value to beserialNumber/bom-ref. This would simplify lookups and joins since the entirety of the BOM document need not be loaded.