CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

Change component type so that it's not required or add a new type of unassigned #466

Open pjdowner opened 1 month ago

pjdowner commented 1 month ago

I'm currently working on generating an SBOM for a Yocto-based embedded distribution and I'd like to use Dependency-Track. I have a semi-working solution to get my SBOM into Dependency-Track, but it's not perfect, and so I've been looking at generating validated CycloneDX-formatted JSON with the new solution I'm working on.

However, after experimenting with cyclonedx-python-lib and its validation functions, I've discovered that component type is a required field: https://cyclonedx.org/docs/1.6/json/#components_items_type

Yocto has a lot of packages (over 100 just in the initramfs, never mind the root fs) that I need to cover, and I can't find a way to easily extract a reasonable type for each package. Is there an explanation for why this is required when it doesn't appear to be used by applications like Dependency-Track? Could the required status be dropped?

If there is a specific reason to keep this as a required field, could an extra type of 'unassigned' or similar be added to the spec?

stevespringett commented 1 month ago

Per the docs:

For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.

So if you're unable to determine the type of a component, simply use `application`.

But yes, we can revisit this requirement for the v1.7 release.
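As an added example (it is not code from this thread, nor from the CycloneDX project or cyclonedx-python-lib), the following Python builds a CycloneDX 1.6 JSON document for a constructed list of packages and applies the rule quoted above: map whatever classification hint the build system gives to a CycloneDX type, and fall back to `application` whenever nothing more specific is known. The package list, the `kind` hints and the `KIND_TO_TYPE` mapping are assumptions standing in for real recipe metadata. The `check_required` function only checks the fields discussed in this issue (`bomFormat`, `specVersion`, and each component's `name` and `type` against the 1.6 classification enum); it is not schema validation, which should still be done against the published schema, for example with cyclonedx-python-lib's JSON validator.

```python
"""Build a minimal CycloneDX 1.6 JSON SBOM, defaulting component type to
"application" when nothing more specific can be determined."""
import json
import uuid
from datetime import datetime, timezone

# Component classifications allowed by the CycloneDX 1.6 JSON schema.
COMPONENT_TYPES = frozenset({
    "application", "framework", "library", "container", "platform",
    "operating-system", "device", "device-driver", "firmware", "file",
    "machine-learning-model", "data", "cryptographic-asset",
})

# Assumed mapping from a build-system "kind" hint (whatever your recipe
# metadata happens to provide) to a CycloneDX type. Anything unmapped falls
# back to "application", the default classification named in the spec docs.
KIND_TO_TYPE = {
    "lib": "library",
    "firmware": "firmware",
    "os": "operating-system",
    "file": "file",
}

# Constructed sample input; the names and versions are illustrative only.
PACKAGES = [
    {"name": "busybox", "version": "1.36.1", "kind": "app", "license": "GPL-2.0-only"},
    {"name": "glibc", "version": "2.39", "kind": "lib", "license": "LGPL-2.1-only"},
    {"name": "linux-firmware", "version": "20240220", "kind": "firmware"},
    {"name": "initramfs-framework", "version": "1.0"},  # no hint at all
]


def classify(kind):
    """Return the CycloneDX component type for a kind hint, or "application"."""
    return KIND_TO_TYPE.get(kind, "application")


def make_component(pkg):
    """Turn one package record into a CycloneDX component object."""
    comp = {
        "type": classify(pkg.get("kind")),
        "name": pkg["name"],
        "version": pkg["version"],
        # pkg:generic is the catch-all purl type; a real generator would emit
        # a more specific purl type where it can determine one.
        "purl": f"pkg:generic/{pkg['name']}@{pkg['version']}",
    }
    if pkg.get("license"):
        # SPDX license identifier, as the schema's license object expects.
        comp["licenses"] = [{"license": {"id": pkg["license"]}}]
    return comp


def build_bom(packages, bom_version=1):
    """Assemble a CycloneDX 1.6 BOM document from package records."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": bom_version,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        },
        "components": [make_component(p) for p in packages],
    }


def check_required(bom):
    """Local sanity check of the fields this issue is about.

    Returns a list of problem strings (empty when all checks pass). This is
    not schema validation; use the published JSON schema for that.
    """
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if "specVersion" not in bom:
        problems.append("specVersion is required")
    for i, comp in enumerate(bom.get("components", [])):
        where = f"components[{i}]"
        if "name" not in comp:
            problems.append(f"{where}: name is required")
        ctype = comp.get("type")
        if ctype is None:
            problems.append(f"{where}: type is required")
        elif ctype not in COMPONENT_TYPES:
            problems.append(f"{where}: unknown type {ctype!r}")
    return problems


if __name__ == "__main__":
    bom = build_bom(PACKAGES)
    print(json.dumps(bom, indent=2))
    print("problems:", check_required(bom) or "none")
```

Running the script prints the generated BOM; the two packages without a mapped hint (`busybox` with an unmapped `app` hint and `initramfs-framework` with no hint) come out as `application`, and the check reports no problems. Dropping a component's `type`, or setting it to a value outside the enum such as `unassigned`, is reported as a problem, which is the same condition the library's validator rejects.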

pjdowner commented 1 month ago

Oh, that's great, thanks. I can't believe I missed that bit about using `application` as the default appropriate classification... Thanks for adding it to the 1.7 milestone for review, though.