Closed topiga closed 3 weeks ago
Maybe use the CycloneDX property named cdx:lifecycle:milestone:generalAvailability.
See https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/lifecycle.md
Wow!! I didn't even know this repo existed for that! That fixes my problem. I'll change my script to add the values with this property now. Should it be in a doc on the CycloneDX website? EDIT: lifecycle properties were added two weeks ago, that's why I missed it. BTW, I already use the ISO 8601 format, so I almost don't have to change anything ^^
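One way to do what the reply above describes, as an added example that is not the reporter's script or CycloneDX project code: stamp each component with the cdx:lifecycle:milestone:generalAvailability property carrying an ISO 8601 date, reject non-ISO input, and read the date back. The sample BOM, purls and dates are constructed for the demo.

```python
# Added example, not the issue's script or CycloneDX project code.
# Assumes a CycloneDX JSON BOM whose components carry the standard optional
# "properties" list of {"name", "value"} pairs.
import json
from datetime import date, datetime
from typing import Dict, Optional

GA_PROPERTY = "cdx:lifecycle:milestone:generalAvailability"

def set_ga_date(component: dict, released: str) -> dict:
    """Attach (or replace) the GA milestone property with an ISO 8601 date."""
    datetime.fromisoformat(released)  # raises ValueError on non-ISO input
    props = [p for p in component.get("properties", [])
             if p.get("name") != GA_PROPERTY]
    props.append({"name": GA_PROPERTY, "value": released})
    component["properties"] = props
    return component

def ga_date(component: dict) -> Optional[date]:
    """Read the GA milestone back as a date, or None when absent."""
    for prop in component.get("properties", []):
        if prop.get("name") == GA_PROPERTY:
            return datetime.fromisoformat(prop["value"]).date()
    return None

def annotate_bom(bom: dict, release_dates: Dict[str, str]) -> dict:
    """Stamp every component whose purl has a known release date."""
    for comp in bom.get("components", []):
        if comp.get("purl") in release_dates:
            set_ga_date(comp, release_dates[comp["purl"]])
    return bom

# Constructed sample BOM and release-date lookup (values are made up).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
}
RELEASE_DATES = {"pkg:npm/lodash@4.17.21": "2021-02-20"}

if __name__ == "__main__":
    print(json.dumps(annotate_bom(SAMPLE_BOM, RELEASE_DATES), indent=2))
```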
The repo itself is already mentioned in the spec docs and guides here and there, when it comes to CycloneDX properties.
EDIT: lifecycle properties were added two weeks ago, that's why I missed it, [...]
The cdx:lifecycle namespace is pretty new, yes.
It is a standardized solution for people who think they might need it to represent certain use cases.
At CycloneDX, we currently have the understanding that such lifecycle information is non-static and should not be included in a static BOM document, see the discussions in #400. But we understand the idea and the wish to communicate such information.
EDIT: [...] so I almost don't have to change anything ^^
Fantastic!
Hey everyone! We heavily use the CycloneDX format for our SBOM and vulnerability reports, when applicable, at my workplace. Something we always add in our reports is the release date of the component. It is quite useful since it permits us to see what/when an administrator has updated on their system or when a group of developers has updated their dependencies. It also permits us to see the contrary, at a glance. I think it would be a nice feature to have in the spec. I know there's a field in components->releaseNote->timestamp, but it has to have a type of release, so we don't use it.
I see it being implemented either with the sustainability fields of #400, or by adding a new type of releaseNote: "unknown". It is also possible to simply have a publishedDate/releaseDate/publishedAt/releasedAt field in a component (I think publishedDate would be better for the spec, since it's more general-purpose).
What do you all think?